How to make your WordPress website GDPR compliant [Actionable List]

You may already know that the EU General Data Protection Regulation (GDPR) is coming into force on 25th May. In this article, you will find out what exactly you need to do to achieve full GDPR compliance.

WordPress GDPR compliance

The first step in making your WordPress website GDPR compliant is to audit all tools your website uses, your marketing tags and procedures.

After you understand when and how users' personal data is collected, you'll be able to handle it in a GDPR compliant way. Below is the list of all tasks you need to take care of to achieve GDPR compliance.

1. Cookie Notification

Every landing page on the website needs to have a cookie notification, which a user needs to accept to continue using the website.

It can be in the form of a bar or a popup and needs to have 2 buttons:

  • Accept
  • Read More, which links to the Privacy Policy or Cookie Policy page

2. Cookie Policy Page

The Cookie Policy page, or the Privacy Policy page with a Cookie Policy section, needs to:

  • explain in detail what cookies are and how they work
  • explain what each cookie type does in general, and whether it collects personal data or identifies users. Examples of cookie types: necessary, performance, functionality, advertising, etc.
  • list all cookies you use, and explain why you use them on your website and for how long they store data
  • list third-party cookies, and where users can get more information about these cookies
  • give users instructions on how to control and delete cookies
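An audit step that feeds the list above: the script below (an added example, not the article's code) builds the cookie inventory from Set-Cookie headers captured while browsing the site, classifying each cookie as first- or third-party and working out how long it stores data. The site domain, the sample headers and the audit date are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SITE_DOMAIN = "example.com"  # assumption: the domain of the audited site

# Constructed sample headers (not real data), as captured from first-party and
# embedded third-party responses during one browsing session of the site.
CAPTURED_SET_COOKIE = [
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.1234.5678; Domain=.example.com; Path=/; Max-Age=63072000",
    "fr=tracker; Domain=.facebook.com; Path=/; Expires=Sat, 01 Jun 2019 00:00:00 GMT",
]
AUDIT_TIME = datetime(2018, 5, 25, tzinfo=timezone.utc)  # fixed so Expires lifetimes are reproducible

def lifetime_days(morsel, now):
    """Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) / 86400
    if morsel["expires"]:
        return (parsedate_to_datetime(morsel["expires"]) - now).total_seconds() / 86400
    return None

def party(morsel, site_domain):
    """No Domain attribute means host-only, i.e. first-party."""
    domain = morsel["domain"].lstrip(".").lower()
    if not domain or domain == site_domain or domain.endswith("." + site_domain):
        return "first-party"
    return "third-party"

def cookie_inventory(headers, site_domain=SITE_DOMAIN, now=AUDIT_TIME):
    """One inventory row per Set-Cookie header, in capture order."""
    rows = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            days = lifetime_days(morsel, now)
            rows.append({"name": name, "party": party(morsel, site_domain),
                         "lifetime_days": None if days is None else round(days, 1),
                         "secure": bool(morsel["secure"]), "httponly": bool(morsel["httponly"])})
    return rows

if __name__ == "__main__":
    for row in cookie_inventory(CAPTURED_SET_COOKIE):
        print(row)
```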

3. Personal Data Access Form

Users need to be able to access their data at any time by submitting a form created specifically for personal data access requests; the personal data submitted with the request (the email address) will be used only for providing personal data access.

4. Personal Data Deletion Form

Users need to be able to delete their data at any time by submitting a form created specifically for that purpose.

5. Data Rectification Form

Users need to be able to change their data at any time by submitting a form created specifically for that purpose.

6. Data Breach Notifications

Users need to be notified if and when a data breach occurs on your website or on any of the third-party platforms that hold your users' data on their servers.

7. Terms And Conditions Page

Terms and Conditions need to:

  • include all legal terms and rules that bind the customer to your business
  • have all specific legal agreements reviewed and approved by a lawyer
  • contain a paragraph that explains the new GDPR terminology and how user data is gathered
  • be easily accessible from every page of the website (usually the link is put in the footer)

8. Privacy Policy Page

The Privacy Policy page needs to inform the user about all data you gather and contain at least the following information:

  • company name and address
  • a list of all data you collect: names, emails, phone numbers, addresses, IP addresses, cookies, etc.
  • the reason for collecting each data type, with every reason explained in as much detail as possible; e.g. cookies for the normal functioning of the website and improving user experience, for remarketing lists, etc.
  • for how long you retain user data; the retention period needs to be justified and in accordance with the Data Protection Principles
  • a list of all third parties that receive users' data (Google, Facebook, Crazy Egg, LinkedIn, Marketo, the platforms you use for chat and email marketing, CRM, etc.), and an explanation of why and where you are storing their data
  • a list of all APIs that transmit user data
  • a list of all plugins that receive user data
  • instructions to users on how to download their data; they should be able to do it automatically or by submitting a form to the Data Protection Officer, who has to send them the data after receiving the request
  • instructions to users on how to delete their data; again automatically or via the Data Protection Officer
  • instructions to users on how they can amend their data; again automatically or via the Data Protection Officer
  • instructions to users on how to get in touch about their data-related issues; contact details of the assigned Data Protection Officer

A Privacy Policy link needs to be included in every form on the website that sends any type of personal data, such as:

  • contact forms
  • opt-in forms
  • user registration forms
  • start chat forms
  • checkout forms

All form fields that collect user information need to be revised and adjusted to collect only relevant information, in accordance with the Data Protection Principles.

The Privacy Policy needs to be easily accessible from every page of the website. A usual practice is to put the link in the footer.

9. Data Retention Policy

You should not retain personal data longer than necessary. The Data Retention Policy should set out limits for the various types of personal data and how, after that period passes, data is deleted or disposed of.

10. Consent

Every user needs to consent before being able to send any kind of personal data.

Every form on the website needs to have a consent box above the Submit button, which is unchecked by default and needs to be checked by the user (even on personal data access forms).

If a user tries to submit personal data without checking the box, there should be a pop-up notification which explains that the form cannot be sent without the user's consent first.

Whenever possible, there should be separate options to consent to different purposes and types of processing. For example, if a user wants to submit a form to access their personal data, consent should clearly be only for that purpose and their data should be used only for that purpose.
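A server-side check to back the checkbox behaviour described above (an added example, not code from the article): submissions without the required purpose-specific consent are refused with the explanatory message, optional purposes are granted only when ticked, and the boxes are rendered unticked. The form definitions and field names are assumptions.

```python
# Constructed form definitions (assumption, not from the article):
# (checkbox field name, the one purpose it covers, whether the form needs it).
FORMS = {
    "newsletter": [
        ("consent_newsletter", "send you the newsletter", True),
        ("consent_profiling", "tailor the content to your interests", False),
    ],
    "data_access": [
        ("consent_access", "process your personal data access request", True),
    ],
}
# A ticked checkbox is posted as "on"; an unticked one is omitted entirely, so a
# missing field is the normal "no consent" case and must never default to yes.
TICKED = {"on", "1", "true", "yes"}


def render_consent_boxes(form_id):
    """Emit the boxes unticked (no `checked`); `required` lets the browser block
    the submit and show its own notice, but the server check stays authoritative."""
    return "\n".join(
        f'<label><input type="checkbox" name="{field}" value="on"'
        f'{" required" if required else ""}> I consent to: {purpose}</label>'
        for field, purpose, required in FORMS[form_id]
    )


def validate_consent(form_id, submitted):
    """Return {"ok", "granted", "message"} for a POSTed field dict.
    Only the purposes actually ticked are granted, so data is used for nothing else."""
    granted, missing = [], []
    for field, purpose, required in FORMS[form_id]:
        if str(submitted.get(field, "")).strip().lower() in TICKED:
            granted.append(purpose)
        elif required:
            missing.append(purpose)
    if missing:
        return {"ok": False, "granted": [],
                "message": "This form cannot be sent without your consent to: "
                           + "; ".join(missing) + "."}
    return {"ok": True, "granted": granted, "message": ""}


if __name__ == "__main__":
    print(render_consent_boxes("newsletter"))
    print(validate_consent("newsletter", {"email": "a@example.com"}))
    print(validate_consent("newsletter", {"email": "a@example.com", "consent_newsletter": "on"}))
```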

11. Google Analytics Adjustments

You need to define a user and event data retention period for each Google Analytics property.

Available options are:

  • 14 months
  • 26 months (set by default)
  • 38 months
  • 50 months
  • No expiration period

IP anonymization needs to be set to true to prevent sending European IPs to the Analytics collection network in the US.

A contract for data processing has to be concluded with Google (Google provides pre-written contract text for order data processing). The signed contract needs to be sent in duplicate by post to Google in Ireland, including a labelled and stamped envelope.

A detailed explanation of GA tracking needs to be included in the Privacy Policy, along with instructions on how to opt out of GA tracking.

12. SSL/HTTPS

All websites need to have an SSL/TLS certificate installed and all internal links switched to HTTPS. If any HTTP resources are left on a page, the green padlock will not be visible in the address bar and the page won't be considered safe.
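To find the leftover HTTP resources that remove the padlock, the following scanner (an added example, not the article's code) lists every fetched resource on a page that still resolves to http:// after relative and protocol-relative URLs are resolved against the HTTPS page address. The sample page, hostnames and page URL are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attributes the browser fetches or posts to. Plain links
# (<a href>) are not mixed content, so they are deliberately left out.
URL_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "link": ("href",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src", "srcset"), "embed": ("src",), "object": ("data",), "form": ("action",),
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute http:// URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset carries comma-separated "url descriptor" candidates
            raw_urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                        if name == "srcset" else [value.strip()])
            for raw in raw_urls:
                # urljoin resolves relative and protocol-relative ("//host/x") URLs
                # against the HTTPS page URL, so only explicit http:// is reported.
                absolute = urljoin(self.page_url, raw)
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))

def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (not from the article), assumed to be served over HTTPS.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/style.css">
<script src="//ajax.example.org/lib.js"></script>
</head><body>
<img src="/wp-content/uploads/logo.png" srcset="/img/a.png 1x, http://img.example.com/a@2x.png 2x">
<iframe src="https://www.youtube-nocookie.com/embed/xyz"></iframe>
<a href="http://example.com/old-page">an old internal link: not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_HTML, "https://example.com/blog/"):
        print(*finding)
```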

13. Plugins, APIs, and third-party software

Make sure all website plugins, APIs and third-party software which collect user data are GDPR compliant and have a GDPR-friendly solution for your business.

Subscribe to all third-party software and API providers to make sure you receive a notification if a data breach occurs which affects your users (so that you are able to notify your users about the breach).

14. Comments

If you are using a comments option anywhere on your website, you need to remove the IPs stored with existing comments and disable collecting IPs for future comments.

As on any other form, the consent checkbox needs to be included under the comments field too.

15. YouTube videos

YouTube videos on the site need to be embedded in a GDPR compliant manner, with the advanced data protection (privacy-enhanced) mode activated.

16. Social share buttons

Most social share buttons automatically transmit users' data to social networks, even without users clicking on any of the buttons. You need to make sure the share buttons on your blog, and anywhere else you use them, do not transfer any user data (e.g. by using the Shariff plugin).

17. GDPR is retroactive

If existing users provided their consent but were not asked in a GDPR compliant way*, you have to re-contact them and ask them to give you consent again and accept your new T&C and Privacy Policy pages.

*GDPR compliant way: users were told how to access, change and delete their personal data (when opting in, they accepted the Privacy Policy with this information provided)

Conclusion

GDPR is not simple, and different lawyers and accountants can interpret it differently. However, if you complete all the steps listed above and get legal advice about the legal documents published on your website, you should be on the safe side.

If you need any help in setting up GDPR forms and achieving full GDPR compliance, don't hesitate to contact us. We would be happy to assist you and take care of all GDPR-related tasks.
