General Data Protection Regulation, the EU data protection directive, came into effect on May 25, 2018. In this article we provide guidelines on specific steps you can take to move your site toward GDPR compliance.
5 based steps toward website GDPR compliance
Take these steps to help ensure that your website is GDPR-compliant:
- Ensure your plugins comply with GDPR.
- Limit the data you collect and store via form submissions.
- Clean up your mailing lists.
Don’t just copy and paste someone else’s user policy. It is unlikely to contain the proper information for your site. If appropriate, you might include items like:
- We do not sell data.
- We do not share data unless compelled by law.
- We only ask for personal information if it’s needed to provide a service.
Follow this with details of the types of data you collect, what you use it for, and how you protect it.
The GDPR states cookies constitute personal data, as they can be used to identify an individual. You must obtain clear, specific consent from users to place cookies and track them. This could be handled by a popup on a user’s first visit that allows users to consent to or decline cookie use. To comply, you cannot have a default answer (such as accept) but must require the user to pick an option. If the user doesn’t explicitly consent, you can’t place cookies on their browser. The site should still be accessible without cookie placement, though of course features such as personalization will be lost.
We use Cookiebot, a tool that helps you automate the task of Cookie Compliance.
3. Ensure your plugins comply with GDPR
WordPress users should keep an eye on that, as it will help website administrators as well as plugin developers. Helpful plugins are also beginning to appear in the WordPress plugin GDPR section.
Joomla! developers are working on these issues as well. Follow resources such as the Joomla! newsletter for developments. Check the support pages for individual plugins you employ, such as form plugins, as that may be the first place the information and updates you need will appear.
It’s your responsibility to ensure all your plugins can export, provide and delete the user data they collect.
It’s your responsibility to ensure that every plugin can export/provide/delete the user data it collects. Is that “send page by email” plugin collecting the recipient address and adding it to a list somewhere? Unless you have explicit consent, that will violate GDPR. Things like this are a big deal for plugins that make heavy use of user data, but most are working to find ways to comply. In some cases, you might need to switch to a different plugin.
4. Limit the data you collect and store via form submissions
Forms have the potential to collect lots of interesting personal data. Don’t do it. Collect only the fields you actually need for processing. Don’t keep that data for longer than absolutely required. Be aware that many form plugins store submitted forms in the database. Increasingly such plugins are being modified to include a “do not store form data” option in the configuration. Make use of it.
5. Clean up your mailing lists
Does your site incorporate a mailing list? Hopefully, you’re already employing industry-standard procedures such as double opt-in for your list. Double opt-in means that after the user provides their email, you send a message containing a confirmation link that the user must click on to finalize their subscription. Double opt-in is not required by GDPR; however, it is a good way of ensuring that you can prove proper consent was obtained. If you purchase mailing lists from a third party, experts advise you to stop. If you use a purchased list where contacts haven’t given consent for such use, you’ll be in violation of GDPR.
If you signed any of the subscribers up without consent, those records are likely not GDPR compliant. You might need to clean your database. At the very least, ensure that you include proper unsubscribe links in any communication you send.
Individual rights a basic tenet of GDPR compliance
Right to access and portability
You’ll need to implement a method for exporting user data to CSV or another commonly used format. If you use a CMS, you might be able to accomplish this through a plugin. Plugin developers are working to build new plugins that will help achieve this functionality. Otherwise, you’ll need to code up a system for doing this yourself.
Right to be forgotten
Be sure to implement a procedure for deleting personal data when requested. There are exceptions that allow you to keep the data, but generally, if the user asks you to remove it, you must. This includes content created by the user, such as forum or blog comments and form submissions. In the future, CMS systems like WordPress and Joomla! may add a “Delete my account” button that takes care of this for you, but so far that hasn’t happened
Privacy by design
Ensure you have safeguards in place to protect data and restrict sharing. Only collect data that is necessary and forget about all of those extra, interesting but not vital, questions you might add to customer signup forms.
Set up restrictive access so only people who actually need particular data can access it. Consider moving your site to HTTPS, which encrypts communications between your website and a user’s browser.
Website GDPR compliance isn’t a simple matter, but by taking these steps, you’ll move substantially in the right direction. If you’re using a CMS system, watch for changes to the core and plugins to help you reach full compliance. In the meantime, it’s up to you to take the necessary steps to get as close as possible.