Many changes are coming for WordPress in 2018, and not least is the General Data Protection Regulation (GDPR) that the European Union is enacting, starting from May 25, 2018. The TL;DR version is that the GDPR says users have full control over their data, and you have to tell them why you need it, at which point they can give the green light or not. In practice, though, it is a little more complicated than that.
- 1 WordPress and the GDPR
- 2 The GDPR opt-in
- 3 Ask for the minimum information
WordPress and the GDPR
Since WordPress now accounts for 30% of the web, we have a lot of cleaning up to do. Data flows between our sites and our users, and the GDPR says it is our responsibility to run our sites so that users can manage their own data. Even though it is a regulation adopted by the EU, it affects organisations almost everywhere: if you collect so much as a bit or a byte of data about a person in the EU (regardless of your own location), you are subject to this law, because you then hold information about someone the GDPR protects. And if you are found non-compliant, you can be fined up to 20 million euros (or 4% of annual worldwide turnover, whichever is higher).
It's scary for a lot of people.
The good news is that there is a dedicated team of WordPress Core contributors working on GDPR-proofing the core code before May 25th. They have a website (and an associated Slack channel) set up where administrators and developers can track progress and see what you need to do to get yourself (and your customers) into compliance. Here is the breakdown of what you are responsible for:
- Explain who you are, how long you keep the data, why you need it, and who inside or outside your team has access to it
- Obtain explicit and clear consent to collect data via an opt-in
- Give users access to their own data, and the ability to download it and delete it completely from your records
- In case of a hack or security breach, inform your users about it
For more detailed explanations of the GDPR, you can read our Overview of Data Regulation in 2018, the European Commission's official infographic on the GDPR, and Automattic's official support article on WordPress and the GDPR.
All that said, you need to know what you can actually do to comply with the GDPR. Here are some specific steps you can take to protect yourself (and protect your users' data).
The GDPR opt-in
The most important aspect of all this is the GDPR opt-in. Let me be clear about this: an opt-in is by no means the same as an opt-out. The EU says you must "get their clear consent to process the data." This means users must explicitly say yes, not merely be able to say no.
Here is an example: you run a dropshipping business online, and maybe you are using WooCommerce. When users reach your checkout page, you have a checkbox that says "[x] Yes, I want to sign up for your amazing email list!"
No problem, right? Wrong: if the box is checked by default, you are at fault. A pre-checked box only gives them the opportunity to opt out, and that is not what the GDPR opt-in rule says. They must explicitly state that they choose to share their information with you.
The same applies to comment sections that automatically subscribe people to the discussion, or any other kind of automated contact that is not directly initiated by the user. (Pop-up dialogs like Intercom may be acceptable, because they do not collect the user's data until the user chooses to engage, but they could still be affected by the GDPR's pseudonymisation provisions.)
But your number one goal is to collect nothing at all. And honestly, even once you have explicit permission, collect as little as possible.
Ask for the minimum information
Many websites, forms, plugins and stores ask for information they do not really need. In general, a good rule is to ask your users for as little information as possible. If you do not even need their name, do not take it; or maybe take only their first name. Sometimes all you need is their email address to do your job.
This does not mean you cannot ask for other information. The GDPR simply says you have to tell people why you need it. If you ask for a first and last name, say why. If you ask for a date of birth, make sure you actually do something with it, such as sending a birthday coupon. Under the GDPR there are no more requests for information "just in case" or "for some undetermined future project."
Many form plugins let you include a note under or next to the primary label. If you ask for a phone number, for example, you can add text that says, "We are asking for your phone number so our customer service representatives can speed up the setup process for your custom orders."
Also, when you request information, the EU says you have to disclose "who you are […] how long it will be stored, and who gets it." Exactly how and when you have to disclose this may differ, but the safe reading is that you tell users who you are at the same time as you request their data.
This is actually no different from the footer that every mailing-list service requires you to include. You do not need a long page or blurb explaining who you are; a single line stating "The data on this site is processed by BJ Keeton, CIO of Awesomesauce International and its affiliates" is enough. Or even something like "The data submitted via this form will be used by Awesomesauce International and no one else" will work.
This means your contact form, registration form, checkout pages, and anywhere else users can give you their information need to clearly identify you and yours
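The opt-in, data-minimisation and "say who you are" points above, as an added example that is not code from the original article, from WordPress core or from WooCommerce: a site-specific snippet for a WooCommerce 3.x checkout. It removes a billing field the shop does not need, makes the phone number optional with a note saying why it is asked for, renders a newsletter checkbox that is unchecked by default with a line naming who processes the data, and writes a consent record to the order only when the customer actually ticked the box. It goes one step beyond the article by storing the exact wording the customer saw and a UTC timestamp, so that the consent can later be demonstrated. The shop name "Awesomesauce International", the field key `awesomesauce_newsletter_opt_in`, the function names and the wording are assumptions for illustration; the hooks `woocommerce_checkout_fields` and `woocommerce_checkout_create_order` are real WooCommerce hooks.

```php
<?php
/**
 * Added example (not from the original article, WordPress core or WooCommerce).
 * Drop into a site-specific plugin or the theme's functions.php on a site
 * running WooCommerce 3.x. All names and wording below are assumptions.
 */

// Exact wording shown next to the checkbox. Kept in one constant so the text
// rendered on the page and the text stored with the consent cannot drift apart.
const AWESOMESAUCE_NEWSLETTER_CONSENT_TEXT =
    'Yes, send me the Awesomesauce newsletter (about one email a month).';

add_filter( 'woocommerce_checkout_fields', 'awesomesauce_checkout_fields', 20 );
function awesomesauce_checkout_fields( $fields ) {
    // Ask for the minimum: a consumer shop does not need a company name.
    unset( $fields['billing']['billing_company'] );

    // Keep the phone number, but make it optional and say why it is wanted.
    $fields['billing']['billing_phone']['required']    = false;
    $fields['billing']['billing_phone']['description'] =
        'Optional. We ask for a phone number only so customer service can reach you about a custom order.';

    // Opt-in, not opt-out: 'default' => 0 renders the box unchecked, so the
    // customer has to tick it. The description names the processor.
    $fields['order']['awesomesauce_newsletter_opt_in'] = array(
        'type'        => 'checkbox',
        'label'       => AWESOMESAUCE_NEWSLETTER_CONSENT_TEXT,
        'description' => 'Your email address will be processed by Awesomesauce International for this newsletter and no one else. You can unsubscribe at any time.',
        'required'    => false,
        'default'     => 0,
        'priority'    => 120,
    );

    return $fields;
}

add_action( 'woocommerce_checkout_create_order', 'awesomesauce_record_newsletter_consent', 10, 2 );
function awesomesauce_record_newsletter_consent( $order, $data ) {
    // WooCommerce normalises posted checkbox fields to 1 when ticked and ''
    // when not. Anything other than an explicit tick means no consent, and
    // then nothing about the newsletter is stored at all.
    if ( empty( $data['awesomesauce_newsletter_opt_in'] ) ) {
        return;
    }

    // Record what was agreed to, by whom and when, so consent can be shown later.
    $order->update_meta_data( '_newsletter_consent', array(
        'given_at' => current_time( 'mysql', true ), // UTC timestamp
        'text'     => AWESOMESAUCE_NEWSLETTER_CONSENT_TEXT,
        'email'    => $order->get_billing_email(),
    ) );
}
```

To check it, place two test orders: one with the box left alone and one with it ticked. Only the second order should carry a `_newsletter_consent` meta entry, and its stored `text` should match the label rendered at checkout. If you later change the wording, the constant changes both at once, which is the point of keeping them together.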