What is GDPR?
GDPR is a massive data privacy law in European Union countries that went into effect on May 20, 2018, and you have some work to do to get into compliance. The acronym stands for General Data Protection Regulation. The law was passed in 2016.
Why Do I Care?
The fines for not complying are up to 4% of annual global revenue or 20 million euros ($23,714,240 U.S. dollars), whichever is greater! The GDPR affects any site that collects data from EU citizens, not just EU companies, meaning that as a US company you can also get busted.
Also, protecting your users' data and giving them a clear choice to allow you to use their data is generally the ethical thing to do. The way companies use their users' data has been the topic of much controversy, and it is a great idea to be on the safe side when it comes to hot-topic issues.
What Do I Do?
Luckily, it is not rocket science to get into compliance, especially on WordPress. The main thing is to be as transparent as possible. Here is a short list from CMDS:
- Edit all forms by asking for their company name and adding a description of what the user is signing up for.
This is pretty self-explanatory. Just go into Gravity Forms, Contact Form 7, Ninja Forms, or whatever form plugin you have on your WordPress site, add a field collecting the Company Name, and add a statement somewhere on the page above the form describing what the form collects and how it will be used.
- Ensure all forms and other data collection methods on websites are explicitly opt-in (note, a tick-box must not be pre-ticked).
If using Gravity Forms 2.4 or greater you can simply add the consent checkbox as a field under the advanced fields section to the end of your form. It is a good idea to link to your privacy policy.
If using Contact Form 7, you can insert an acceptance tag above the submit button followed by something like "I agree to the privacy policy". You need to be sure that you close the acceptance tag. The whole tag could look something like this:
[acceptance consent-checkbox] I agree to the <a href="/privacy-policy/">privacy policy</a>[/acceptance]
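Whichever plugin renders the box, the checkbox is only the front end: an unticked box is simply absent from what the browser sends, and a browser can be made to send anything. The server therefore has to refuse a submission whose consent field is missing or unexpected, never default it to "agreed", and keep a record of when and to which policy text the visitor agreed. Here is an added example of that server-side check in plain PHP; it is not from the original post and not code from Gravity Forms, Contact Form 7 or Ninja Forms. The field names gdpr_consent, email and company and the policy version are assumptions, and you would call process_signup() from whatever server-side validation hook your form plugin provides.

```php
<?php
// Added example, not code from the original post or from any form plugin.
// Field names and the policy version are hypothetical; match your own form.
const CONSENT_FIELD  = 'gdpr_consent';
const POLICY_VERSION = '2018-05';

/**
 * Returns true only when the submission carries an explicit affirmative
 * value for the consent field. Everything else (absent, empty, "0",
 * "off", any unexpected string) counts as no consent.
 */
function consent_was_given(array $post, string $field = CONSENT_FIELD): bool
{
    if (!array_key_exists($field, $post)) {
        return false;                      // box left unticked
    }
    $value = $post[$field];
    if (is_array($value)) {                // some plugins post checkbox groups as arrays
        $value = reset($value);
    }
    $value = strtolower(trim((string) $value));
    return in_array($value, ['1', 'on', 'yes', 'true'], true);
}

/**
 * Validates a signup submission and, on success, builds the consent record
 * to store alongside the contact data. Returns an array with either
 * 'record' (on success) or 'error' (on failure).
 */
function process_signup(array $post, DateTimeImmutable $now): array
{
    $email = filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return ['error' => 'A valid e-mail address is required.'];
    }
    if (!consent_was_given($post)) {
        // Reject the submission rather than storing it with consent = false.
        return ['error' => 'Please tick the box to confirm you agree to the privacy policy.'];
    }
    return ['record' => [
        'email'          => $email,
        'company'        => trim($post['company'] ?? ''),
        'consent_given'  => true,
        'consented_at'   => $now->format(DATE_ATOM), // when the box was ticked
        'policy_version' => POLICY_VERSION,          // which policy text they agreed to
        'source'         => 'newsletter-form',       // which form collected it
    ]];
}

// Constructed sample submissions (what PHP would see in $_POST).
$now        = new DateTimeImmutable('2018-05-25T10:00:00+00:00');
$unticked   = ['email' => 'alice@example.com', 'company' => 'Example Ltd'];
$ticked     = $unticked + [CONSENT_FIELD => '1'];
$unexpected = $unticked + [CONSENT_FIELD => 'maybe'];

foreach (['unticked' => $unticked, 'ticked' => $ticked, 'unexpected' => $unexpected] as $label => $post) {
    $result = process_signup($post, $now);
    echo $label, ': ', $result['error'] ?? 'stored with consent record', PHP_EOL;
}
```

Only the "ticked" submission produces a record; the other two are rejected with a message the form can show the visitor. Storing the timestamp and policy version with the contact is what lets you later demonstrate that consent was actually given and for which wording.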
If using Ninja Forms, add a single checkbox field at the end of your form and label it something like "I agree to the privacy policy". Be sure it is not pre-checked. Again, it is a good idea to link to your privacy policy.
- Make it easy for users to opt-out or unsubscribe.
For this step, I would recommend adding an unsubscribe link to all emails/confirmations sent to users whose data you have captured on your site. This can be done in a variety of ways.
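The unsubscribe link covers the e-mail side of opting out. For the data you have stored, WordPress's Export Personal Data and Erase Personal Data tools (see the next paragraph) work through two filters that any plugin or theme can hook, so records you keep in your own table can be found and deleted by e-mail address from the same admin screen as everything else. The following is an added example, not the original post's code and not Gravity Forms' own integration; it assumes a hypothetical custom table named with the site's table prefix plus newsletter_signups, having id, email, company and consented_at columns.

```php
<?php
// Added example (not from the original post and not Gravity Forms' own
// integration). Hooks a hypothetical custom table into the WordPress
// "Export Personal Data" and "Erase Personal Data" tools.
//
// Assumed table {$wpdb->prefix}newsletter_signups: id, email, company, consented_at

add_filter('wp_privacy_personal_data_exporters', function (array $exporters): array {
    $exporters['newsletter-signups'] = [
        'exporter_friendly_name' => 'Newsletter signups',
        'callback'               => 'newsletter_signups_exporter',
    ];
    return $exporters;
});

add_filter('wp_privacy_personal_data_erasers', function (array $erasers): array {
    $erasers['newsletter-signups'] = [
        'eraser_friendly_name' => 'Newsletter signups',
        'callback'             => 'newsletter_signups_eraser',
    ];
    return $erasers;
});

/**
 * Exporter: returns every row stored for $email_address, 100 per call,
 * in the item shape core expects (group_id, group_label, item_id, data[]).
 */
function newsletter_signups_exporter($email_address, $page = 1)
{
    global $wpdb;
    $per_page = 100;
    $page     = max(1, (int) $page);
    $table    = $wpdb->prefix . 'newsletter_signups';

    // Prepared statement: the e-mail address comes from an untrusted request.
    $rows = (array) $wpdb->get_results($wpdb->prepare(
        "SELECT id, email, company, consented_at FROM {$table}
         WHERE email = %s ORDER BY id ASC LIMIT %d OFFSET %d",
        $email_address, $per_page, ($page - 1) * $per_page
    ));

    $items = [];
    foreach ($rows as $row) {
        $items[] = [
            'group_id'    => 'newsletter-signups',
            'group_label' => 'Newsletter signups',
            'item_id'     => "newsletter-signup-{$row->id}",
            'data'        => [
                ['name' => 'E-mail',        'value' => $row->email],
                ['name' => 'Company',       'value' => $row->company],
                ['name' => 'Consent given', 'value' => $row->consented_at],
            ],
        ];
    }

    // 'done' => false tells core to call again with $page + 1.
    return ['data' => $items, 'done' => count($rows) < $per_page];
}

/**
 * Eraser: deletes the rows outright. If you must keep proof of consent for
 * a retained record, report it in items_retained and explain in messages.
 */
function newsletter_signups_eraser($email_address, $page = 1)
{
    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'newsletter_signups',
        ['email' => $email_address],
        ['%s']
    );

    return [
        'items_removed'  => $deleted !== false && $deleted > 0,
        'items_retained' => false,
        'messages'       => $deleted === false ? ['Could not delete newsletter signups.'] : [],
        'done'           => true,
    ];
}
```

Drop this into a small plugin or your theme's functions.php. The exporter is paged because core calls it repeatedly until it reports done, which keeps large tables from timing out; the eraser uses $wpdb->delete so the e-mail address is never interpolated into SQL.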
WordPress has added the Export Personal Data and Erase Personal Data tools. As of Gravity Forms 2.4, a new Personal Data tab has been added to the Form Settings to provide integration with these tools. See the article Personal Data Settings for more details. (credit https://docs.gravityforms.com/wordpress-gravity-forms-and-gdpr-compliance/)
- Add a cookie alert banner.
Again, there are many ways to get this done. However, there is a plugin that makes it really easy for you called GDPR Cookie Consent Banner. You simply install the plugin and then navigate to settings > cookie consent. From there you can make style and content decisions in a really easy to understand way.
- Update privacy policy/terms and conditions to reference GDPR terminology.
This step could be the most time consuming, and I would recommend erring on the side of transparency. Here are some questions you should answer in your privacy policy to be safe. I got this list from commands.gg:
- what data we collect from you
- why we collect data from you (how we use it)
- how we collect data from you
- third parties that have access to any data we have collected, and why it is shared with those third parties
- how long we keep your data for
- the ways in which you can have any and all of the data we have collected from you deleted
In conclusion, these 5 steps are really not that difficult, and they could save you a big headache. This law was set in place for big business, and regulators are not planning to target small entities; however, they could. So the risk is up to you. If you would like my knowledgeable, trustworthy team to help you get GDPR compliant, please reach out and start a conversation today. We would love an opportunity to serve you.