GDPR Essentials

Let’s get straight to what is definitely required and some useful security tips without too many confusing details of how to do it.

This guide will help ensure you are working towards your WordPress site being GDPR compliant. I have also added a few tips on general WordPress security, which is what the GDPR is mostly concerned with.

DISCLAIMER: We are not legal professionals and this post is to enable readers to understand the steps they are required to take. This does not guarantee your site will fully comply with GDPR requirements. Always make a full backup of your site before making changes or adding plugins.

1: Update to the Latest WordPress Version

WordPress developers added built-in GDPR settings to the core. If you have already updated, you will have noticed some new notification windows and may have followed the directions in them. Here are the important features for you to take action on, no matter what kind of service you provide:

  • Comment Opt-in
    This is now in the comment section by default so no need to do anything.
  • Privacy Policy Generator
    Define your policy page. You can use the “Create a New Page” option, but you will need to edit that policy template to disclose all of the cookies and data being collected by your website. You will also need to add further information or delete sections that do not apply.
  • Data Export and Erase
    Visitors email a request via a clear link or contact form on your site. You will be notified and have 30 days to respond by either sending them their data or deleting it. There are new menu items under Tools/ to help you achieve this.


2: Personal Data – Contact Form Opt-in Checkbox

  • Failsafe
    If you are not collecting personal data this can be tackled a different way, but should you want to cover all eventualities, now and in the future, and are not concerned about the “extra click”, this method is a failsafe.
  • Unchecked
    If you are collecting personal data you must add an “unchecked” box and an HTML text link to your Privacy Policy page (opening in a new window or popup window). Most people will not read your Privacy Policy, but the law is that the visitor must tick the box themselves to accept your terms before sending their information. Most contact form plugin developers have added the feature, but it isn’t always an automatic process.
  • Privacy Policy
    This is different to a Privacy Statement. A Privacy Policy is internally focused telling employees what they may do with personal information while a Privacy Statement is externally facing telling customers, regulators, and other stakeholders what the organisation does with personal information.
  • reCaptcha
    Most contact form plugins now have reCaptcha integration. Contact Form 7 is one of the more popular ones, and you will see the reCaptcha options under the Integration menu option. Click on the link and follow the instructions to get your reCaptcha credentials (Site Key and Secret Key), then paste them into the fields in the settings panel.

3: Securing Forms and Anti Spam Advice

  • Input validation
    This is the checking of the data type submitted, for example only numbers in a telephone field and valid email addresses in the email field.
  • Challenge Response
    You will certainly have seen these, and similar verification methods, on many forms. They mean a visitor has to manually complete a task such as a mathematical sum (2 + 7 = ?) or selecting relevant images to prove they are not an automated spambot. reCaptcha: there is now a very simple new reCaptcha method, also from Google; it is a simple rectangular module with a checkbox and “I am not a robot” text.
  • Double Opt-In
    This is not something that can be applied to the web form itself; it is controlled either through your plugin settings or through your eMarketing provider settings. This method means the subscriber has to confirm the subscription twice, by clicking on a confirmation link sent by email.
  • Honeypot Method
    The most common example of this is a single input field which is hidden from visitors. Spam bots still pick up the presence of the field and input text into it, which leads to the submission being automatically rejected. As the visitor cannot see the field, it is a clean and unobtrusive anti-spam method.
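As an added example (not code from this post or from any contact form plugin), here is a plain-PHP handler that applies the checks from sections 2 and 3 to one form submission: the honeypot field must be empty, the consent box must have been ticked by the visitor, and each field is validated by type. The field names (`website_hp`, `consent`, `email`, `phone`, `message`) are assumptions for this example.

```php
<?php
// Added example: validate a contact form submission the way the post describes.
// Field names are assumed for this example; map them to your own form.

function validate_contact_submission(array $post): array
{
    $errors = [];

    // Honeypot: the field is hidden with CSS, so a real visitor never fills it.
    // A bot that fills every input trips this check; reject without explaining why.
    if (!empty($post['website_hp'])) {
        return ['ok' => false, 'errors' => ['spam'], 'data' => []];
    }

    // Consent: the box ships unchecked, so only an explicit "1" counts as acceptance.
    if (($post['consent'] ?? '') !== '1') {
        $errors[] = 'consent';
    }

    // Email: must be a syntactically valid address.
    $email = filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email';
    }

    // Telephone: digits only (separators stripped, optional leading +), 7 to 15 digits.
    $phone = preg_replace('/[\s\-()]/', '', $post['phone'] ?? '');
    if (!preg_match('/^\+?\d{7,15}$/', $phone)) {
        $errors[] = 'phone';
    }

    // Message: non-empty, bounded length, HTML stripped before storage or emailing.
    $message = strip_tags(trim($post['message'] ?? ''));
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors[] = 'message';
    }

    if ($errors) {
        return ['ok' => false, 'errors' => $errors, 'data' => []];
    }
    // Record when consent was given alongside the data, for the data request log.
    return ['ok' => true, 'errors' => [], 'data' => [
        'email' => $email, 'phone' => $phone, 'message' => $message,
        'consent_at' => gmdate('c'),
    ]];
}

// Constructed sample: a bot that filled the hidden field is rejected as spam.
var_dump(validate_contact_submission([
    'email' => 'visitor@example.com', 'phone' => '01234 567890',
    'message' => 'Hello', 'consent' => '1', 'website_hp' => 'http://spam.example',
]));
```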

4:  Functional Cookies Awareness

  • Failsafe
    Most WordPress sites need at least one non-functional cookie: who doesn’t have Google Maps, analytical statistics, social media interaction, etc.? A visitor to your site needs to be aware of how your site is tracking their usage data before they continue past the first page they land on. Similar to the opt-in checkbox for contact forms, a visitor must manually accept your cookies even if they choose not to read your policy.
  • Cookie Policy Page
    Your Cookie Policy must contain clear information about how your visitors’ activity is logged, analysed and more. It must also contain a list of the cookies being used. There are plugins and online resources which can help with generating cookie policies, but be aware that it is impossible to guarantee 100% perfection.
  • Google Tag Manager
    This is another option many larger sites may use, albeit rather complex for the layperson. You would need to update these tags as your cookie deployments increase due to plugin installations, as visitor forms change, and so on.
  • 3rd Party Plugin
    Complianz have developed a free and a Pro version of their plugin, which has a cookie detector feature that populates a Cookie Policy and adds a cookie banner for your visitors. You can visit their site for the Pro version or find the free version in the WordPress repository.

5: Data Requests/Breaches

  • WordPress Update
    As mentioned at the beginning of this article, WordPress has added a feature to enable site admins to facilitate requests.
  • Make it Easy
    With or without plugin assistance, you have to make it easy for visitors to request what personal information you hold on them or to delete their data entirely. Even leaving a comment on your site requires data storage. In order for them to make their request you will need to create a simple method for them to get in touch, such as a dedicated contact form on a page called Privacy Tools. A link to this page should also be clearly available throughout your site, preferably in the header but acceptably in the footer.
  • Privacy Policy and Privacy Statement
    How to get in touch should be clearly outlined in the Privacy Policy and Privacy Statement with a link to your Privacy Tools page.  The Pro version of Complianz has a wizard that can generate these important pages.
  • Data Request Response
    You must respond to requests within the time limits outlined by current law.
  • Data Breach
    In the case of a data breach you must notify the ICO as outlined in the GDPR. Depending on the severity of the breach consider whether to notify your customers. In any event you must record all details in your own breach log.
  • 3rd Party Plugins
    Data Requests can also be managed by a number of recently developed plugins. They offer autogeneration of policies, a data request form page and more.  Some automate the whole process with various options.

6: SSL Certificate

  • Encryption
    An SSL (Secure Sockets Layer) certificate authenticates the identity of a website and encrypts the information sent between the visitor’s browser and the server. Though there is currently no specific text in the GDPR on the use of SSL certificates, it has clear requirements that can only be addressed through their use.
  • Obtaining SSL Certificates
    Your hosting provider can usually help you purchase a certificate and, quite often, they are free if you pay for a year of hosting in advance. It is a straightforward process which also helps validate that your site is legitimately owned by an individual or business.

7: WordPress Admin Login

  • Radically Decrease Brute Force and Other Hack Attacks
    Change the default www.yourdomain.com/wp-admin/ URL to something less obvious but memorable, such as www.yourdomain.com/web-bus/.
    There are a number of lightweight plugins that can do this, and it is surprising it is not part of the WP core features.
  • Admin Username
    When setting up WordPress for the first time do not use the default “admin” username. If you already have “admin” as a username, set up a new user with full administrative controls and then delete the original user. If your installation does not allow this action there are plugins that can change the admin name; don’t forget to delete the plugin after success.

8: Whole Site Security Plugins

Though the GDPR does not set out much about how you can protect your site and does not endorse any particular hosting companies, server models, software, plugins etc., it does say you must make considerable efforts to ensure the safety of user data and tell your users and visitors how you’re doing it. The plugins below are just a handful of the better known and more widely used, the tip of the iceberg. Some have free versions which you can upgrade for more features, so have a look through the WordPress Plugin Repository and test drive a few before making your mind up.

9: WooCommerce Checklist Link

By now you will be quite overwhelmed, even though I have attempted to keep these steps as short as possible. When you feel ready to look at the further requirements for WooCommerce GDPR, I recommend this article at www.businessbloomer.com (link opens in a new window).
