Practical steps for Website GDPR compliance

Tread lightly

The General Data Protection Regulation (GDPR), the EU data protection directive, comes into effect on May 25, 2018. In a previous article, we discussed what GDPR is and the responsibilities it places on website owners. Here, we provide guidelines on specific steps you can take to move your site toward GDPR compliance.

5 steps toward website GDPR compliance

Take these steps to help ensure that your website is GDPR-compliant:

  1. Fine-tune your privacy policy.

  2. Obtain clear consent to use cookies.

  3. Ensure your plugins comply with GDPR.

  4. Limit the data you collect and store via form submissions.

  5. Clean up your mailing lists.

Let’s dive in …

1. Fine-tune your privacy policy

Update your privacy policy to ensure that it makes your collection and use of data transparent. This includes detailing your data collection practices, cookie usage, and data privacy rules regarding if and when user data may be shared. Make sure it includes information about data that is collected by any plugins.

Your privacy policy should specify the types of data you collect, what you use it for, and how you protect it.


Don’t just copy and paste someone else’s user policy. It is unlikely to contain the proper information for your site. If appropriate, you might include items like:

  • We do not sell data.
  • We do not share data unless compelled by law.
  • We only ask for personal information if it’s needed to provide a service.

Follow this with details of the types of data you collect, what you use it for, and how you protect it.

While all these efforts at transparency can result in a long-winded, complex privacy policy, do your best to keep it simple and use clear language while still being complete.

2. Obtain clear consent to use cookies

[Image: Website GDPR Compliance Cookies. Caption: Wishful thinking.]

The GDPR states cookies constitute personal data, as they can be used to identify an individual. You must obtain clear, specific consent from users to place cookies and track them. This could be handled by a popup on a user’s first visit that allows users to consent to or decline cookie use. To comply, you cannot have a default answer (such as accept) but must require the user to pick an option. If the user doesn’t explicitly consent, you can’t place cookies on their browser. The site should still be accessible without cookie placement, though of course features such as personalization will be lost.
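A minimal consent gate that implements the rules above (no default answer, no non-essential cookies until an explicit accept, re-prompt when the policy changes), as an added example that is not part of the original article. Storage and the cookie setter are injected so it runs in Node; in a browser you would pass window.localStorage and a document.cookie-based setter. The key name, policy version string and function names are hypothetical.

```javascript
// Added example (not from the original article). Storage and the cookie
// setter are injected so the logic runs in Node for testing and in a
// browser with window.localStorage. All names are hypothetical.
const POLICY_VERSION = "2018-05"; // bump whenever the cookie policy changes

// Anything missing, malformed or recorded under an older policy version is
// "undecided"; a stored record never defaults to "accepted".
function readConsent(storage) {
  const raw = storage.getItem("cookieConsent");
  if (!raw) return { status: "undecided" };
  try {
    const rec = JSON.parse(raw);
    const explicit = rec.status === "accepted" || rec.status === "declined";
    return explicit && rec.version === POLICY_VERSION ? rec : { status: "undecided" };
  } catch (e) {
    return { status: "undecided" };
  }
}

// Show the popup only while no explicit choice exists for the current policy.
function needsPrompt(storage) {
  return readConsent(storage).status === "undecided";
}

// Record an explicit choice with timestamp and policy version: the evidence
// of when, and to what, the visitor consented.
function recordChoice(storage, status, now = Date.now()) {
  if (status !== "accepted" && status !== "declined") {
    throw new Error("consent must be an explicit accept or decline");
  }
  const rec = { status, version: POLICY_VERSION, at: new Date(now).toISOString() };
  storage.setItem("cookieConsent", JSON.stringify(rec));
  return rec;
}

// Gate for non-essential cookies: written only after an explicit "accepted".
// Returns true if the cookie was set, false if it was withheld.
function setTrackingCookie(storage, setCookie, name, value) {
  if (readConsent(storage).status !== "accepted") return false;
  setCookie(`${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
  return true;
}

// In-memory stand-in for window.localStorage (constructed for the demo).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```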

3. Ensure your plugins comply with GDPR

Many plugins make use of user data. It’s important that you review which plugins make use of your user data and what they do with it, because plugins must also comply with GDPR. Many plugins, for example, make use of cookies. Such use must be listed in your privacy policy and must be subject to user consent.

Efforts are underway to create a WordPress GDPR plugin standard.


WordPress users should keep an eye on that, as it will help website administrators as well as plugin developers. Helpful plugins are also beginning to appear in the WordPress plugin GDPR section.

Joomla! developers are working on these issues as well. Follow resources such as the Joomla! newsletter for developments. Check the support pages for individual plugins you employ, such as form plugins, as that may be the first place the information and updates you need will appear.

It’s your responsibility to ensure that every plugin can export/provide/delete the user data it collects. Is that “send page by email” plugin collecting the recipient address and adding it to a list somewhere? Unless you have explicit consent, that will violate GDPR. Things like this are a big deal for plugins that make heavy use of user data, but most are working to find ways to comply. In some cases, you might need to switch to a different plugin.

4. Limit the data you collect and store via form submissions

Forms have the potential to collect lots of interesting personal data. Don’t do it. Collect only the fields you actually need for processing. Don’t keep that data for longer than absolutely required. Be aware that many form plugins store submitted forms in the database. Increasingly such plugins are being modified to include a “do not store form data” option in the configuration. Make use of it.

5. Clean up your mailing lists

Does your site incorporate a mailing list? Hopefully, you’re already employing industry-standard procedures such as double opt-in for your list. Double opt-in means that after the user provides their email, you send a message containing a confirmation link that the user must click on to finalize their subscription. Double opt-in is not required by GDPR; however, it is a good way of ensuring that you can prove proper consent was obtained. If you purchase mailing lists from a third party, experts advise you to stop. If you use a purchased list where contacts haven’t given consent for such use, you’ll be in violation of GDPR.

Your existing mailing list may be a sticking point.


If you signed any of the subscribers up without consent, those records are likely not GDPR compliant. You might need to clean your database. At the very least, ensure that you include proper unsubscribe links in any communication you send.

Individual rights are a basic tenet of GDPR compliance

Right to access and portability

You’ll need to implement a method for exporting user data to CSV or another commonly used format. If you use a CMS, you might be able to accomplish this through a plugin. Plugin developers are working to build new plugins that will help achieve this functionality. Otherwise, you’ll need to code up a system for doing this yourself.

Right to be forgotten

Be sure to implement a procedure for deleting personal data when requested. There are exceptions that allow you to keep the data, but generally, if the user asks you to remove it, you must. This includes content created by the user, such as forum or blog comments and form submissions. In the future, CMS systems like WordPress and Joomla! may add a “Delete my account” button that takes care of this for you, but so far that hasn’t happened.

[Image: Website GDPR Compliance Eraser. Caption: Don’t need it? Erase it.]

Privacy by design

Ensure you have safeguards in place to protect data and restrict sharing. Only collect data that is necessary and forget about all of those extra, interesting but not vital, questions you might add to customer signup forms.

Create a data retention policy and erase data you no longer need.


Set up restrictive access so only people who actually need particular data can access it. Consider moving your site to HTTPS, which encrypts communications between your website and a user’s browser.

Conclusion

Website GDPR compliance isn’t a simple matter, but by taking these steps, you’ll move substantially in the right direction. If you’re using a CMS system, watch for changes to the core and plugins to help you reach full compliance. In the meantime, it’s up to you to take the necessary steps to get as close as possible.

The above content should not be construed as legal or tax advice. Always consult an attorney or tax professional regarding your specific legal or tax situation.

Image by: bark / CC BY