As the new privacy law — the General Data Protection Regulation (GDPR) — is about to come into effect, all sorts of plugins are marketed to help you get GDPR compliant. In this article we cover six practical WordPress plugins that enable you to make your WordPress website GDPR-proof!
GDPR Consent Plugin (€ 39 per year)
For WordPress websites in Europe, Sowmedia launches the GDPR Consent Plugin: a plugin for WordPress with which you first ask permission from your visitors, before your other WordPress plugins (and scripts) start collecting personal data. This way you prevent your website from already collecting personal data before your visitor has given permission for this. The GDPR Consent Plugin lets you define exactly which consents you want to request of your visitors, allowing you to present a clear overview of unique required and optional consents for your visitors to interact with. This GDPR Consent Plugin is the most complete WordPress cookie & consent plugin of all.
Delete Me (free)
The GDPR issues the ‘right to be forgotten’. This basically means that you have to be able to erase someone’s personal data within a reasonable timespan upon their request. You could, of course, do this manually, but the WordPress plugin Delete Me offers your visitors to it themselves — that is, when it comes to data gathered by your website. Users can remove all their own posts and links, including their reactions to articles.
This plugin particularly comes in handy when you have a subscriber website or an active user group that regularly responds to your articles. Be aware, though, that this plugin will not remove data stored separately by additional plugins you may have added to your WordPress website.
The Gravity Forms plugin is our number one favorite plugin to build advanced forms for WordPress websites. Its form entries are stored in your WordPress site, but can also be mailed or forwarded to third parties, such as email marketing software. In case your entries are directly forwarded to another system, you may not need to additionally store these entries in your WordPress site.
The GDPR requires you to refrain from needlessly storing user data. This is why the Wider Gravity Forms Stop Entries is so convenient. This plugin removes entries immediately in your WordPress database, so form entries will only be stored in your external systems (or your mailbox). The only drawback is that you don’t have a backup of these entries any more in case you discover the link to your external system to be unresponsive, for instance. Alternatives to tackle this are the plugins below.
Do you store Gravity Forms entries within your website? Then you can protect these by encrypting them. The WordPress plugin Gravity Forms Encrypted Fields ($ 27) does this for you. User data is encrypted by this plugin within the database. Next, you can configure which persons are allowed to view specifically allotted entries. This may be required, particularly when you are gathering high risk personal data (like Social Security Numbers or medical information) that is not meant to be seen by all WordPress editors and administrators.
WP GDPR Compliance (free)
The GDPR demands ‘explicit consent’ of your visitors to allow you to process their data. Whether you want your visitors to subscribe to a newsletter, fill in a contact form, or react to a message, permission is required. Such explicit consent can be realized by virtue of providing a tick box for example. However, should a tick box be marked by default, then you are overriding the ‘privacy by default’ principle.
Forcing explicit consent in your WordPress website is largely done manually. Again, make sure that tick boxes aimed at having users agree with your terms, are not ticked by default. Fortunately, WP GDPR Compliance imbeds such tick boxes for you and supports plugins like Contact Form 7, WooCommerce and WordPress Comments. The author of this plugin has announced future support for other plugins as well.
Policy Genius (free)
As from the 25th of May, 2018, the new privacy law (GDPR) comes into force. From then onward, all of Europe will have to abide by the same privacy regulations. The Dutch Wbp will be suspended and replaced by new regulations for processing and editing personal data. These new rules apply to your WordPress website too should you have a contact form, make use of Google Analytics, or have a webshop. In this article we explain how the new privacy law operates and what applies to your WordPress website and, therefore, deserves your attention.
This is no juridical article and no rights can be derived from its content.
Moving from a user agreement to a handling agreement
The former privacy law already required a secure processing of personal data, which was to be defined in a user agreement. The new law requires every European organization to be able to account for a secure handling of all personal data, which is to be recorded in a handling agreement. This means that you, first of all, need to know exactly what kind of personal data your organization gathers.
Secondly, you need to be able to guarantee that personal data you share with third parties, is also protected; such as personal data you share with your accountant, with your CRM or within your email marketing software. This applies to software of non-European origin as well (e.g. software supplied by American companies). You are obligated to make agreements with all your suppliers. Practically, this means the GDPR has an impact on privacy policies of organizations worldwide.
