Knowledge Base

GDPR Action Items

General Data Protection Regulation, EU Law. Compliance required by May 25, 2018. All EU citizens, even retroactively, must have special protections in place to guard their data privacy. This applies to anyone who might have an EU citizen’s data stored in their email marketing, ecommerce, subscriber/comments databases, etc. Fines for non-compliance are potentially up to €20 million or 4% of annual global revenue. Here is the actual law: https://gdpr-info.eu/

Email Marketing

• Make it clear to people what they are opting in for. 
  

• You need to ask them if they want to receive regular mailings about x,y,z topic. They need to check a box or opt in in some very clear way. You can’t offer them a Content Upgrade and just put in small print (oh, and we’ll also email you from time to time). Pre-checked checkboxes are a violation.
  

• It’s not clear to me, but saying “Sign up for my regular mailing list, and you’ll also receive…” might comply?
  

• For Mailchimp: They now have GDPR compliant form options. 
  

• These are only certain form types, not embedded or pop-up.
  

• They also have a Data Privacy addendum to their agreements that let you legally transfer data from EU citizens to MailChimp US: Fill out here.
  

• Will probably not integrate yet with Opt-in Monster or other Pop-up plugins we’re using
  

• Opt-in Monster says they’re working on GDPR compliance and should be there by mid-May
  

• For Active Campaign
  

• They are taking a more manual approach. Encourage users to:
  

• Use double-opt-in
  

• Know how to export and delete data if asked
  

• Reach out to existing subscribers before May 25 for permission
  

• Include content blocks on forms specification data usage policies
  

• You can request to use their Data Process Agreement by filling out this form: https://ac.activehosted.com/f/2176
  

• This is retroactive: consider deleting EU subscribers if you’re not sure you collected their addresses in a compliant manner. 
  

• If no address data, possible to tell by IP of subscription? Of course, EU citizens can subscribe from anywhere so this is not foolproof.
  

• Or, before the end of May, email everyone and ask for consent. Can use MailChimp GDPR forms for this.
  

• Make sure we use double-opt-in. This is a big protection for you because it’s a clearer record of consent.
  

• Ensure people have a clear option for both unsubscribing and updating their personal information In mailings.
  

• Ensure people who unsubscribe are fully deleted from the list so you never accidentally mail them again.
  

• If you sign people up manually, make sure you keep the physical records that indicate they consented to your list.
  

• Have a Privacy Policy. Make sure:
  

• You link to it.
  

• Better yet, people have to check a box to consent to it.
  

• It explains what you do with their data, how you protect it, who has access to it.
  

• It explains how 3rd party vendors use their data or it disclaims responsibility for 3rd parties.
  

• Consult lawyer for this, but:
  

• some advice here: https://termsfeed.com/blog/privacy-policy-email-newsletters/
  

• Good walkthrough of components here.
  

• Possible contract templates for purchase
  

• https://thecontractshop.com/
  

• http://karen-taggart.com/templates
  

• UK toolkit for creation with a free trial
  

• Free template
  

• https://seqlegal.com/free-legal-documents/privacy-policy
  

• How to update existing Privacy Policy to add GDPR items.
  

• Note: small organizations do not need a Data Protection Officer (DPO)
  

• Note: One theme developer argues that it’s better to just declare everything in your privacy policy under “legitimate interest” and forget about trying to get consent for everything. 
  

Websites

• Use https: to protect data in transit (this can mean WP subscriber/member data)
  

• If you’re not sure what all is happening with data collection on a site, a security audit plugin can help. https://wordpress.org/plugins/wp-security-audit-log/
  

• You must notify users if there is a data breach within 72 hours. 
  

• Practically speaking, use Wordfence and turn on notifications
  

• You must provide users with:
  

• Right to know how their data will be used (privacy policy)
  

• EU Citizens must be informed and give consent before you take their data, every time
  

• Right to completely erase their data (manual or plugin)
  

• Possibly: Delete Me plugin: https://wptavern.com/delete-me-wordpress-plugin-assists-website-owners-in-granting-the-gdpr-right-to-be-forgotten
  

• Right to access and transport a full copy of their data (manual or plugin)
  

• Wordpress and all plugins will need to provide the ability to export for the user and erase their data
  

• Consider these data collection points and more:
  

• user registrations/membership signups,
  

• comments,
  

• contact form entries,
  

• analytics,
  

• any plugins that log user data,
  

• security tools and plugins
  

• For String this means, at minimum (add to list)
  

• WooCommerce
  

• Now had a compliance guide here: https://woocommerce.com/gdpr/
  

• Gravity Forms
  

• Guidance here.
  

• Jetpack
  

• They now have a privacy policy helper
  

• Other Contact Forms plugins
  

• Memberships plugins
  

• Wordpress Comments
  

• Addressed in 4.9.6 release, but needs configuring
  

• Akismet:
  

• Compliance promised
  

• Now has a feature you must enable if you have EU visitors, where you can turn on privacy notice on comment forms
  

• Wordfence
  

• Compliance completed: Info on their terms and cookies set.
  

• Social Warfare:
  

• SW doesn’t store user data. Date goes through APIs to individual social media services and UTM identifiers to Google Analytics. https://wordpress.org/support/topic/gdpr-compliance-163/
  

• CleanTalk
  

• OptinMonster
  

• Wordpress should be updating to add consent to comments and ability to export data: https://make.wordpress.org/core/2018/02/19/proposed-roadmap-tools-for-gdpr-compliance/
  

• Wordpress is up to date: info on new release here. Needs configuring.
  

• Wordpress under Settings > Privacy will generate a partial privacy policy for you from template. It needs a lot of data filled in, however, so other templates listed in this doc may be easier
  

• Other plugins should be adapting soon
  

• 3rd Party Plugins that can help:
  

• https://wordpress.org/plugins/wp-gdpr-compliance/
  

• https://nl.wordpress.org/plugins/wp-gdpr-core/
  

• https://gdpr.createit.pl/
  

• Google Analytics
  

• If you’re passing any personally identifiable information to Google, you’d be out of compliance
  

• Most String Customers’ sites will have some EU traffic.
  

• A GA auditing tool to be sure you’re not passing personally identifiable data to GA: https://www.littledata.io/features/audit
  

• For String:
  

• Consider where customers might be passing identifiable data to GA
  

• Consider reviewing to be sure all GA properties are under ownership of clients, not String
  

• Concise new guide for Wordpress site owners here.
  

Enforcement of GDPR:

• EU authorities can fine US companies through existing methods of international law
  

• Fines for non-compliance are potentially up to €20 million or 4% of annual global revenue
  

• There are already precedents using pre-GDPR EU privacy laws
  

• No one knows how hard-line of a stance various EU countries will be in enforcing the GDPR for countries in the US accidentally taking EU data
  

• Source
  

Global String Consideration:

If a client is collecting EU data incorrectly using tools that are under String memberships or licenses, could string be accountable? Perhaps we need some sort of “hold harmless” clauses in contracts for data privacy practices of clients that refer specifically to GDPR if we don’t have something that already covers that.