Brad Jones, May 22, 2020

GDPR stands for General Data Protection Regulation. It is the personal data privacy regulation implemented by the European Union, and it came into force across the EU on May 25th, 2018. In this series of posts I will walk through some of the tools and procedures you can follow to start making sure that your website is GDPR compliant.

Before we begin I want to clearly indicate that this post is not a complete guide to WordPress GDPR compliance; rather, I just want to bring to light some of the tools and insights that I’ve found useful in getting closer to GDPR compliance. Secondly, I am not a lawyer, and therefore you should not rely on any of this with regard to your own legal protections, particularly with regard to your website’s Privacy and Cookie policies. You should seek out professional legal advice, which is the wisest and cheapest option for you, particularly if you end up facing legal issues with regard to GDPR data protection compliance in the future.

Overview

There are a few different areas that a WordPress website developer should consider when working toward GDPR compliance. They are as follows:

  • Technical contributions to the website’s Privacy and Cookie Policy pages
  • Consent to collect personal data when handling form submissions
  • Cookie Notifications on each page of the website
  • Personal Data Retrieval, Reporting & Deletion upon request

I intend to write a blog post on each of the topics. I do believe that if your WordPress website solution addresses each of these sufficiently, you are well on your way to achieving GDPR compliance.

Policy

As a software engineer, this is my least favorite part of GDPR compliance, and yet it is a very important component. In reality it is an area that requires input from both the lawyer and the engineer building the website. I say this because key sections that need to be covered in the data protection policies of your website include what data you collect, what it’s used for and how you protect that data from public exposure. There are also commitments made in the data protection policies of the website that require technical implementation, such as:

  • displaying a cookie notification on each page
  • including a place where a user specifies that they consent to the website storing and using their personal data before they are allowed to click the form submit button
  • including functionality that allows for the complete retrieval of all personal data for an individual who has visited your website. This can even include a requirement that the data you retrieve is machine readable and not just printed.
  • including functionality that allows for the complete deletion of the personal data for an individual who has visited your website.

There are a number of factors to consider here when building your WordPress website. For example, the default WordPress install comes with the ability to produce such reports out of the box, and at a minimum these cover things like blog comments. This is also a very important consideration for a WordPress developer when deciding which plugins to use on the website. Some plugins integrate with the default WordPress functionality for handling such requirements; this is ideal. Other plugins only help you partially meet these requirements, while still others do not offer any help in doing so. It would be a shame to spend a lot of time achieving the perfect functionality that you are looking for from a plugin and then realize, after all that work, that it is very difficult to make that functionality GDPR compliant. So some forward thinking is in order.
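To make the "integrates with the default WordPress functionality" point concrete, here is an added example (not code from this post or from any plugin it mentions) of how a plugin hooks its own stored records into the built-in Export Personal Data and Erase Personal Data tools under Tools, so that a request made for an email address also covers the plugin's data, not just comments. The plugin name "Example Quote Form", its slug, the table wp_example_quote_requests and its columns are all assumptions made for the example; the filter names and callback return shapes are the ones WordPress core defines.

```php
<?php
/**
 * Hypothetical plugin "Example Quote Form" (assumption for this example).
 * Registers a personal data exporter and eraser for a quote-request form that
 * stores submissions in the (assumed) table wp_example_quote_requests with the
 * columns id, email, name, phone, message, created_at.
 */

// Tell the Export Personal Data tool that this plugin holds personal data.
add_filter( 'wp_privacy_personal_data_exporters', 'example_quote_register_exporter' );
function example_quote_register_exporter( $exporters ) {
    $exporters['example-quote-form'] = array(
        'exporter_friendly_name' => __( 'Example Quote Form requests', 'example-quote-form' ),
        'callback'               => 'example_quote_exporter',
    );
    return $exporters;
}

// WordPress calls the exporter repeatedly with an increasing $page until 'done' is true.
function example_quote_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'example_quote_requests';

    // The email comes from the request, so it always goes through $wpdb->prepare().
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name, phone, message, created_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address,
            $per_page,
            $offset
        )
    );
    $rows = (array) $rows;

    // Each row becomes one item in the export; 'group_id' groups items under one heading.
    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-quote-requests',
            'group_label' => __( 'Quote requests', 'example-quote-form' ),
            'item_id'     => 'quote-request-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Name', 'example-quote-form' ),      'value' => $row->name ),
                array( 'name' => __( 'Phone', 'example-quote-form' ),     'value' => $row->phone ),
                array( 'name' => __( 'Message', 'example-quote-form' ),   'value' => $row->message ),
                array( 'name' => __( 'Submitted', 'example-quote-form' ), 'value' => $row->created_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // a short page means there is nothing further to fetch
    );
}

// Tell the Erase Personal Data tool how to remove this plugin's records.
add_filter( 'wp_privacy_personal_data_erasers', 'example_quote_register_eraser' );
function example_quote_register_eraser( $erasers ) {
    $erasers['example-quote-form'] = array(
        'eraser_friendly_name' => __( 'Example Quote Form requests', 'example-quote-form' ),
        'callback'             => 'example_quote_eraser',
    );
    return $erasers;
}

function example_quote_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_quote_requests';

    // Deleting by email removes every matching row at once, so no paging is needed here.
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,   // set to true and add a message if a legal duty requires keeping some data
        'messages'       => array(),
        'done'           => true,
    );
}
```

With this in place, the site owner confirms a request on the Export or Erase Personal Data screen and the plugin's rows appear in the generated export, or are deleted, alongside the data WordPress core already handles. Reporting items_retained honestly matters: if some records must be kept (for example, invoices), say so in messages rather than silently leaving them behind.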

Types of Policy

There are two key areas of policy that you have to be sure to include if you want to move toward GDPR compliance with your website: first a Privacy Policy and second a Cookie Policy.

Privacy Policy

Your website’s Privacy Policy is the most significant area of policy that you must include in order to move toward GDPR compliance. Fortunately, WordPress offers some initial help in writing this important page of your website.

First, when you install WordPress there is a Privacy Policy page included “out of the box”, and it already includes verbiage for things like the data you collect when a comment is submitted. I have found this to be a helpful reference when writing about the other ways that you might be collecting personal data on your website.

Second, there is a privacy policy guide that you can use as a reference while you write your privacy policy. It covers the general sections a privacy policy should include. Some plugins also contribute verbiage to use when you are writing your website’s Privacy Policy page, and the guide makes this verbiage available for copy and paste. The guide is typically found at the following relative path of your WordPress website:

/wp-admin/privacy-policy-guide.php
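The way a plugin gets its suggested wording onto that guide page is the core helper wp_add_privacy_policy_content(). The following is an added example (not code from this post or from any real plugin) for the same hypothetical "Example Quote Form" plugin; the plugin name, slug and the suggested policy text are assumptions. The text only appears in the guide for the site owner to copy and adapt; nothing is published to the live policy automatically.

```php
<?php
/**
 * Hypothetical plugin "Example Quote Form" (assumption for this example).
 * Contributes suggested wording to the Privacy Policy Guide at
 * /wp-admin/privacy-policy-guide.php so the site owner can copy and adapt it.
 */
add_action( 'admin_init', 'example_quote_add_privacy_policy_content' );
function example_quote_add_privacy_policy_content() {
    // The helper was added in WordPress 4.9.6; do nothing on older installs.
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return;
    }

    // Describe what the form collects, why, and how long it is kept: the details
    // the post says the engineer must hand to the lawyer. Wording is illustrative.
    $content = sprintf(
        '<h2>%s</h2><p>%s</p><p>%s</p>',
        __( 'Quote request form', 'example-quote-form' ),
        __( 'When you submit a quote request we store the name, email address, phone number and message you provide, together with the time of submission, so that we can respond to your request.', 'example-quote-form' ),
        __( 'This data is kept until your request has been handled or until you ask us to delete it. It is not used for advertising and is not shared with third parties.', 'example-quote-form' )
    );

    // First argument is the name shown in the guide; second is the suggested HTML text.
    wp_add_privacy_policy_content(
        __( 'Example Quote Form', 'example-quote-form' ),
        wp_kses_post( $content )
    );
}
```

After activation the guide lists the plugin under its own heading with the suggested paragraphs, which is exactly the "verbiage made available for copy and paste" described above. The site owner still has to edit it to match what the site really does with the data.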

The privacy policy should also include the details about what specific personal information you store for each part of your website. These details should include not only what you store but also how that data is used by your company after it is stored, whether it be to facilitate communication with your website visitors, to facilitate the services offered by the website, to track user usage patterns on the website, or even to inform advertising, etc. These are details that a lawyer cannot come up with on their own. The person who built the website needs to provide the lawyer with this information, which they can then take away and form into the wording of a policy that is legally sound.

Cookie Policy

In order to be GDPR compliant your website should also include a cookie policy. Sometimes you find the cookie policy worked into the Privacy Policy, and other times you find them written separately. Either way, the cookie policy typically includes a definition of what a cookie is, a listing of the types of cookies that you use on your website, and references to published instructions for how to block and delete cookies in the popular browsers of the time.

Copying another website’s privacy and cookie policy

It may be very tempting to look for a website that is similar to yours and then just copy and paste their policy verbiage. This is a bad idea, and I would only suggest copying it as an initial template that you then rework and reword so that your policies apply to your specific organization’s approach to handling personal data. It is also a bad idea because a company’s privacy policy is their own property, and copying it without their permission is a violation of copyright law. Here is a good article that explains why it’s a bad idea to do this.

Conclusion

With regard to both the Privacy Policy and the Cookie Policy, it is really quite important that you seek out professional legal advice to ensure that you have legal coverage in the event that something bad happens with regard to personal data. I have found that it’s helpful to provide the specific technical details in a draft privacy/cookie policy prior to seeking out legal advice.

We are a company that writes software, including WordPress websites. If you would like help in implementing a GDPR compliant website, please don’t hesitate to fill out a quote and we’ll get back to you as soon as we can to help.
