*These are entirely my views, and I’m not a lawyer or GDPR expert. Please do your own research or consult a lawyer if you’re unsure about anything.*
Well, let’s face it, the world can be a bit of a nasty place. Personal data is really valuable, and in the wrong hands it can be used to powerful effect (Facebook/Cambridge Analytica, anyone?). People are always trying to hack your site, yes, your tiny WordPress site. And are you storing people’s personal data? (You may be surprised at how much.)
So while it’s a right royal pain, I’m not that sad about GDPR. Even if you don’t operate in the EU, I expect something similar will be heading your way, and in the meantime you mark yourself out as someone worth doing business with, because you’ve taken the time to care about the information you hold on people.
The good news is that while GDPR has the potential to escalate to those high levels of fines, it will start with a warning, then a reprimand, then a suspension of data processing, and only if you continue to violate the law will the large fines hit.
Does it apply?
But I’m not in the EU – do I have to do this? Most likely, unless you are using IP blocking to keep EU countries off your website. If anyone from the EU comments on your blog, you become obligated. Here’s a list of other ways you will probably end up storing personal data:
- Do you use Google Analytics? YES – you’ll be using cookies.
- Do you have a contact form? YES – you store the personal data from contact form submissions in your email program. Who provides your email program?
- Do you have a newsletter sign-up? YES – you’ll be collecting data (an email address at a minimum), and it will most likely be stored with your newsletter provider (e.g. Mailchimp, ConvertKit).
- Do you sell products and services on your site? YES – you will be storing names, email addresses, postal addresses and each user’s order history.
- Do you let people comment on your blog posts, use a comments plugin or Facebook comments? YES – you’re using people’s names, email addresses and sometimes their image.
- Do you use any other tracking plugins for advertising, like the Facebook Pixel or Google AdSense? YES – these will store cookies on a user’s device.
- Do you use security plugins? YES – they do add cookies relating to a user’s whereabouts, and usually have settings where you can turn these off.
- Do you have some kind of membership functionality? YES – then you store usernames, passwords and often other information.
- There’s likely more I can add to this list, but that’s a minimum for now.
What do I actually have to do – GDPR website checklist
The following checklist contains links where I expand upon these sections more.
- Update any plugins and WordPress itself to the latest versions – WordPress developers are working like crazy to make their offerings compliant, so you’ll be seeing loads of updates. Keep on top of them.
- Cookies: Check what cookies your site stores
- Plugins: Install and customise Cookie Compliance Plugin – see my cookie section below.
- Content: If you sell things you probably want to put in a Terms and Conditions policy (https://termsfeed.com/terms-use/generator/).
- Mailing lists: If you have a newsletter provider – Mailchimp or Convertkit or similar – sign their Data Agreement policy (even if you’re not doing GDPR, you should still do this!)
- Mailing lists: Go through your mailing list provider’s GDPR info and follow their directions to clean your list.
And you’re done! Until I think of something else!!!
For Photographers – offline GDPR
So, a few other questions you might want to think about. This is less likely to affect you if you’re not in the EU, but it’s not a bad idea to think about anyway.
- How long do you store your clients’ photos after a shoot? Do you have this written down anywhere?
- How do you store your clients’ written contracts safely?
- How long do you keep written contracts containing your clients’ personal data?
- How do you keep order information? Do you delete this periodically?
You may want to draw up a little policy on all this offline stuff too, as GDPR doesn’t just relate to what’s online.
Data you store
- Look through your plugins – update those you use, delete or turn off any you are not currently using.
- What data do you store on people?
- Where is it stored? In your WordPress database? Don’t forget contact form submissions may be stored in your email program. Who provides your email program?
- Do you need to store it still?
- Delete anything you don’t still need.
Privacy Policy
- Create a Privacy Policy page if you don’t already have one.
Add in information on:
- Your contact form submission process (what info is collected, where it is stored (link to the security policy of your email provider), who can access the email account (just you, or staff, or your web developer), when emails are deleted, and how a person would get their emails deleted if they wanted to).
- Any store related information eg how long you keep order data
- Any newsletter related info – eg who you use for this and you can link to their security policy too.
- Your security measures
- How can a person request their data?
- How can a person request deletion of their data?
- If you have a membership site, add information about this here too.
- Link it in your menu somewhere (I’d suggest footer for now)
- Add information about how long you store information, when you delete information and how can someone get in touch to have their data deleted.
- You may want to keep your Privacy Page open on the edit screen as you go through the rest of this; you’ll probably end up adding to it.
Cookies and Cookie Policies
- Check what cookies your site stores: http://www.cookie-checker.com/ You might want to google some of them if you don’t recognise their names, and turn off plugins that are adding cookies if you don’t use them.
- Install Cookie compliance plugin (Why this one? I have seen the owners of this company talk and they are well regarded in the WordPress Community)
- Customise Cookie compliance plugin
For the one I’ve linked to:
- Add your logo
- Choose your site colors.
- Click on Third Party Cookies – add in any scripts you have from your header file, so Google Analytics, SumoMe, Facebook Pixel. Then turn this on. NB: it won’t turn on if you don’t add any code into the boxes.
- Click on Strictly Necessary Cookies – add any explanation here, for example that if you have membership content and people turn this off they won’t be able to access it, as their login details won’t be remembered across the site.
- Click on Additional Cookies – add any you’ve found that meet this criteria but don’t fall under third party or strictly necessary. For example if you allow comments on your site WordPress have added a checkbox to the comment form that will store a cookie if checked.
Google Analytics
Yep, we all want to know what pages everyone looks at and where they go next, but technically we don’t have a right to collect that without permission.
- Find your Google Analytics code: it will be somewhere on your site, perhaps in a plugin, in a header snippet or in your theme customiser.
- Remove it from the plugin/header etc.
- Add it into the Third Party Cookies head section in the Cookie Compliance plugin, so it only loads once the visitor has consented.
- Make sure your Cookie Policy states that you use it.
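One way to see what the consent gate in the steps above actually does, as an added example that is not the plugin’s or this post’s own code: the Google Analytics loader tag is only injected once the visitor’s consent cookie says third-party cookies are allowed, so no tracking cookie is set beforehand. The cookie name `cookie_consent`, its JSON layout and the measurement ID are assumptions; substitute whatever your consent plugin really sets.

```javascript
// Added example: gate the Google Analytics loader behind a consent cookie.
// CONSENT_COOKIE and its JSON layout are assumed; GA_ID is a placeholder.
const CONSENT_COOKIE = 'cookie_consent';   // assumed name set by the consent banner
const GA_ID = 'UA-XXXXXXX-X';               // placeholder, replace with your own ID

// Parse a "a=1; b=2" cookie string into an object. Values are URI-decoded;
// pairs without "=" or with an undecodable value are skipped.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(part.slice(idx + 1).trim()); }
    catch (e) { /* skip malformed value */ }
  }
  return out;
}

// Consent is assumed to be stored as JSON such as {"thirdParty":true,"additional":false}.
// A missing, unparsable or non-boolean entry counts as "no consent" (the safe default).
function hasConsent(cookieString, category) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return false;
  try {
    const prefs = JSON.parse(raw);
    return prefs !== null && typeof prefs === 'object' && prefs[category] === true;
  } catch (e) {
    return false;
  }
}

// Inject the GA loader tag only if third-party cookies were accepted and it
// has not been injected already. Returns true when the tag was added.
function loadAnalyticsIfConsented(doc, cookieString) {
  if (!hasConsent(cookieString, 'thirdParty')) return false;
  if (doc.getElementById('ga-loader')) return false;
  const tag = doc.createElement('script');
  tag.id = 'ga-loader';
  tag.async = true;
  tag.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(GA_ID);
  doc.head.appendChild(tag);
  return true;
}

// In a browser, run the check on page load; the banner should call it again after opt-in.
if (typeof document !== 'undefined') {
  loadAnalyticsIfConsented(document, document.cookie);
}
```

Until the visitor opts in, nothing from Google is requested, which is exactly the state the cookie checker above should show for a fresh visit.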
Contact Forms
Add to your Privacy Policy:
- what info is collected,
- where it is stored (link to the security policy of your email provider),
- who can access the email account (just you, or staff, or your web developer),
- where the data is processed (is it just you in your own country, or do you have a VA in another country working on it),
- when emails are deleted,
- how a person would get their emails deleted if they wanted to.
NB: This checkbox has to be ticked before the form can be sent, but weirdly it’s not included in the contact form validator by default. So when you set up your contact form, click on Additional Settings on the form and add in this bit of code. Then, if your user tries to send without ticking it, they’ll be prompted to do so.
Other contact plugin providers have probably added something similar.
When you contact us using our contact form we collect your name, email address and message information. If you are booking classes we will also collect your booking preferences. These are stored in our email system (please see NAME OF YOUR EMAIL PROVIDER HERE Security policy PUT A LINK HERE TOO). This information is accessible and processed by WHOEVER in COUNTRY. It is deleted periodically. If you would like your data deleted after it’s processed please state this in the message body.
Mailing Lists
There is a whole minefield here about what you can and can’t offer in exchange for email addresses, and I’m not going to go into that here. Here’s what you need to do in the first instance to get your mailing lists up to scratch. I expect there’ll be a lot of clever people scrambling to explain how to do your opt-ins soon!
ConvertKit and GDPR:
- Follow this: https://convertkit.com/gdpr/
- Data Agreement Policy
Mailchimp and GDPR:
- Segment your Mailchimp list based on EU subscribers: https://kb.mailchimp.com/lists/manage-contacts/about-geolocation
- Send an email campaign to EU subscribers: https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms (use the links on the left and go to COLLECT CONSENT for instructions)
- Send a follow-up if necessary
- Remove non-subscribers from your list prior to 25th May
- Sign Mailchimp’s Data Processing Agreement: https://mailchimp.com/legal/forms/data-processing-agreement/ Info about that here: FAQ – legal requirement
Selling Products and Services
Questions to ask yourself
- How long do I keep order information for? So it’s lovely to see all your orders, and who has purchased from you in the past. But you don’t have an automatic right to hold this information indefinitely. Once the order is fulfilled and any return/refund dates have passed you should delete personal data held on the order.
- Can someone update or delete their information I hold? They have a right to do this.
- Where is data held? In most cases this will be in your website database (security controlled by a) your own security plugins, and b) security of your host)
- Do I automatically add people who purchase goods to my mailing list? You can add plugins that do this, but you now need to make sure there is an UNCHECKED tick box for people to agree to being added to the mailing list before the submit order button.
Membership Sites
Questions to ask yourself
- Am I collecting any unnecessary data on an individual?
- If a member leaves how and when do I delete their personal data?