“How Do I Make My Website GDPR Compliant?”


… is a question that will be coming up a lot in 2018 because of the EU General Data Protection Regulation (GDPR), the privacy law adopted by the European Parliament and the Council of the EU in April 2016. It governs how the personal data of people in the EU is collected and processed, which includes the data your website visitors hand you. It replaces Directive 95/46/EC and applies from May 25, 2018.


What is GDPR?

Basically, your website users get defined rights over their personal data, and your site has to state plainly what data you collect and exactly why you need it. Where you rely on consent, it is then theirs to give or withhold. In depth, however, it’s a little more complicated than that.

What does making my website GDPR compliant mean for everyone?

If you are a website owner and collect personal data via web forms, your website needs to comply with this regulation as of May 25, 2018. Keep in mind that personal data is broader than form fields: the GDPR treats online identifiers such as IP addresses and cookie IDs as personal data, so server logs, analytics and comment metadata are in scope too. It is also important that you update your site’s Privacy Policy to cover all personal information that is being collected through your site.


The good news is that there is a dedicated team of WordPress Core contributors working on GDPR-proofing the Core code before May 25. They have a website (and associated Slack channel) set up where admins and devs can keep up with the progress and see what you need to do to get yourself (and your clients) in compliance. Here’s the breakdown of what you’re responsible for:

  • Explaining who you are, what data you collect, why you need it, how long you’re keeping it, and who on your team or externally has access to it
  • Getting explicit and clear consent to collect data through an opt-in (an unticked box the user has to tick; pre-ticked boxes and silence do not count as consent)
  • Giving users access to their own data, the ability to download it, and to delete it from your records completely
  • In the event of a hack or security breach, letting your users know about it (the GDPR also requires notifying your supervisory authority within 72 hours of becoming aware of a breach, and the affected users without undue delay when the breach is likely to put them at high risk)


How do I make my website GDPR Compliant?

Making your website GDPR-compliant is fairly straightforward for a typical site that collects data through forms. The information the GDPR’s retention and transparency clauses require, the why, how and who of the data, can go in either your Terms of Service or your Privacy Policy. And it’s a good idea to put it there, because an opt-in only counts as informed consent if the user could read that information before ticking the box.

The actionable step here is two-fold:

First, make sure your ToS and Privacy Policy are GDPR compliant themselves. Second, add explicitly required fields to every form indicating acceptance of both documents before processing anything. Checkboxes are fine, as long as they start unticked and the check is enforced on the server rather than only in the browser; text fields where users type “I agree” are even better (but are truly obnoxious). Two caveats a practitioner should know: the GDPR requires that a request for consent be clearly distinguishable from other matters, so a separate box for consent-based processing (a newsletter, say) is safer than folding it into a blanket “I accept the terms” tick; and you must be able to demonstrate that consent was given, so record who consented, to what, to which version of the policy, and when.

A good suggestion would be to add a paragraph to your Terms of Service about accepting the Privacy Policy as a term and linking to it directly from the ToS. Then, in the Privacy Policy, add a paragraph discussing its role in the ToS, as well as exactly how your site manages data in compliance with the GDPR. Specifically, you will need to provide detailed instructions in your Privacy Policy explaining each of the following.

  • How to access and download a complete record of any data you have on them
  • The process through which users can have their data fully deleted from your records (and not simply unsubscribed, flagged inactive, etc.) under the GDPR’s right to erasure, the ‘right to be forgotten’ already recognised in the EU before the GDPR
  • Detailed explanations of who you are, what you use the data for, who has access to it, and how long you retain it
  • Exactly how you will inform users of data breaches if they ever happen
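The consent gate described under the two-fold actionable step, together with the access/download and full-deletion processes the Privacy Policy has to explain, as an added Python example. This is not WordPress core or plugin code and not the page’s own; the policy version strings, the in-memory `UserStore`, the field names `accept_tos`, `accept_privacy` and `purposes`, and the sample submission are all constructed for illustration.

```python
"""Server-side consent gate plus data export and erasure (added example)."""
from __future__ import annotations

from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Hypothetical policy versions. Recording which text a user agreed to means a
# later policy change does not silently inherit old consent.
TOS_VERSION = "tos-2018-05"
PRIVACY_VERSION = "privacy-2018-05"


@dataclass
class ConsentRecord:
    """Evidence that consent was given: who, to what, which version, when."""
    user_id: str
    purposes: tuple[str, ...]
    tos_version: str
    privacy_version: str
    recorded_at: str  # ISO-8601 UTC timestamp
    source_ip: str    # where the form was submitted from


@dataclass
class UserStore:
    """Constructed in-memory stand-in for the site's database."""
    profiles: dict[str, dict] = field(default_factory=dict)
    consents: dict[str, list[ConsentRecord]] = field(default_factory=dict)
    erasures: list[str] = field(default_factory=list)  # timestamps only, no identifiers


def validate_consent(form: dict) -> list[str]:
    """Return the problems with a submission; an empty list means it may be processed.

    A box only counts when it arrives with the exact value the template sets.
    An absent key, an empty value or any other string (e.g. a tampered request
    or a field the browser never sent) is treated as 'consent not given'.
    """
    problems = []
    if form.get("accept_tos") != "yes":
        problems.append("Terms of Service not accepted")
    if form.get("accept_privacy") != "yes":
        problems.append("Privacy Policy not accepted")
    # Consent is per purpose: the user has to pick what the data is used for.
    if not form.get("purposes"):
        problems.append("no processing purpose selected")
    return problems


def record_submission(store: UserStore, form: dict, source_ip: str) -> str:
    """Process a form only after the consent gate passes; returns the user id."""
    problems = validate_consent(form)
    if problems:
        raise ValueError("; ".join(problems))
    user_id = form["email"].strip().lower()
    store.profiles[user_id] = {"email": form["email"], "name": form.get("name", "")}
    store.consents.setdefault(user_id, []).append(ConsentRecord(
        user_id=user_id,
        purposes=tuple(form["purposes"]),
        tos_version=TOS_VERSION,
        privacy_version=PRIVACY_VERSION,
        recorded_at=datetime.now(timezone.utc).isoformat(),
        source_ip=source_ip,
    ))
    return user_id


def export_user_data(store: UserStore, user_id: str) -> dict:
    """Everything held about one user, in a machine-readable form (right of access)."""
    return {
        "profile": store.profiles.get(user_id),
        "consents": [asdict(c) for c in store.consents.get(user_id, [])],
    }


def erase_user(store: UserStore, user_id: str) -> bool:
    """Remove every record for the user, rather than flipping an 'unsubscribed' flag.

    Returns True if anything was deleted. The erasure log keeps only the time,
    so the log itself does not become a new store of personal data.
    """
    had_data = user_id in store.profiles or user_id in store.consents
    store.profiles.pop(user_id, None)
    store.consents.pop(user_id, None)
    if had_data:
        store.erasures.append(datetime.now(timezone.utc).isoformat())
    return had_data


if __name__ == "__main__":
    # Constructed sample submission, as a browser would post it after the user
    # ticked both boxes and chose one purpose.
    db = UserStore()
    uid = record_submission(db, {"email": "Ada@Example.org", "name": "Ada",
                                 "accept_tos": "yes", "accept_privacy": "yes",
                                 "purposes": ["newsletter"]}, "198.51.100.7")
    print(export_user_data(db, uid))
    print("erased:", erase_user(db, uid), export_user_data(db, uid))
```

The gate compares against a fixed value instead of testing for truthiness so that a browser that sends `on`, a blank string, or nothing at all cannot slip through, and the consent record is what you would hand over if a supervisory authority asked you to demonstrate consent.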

It is now more important than ever to have a Privacy Policy in place. It was pretty important before because Google wanted you to have one. And that importance has just skyrocketed.



As always, talk to your attorneys to help identify the risks and ensure your processes comply with the GDPR, and work with your tech team to build the needed safeguards to collect the data, export it on request and delete it completely.