Making a Website GDPR Compliant

by | Jun 4, 2018 | GDPR, WordPress

The Issue

The European Union created a regulation called the General Data Protection Regulation (GDPR). GDPR gives web users specific rights, including the right to have any information your website has collected about them deleted. There are lots of web pages that discuss the legal requirements for bringing a website into compliance with GDPR, but few spell out exactly (or even roughly) how to do it.

The GDPR went into effect on May 25, 2018, and already Google and several other large corporations have been sued for violating the regulation. There are huge fines involved, so those companies spent a couple of years setting everything up to be sure they were compliant. I spent a few days sorting out what I could do with the WordPress websites I manage. I’ll tell you what I did, but there is no way I can guarantee you will end up in compliance with the GDPR. You should, however, be in a much better position than if you do nothing.

General Background

The essence of what you need for compliance is a Privacy Policy that explains how you are interacting with the individual who is looking at your website. You need to explain what kind of information you are collecting, how you are using it, what kinds of cookies you are using, and so on.

Next, you need a way to tell people exactly what information you have about them and how they can delete it from your system.

Finally, you should have a Terms and Conditions page that explains what is expected of the users of your website. This page should give your lawyers something to work with if someone uses your website inappropriately.

Terms and Conditions

The best approach is to take a look at the terms and conditions associated with other websites.  You are welcome to take a look at our Terms and Conditions and modify them to fit your needs.  If you have a lawyer, perhaps they can write something up for you.

Once you have your Terms and Conditions page written, go ahead and publish it.  You will probably want to check your menus to see if it shows up automatically.  If it does,  you may want to remove it from whichever menu it appears on.  We’ll put it on a menu somewhere when we have the other pages ready.

Contact Page

You probably already have a contact page with a form that people can use to send you an email. The GDPR requires you to inform people why you are asking for the information your form requests or requires. The idea is to minimize the information you collect to what is required for your website and company to function properly. After you remove all the fields in your contact form that ask for information you don’t really need, add something like the following below the form:


We ask for:

  1. your name, first name will do, so we can distinguish you from other users of the email address you provide.
  2. your email address, so that we can respond to the message you provide.
  3. a message, so we can properly respond to you.

By clicking “Submit” you are confirming that you understand what will happen with your information as explained in our Privacy Policy and you are providing this information voluntarily.


If your website allows people to create an account, you will need to do something similar for each page that requests information. The GDPR Framework plugin offers additional information on how to improve compliance of your contact form.

GDPR Framework Plugin

I looked at several GDPR compliance plugins and decided to use the GDPR Framework plugin. It was developed with the help of European Union lawyers and will automatically generate the basic pages you need on your website. The developers also provide a lot of documentation if you want to really dig into the details.

Here are the steps:

  1. Download, install and activate GDPR Framework
  2. Work through the GDPR Wizard reading all the instructions as you go. You may save and leave the wizard at any time and return to it at Tools > Privacy to continue as needed.
    a. Generate the Privacy Policy template and edit it as needed.  The template suggests places where specific information is needed.  Check other websites to see what they included in their privacy policies so that you will get the idea and can develop something that will work for your website.

    b. If you are not in the EU and are in an English-speaking country, use Ireland as your Supervisory Authority.  Otherwise, use the authority in your EU country or an authority that speaks your language.

    c. Generate the Privacy Tool page.

  3. Add something like this to the bottom of the Privacy Tool page: “Note: If you are not logged in, we ask for your email address, so we can determine whether we have any information about you.  We will immediately send you an email with a link to access your data.  That link will be valid for 15 minutes.”
  4. Review each of the pages to be sure they contain the information needed.
  5. Publish the new pages (again, check to see if they automatically show up in a menu.  If so, you may want to remove them from that menu for now).
  6. Tell WordPress (Version 4.9.6 or better) where your Privacy Policy is located, at Settings > Privacy.
  7. Add your Privacy Policy, Privacy Tools, and Terms and Conditions to a menu (Appearance > Menus).  I’ve been adding these to the bottom menu on my websites.
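The note in step 3 describes a link that is bound to one email address and expires after 15 minutes. The following is an added illustration of how such a time-limited, single-use access link can be built and checked; it is not the GDPR Framework plugin’s code, and the secret key, the in-memory “redeemed” store and the 15-minute lifetime are assumptions made for the example. The token carries the email address, an expiry time and a unique id, all protected by an HMAC, so a tampered or expired link is rejected before any personal data is shown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical server-side secret; a real deployment loads this from configuration.
SECRET_KEY = b"example-secret-do-not-use-in-production"
LINK_LIFETIME_SECONDS = 15 * 60   # the 15-minute window mentioned in the note
SIGNATURE_LENGTH = hashlib.sha256().digest_size  # HMAC-SHA256 produces 32 bytes

# Constructed in-memory store of token ids that have already been redeemed,
# so each emailed link works only once (a real site would persist this).
_redeemed_token_ids = set()


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the serialized claims."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_access_token(email: str, now: Optional[float] = None) -> str:
    """Create the signed, time-limited token to embed in the emailed link."""
    issued_at = int(now if now is not None else time.time())
    claims = {
        "email": email.strip().lower(),
        "exp": issued_at + LINK_LIFETIME_SECONDS,
        "jti": secrets.token_hex(8),  # unique id so the token can be marked as used
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    # Layout: <json payload><32-byte signature>, URL-safe base64 for use in a link.
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def verify_access_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the verified email address, or None if the link must be rejected."""
    current = now if now is not None else time.time()
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeError):
        return None
    if len(raw) <= SIGNATURE_LENGTH:
        return None
    payload, signature = raw[:-SIGNATURE_LENGTH], raw[-SIGNATURE_LENGTH:]
    # Check the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(signature, _sign(payload)):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if current > claims.get("exp", 0):
        return None  # link older than 15 minutes
    if claims["jti"] in _redeemed_token_ids:
        return None  # link already used once
    _redeemed_token_ids.add(claims["jti"])
    return claims["email"]


if __name__ == "__main__":
    link_token = issue_access_token("Someone@Example.org")
    print("email the link with token:", link_token)
    print("first use  ->", verify_access_token(link_token))
    print("second use ->", verify_access_token(link_token))
```

The order of the checks matters: the signature is verified before the expiry or the email is read, so nothing from an unauthenticated token influences a decision, and the expiry is compared against the server clock, not one supplied by the visitor.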

Cookie Notice Plugin

The GDPR, or an earlier requirement (I’m not sure which, or maybe both), requires you to tell your visitors that you are using cookies and get them to say that’s OK. All Cookie Notice does is put a check box next to your message so that the user either clicks the box or continues using the website. Here are the steps to using Cookie Notice:

  1. Download and activate the Cookie Notice plugin by dFactory.
  2. Open the plugin settings and
    1. Provide a message to appear next to the check box, like “We use cookies to give you the best experience on our website. By using this website, you consent to the use of cookies.”
    2. Put the appropriate response on the button, like “OK”.
    3. Enable the Privacy Policy link so the user can quickly find and review it, should they choose to do so. Give the button a name, like “Read More”, and set it to look to your privacy policy.
    4. Enable reloading the page after cookies are accepted, and enable cookie acceptance when the user scrolls 100 pixels.  You are not allowed to force someone to accept cookies, but you are required to give them the option to do so.  These settings make that painless for your users.
    5. I set the message/buttons to appear at the top of the page.
    6. Choose style settings and colors to fit on your website.
    7. Save the changes and check your website to see how it looks and works.

New WordPress Features

WordPress 4.9.6 and newer contain some features specifically designed to help with GDPR compliance.  WordPress now recognizes your Privacy Policy and Terms and Conditions pages and automatically adds two check boxes to the form in which comments are submitted to your blog, like this:

[Image: Comment Check Boxes]

WordPress also adds a link to the Privacy Policy on the form that new users of your website fill out in order to get an account on your website – if you have your website set up to accept members.

Conclusion

I am not an expert on GDPR and I am not a lawyer.  The information provided here is intended to help me remember what I did and help you get started with GDPR compliance.  As I learn more and experiment with various settings on various websites, I plan to add to this post.  If you need more details on GDPR, use the documentation provided with the GDPR Framework plugin.