GDPR Guide: What is GDPR, Checklist, How to Comply & WordPress?


Disclaimer: We are not lawyers and this is not legal advice. We have certainly tried to make it as accurate as possible and as easy as possible for you to understand. But if you need definitive legal advice for your business, you have to hire an attorney.

GDPR stands for General Data Protection Regulation. It is one of the biggest changes in the history of privacy law. GDPR will be enforced from May 25, 2018 across Europe. This means that if your app, service or website operates in the European region, you have to comply with GDPR; otherwise you face the fines defined in the law.

So there is no need to worry. It is not as scary as everyone is making it sound. Let's understand why, and how to make your app, service or site GDPR compliant.

What is GDPR?


GDPR is the new framework for data protection law, which replaces the previous 1995 Data Protection Directive. I think GDPR is awesome and every country should adopt it.

But wait, why is everyone so worried about this regulation?

They should not worry, because the main focus and target of GDPR are the giant companies like Facebook, Google, LinkedIn, etc. that collect lots of personally identifiable information from users and process it on their servers.

GDPR requires companies to explain in their Privacy Policy how data is collected, what data will be stored and how it will be used, and to give users the right to have their data deleted from the company's servers. Before users submit information, you have to ask for their consent and point them to your Privacy Policy page.

It also says that if you have collected user data that is no longer required, you should delete it from your storage.

Why is GDPR Necessary?

You have probably heard about the infamous Facebook Cambridge Analytica data scandal. If so, you might also know that the personally identifiable information of almost 87 million Facebook users was collected and sold to interested parties across the globe. You may not find it dangerous, but in reality it is horrifying.

Given the misuse of personally identifiable information on the internet, I think this regulation is necessary. Although I do think no one really reads privacy policies, it is one step forward in preventing the misuse of data.

Here are the important advantages that GDPR has to offer:


  • Greater Consumer Confidence in your Brand
  • Improved Security of Data
  • Reduced Maintenance Cost of Data

If you can think of any more advantages of GDPR, do comment below!

Seriousness of GDPR

Webmasters have until 25 May 2018 to comply with the new regulation. The penalty for non-compliance can be up to 20 million euro or up to 4% of the worldwide annual turnover of the last financial year. The amount of the penalty varies according to the seriousness of the breach.

But setting such a high penalty makes one thing clear: the EU is not messing around; they are serious about this. So it's time for every online business operating in Europe to comply.

Important Points that GDPR Mentions

There are lots of points that could be discussed here, but I would like to keep it short. You can find all the details on the official site.

You should incorporate the following into your business model:

Consent

(Image: cookie consent example)

For every piece of data you collect from the user, whether through a contact form, an email subscription form, a registration form or anything else, you have to state that you are going to store their data and how it will be stored and processed (linking to your privacy policy page).

The consent you ask from users must not be marked, ticked or accepted by default. Also, if you use email marketing, you have to make sure that you only send users the emails they signed up for. This means no more merging of email lists, sending emails without verification, etc.

Data Processing & Storage

You have to let users know how the data they submit will be processed by you and how it will be stored on your servers. That means you have to describe everything you will do with the data your users submit.

Right to Access

(Image: Google data download)

GDPR gives users the right to access the data stored on your servers. You should therefore have a separate page from which the user can request access to all of their stored data. If you don't want an automated system for it, you can describe in the privacy policy how the user can get access to their data.

Along with this, the user can also ask you to update any previously submitted data with a simple request.

Right to be Forgotten

(Image: Google account deletion)

The user now has the right to have any or all of the data you have collected and stored deleted upon request. After such a request, you have to delete all of that data from your servers as well as your backups.

Breach Notification

If your business or organization experiences any kind of data breach, you have to let users know about it. You have up to 72 hours after becoming aware of the breach. This covers all the users you have collected data from so far.

Who Needs to Comply with GDPR?

As I mentioned earlier in the article, if your organization or business collects information from users in any way, you have to comply with GDPR. In short, if your organization carries out any of the following activities, you need to comply with GDPR:

  • User Registration
  • Email Subscription
  • Comments
  • Customer Chat
  • Collection of data through any third-party services
  • Contact Forms
  • Orders and Sales

There are several other activities but these are the common ones.

GDPR Checklist

Note: The consent checkbox must be unchecked by default in every case.

Online Forms

(Image: Contact Us form with GDPR consent)

If you use online forms, you have to clearly state why you are collecting data and how it will be used. Make sure to add a checkbox that specifically asks for the user's consent before the form is submitted. The consent statement must also include a link to your privacy policy.
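The two rules above (an unchecked consent box with a policy link, and only emailing people for what they signed up for, from the Consent section earlier) are easy to get wrong on the server side. The following is an added example, not code from the original post: it renders the checkbox without a `checked` attribute, accepts a submission only when the box was affirmatively ticked, stores a consent record with purpose and policy version, and filters a mailing list down to the recipients who consented to that exact purpose. `PRIVACY_POLICY_URL`, `PRIVACY_POLICY_VERSION`, the purpose names and the sample submissions are all constructed for the example.

```javascript
// Added example (not from the original post): server-side handling of a
// consent checkbox plus a purpose check before mailing.
// PRIVACY_POLICY_URL, PRIVACY_POLICY_VERSION and the purpose strings are
// assumptions made for this example.

const PRIVACY_POLICY_URL = '/privacy-policy';   // assumed path
const PRIVACY_POLICY_VERSION = '2018-05-25';    // constructed version label

// Render the consent line for a form: unchecked by default, the purpose
// stated, and a link to the privacy policy. There is deliberately no
// "checked" attribute, so the user has to tick it themselves.
function renderConsentCheckbox(purpose) {
  const text = `I agree that my details are stored and used for: ${purpose}. ` +
    `See the <a href="${PRIVACY_POLICY_URL}">privacy policy</a>.`;
  return `<label><input type="checkbox" name="consent" value="yes"> ${text}</label>`;
}

// Only the exact affirmative value we render counts. A missing field, an
// empty string, a browser default like "on", or "true" is not consent.
function consentGiven(formFields) {
  return formFields.consent === 'yes';
}

// Validate a submission. On success return the record to store, carrying
// the consent metadata (purpose, policy version, time); on failure return
// the reasons so the form can be shown again with the box still unchecked.
function acceptSubmission(formFields, purpose, now = new Date()) {
  const errors = [];
  if (!consentGiven(formFields)) errors.push('consent_required');
  const email = typeof formFields.email === 'string' ? formFields.email.trim() : '';
  if (!/^[^@\s]+@[^@\s]+$/.test(email)) errors.push('email_invalid');
  if (errors.length) return { ok: false, errors };
  return {
    ok: true,
    record: {
      email: email.toLowerCase(),
      name: formFields.name || '',
      consents: [{ purpose, policyVersion: PRIVACY_POLICY_VERSION, at: now.toISOString() }],
    },
  };
}

// Purpose limitation: before a mailing goes out, keep only recipients who
// consented to that purpose. A merged list, or mailing a newsletter to
// people who only used the contact form, fails this check.
function recipientsFor(records, purpose) {
  return records
    .filter(r => r.consents.some(c => c.purpose === purpose))
    .map(r => r.email);
}

// Constructed sample submissions: one newsletter signup, one contact-form
// sender, and one newsletter form where the box was left unchecked.
const sampleRecords = [
  acceptSubmission({ email: 'a@example.com', consent: 'yes' }, 'newsletter'),
  acceptSubmission({ email: 'b@example.com', consent: 'yes' }, 'contact-form reply'),
  acceptSubmission({ email: 'c@example.com' }, 'newsletter'),
].filter(r => r.ok).map(r => r.record);

console.log(renderConsentCheckbox('newsletter'));
console.log('newsletter recipients:', recipientsFor(sampleRecords, 'newsletter'));
```

The important design choice is `consentGiven`: it compares against the one value the rendered checkbox emits, so a client that posts `consent=on` or `consent=true` without the form (or a form that was pre-ticked by a plugin) is rejected, and the stored record says which purpose and which policy version the person agreed to.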

Comments

(Image: comment form with GDPR consent)

If you use any type of commenting system on your website, you are asking users for at least their name and email. As with online forms, state everything you will do with the data, together with a consent checkbox. If you use a third-party comment system or pass this data to any third party, mention that as well.

Forums

If you provide any kind of forum or discussion platform, ask users for consent to store all their activity on the forum, including messages and IP addresses, and mention any third-party sharing if applicable.

Chat & Chatbots

If you use any type of chat, chat service, chat plugin or chatbot on your website, ask for permission and consent to store the chat before the chat begins.

If I have forgotten any important point here, let me know ASAP so that others can benefit from this post.

How to be GDPR Compliant

Although I have discussed most of the common things you need to know about GDPR, here is a step-by-step process to make your website, business or organization GDPR compliant:

  1. Make a list of all the data you collect from users in different places (forms, comments, orders, registration). Describe all of it in your Privacy Policy.
  2. List all the third-party services you pass this data to and state what you share with them.
  3. If you use analytics services such as Google Analytics or Facebook Pixel, state in your privacy policy that you use them and link to each provider's Privacy Policy as well.
  4. Also, don't forget to mention any other third-party services you use, such as push notification services (like OneSignal), advertising networks (Google AdSense, Media.net, etc.), heatmap services (like Hotjar) or anything else.
  5. For all the data you store, state how you will store it, how long it will be kept and how you will process it.
  6. Create a dedicated page from which users can request and access the data your website has collected about them. If you are unable to build that, create a form through which users can request their data.
  7. The best way to add more security is to install an SSL certificate and use HTTPS. It is not mandatory, but it will surely help. If you don't want to spend a few bucks on an SSL certificate, you can get one for free from services like Let's Encrypt.
  8. Similarly, provide a data erasure facility.
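Steps 1, 6 and 8 fit together: once you have listed every place personal data lives, an access request is "collect from every store for this person" and an erasure request is "delete from every store, then deal with backups". The following is an added example, not code from the original post or from any plugin it mentions: a registry of stores (here constructed in-memory arrays standing in for database tables), an export function for the right to access, and an erasure function that deletes from every store and returns a ticket naming the backup snapshots taken before the erasure, which an operator still has to purge. The store names, sample rows and snapshot names are all constructed.

```javascript
// Added example (not from the original post): a minimal data-subject
// request handler over a registry of every store that holds personal data.
// Stores are constructed in-memory arrays; a real site would wrap its tables.

// Step 1 of the checklist as data: every store, with the purpose it serves.
const stores = {
  comments:    { purpose: 'blog comments', rows: [] },
  subscribers: { purpose: 'newsletter',    rows: [] },
  orders:      { purpose: 'shop orders',   rows: [] },
};

// Constructed sample rows.
stores.comments.rows.push({ email: 'alice@example.com', name: 'Alice', body: 'Nice post', ip: '203.0.113.5' });
stores.subscribers.rows.push({ email: 'alice@example.com', consentedAt: '2018-05-26T10:00:00Z' });
stores.orders.rows.push({ email: 'bob@example.com', total: 42 });
stores.orders.rows.push({ email: 'alice@example.com', total: 10 });

// Constructed backup snapshots, newest last.
const backupSnapshots = [
  { name: 'nightly-2018-05-30', takenAt: '2018-05-30T02:00:00Z' },
  { name: 'nightly-2018-06-02', takenAt: '2018-06-02T02:00:00Z' },
];

function belongsTo(record, email) {
  return record.email === email;
}

// Right to access: one export object covering every registered store, each
// labelled with its purpose so the person can see why it was held.
function exportUserData(registry, email, now = new Date()) {
  const out = { email, exportedAt: now.toISOString(), data: {} };
  for (const [name, store] of Object.entries(registry)) {
    out.data[name] = {
      purpose: store.purpose,
      records: store.rows.filter(r => belongsTo(r, email)),
    };
  }
  return out;
}

// Right to be forgotten: delete from every registered store, then return a
// ticket with the per-store counts and the backups that predate the erasure
// and so may still contain the data. Purging those is a separate, tracked
// step rather than something silently assumed to have happened.
function eraseUserData(registry, snapshots, email, now = new Date()) {
  const deleted = {};
  for (const [name, store] of Object.entries(registry)) {
    const before = store.rows.length;
    store.rows = store.rows.filter(r => !belongsTo(r, email));
    deleted[name] = before - store.rows.length;
  }
  const pendingBackupPurge = snapshots
    .filter(s => new Date(s.takenAt) < now)
    .map(s => s.name);
  return { email, erasedAt: now.toISOString(), deleted, pendingBackupPurge };
}

// Demo of the access side only; the erase side mutates the stores.
console.log(JSON.stringify(exportUserData(stores, 'alice@example.com'), null, 2));
```

Because every store has to be registered to be covered, adding a new form or plugin that collects data without adding it to the registry is exactly the gap step 1 warns about; the export makes that omission visible to the person asking, which is a good reason to keep the registry next to the Privacy Policy text it backs.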

Update all of these things in your Privacy Policy and you are probably good to go!

Showing Cookie Consent

Now show a consent notice to users the first time they visit your site, and link to the privacy policy in it. If you use Cloudflare, you can use the Cookie Consent app; if not, go with any other simple JavaScript snippet to show the notice to first-time visitors.
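The logic behind such a snippet is small but has two edge cases worth handling: a record left by an older privacy policy should not count, and a corrupt or missing record should simply ask again. The following is an added example, not code from the original post or from the Cloudflare app it mentions: the decision and the record are pure functions over an injected key/value storage (`window.localStorage` in the browser, a tiny in-memory object elsewhere), a decline is remembered so the visitor is not nagged, and optional scripts such as analytics are only loaded once an accept for the current policy version is on record. The storage key `cookie-consent`, the `POLICY_VERSION` label and the `/privacy-policy` path are assumptions.

```javascript
// Added example (not from the original post): state logic for a first-visit
// cookie consent notice. CONSENT_KEY, POLICY_VERSION and the /privacy-policy
// link are assumptions made for this example.

const CONSENT_KEY = 'cookie-consent';   // assumed storage key
const POLICY_VERSION = '2018-05-25';    // bump this whenever the policy changes

// Read the stored record; anything unreadable is treated as "no record".
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  try { return JSON.parse(raw); } catch (e) { return null; }
}

// Show the notice when there is no record for the current policy version.
// A record for an older version means the policy was updated, so ask again.
// A recorded decline is a record too: the visitor is not asked on every page.
function shouldShowNotice(storage) {
  const c = readConsent(storage);
  return !(c && c.version === POLICY_VERSION);
}

function recordConsent(storage, accepted, now = new Date()) {
  const record = { accepted: accepted === true, version: POLICY_VERSION, at: now.toISOString() };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Gate for optional scripts (analytics, ads): only an accept for the
// current version unlocks them; decline, old version or no record keeps them off.
function mayLoadOptionalScripts(storage) {
  const c = readConsent(storage);
  return Boolean(c && c.accepted === true && c.version === POLICY_VERSION);
}

// Minimal localStorage-shaped object for running outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Browser wiring: render the bar only when needed, record the choice on click.
function renderNotice(doc, storage) {
  if (!shouldShowNotice(storage)) return false;
  const bar = doc.createElement('div');
  bar.innerHTML =
    'This site stores cookies as described in our <a href="/privacy-policy">privacy policy</a>. ' +
    '<button id="consent-accept">Accept</button> <button id="consent-decline">Decline</button>';
  doc.body.appendChild(bar);
  bar.querySelector('#consent-accept').addEventListener('click', () => { recordConsent(storage, true); bar.remove(); });
  bar.querySelector('#consent-decline').addEventListener('click', () => { recordConsent(storage, false); bar.remove(); });
  return true;
}

// Only runs in a real page; under Node there is no document, so nothing happens.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  renderNotice(document, localStorage);
}
```

Keeping the version in the record is what makes the "notify users about the update" step below enforceable for cookies: changing `POLICY_VERSION` re-prompts every returning visitor without touching their other stored data.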

Notifying Users about the Update

Although I am not sure about it, you have to let all the users you have collected data from so far know that you have updated your Privacy Policy or Terms, generally via email.

Tips for WordPress Users

Tip: Use a plugin like Ultimate GDPR Compliance Toolkit for WordPress, developed by the createIT team, to make it easy for WordPress users to become GDPR compliant. You can get more details from the official plugin website.

(Image: Ultimate GDPR Compliance Toolkit for WordPress)

As most bloggers, like me, rely on WordPress, there are some small things you need to take care of in addition to the ones I mentioned earlier:

Make sure that all the plugins, themes and services you use comply with GDPR. If not, you can be in trouble, because everything you use must provide a way to extract user-specific information and delete it upon request.

Add a consent checkbox that is unchecked by default to all contact forms, email subscription forms and even the comment form.

Conclusion

GDPR is a complex regulation that can take a while to understand, and it may require time and money to comply with. But for what it has to offer, I think it is worth it.

So what do you think about GDPR? Let me know in the comment section below.
