We wrote a previous post on GDPR and what it means. Read it here: GDPR - What you need to know
To follow on from this, we look at how GDPR can affect your website data. There is lots of generic information out there giving very open recommendations on what to do; however, as we know most of our clients are using a range of well-known plugins and social media tools, we will try to be specific.
What information is GDPR regulating on my website?
GDPR is the regulation of personal data. The data gathered on a website that could be considered personal data includes:
- Date of Birth
- Email Address
- IP Addresses
- Credit Card Details
Sensitive personal data should be treated with more care, and this can include:
- Political Views
What do you need to do with this data?
1.) What tools on your website could be storing data?
The first thing you need to do is to be aware of what personal data you could be storing. If you have a form, forum, shopping cart or membership area on your website, do you know whether the tool is storing personal data in your website database? You need to record what is storing data.
2.) What data is being stored?
You have made a list of what is storing personal data on your website; you also need to record what that personal data is. Is all of the information required? If someone asks you about the information you are holding about them, can you access that data to meet their request?
3.) How will you verify that you are supplying the correct person with that personal data?
You may be ready to respond to a request for personal data, but you must be sure that the person you are providing it to is the right person to receive the personal data you are holding on them. Have a verification procedure in place before you need to use it.
4.) What is your procedure for ensuring the integrity of the data?
If you are holding personal data, you need to do what you can to ensure that the data is safe and protected. Your cloud platforms, i.e. accounting and CRM, should be secure, and you should check that they are GDPR compliant. On your WordPress website we recommend the use of security tools, strong passwords and SSL, which means enabling a secure certificate so that your website is served over HTTPS. You can find out more about SSL here: Do I need to get an SSL certificate for my website?
Lots of our websites have a plugin called Wordfence enabled. This monitors the updates of themes and plugins and alerts you if they are outdated or if a Wordfence scan picks up any malicious files. If you set your email address to receive updates, you will be notified of any issues, which will then allow you to alert your users if you know that a breach or hack has taken place.
We highly recommend that you have a custom privacy statement written. We have provided some free privacy policies in the past, but we feel that these may not only be getting out of date but are also not tailored to your actual website. A specific policy covering your tools will demonstrate your commitment towards compliance. Contact us for details and we can create a custom policy for you.
Where should I be looking on my website for this data?
There are several places on your website where you can expect to be collecting clients' data:
- Newsletter Sign Up Forms
- Members Area
- Shopping Cart
We are going to look at ways to help you become more compliant in these areas.
Disclaimer: we are not legal experts; these are just recommendations. If you need to be compliant, you should appoint a data protection officer (DPO).
In order to receive data you need permission; the common recommendation is that a simple checkbox is added to all forms. We recommend that the following is added as a required checkbox: "I consent to my submitted data being collected and stored."
Most of the forms installed by Navitas Design will be storing your data, which we used to feel was a benefit; however, we can now change that installation to delete any submitted forms from the database. If you would like us to do this for you, please submit a job request to support @ navitasdesign.co.uk.
Newsletter Sign Up Forms
As with forms, it may be in your interest to have a checkbox allowing users to "consent" to receiving email marketing from you. If you are using something like Mailchimp, they have been using best practices for some time, and their double opt-in ensures not only that your list is clear of spam BUT also that you are adhering to best practice by getting a further confirmation, recorded and time stamped, that your data was left with permission.
Most of the newsletter sign up forms installed by Navitas Design will be storing your data, which we used to feel was a benefit; however, we can now change that installation to delete any submitted forms from the database. If you would like us to do this for you, please submit a job request to support @ navitasdesign.co.uk.
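As an added example (not code from the original post or from Navitas Design), this is one way to do the "delete submitted forms from the database" change described for both the contact forms and the newsletter sign up forms above, on a WordPress site where those forms are built with Gravity Forms, which this post links to below. The form IDs and the nd_example_ function names are placeholders.

```php
<?php
/**
 * Plugin Name: No-retention for selected Gravity Forms (added example)
 *
 * Place this file in wp-content/mu-plugins/ so WordPress loads it automatically.
 * Assumptions (not from the original post): the site runs Gravity Forms, and
 * the form IDs below are placeholders to replace with your own form IDs.
 */

// Placeholder form IDs: entries submitted through these forms are not kept.
function nd_example_no_retention_form_ids() {
    return array( 1, 2 );
}

/**
 * Runs after Gravity Forms has processed a submission. By this point the
 * notification emails for the entry have already been dispatched, so the
 * submission still reaches your inbox even though the stored entry is removed.
 */
function nd_example_delete_entry_after_submission( $entry, $form ) {
    $form_id = isset( $form['id'] ) ? (int) $form['id'] : 0;

    if ( ! in_array( $form_id, nd_example_no_retention_form_ids(), true ) ) {
        return; // Other forms keep their entries as before.
    }

    if ( ! class_exists( 'GFAPI' ) ) {
        return; // Gravity Forms is not active; nothing to delete.
    }

    $result = GFAPI::delete_entry( (int) $entry['id'] );

    if ( is_wp_error( $result ) ) {
        // Log rather than fail the submission: a failed delete means the entry
        // is still in the database and needs to be cleaned up by hand.
        error_log( sprintf(
            'Example no-retention plugin: could not delete entry %d for form %d: %s',
            (int) $entry['id'],
            $form_id,
            $result->get_error_message()
        ) );
    }
}

// Late priority so that other add-ons hooked to the same action (for example a
// mailing-list integration) see the entry before it is deleted.
add_action( 'gform_after_submission', 'nd_example_delete_entry_after_submission', 99, 2 );
```

This only stops the copy kept in the website database; the notification email still carries the submitted personal data, so its retention then depends on your mailbox.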
We will update this section when we have confirmation of best practice.
Members Area and Shopping Carts
We normally use WooCommerce at Navitas Design. Their recommendation is very much like the advice above. As all sites are set up differently, go through the process of assessing what information is gathered and, at the collection point, advise users that their information is going to be collected. If possible, a checkbox to get consent from the user is the best way to show you gained consent. Have a plan in place to make your users aware if your website is breached.
Members areas normally store a similar set of variables to a shopping cart; however, more personal details, and maybe "sensitive" personal data, can be stored, as members areas are often geared towards personal development, learning and hobbies.
While we have done research for this article, we are sure that more will come to our attention, so we will refresh this article as and when we get further recommendations or find useful articles.
Gravity Forms: Gravity Forms, and GDPR Compliance
Mailchimp: Getting ready for GDPR
WooCommerce: GDPR Compliance - WooCommerce