Making a Website GDPR Compliant
The European Union created a regulation called the General Data Protection Regulation (GDPR). GDPR gives web users specific rights, including the ability to delete any information your website has collected about them. There are lots of web pages that discuss the legal requirements for bringing a website into compliance with GDPR, but few that spell out exactly how to do it, sort of.
The GDPR went into effect on May 25, 2018, and already Google and several other large corporations have been sued for violating the regulation. There are huge fines involved, so those companies spent a couple of years setting everything up to be sure they were compliant. I spent a few days sorting out what I could do with the WordPress websites I manage. I’ll tell you what I did, but there is no way I can guarantee you will end up in compliance with the GDPR. You should, however, be in a much better position than if you do nothing.
Next, you need a way to tell people exactly what information you have about them and how they can delete it from your system.
Finally, you should have a Terms and Conditions page that explains what is expected of the users of your website. This page should give your lawyers something to work with if someone uses your website inappropriately.
Terms and Conditions
The best approach is to take a look at the terms and conditions associated with other websites. You are welcome to take a look at our Terms and Conditions and modify them to fit your needs. If you have a lawyer, perhaps they can write something up for you.
Once you have your Terms and Conditions page written, go ahead and publish it. You will probably want to check your menus to see if it shows up automatically. If it does, you may want to remove it from whichever menu it appears on. We’ll put it on a menu somewhere when we have the other pages ready.
You probably already have a contact page with a form that people can use to send you an email. The GDPR requires you to inform people why you are asking for the information your form requests or requires. The idea is to minimize the information you collect to what your website and company need in order to function properly. After you remove every field in your contact form that asks for information you don’t really need, add something like the following below the form:
We ask for:
- your name (a first name will do), so we can distinguish you from other users of the email address you provide.
- your email address, so that we can respond to the message you provide.
- a message, so we can properly respond to you.
If your website allows people to create an account, you will need to do something similar for each page that requests information. The GDPR Framework plugin offers additional information on how to improve compliance of your contact form.
GDPR Framework Plugin
I looked at several GDPR compliance plugins and decided to use the GDPR Framework plugin. It was developed with the help of European Union lawyers and will automatically generate the basic pages you need on your website. The developers also provide a lot of documentation if you want to really dig into the details.
Here are the steps:
- Download, install and activate GDPR Framework
- Work through the GDPR Wizard reading all the instructions as you go. You may save and leave the wizard at any time and return to it at Tools > Privacy to continue as needed.
- Generate the Privacy Tool page.
- Add something like this to the bottom of the Privacy Tool page: “Note: If you are not logged in, we ask for your email address, so we can determine whether we have any information about you. We will immediately send you an email with a link to access your data. That link will be valid for 15 minutes.”
- Review each of the pages to be sure they contain the information needed.
- Publish the new pages (again, check to see if they automatically show up in a menu; if so, you may want to remove them from that menu for now).
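The emailed, 15-minute access link in the note above is doing real security work: it proves the requester controls the email address before any personal data is disclosed. Below is an added illustration of that mechanism in Python, written for this post; it is not the GDPR Framework plugin’s own code, and the secret key, the sample data and every function name are assumptions.

```python
# Constructed illustration of a time-limited, signed data-access link
# (not the GDPR Framework plugin's code). A visitor who is not logged in
# enters an email address; the link they receive works only for that
# address and only for 15 minutes, and a forged or edited link is rejected.
import base64
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 15 * 60             # the 15-minute validity from the note
SITE_SECRET = secrets.token_bytes(32)  # assumption: per-site secret kept server-side

# Constructed sample of the personal data the site holds, keyed by normalised email.
PERSONAL_DATA = {
    "alice@example.com": {"name": "Alice", "messages": ["Question about pricing"]},
}

def make_access_token(email, now=None, key=SITE_SECRET):
    """Build 'base64url(email|expiry).hmac' so address and expiry are tamper-evident."""
    expiry = int(now if now is not None else time.time()) + LINK_TTL_SECONDS
    payload = f"{email.strip().lower()}|{expiry}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + tag

def verify_access_token(token, now=None, key=SITE_SECRET):
    """Return the email the token was issued for, or None if malformed, forged or expired."""
    try:
        encoded, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
        email, expiry_str = payload.decode().rsplit("|", 1)
        expiry = int(expiry_str)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison of the MAC
        return None
    current = now if now is not None else time.time()
    return None if current > expiry else email

def request_access(email, now=None):
    """Privacy page on submit: the same message whether or not the address is known,
    so the form cannot be used to test which emails the site holds; the token is emailed."""
    return ("We have sent an email with a link to access your data.",
            make_access_token(email, now))

def fetch_data(token, now=None):
    """The emailed link: disclose records only for a verified, unexpired token."""
    email = verify_access_token(token, now)
    return None if email is None else PERSONAL_DATA.get(email, {})
```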
Cookie Notice Plugin
The GDPR, or a prior requirement (I’m not sure which, or maybe both), requires you to tell your visitors that you are using cookies and to get them to say that’s OK. All Cookie Notice does is put a check box next to your message so that the user either clicks the box or continues using the website. Here are the steps for using Cookie Notice:
- Download and activate the Cookie Notice plugin by dFactory.
- Open the plugin settings and:
- Put the appropriate response on the button, like “OK”.
- Enable reloading the page after cookies are accepted, and enable cookie acceptance when the user scrolls 100 pixels. You are not allowed to force someone to accept cookies, but you are required to give them the option to do so. These settings make that painless for your users.
- I set the message/buttons to appear at the top of the page.
- Choose style settings and colors to fit on your website.
- Save the changes and check your website to see how it looks and works.
New WordPress Features
I am not an expert on GDPR and I am not a lawyer. The information provided here is intended to help me remember what I did and to help you get started with GDPR compliance. As I learn more and experiment with various settings on various websites, I plan to add to this post. If you need more details on GDPR, use the documentation provided with the GDPR Framework plugin.