You also need to make agreements with third parties that have access to your WordPress website; like your hosting party, editors, administrators and parties that can access personal data via a plugin.
What is personal data?
What is considered to be personal data? And, when is this data deemed privacy-sensitive? Basically, all data that can identify a person as an individual. For instance, when someone fills in a contact form on your WordPress website. Data like,
- postal address
- email address
- location data (e.g. GPS coordinates)
Keep in mind that company information (e.g. the name of an organization, email address, postal address, etc.) is not considered personal data.
When is personal data regarded as extremely privacy-sensitive?
On top of ‘standard’ personal data, there is an additional category: ‘privacy-sensitive’ personal data. Should you handle data within your organization that is categorized as such, then there are additional requirements. These requirements also apply to your WordPress website, when you gather data that involves,
- Social Security Number
- Medical information
- Sexual orientation
- Religious / political preference
What rights do consumers have?
As mentioned before, the goal of the new privacy law (GDPR) is to protect the rights of the end user (consumer). This includes visitors of your WordPress website. But what exactly are their rights, and what can they demand from you as an organization?
Inform, permit and refuse
People have the right to be informed before their data is being gathered, edited and processed by your WordPress website. Users must give their explicit consent to this, too. This means providing a cookie announcement in the footer of your website, giving the option to sign up for a new letter via a tick box (that is not checked by default!). Ultimately, users must be given the option to withdraw their permission at any time, for instance by unregistering or reviewing the cookie settings again.
Individuals you have gathered personal data from on your WordPress website, are allowed to request this data from you. Organizations have to deliver this data within a month and are, in principle, not entitled to charge any costs. In addition, there is the data portability right: personal data must be able to be inspected in a reasonable manner. Excel sheets or CSV files are relatively easy to open, but a direct database dump is not.
Edit, limit and remove
Consumers are entitled to ask you to rectify faulty information, as well as request to refrain from further editing of personal data (apart from storing it). Also, every person has ‘the right to be forgotten’. Put differently, upon request you will have to be able to remove people’s data completely.
The GDPR and marketing automation
Quite possibly, you make use of marketing automation in your WordPress website. This may consist of email marketing software reminding you to respond to a comment, or to send a follow up mail once the first email has been viewed. Or perhaps adverts that are shown based on customer behavior.
People have the right to demand from you that your software cannot make automated decisions based on their data and/or behavior, unless you have explicitly have asked their permission. Therefore, in case you use marketing automation, make sure you explicitly ask your visitors permission, as well as inform them that automated decisions are made based on their personal data.
How serious is all this GDPR stuff?
The penalties that can be imposed by this law are considerable. That is, fines can run up to € 20 million or up to 4% of the annual revenue. The provided ‘grace period’ that lasts until May 2018, foretells that the GDPR will be seriously upheld. Moreover, the GDPR is applies to every organization within Europe; not only the bigger ones or the multinationals.
Make sure your WordPress website is GDPR compliant
There are many aspects to take into account in order to make sure your WordPress website complies with the new GDPR regulations. Make sure you do a Checklist: Is Your WordPress website GDPR Compliant?
By May 25, 2018, every European organization has to comply with a new privacy law to be allowed to process and handle personal data. This applies to the personal data you gather via your WordPress website as well. We already posted an article on the impact the General Data Protection Regulation (GDPR) has on your WordPress website. In this article, we provide you with a clear-cut checklist to help you determine whether your WordPress website meets the GDPR requirements.
This is no juridical article and no rights can be derived from its content.
1. Inventory and document
To start off, describe the target group(s) that visit your website. Then make up a spreadsheet in which you document the kind of personal data your WordPress website collects for each group (inform yourself here on what the GDPR marks as personal data). As you specify per target group, you’ll reduce the risk of missing something. Complete this inventory by checking the following list:
a. Hosting & Administration
External service providers have access to your website as well. Check how they handle your data and if you have made the right agreements with them.
- Hosting Party
- Theoretically, your hosting party has access to all data on your website. For this reason, you will have to make a processing agreement with your WordPress hosting party.
- Managed hosting, external developers and administrators
- Which administrators have access to your WordPress website? Should you contract certain bureaus (or freelancers) to work on your WordPress website, then you will have to set up processing agreements with them as well.
- Backup Locations
- Where and how does your hosting party make backups?
