I have several web sites written with WordPress and I needed to comply with the new GDPR European regulation (new in May 2018). After a few hours of work to find how to do this right… I decided to share my experience and show the steps I went through; not very difficult, but rather lengthy, I’d say.
Please note: I am not a lawyer or your Legal Department; it all merely comes from my reading and my understanding.
First step (normally, this should be in place for quite some time already, since this started a long time ago): Add a notice informing visitors that your site uses cookies.
I simply used a small plug-in (you can find others too): Cookie Notice from dFactory.
Pros: It works in various languages (and in English), it has been tested on more than 500,000 sites before mine, and it is up and running in less than a minute.
For many reasons, you will need to have a decent contact form (including to be able to answer GDPR-related requests). I recommend a simple and small (and free) forms editor like Ninja Forms.
In two minutes, you will have a working contact form. Don’t forget to add the checkbox with “By using this form you agree with the storage and handling of your data by this website” (This should be present on all your forms).
Then, you need to create a “Contact” page in WordPress. Embed the form you just created in this page with the following shortcode:
Small GDPR support: Ninja Forms allows you to set up forms without storing any data on the web site, reducing the effort needed to comply with GDPR for simpler forms.
But don’t forget to enable the sending of the confirmation message to the comment author (all the more because the post-form message mentions this confirmation – be consistent).
On top of this, if your web site includes a comment system (which is quite common), I recommend using a plugin to include the standard reminder checkbox: WP GDPR Compliance from Van Ons. Bonus: It makes some recommendations on various GDPR-related cases.
Data Protection Officer
Name somebody (with an email address) as the internal interface for all private data issues. It is not compulsory (for smaller teams), but it is so much clearer (and recommended) that somebody feels in charge of this (even the CEO). This person will be contacted by visitors wanting to know what data you collect and how to remove all their personal data from the web site (these are legal requirements).
Make sure that this person is reachable through a very easy interface (including the contact form or some other form).
Above all, you must make sure that you can explain simply what your intentions are regarding the private data you will collect (private data include email, name, IP address, etc.) and how you intend to comply with your legal obligations. This page must tell it all simply.
Try and write it right on the first attempt. You are legally bound to inform all your users any time you make a change (even simple ones)…
This is a WordPress page, rather than a post (it must stay readily available and easily reachable by all even in the future).
I recommend following, more or less, the GDPR themes (it’s easier):
- Existence (or not) of a Data Protection Officer, in charge of the whole process of personal data handling
- Definition of data collection, handling, storing, transfer and removal processes
- Creation of a process to notify any data breach
- Explicit consent to data collection
- Right to access (and removal) of personal data
Access to personal data
You must give full access to any user’s personal data stored on the web site. This is relatively easy using a plugin (GDPR compliance from Scribit) and a specific page where you will only write the shortcode:
Of course, you can add some more details (refer to the plugin help information for more options).
Then, you can direct the requests to this page, which will display the full breadth of personal data. As this is not a very nice page (rather dry reading), I recommend keeping it masked (I don’t feel it is necessary to show it permanently to all – answering requests should be enough).
Maybe not the worst or the most complicated, but I finally added a small message on the web site to announce the deployment of this whole process. Explaining is better than waiting for people to ask. And the message is positive: You care about your users and visitors.