What’s the GDPR, and does it matter for me even though I’m not in the European Union?
Whether you are located in the EU or not, this law applies across borders. Although your website might not be hosted or located in the EU, some of your website visitors could be from the EU, and if so, then you need to comply with the law. Of course, you could block visitors from the EU, but it’s a much better idea to comply with the law anyway, since its regulations are really the right way to treat privacy these days.
The new GDPR law promotes “the right way” to manage your users’ privacy rights.
If you are already collecting any personal information, in any way, then you should make sure that the way you treat the information, and the way you communicate with your website visitors, is done properly. As I suggest in Section 11, when teaching about collecting an email list using MailChimp, you should always use a “double opt-in” system, so that to get on the list, users must actively confirm their consent. By using MailChimp’s (or any other provider’s) double-opt-in system, you are already compliant with the GDPR in that respect.
MailChimp and other providers have already formed their own Privacy Policies, but you still need to define your own if you are using services like this on your website. This includes Google Analytics!
What if I’m not collecting any personal information? Do I still need to do anything?
Yes! And, no! Well, if you don’t keep any information at all about your website visitors, then it’s true, you don’t have to add a Privacy Policy to your site (as WordPress now provides), or change anything at all. However, there are several ways you might actually be collecting information and not know it. Two very common functions of a website are using Google Analytics for tracking, and the presence of a Contact Form so that visitors can reach out to ask a question. In either of these cases, you must disclose to your visitors (through a Privacy Policy page) exactly what you are doing with the information collected.
If you use the WordPress commenting system, or allow user registration, then you are already collecting personal information.
Google Analytics saves a user’s IP address for a period of time, and also uses cookies on your website, so if you do use Google Analytics on your website, you should state those things in your Privacy Policy, including the data retention period you’ve chosen in your Google Analytics settings. Since a contact form will send you the information the user filled out, like an email address and name, you do need to define how long you will be keeping this information, and what you will be using it for. Again, this needs to be stated in your Privacy Policy.
Ok, how does WordPress help me become compliant with the GDPR?
There are several requirements in the GDPR, about what you need to do if you are collecting any information about your website visitors from the EU. (You should enact these for everyone anyway.)
First, as I mentioned, you need to publish a Privacy Policy on your website that states what information you keep, and for how long. WordPress version 4.9.6 and later includes new sections, under Settings > Privacy, Tools > Export Personal Data and Tools > Erase Personal Data, that will help you with this. Second, you need to accept requests from visitors to see the information you’ve collected about them, and to delete that information upon request.
How do I create a Privacy Policy page and content through WordPress?
When you click Settings > Privacy in your WordPress Dashboard, you’ll be presented with a pretty straightforward set of instructions on creating a Privacy Policy page. This includes a template of sample text that you can edit for your own purposes. When you allow WordPress to create the new Privacy Policy page for you, it will contain a bunch of paragraphs that you’ll need to edit (and remove some) to customize it for yourself. This is where you will add anything extra that you need, like your own Contact Form data policy, and your Google Analytics data policy as well.
This can be as simple as deleting any paragraphs you don’t need, and following the instructions in the sample text to create your Privacy Policy page. Don’t forget to provide navigation to the page on your site as well, so it can be found by your website visitors.
What about the new Personal Data “export” and “erase” tools in WordPress?
These new tools are for the WordPress Users system only. If your website allows visitors to register, or allows them to comment on posts, then you are collecting personal data directly into your WordPress database. That means that because of the new GDPR regulations, you’ll need to provide a way for your users to be able to view the information you’ve collected on them, as well as comply with their “right to be forgotten.”
WordPress provides both these tools (for internal users in the WP system only) such that if a user or commenter requests their personal information from you, you have a way to easily provide it, as well as remove it if requested. Use these two tools if you get either of these requests from any of your users.
WordPress makes it easy to comply with GDPR in this way, but only for the WP Users and the commenting system. If you have another place you keep personal data, like MailChimp for example, then you will have to use their own system to comply if requested.
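One practical note on the export and erase tools described above: WordPress lets a plugin or theme plug its own data into those same two screens, so contact form submissions stored in your own database table can be exported and erased alongside the user and comment data. The following is an added example, not code from the course or from WordPress itself; it uses the core `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters (available since WordPress 4.9.6) and assumes a hypothetical table named `{$wpdb->prefix}contact_submissions` with columns `id`, `name`, `email`, `message` and `submitted_at`, which a contact form plugin is assumed to write to.

```php
<?php
/**
 * Added example (not from the course): register a custom exporter and eraser
 * with the Tools > Export Personal Data / Erase Personal Data screens, for
 * personal data kept outside the WordPress Users and Comments tables.
 *
 * Assumption: a hypothetical table {$wpdb->prefix}contact_submissions with
 * columns id, name, email, message, submitted_at, written by a contact form.
 */

// Register the exporter. The filter name and callback contract are core WordPress (4.9.6+).
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_contact_exporter' );
function example_register_contact_exporter( $exporters ) {
	$exporters['example-contact-form'] = array(
		'exporter_friendly_name' => 'Contact form submissions',
		'callback'               => 'example_contact_exporter',
	);
	return $exporters;
}

// WordPress calls this with $page = 1, 2, ... until the callback reports 'done' => true.
function example_contact_exporter( $email_address, $page = 1 ) {
	global $wpdb;
	$per_page = 100;
	$offset   = ( $page - 1 ) * $per_page;
	$table    = $wpdb->prefix . 'contact_submissions'; // hypothetical table

	// Parameterised query: the requester's email never reaches SQL unescaped.
	$rows = $wpdb->get_results(
		$wpdb->prepare(
			"SELECT id, name, email, message, submitted_at FROM {$table}
			 WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
			$email_address,
			$per_page,
			$offset
		)
	);

	$export_items = array();
	foreach ( $rows as $row ) {
		$export_items[] = array(
			'group_id'    => 'contact-submissions',
			'group_label' => 'Contact form submissions',
			'item_id'     => 'contact-submission-' . $row->id,
			'data'        => array(
				array( 'name' => 'Name',      'value' => $row->name ),
				array( 'name' => 'Email',     'value' => $row->email ),
				array( 'name' => 'Message',   'value' => $row->message ),
				array( 'name' => 'Submitted', 'value' => $row->submitted_at ),
			),
		);
	}

	return array(
		'data' => $export_items,
		'done' => count( $rows ) < $per_page, // a short page means there is no more data
	);
}

// Register the eraser for the same data (the "right to be forgotten").
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_contact_eraser' );
function example_register_contact_eraser( $erasers ) {
	$erasers['example-contact-form'] = array(
		'eraser_friendly_name' => 'Contact form submissions',
		'callback'             => 'example_contact_eraser',
	);
	return $erasers;
}

function example_contact_eraser( $email_address, $page = 1 ) {
	global $wpdb;
	$table   = $wpdb->prefix . 'contact_submissions'; // hypothetical table
	$deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

	return array(
		'items_removed'  => (bool) $deleted,
		'items_retained' => false,   // set to true, with a message, if some rows must be kept (e.g. a legal hold)
		'messages'       => array(),
		'done'           => true,
	);
}
```

Drop this into a small site-specific plugin (or your child theme’s functions.php). The callbacks receive the email address from the request WordPress created under Tools > Export/Erase Personal Data, and WordPress asks the requester to confirm that request by email before it is fulfilled, so do not wire these functions to a public form where anyone could type in somebody else’s address. Keeping the retention period you promised in your Privacy Policy (for example, a scheduled cleanup of old submissions) is separate from this, but the same table is the natural place to apply it.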
Please feel free to ask more questions, if you have them, in the lively Q&A section of this course, The Complete WordPress Website Business Course. I’ll also be publishing new content in the course about this, with even more detail, in the video lessons.
Here are two excellent resources, if you would like more information.
GDPR as regards Online Marketing: https://www.digitalmarketer.com/gdpr-summary/
General list of GDPR resources: https://torquemag.io/2018/05/gdpr-resources/
Your grateful instructor,
Gregg Davis