So… there has been a lot of fuss about this new GDPR regulation that the European Union issued. Needless to say, it came into full effect on the 25th of May 2018 and many WordPress website owners are still not sure what it’s all about, how it applies to them and what the consequences are for not becoming compliant, but still, everybody needs a good GDPR compliance solution for their website, regardless.
NOTE: details on how you install CLYM.io on your WordPress website will be described at the bottom of the post.
Long story short: GDPR IS PROBABLY ONE OF THE BEST THINGS THAT COULD HAPPEN. It simply paves the way for a more secure and standardized internet. No longer can shady websites simply sell your data away or do whatever they feel like doing with it. You can now rest assured that if you use a GDPR compliant website you are dealing with a legit business that treats itself and its users or clients seriously and respectfully.
Now for the long story…
Regulations regarding the way website owners handle personal data have been in place for a long time. This is not the first one to come. However, since the ~you know what~ incident, the EU felt it was time for a change, therefore ALL businesses that handle EU citizens’ personal data must follow the GDPR compliance rules… and this time the EU means business too. The fines for not being compliant are something to consider: 20 Mil (yes… that is “million”) EUR or 4% of the annual revenue… or at least that’s what they say.
Anyway, here are just a few of the things a website owner should do in order to be compliant, and what GDPR compliance solution we have found for most of the issues:
The user must voluntarily express his consent
I may be wrong, but I don’t think that phrases like “by navigating or scrolling on this website you express your consent” hold any longer. Your users now have to be able to actively manage their consent. And here is where CLYM.io steps in. Just check the Consent Widget on their website and imagine it on your website… better yet, stop imagining, sign up to CLYM.io and start using it!
Obtaining user consent on forms
Starting from the 25th of May 2018, ALL the points of entry on your website (that is just a fancy word for forms) must get user consent if they pick up any kind of personal information. We are not going to get into the ‘sensitive personal information’ subject; most WordPress website owners do not handle that. This pretty much means any kind of data that makes a person identifiable, like name, email, physical address, phone. IP addresses count if, together with other pieces of information, they can lead to the identification of a person. That basically means that all your forms, whether generated by your website or even embedded (like a MailChimp opt-in form, for example), must have a checkbox (that should NOT be initially checked!!!) informing the user that the form is going to gather his or her personal information and how you are going to use it.
Now, hold your horses a bit. This doesn’t mean that you can bully your users into consenting to anything in order to use your website.
Here is an example: let’s say you use Contact Form 7 for your website contact form and you also use the Contact Form 7 MailChimp Extension plugin, which picks up your users’ first name, last name and email and sends them to your MailChimp list for later marketing. You cannot force your visitor by making that checkbox required; in other words, you cannot force them to accept being added to your marketing list in order to be able to use that form on your website. The core principle is that they must be able to choose whether they want to get listed, by checking that checkbox.
Find a GDPR compliance solution that helps prove you have obtained that consent
So, in regards to the above, one must audit those consents and have proof that a user actually gave consent to anything. And here’s a cool thing CLYM implemented: Consent Receipts. Apparently they are a new standard and they can save you a ton of trouble. They are basically documents, and pretty much look like any receipt, but instead they are a written version of your users’ consent, which you can even print out and file if you like. How cool is that?
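To make the two points above concrete (an optional, never pre-ticked marketing checkbox on a contact form, plus a record of what the user agreed to), here is an added example written for this post; it is not CLYM.io’s code and the receipt fields are my own choice, not the Consent Receipt standard’s exact schema. The field names (`consent_marketing`, etc.) are assumed.

```javascript
// Added example (not CLYM.io's code): process a contact-form submission so the
// newsletter opt-in is optional and explicit, and file a consent receipt only
// when the user actually ticked the box. Field names are assumed.

const CONSENT_TEXT = "Also add me to the newsletter list (optional).";

// Only an explicit, affirmative checkbox value counts as consent.
// An absent field (box left unchecked) or any other value means "no".
function optedIn(value) {
  return value === "on" || value === "1" || value === "true" || value === true;
}

// The receipt records who consented, for what purpose, the exact wording
// they saw, and when. `now` is injectable so the result is reproducible.
// In production, store receipts append-only so they can be produced in an audit.
function buildConsentReceipt(email, purpose, shownText, now) {
  return {
    subject: email,
    purpose,
    shownText,
    timestamp: now.toISOString(),
    version: 1,
  };
}

// Route a submission: the contact message is always delivered; the mailing-list
// subscription happens only if the optional box was ticked. The checkbox is
// deliberately NOT in the required list, so leaving it empty never blocks the form.
function handleSubmission(fields, now = new Date()) {
  const required = ["first_name", "last_name", "email", "message"];
  const missing = required.filter((k) => !fields[k]);
  if (missing.length) {
    return { ok: false, error: "missing: " + missing.join(",") };
  }
  const actions = { deliverMessage: true, subscribe: false, receipt: null };
  if (optedIn(fields.consent_marketing)) {
    actions.subscribe = true;
    actions.receipt = buildConsentReceipt(fields.email, "newsletter", CONSENT_TEXT, now);
  }
  return { ok: true, ...actions };
}
```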
Granting of user rights
Now, people have several rights and you need to be able to manage these as well.
- The right to data accuracy – this means that it is your responsibility to maintain the accuracy of your user data. Obsolete data must be deleted or renewed.
- The right to be forgotten (or data erasure) – unless required by law or having some other kind of lawful justification (like a contract), a user now has the right to ask for their data to be erased or at least anonymized.
- The right to port their data – this measure is enforced in order to make changing suppliers easier, apparently.
- The right to be informed – yes… you actually need to tell people exactly what you are about to do with their data and you also need to inform them in a timely manner (as in almost a.s.a.p.) of any data breach.
- The right to object – this means people should be able to change their preferences at any given time, with no restriction whatsoever.
All of the above need to be managed and audited. And guess what? Clym.io helps you do that as well!
Protect your user’s data
It would be ideal for the user data to be encrypted, but that is not always feasible. Nevertheless, you must be able to prove that you took the necessary steps to protect your users’ data in case of an audit. Nothing new here, but I am pretty sure that if you don’t even have a simple SSL certificate on your website, you will probably have some explaining to do. Ideally, you should be able to somehow separate your users’ private data from their business data, since you are safe to keep business data without any restrictions (this may vary by jurisdiction, not sure, but it is definitely outside the scope of GDPR). WooCommerce websites would have an issue here, but with the latest WooCommerce update, you can now at least anonymize user data on orders after a given period of time.
Have data protection agreements with your 3rd party providers, like your host for example.
Not many hosts are eager to jump into signing anything, BUT for those who are, CLYM.io has a special section for Data Centers where you can actually list these in order to inform your customers. This is not limited to your host; it covers any kind of third party service you may send your users’ data to. Say a task management service such as Asana, like we do, where we use the client email to invite them to a project. Luckily, most big companies out there that any of us use, like MailChimp, Trello, Asana, Slack, and the list could go on forever, filled our email boxes assuring us that they are GDPR compliant as well… but still, as it is your users’ right to be informed, you must let them know if you are about to do so, and CLYM.io is here to help with that too.
Get rid of shady WordPress plugins and replace them with GDPR compliant ones
Yep… as they pretty much fall into the ‘3rd party providers’ category, and some of them may grab your user data without the user’s consent. Apparently plugin developers need to focus on a Privacy by Design approach as well. This section of the article can get pretty big very fast, so we are not going to cover it here, but apparently even something simple, like a backup plugin, would be an issue if it sends the backups to a 3rd party server, for example, and you don’t really have any guarantee or control over what that server owner is going to be doing with your data next. Also, there are various plugins that perform connections that aren’t allowed, which you need to prevent, mostly social ones.
Serve consent-based functionality
CLYM.io helps you manage your cookies so that if a user is not ok with you performing analytics on them, it automatically removes the Google Analytics tag, for example. This is a huge time saver as you no longer need to edit your website to integrate conditional functionality. Just think of the development costs on that one alone.
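For readers who want to see what consent-gated tag loading looks like under the hood, here is an added example in plain browser JavaScript; it is not CLYM.io’s implementation. The cookie name `site_consent`, its JSON shape and the `GA_MEASUREMENT_ID_PLACEHOLDER` are assumptions.

```javascript
// Added example (not CLYM.io's code): load the Google Analytics tag only when the
// stored consent explicitly allows the "analytics" category, and remove it otherwise.
// Cookie name and JSON shape are assumed; the GA id is a placeholder.

const CONSENT_COOKIE = "site_consent";

// Tags gated by consent category. Real gtag.js URL, placeholder property id.
const GATED_TAGS = {
  analytics: {
    id: "tag-analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID_PLACEHOLDER",
  },
};

// Parse the consent object out of a document.cookie string. Anything missing or
// unparseable is treated as "no consent": the default is opt-in, never opt-out.
function parseConsent(cookieString) {
  const entry = (cookieString || "")
    .split(/;\s*/)
    .find((c) => c.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return {};
  try {
    const parsed = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    return parsed && typeof parsed === "object" ? parsed : {};
  } catch (e) {
    return {};
  }
}

// A category is allowed only when it is explicitly boolean true.
function isAllowed(consent, category) {
  return consent[category] === true;
}

// Inject or remove each gated <script> so the page matches the current choice.
// `doc` is passed in (instead of using the global document) so this can be tested
// outside a browser. Removing a tag prevents future loads; cookies an already-run
// tag has set must be cleared separately.
function applyConsent(consent, doc) {
  const outcome = {};
  for (const [category, tag] of Object.entries(GATED_TAGS)) {
    const existing = doc.getElementById(tag.id);
    if (isAllowed(consent, category)) {
      if (!existing) {
        const s = doc.createElement("script");
        s.id = tag.id;
        s.async = true;
        s.src = tag.src;
        doc.head.appendChild(s);
      }
      outcome[category] = "loaded";
    } else {
      if (existing) existing.remove();
      outcome[category] = "blocked";
    }
  }
  return outcome;
}

// In a browser, apply the stored choice on page load.
if (typeof document !== "undefined") applyConsent(parseConsent(document.cookie), document);
```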
WooCommerce website owners
Read this to start with: https://woocommerce.com/2017/12/gdpr-compliance-woocommerce/
As a side note, we strongly feel that WooCommerce should separate the customer from the user altogether, somehow, and it would be very helpful for B2B companies to keep hold of the billing info even if they need to scrap the user data part from it. We will raise a suggestion for this.
A bunch of other stuff…
All websites are unique; there is no ‘one size fits all’ solution to this problem. You, as a website owner, are responsible for making your own WordPress website GDPR compliant; the best one can do is offer some pointers. As we initially said, we believe that CLYM.io is the best starting point for this as it manages all of the user interactions with your website.
In terms of the actual website and how it is built, we find this guide from RAIDBOXES to be extremely helpful and we advise you to have a read on it. You may find some things to be rather surprising and realize you need to take action in the areas you least expected.
Integrating the CLYM.io GDPR compliance solution with your WordPress website.
First things first: you will need to sign up to CLYM.io in order to grab your embed code.
Now, after you have signed up to CLYM.io, you need to grab the embed codes. You can find your embed code in your CLYM account by going to PROPERTIES. At this stage, you will need to add your first Property, which is your website.
This plugin will simply generate a menu item under the Settings tab of your admin dashboard, called CLYM.io. There you will have to paste your CLYM embed code and select your preferred location for the script. Usually, it would be a good idea to select the Footer as your desired location, but it really depends on your WordPress setup.
All set and done, now it’s time to paste the embed code into the CLYM settings page on your website.
That’s pretty much it for now. You have a GDPR compliance solution up and running on your website in a few easy steps. Once you get the hang of it, trust me, you will see how much time it saves you managing this kind of stuff. And how easy it is too.
We will write a follow-up post soon enough that will guide CLYM users through the dashboard, so up until then, enjoy using CLYM 🙂 You’ll love it!
P.S.: If you find this post to be useful, consider sharing it and spread the love 🙂
DISCLAIMER: Yes, this is both an educational and a marketing article at the same time. We feel strongly that we have found the best and simplest to use GDPR compliance solution out there, and we feel the need to share it, as we use it too, and even joined their partner program. CHECK OUT CLYM.io!
Also, this is NOT legal advice, this is just a small guide that may help you in your efforts; all website owners should seek accredited legal advice in this matter in order to see how these new regulations specifically apply to them!