
How to make your WordPress website GDPR compliant [Actionable List]
You may already know that the EU General Data Protection Regulation (GDPR) is coming into force on 25th May. In this article, you will find out what exactly you need to do to achieve full GDPR compliance.
WordPress GDPR compliance
The first step in making your WordPress website GDPR compliant is to audit all tools your website uses, your marketing tags and procedures.
After you understand when and how users’ personal data is collected, you’ll be able to handle it in a GDPR compliant way. Below is the list of all tasks you need to take care of to achieve GDPR compliance.
1. Cookie Consent
Every landing page on the website needs to have a cookie notification, which a user needs to accept to continue using the website.
It can be in the form of a bar or a popup and needs to have two buttons:
- Accept
- Read More, which links to the Privacy Policy or Cookie Policy page
2. Cookie Policy Page
The Cookie Policy page, or the Privacy Policy page with a Cookie Policy section, needs to:
- explain in detail what cookies are, and how they work
- explain what each cookie type does in general and whether it collects personal data or identifies users. Examples of cookie types: necessary, performance, functionality, advertising, etc.
- list all cookies you set, explain why you use them on your website, and state for how long they store data
- list third-party cookies, and where users can get more information about these cookies
- give instructions to users on how to control and delete cookies
3. Personal Data Access Form
Users need to be able to access their data at any time by submitting a form created specifically for personal data access requests; the personal data entered in that form (the email address) may be used only to fulfil the access request.
4. Personal Data Deletion Form
Users need to be able to delete their data at any time by submitting a form specifically created for that purpose.
5. Data Rectification Form
Users need to be able to change their data at any time by submitting a form specifically created for that purpose.
6. Data Breach Notifications
Users need to be notified if and when a data breach occurs on your website or any of the third-party platforms that have your users’ data on their servers.
7. Terms And Conditions Page
Terms and Conditions need to:
- include all legal terms and rules that bind the customer to your business
- have all specific legal agreements reviewed and approved by a lawyer
- contain a paragraph that explains the new GDPR terminology and how user data is gathered
- be easily accessible from every page of the website (usually the link is put in the footer)
8. Privacy Policy Page
The Privacy Policy page needs to inform the user about all data you gather and contain at least the following information:
- company name and address
- a list of all data you collect: names, emails, phone numbers, addresses, IP addresses, cookies, etc.
- the reason for collecting each data type, explained in as much detail as possible; e.g. cookies for the normal functioning of the website and improving user experience, for remarketing lists, etc.
- for how long you retain user data – the retention period needs to be justified and in accordance with the Data Protection Principles
- a list of all third parties that receive user data (Google, Facebook, Crazy Egg, LinkedIn, Marketo, the platforms you use for chat and email marketing, CRM, etc.), with an explanation of why and where their data is stored
- a list of all APIs that transmit user data
- a list of all plugins that receive user data
- instructions to users on how to download their data; they should be able to do it automatically or by submitting a form to the Data Protection Officer who has to send them the data after receiving the request
- instructions to users on how to delete their data; again automatically or via the Data Protection Officer
- instructions to users on how they can amend their data; again automatically or via the Data Protection Officer
- instructions to users on how to get in touch with their data-related issues; contact details of the assigned Data Protection Officer
A Privacy Policy link needs to be included in every form on the website that sends any type of personal data, such as:
- contact forms
- opt-in forms
- user registration forms
- start chat forms
- checkout forms
All form fields that collect user information need to be revised and adjusted to collect only relevant information in accordance with the Data Protection Principles.
The Privacy Policy needs to be easily accessible from every page of the website. The usual practice is to put the link in the footer.
9. Data Retention Policy
You should not retain personal data longer than necessary. A Data Retention Policy should set out retention limits for the various types of personal data and describe how the data is deleted or disposed of once that period passes.
10. Consent Box
Every user needs to consent before being able to send any kind of personal data.
Every form on the website needs to have a consent box above the Submit button which is unchecked by default and needs to be checked by the user (even personal data access forms).
If a user tries to submit personal data without checking the box, there should be a pop-up notification which explains that the form cannot be sent without the user’s consent first.
Whenever possible, there should be separate options to consent to different purposes and types of processing. For example, if a user wants to submit a form to access their personal data, consent should clearly be only for that purpose and their data should be used only for that purpose.
11. Google Analytics Adjustments
You need to define a user and event data retention period for each Google Analytics property.
Available options are:
- 14 months
- 26 months (the default)
- 38 months
- 50 months
- No expiration period
IP Anonymization needs to be set to true to prevent sending European IPs to the Analytics collection network in the US.
A data processing contract has to be concluded with Google (Google provides pre-written contract text for data processing). The signed contract needs to be sent in duplicate by post to Google in Ireland, together with a labeled and stamped envelope.
A detailed explanation of GA tracking needs to be included in the Privacy Policy, along with instructions on how to opt out of GA tracking.
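The snippet below is an added example, not code from the original article: it emits the Google Analytics gtag.js snippet from WordPress with IP anonymization switched on (Google's `anonymize_ip` config parameter, shown next to the weak default), and adds a `[ga_opt_out]` shortcode for the Privacy Policy page that honours Google's documented `window['ga-disable-<ID>']` flag. `GA_PROPERTY_ID_PLACEHOLDER` stands in for your own property ID, and the cookie name `ga_opt_out`, the constant, the shortcode name and the text domain are this example's own choices.

```php
<?php
/**
 * Added example, not code from the original article: Google Analytics via
 * gtag.js with IP anonymization on, plus a visitor opt-out.
 * GA_PROPERTY_ID_PLACEHOLDER stands in for your own property ID; the cookie
 * name "ga_opt_out" and the shortcode name are this example's own choices.
 * Put this in a small plugin file or in your theme's functions.php.
 */
define( 'GDPR_GA_PROPERTY_ID', 'GA_PROPERTY_ID_PLACEHOLDER' );

add_action( 'wp_head', function () {
    $id = esc_js( GDPR_GA_PROPERTY_ID ); ?>
    <script>
      // Opt-out: if the visitor set the opt-out cookie, Google's documented
      // window['ga-disable-<ID>'] flag stops gtag.js from sending any hit.
      if ( document.cookie.indexOf( 'ga_opt_out=1' ) !== -1 ) {
        window['ga-disable-<?php echo $id; ?>'] = true;
      }
    </script>
    <script async src="https://www.googletagmanager.com/gtag/js?id=<?php echo esc_attr( GDPR_GA_PROPERTY_ID ); ?>"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag() { dataLayer.push( arguments ); }
      gtag( 'js', new Date() );
      // Weak default:  gtag('config', '<?php echo $id; ?>');
      //                -> the visitor's full IP address reaches Google's servers.
      // Corrected:     anonymize_ip truncates the IP before it is stored.
      gtag( 'config', '<?php echo $id; ?>', { 'anonymize_ip': true } );
    </script>
<?php } );

// [ga_opt_out] shortcode for the Privacy Policy page: a link that sets the
// opt-out cookie for one year and disables tracking in the current page too.
add_shortcode( 'ga_opt_out', function () {
    $id = esc_js( GDPR_GA_PROPERTY_ID );
    return '<a href="#" onclick="document.cookie=\'ga_opt_out=1; path=/; max-age=31536000; SameSite=Lax\';'
        . 'window[\'ga-disable-' . $id . '\']=true;'
        . 'alert(\'Google Analytics has been disabled for this browser.\'); return false;">'
        . esc_html__( 'Disable Google Analytics tracking', 'gdpr-ga' ) . '</a>';
} );
```

The opt-out is per browser, since it lives in a first-party cookie; the Privacy Policy text should say so. The data retention period and the data processing contract from the list above are account-level settings in the Google Analytics admin interface and are not affected by this snippet.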
12. SSL/HTTPS
All websites need to have an SSL/TLS certificate installed and all internal links switched to HTTPS. If any resources are still loaded over plain HTTP (mixed content), the browser will not show the green padlock in the address bar and the page will not be considered secure.
13. Plugins, APIs, and third-party software
Make sure all website plugins, APIs and third-party software which collect user data are GDPR compliant and have a GDPR friendly solution for your business.
Subscribe to the notifications of all third-party software and API providers so that you are informed whenever a data breach affecting your users occurs (and can in turn notify your users about the breach).
14. Comments
If you are using a comments option anywhere on your website, you need to remove the stored IP addresses from existing comments and disable IP collection for future comments.
As with any other form, a consent checkbox needs to be included under the comment field too.
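The following is an added example covering both the consent box requirement (item 10) and the comment-specific tasks in this item; it is not code from the original article and not a WordPress core feature. The hook names (`pre_comment_user_ip`, `comment_form_default_fields`, `comment_form_logged_in_after`, `preprocess_comment`) are real WordPress filters and actions; the function names, the `gdpr_consent` field name and the `gdpr-comments` text domain are this example's own choices, and `get_privacy_policy_url()` assumes WordPress 4.9.6 or later.

```php
<?php
/**
 * Added example, not code from the original article: GDPR adjustments for
 * the WordPress comment form, packaged as a small plugin. Drop the file into
 * wp-content/plugins/ and activate it, or add the hooks to functions.php.
 * Field name "gdpr_consent", function names and text domain are this
 * example's own choices.
 */

// 1. Stop storing the commenter's IP address for every future comment.
//    WordPress passes the IP through this filter before the comment is saved.
add_filter( 'pre_comment_user_ip', '__return_empty_string' );

// 2. Render an unchecked consent checkbox linking to the Privacy Policy.
function gdpr_comments_consent_field() {
    $policy = '<a href="' . esc_url( get_privacy_policy_url() ) . '">'
        . esc_html__( 'Privacy Policy', 'gdpr-comments' ) . '</a>';
    return '<p class="comment-form-gdpr-consent">'
        . '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="1" required /> '
        . '<label for="gdpr_consent">'
        . sprintf( esc_html__( 'I consent to my data being processed as described in the %s.', 'gdpr-comments' ), $policy )
        . '</label></p>';
}

// Logged-out visitors get the checkbox with the name/email/url fields, which
// WordPress prints above the Submit button ...
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $fields['gdpr_consent'] = gdpr_comments_consent_field();
    return $fields;
} );
// ... logged-in users do not see those fields, so add it separately for them.
add_action( 'comment_form_logged_in_after', function () {
    echo gdpr_comments_consent_field();
} );

// 3. Server-side check: reject a comment posted without the box ticked, even
//    if the HTML "required" attribute was stripped by the client. Pingbacks,
//    trackbacks and replies from moderators are not user consent cases.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( ! in_array( $type, array( '', 'comment' ), true ) || current_user_can( 'moderate_comments' ) ) {
        return $commentdata;
    }
    if ( empty( $_POST['gdpr_consent'] ) ) {
        wp_die(
            esc_html__( 'Your comment cannot be submitted without your consent to the Privacy Policy.', 'gdpr-comments' ),
            esc_html__( 'Consent required', 'gdpr-comments' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// 4. One-off clean-up: blank the IP addresses already stored for existing
//    comments. Returns the number of rows updated (or false on error).
function gdpr_comments_purge_stored_ips() {
    global $wpdb;
    return $wpdb->query( "UPDATE {$wpdb->comments} SET comment_author_IP = ''" );
}
```

Run the clean-up once, for example with WP-CLI: `wp eval 'echo gdpr_comments_purge_stored_ips();'`. This consent box is separate from the "save my name and email in this browser" cookie checkbox that WordPress 4.9.6 adds to the comment form; that one only covers the convenience cookies, not the processing of the comment data itself.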
15. YouTube videos
YouTube videos on the site need to be embedded in a GDPR compliant manner, i.e. with YouTube's privacy-enhanced mode activated.
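As an added example (not from the original article), the filter below rewrites the embed markup WordPress generates from a pasted YouTube link so that the player is loaded from `www.youtube-nocookie.com`, the domain YouTube uses for its privacy-enhanced mode. `embed_oembed_html` is a real WordPress filter; the helper function name is this example's own choice.

```php
<?php
/**
 * Added example, not code from the original article: serve WordPress's
 * YouTube oEmbed players from youtube-nocookie.com (privacy-enhanced mode).
 * Add to a plugin file or to your theme's functions.php.
 */

// Rewrite embed URLs in a piece of markup; kept as its own function so it can
// be unit-tested and reused for other HTML (e.g. widgets).
function gdpr_youtube_privacy_url( $html ) {
    return preg_replace(
        '#https?://(www\.)?youtube\.com/embed/#i',
        'https://www.youtube-nocookie.com/embed/',
        $html
    );
}

// $html is the <iframe> markup produced by the oEmbed provider, $url the
// original link the author pasted into the post.
add_filter( 'embed_oembed_html', function ( $html, $url ) {
    if ( false === stripos( $url, 'youtube.com' ) && false === stripos( $url, 'youtu.be' ) ) {
        return $html; // not a YouTube link, leave other providers untouched
    }
    return gdpr_youtube_privacy_url( $html );
}, 10, 2 );
```

The filter runs on output, so posts whose oEmbed result WordPress has already cached are covered too. Iframes that were pasted into the post HTML by hand bypass oEmbed and have to be edited to the nocookie domain directly. Privacy-enhanced mode means YouTube does not store information about visitors unless they play the video; it does not remove the request to Google that happens on playback, which is why the Privacy Policy should still list YouTube as a third party.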
16. Social share buttons
Most social share buttons transmit user data to the social networks as soon as the page loads, even if the user never clicks any of the buttons. Make sure the share buttons on your blog, and anywhere else you use them, do not transfer any user data (e.g. by using the Shariff plugin).
17. GDPR is retroactive
If existing users gave their consent but were not asked in a GDPR compliant way*, you have to re-contact them, ask them to give their consent again, and have them accept your new T&C and Privacy Policy pages.
*GDPR compliant way – users were told how to access, change and delete their personal data (when opting in, they accepted a Privacy Policy that provided this information)
Conclusion
GDPR is not simple, and different lawyers and accountants can interpret it differently. However, if you complete all the steps listed above, and get legal advice about legal documents published on your website, you should be on the safe side.
If you need any help in setting up GDPR forms and achieving full GDPR compliance, don’t hesitate to contact us. We would be happy to assist you and take care of all GDPR-related tasks.