Recently we discussed user privacy and the GDPR: what it is and who needs to take note. The word’s getting around and some folks are wondering ‘now what do we do?’. So today we’re going to look at the actions you need to take to achieve GDPR compliance.
As a side note, just in case it’s not obvious, HyperWeb is not a law firm, so this isn’t legal advice. We can help you understand what’s involved in running a GDPR-compliant website, but if you need some help with the wording of your Privacy Policy or security breach action plan, your lawyer would be the right person to talk to.
Here’s what you need to have in place to achieve GDPR compliance (which you must have if you ever collect data that could be used to identify an EU resident):
- Someone within your business who is in charge of privacy. If you’re a sole trader, that’s going to be you.
- A GDPR-acceptable Privacy Policy. You need to disclose how and why you collect personal data, how long it is retained for, and who it is shared with.
- Processes for dealing with:
  - “Right of Access”, “Right to Rectification” and “Right to Erasure” requests; and
  - Security breaches.
As a WordPress / WooCommerce user, you’re already off to a good start. The latest version of WordPress includes new privacy settings (under Settings > Privacy) and will give you a basic Privacy Policy template to start with. Alternatively, you could start with an Australian template, like this one offered by Business Victoria (hit up Google for many others). For guidance on what to include, check out this WooCommerce post, or contact your lawyer.
Bear in mind that WordPress plugins may pass information you collect on your website to third-party services and the companies that operate them. Payment gateways and shipping extensions are obvious candidates, but you should check that you haven’t enabled any unnecessary plugins that might be inadvertently sharing data with third parties. Your Privacy Policy should explain any necessary data sharing to your users, and you should check that the companies you’re sharing data with are themselves GDPR-compliant.
As for access / rectification / erasure requests: WordPress has new tools that will help if a user requests a copy of all of their data, or asks you to update or erase all data that relates to them. Check out Tools > Export Personal Data and Tools > Erase Personal Data. Instructions on how to verify and process these sorts of requests are here and here.
You’ll also need a plan that outlines what you’ll do if you ever discover that your website has been compromised (i.e. if user data collected by your website has been accessed, or might have been accessed, by unauthorised users). For GDPR compliance, there are specific responses that are required, and they have associated time limits. To help you prepare your security breach action plan, check out the recommendations here.
For our regular marketing clients: Mailchimp has already taken steps to make its systems GDPR-friendly, with contact tools that let you easily modify contacts’ personal data, and if you are required to delete a contact from your list, their identifying information in your reports can be replaced with anonymised activity data.
Meanwhile, take practical steps to keep your site secure. Ask us about our maintenance plans to keep WordPress, WooCommerce and your other plugins up to date with the latest security fixes and GDPR tools; disable and delete unnecessary plugins and themes; use strong passwords; don’t share your login details with others (set up separate accounts instead); and ensure your entire website and database are being backed up daily (site backups are included if your website is hosted with HyperWeb).
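Two of the hygiene points above (delete plugins you don’t use; keep the rest patched) can be checked from the command line. The script below is an added example, not HyperWeb’s code or part of WordPress: it reads the CSV that WP-CLI’s `wp plugin list --format=csv --fields=name,status,update` prints and flags inactive plugins and active plugins with a pending update. The inventory embedded in it is constructed so the script runs without a WordPress install.

```shell
#!/bin/sh
# Added example: audit a WordPress plugin inventory for the two hygiene
# points in the post. Real usage on a site with WP-CLI installed:
#   wp plugin list --format=csv --fields=name,status,update | audit_plugins
# Findings can then be acted on with `wp plugin delete <name>` and
# `wp plugin update <name>` after a backup.

# audit_plugins: reads the CSV inventory on stdin (header line first),
# prints one finding per line. The update column from WP-CLI is either
# "none" or "available".
audit_plugins() {
    awk -F, 'NR > 1 {
        if ($2 == "inactive")
            print "DELETE-CANDIDATE " $1 " (installed but inactive; still reachable on disk)"
        else if ($2 == "active" && $3 == "available")
            print "UPDATE-NEEDED " $1 " (pending release may contain security fixes)"
    }'
}

# count_findings: number of findings for an inventory passed as a string,
# handy as a non-zero check in a maintenance cron job.
count_findings() {
    printf '%s\n' "$1" | audit_plugins | wc -l | tr -d ' '
}

# Constructed sample inventory (not from a real site).
SAMPLE_INVENTORY='name,status,update
woocommerce,active,none
akismet,inactive,none
hello,inactive,available
wordpress-seo,active,available'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_plugins
echo "findings: $(count_findings "$SAMPLE_INVENTORY")"
```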