Log in as administrator on your WordPress website and answer the following questions to complete the list above. In WordPress, go to ‘Plugins’, then locate what data is being collected by each plugin and determine whether this data is being stored or not:
- Contact forms (e.g. Gravity Forms)
- What information do you require from your users? And where is it being stored?
- Usernet plugins (e.g. Ultimate Member, BuddyPress, etc.)
- What profile information is stored for each user? And, what else can possibly be deduced about your users through membership? Think in terms of political activity, religious preference, financial status, or sexual orientation.
- E-commerce (bijv. WooCommerce)
- E-commerce will contain basic personal data, such as names, addresses , and banking details. However, it also reveals the kind of products people order. Do you, for instance, sell magazines with a political affiliation?
- Email marketing widgets (e.g. sign up via MailChimp or CreateSend)
- Which information do you require? What will you do once you obtain it from your users, and to which service do you forward it?
- Links with external services, like accounting packages
- g. a link between WooCommerce and Exact Online
- WordPress reaction plugins
- g. Akismet, which filters spam based on data gathered from your users’ reactions, email addresses and IP-addresses. Or, Disqus, which stores such information as well.
- Safety plugins, like Wordfence, process IP-addresses and user locations for instance.
- Backup plugins
- Complete copies of your site are privacy sensitive should they end up in the wrong hands. Where are backups stored and how are they secured?
- Like Google Analytics or Google Tag Manager: are you aware of which parts of your users’ data is being stored.
- For instance, activity monitors that register user activity.
c. Services outside the EU
Check whether you make use of services outside the EU. For instance, American service providers, for instance, that may process data from your website. Verify if they are GDPR compliant.
Check how long personal data is stored and ascertain yourself that this is done no longer than necessary. The following step will help you consider whether this time span is justifiable.
Which users have access to your website, and are their pass words up to par? Are you using marketing automation or A/B-testing? If so, have the subjects been informed?
You have to be able to justify reasons for all personal data you are storing on your WordPress website. Make sure your data gathering stays within the boundaries of the law. If you intend to store data on your WordPress website, then this is only allowed when meeting one of the following criteria:
- Because it is by consent, backed up by an agreement
Like paid subscriptions on your WordPess website for which you need users’ banking details.
- Because you are obliged to record this by law
Like customer data in your WooCommerce shop that you also need for your administration according as the Tax Administration demands.
- Because you have been given explicit consent to do so
- By virtue of a cookie announcement on your WordPress website or a registration form by which one subscribes to your newsletter. Make sure that,\
- consent is freely given (users are not to be misled or forced)
- consent is explicit (that means no tick box checked by default!)
- consent needs to be given per component (e.g. someone registers for an event, and also subscribes for a newsletter)
- users have to be able to withdraw their permission.
- Because the gathering of this data is justifiable
Like tracing the location of a logged in user as an additional safety check to determine if the user is logging in from a likely location on the planet. Of course, determining what is justifiable data gathering is somewhat of a grey area. All the more reason to explain in detail why you consider it justifiable. And, when in doubt, you may want to consult a lawyer.
Go through the inventory list (step 1) and check each item for its justification.
Remove personal data that you cannot legitimately gather and store in your WordPress website.
Deactivate plugins that can’t do so either, or search for alternative plugins that do comply.
4. Draw up Procedures
Record different protocols for situations that may occur in the future. Make sure it is crystal clear which information is to be found where, so you won’t have to figure that out later on. In any case, record the following procedures:
- Personal requests
Individuals may demand access to their personal data stored by your WordPress website, but may also want to edit or delete their data.
Record how you will guarantee data to remain confidential, now and in the future. Think about a consistent update policy for your WordPress website, plugins and theme, but also a safe back up storage and a complex password policy for every new user that is added.
- Data breaches
In case of data breaches, you are required by law to inform the Personal Data Protection Authority within 72 hours. Therefore, make sure you have a phased plan ready, as speed is crucial in such cases.
5. Inform and ask for permission
Inform visitors of your WordPress website in a clear and transparent manner. This can be realized by clearly referring to a privacy statement, for instance in the footer of your website and in the cookie statement. Also, ask visitors of your WordPress website explicitly for permission of data handling activities as documented in your privacy statement. Make sure that you get their permission as described in step 2c.