
GDPR: Here’s the Breakdown

As your trusted web partner, we thought we’d give you the breakdown of what Europe’s GDPR (General Data Protection Regulation) might mean for your business.

The GDPR is a comprehensive privacy regulation, enacted by the European Union, that went into effect on May 25, 2018. It aims to give individuals full disclosure of, and control over, how their personal data is collected and used. You have probably noticed several emails from companies you subscribe to or have done business with, letting you know that they have updated their privacy policy. This was a direct result of the GDPR, and you can expect more companies to follow suit.

At the moment the regulation reaches any business that operates in the EU, or that offers services to or monitors individuals in the EU, wherever that business is based. Such businesses must disclose to their users how they collect, use and store personal and sensitive data, such as names, home addresses, IP addresses, location data and cookies. Users may also ask those same companies to delete their data.

While you may not be doing business in the EU, note that GDPR compliance is a complex process, and the regulation is likely to influence US privacy laws, such as HIPAA, in the near future. Complying with the GDPR is preparation for what is likely to come, and it also helps to foster a safer internet.

Below are some practices that we already have in place, as well as some that you may want to adopt to make your website more GDPR compliant.

How Our Data Centers Handle & Protect Data

  • Confidentiality
    • HTTPS with TLS certificates (still commonly called SSL certificates) to encrypt information in transit between the user’s browser and our server
    • Pseudonymization: direct identifiers (PII) are kept separately from the rest of a record, so the working data cannot be attributed to a person without the separately held key
    • Encryption to protect data in use and at rest
  • Integrity/Accountability
    • Controlled methods of access (individual logins, facility access controls) for each user
    • Compartmented, need-to-know access to information; every addition, change, or deletion of data is logged
  • Availability
    • Redundant systems, such as internet connectivity, utilities, HVAC, and hardware, with no single point of failure
    • Reviews and audits of hardware and infrastructure to ensure it can handle expected loads
  • Compliance
    • Continuous internal and external audits of compliance with common security and privacy standards such as HIPAA, FERPA, SOX, SOC 2, and PCI DSS, whose security requirements overlap substantially with the GDPR’s
  • Data Minimization
    • Not receiving or storing information unless it is absolutely necessary

GDPR Updates our Product Developers Have Made

  • WordPress Has Rolled Out Some New GDPR Compliance Tools in their Recent Update
    • A privacy policy page generator has been added that lets you create a privacy page pre-filled with WordPress’s default and suggested text, or you can add your own policy instead. To fill it out adequately you need a developer to identify the processes listed there and make sure each one runs only after consent has been given, and a lawyer or GDPR expert to ensure that every policy that needs to be listed has been included.
    • A personal data request, export, and erasure tool has also been added. An admin enters the user’s email address; WordPress emails the user a confirmation link, and once the request is confirmed the admin can export the user’s data (registered user information and comments) as a downloadable archive, or erase it. Data held by third-party plugins, such as form submissions, is included only if the plugin registers its own exporter and eraser with WordPress’s privacy tools.

  • The Avada WordPress Theme Has Made Some Updates for Improving GDPR Compliance
    • Google Fonts can now be hosted locally, so the visitor’s browser no longer sends its IP address to Google’s font servers on every page load.
    • Privacy settings have been added for embeds such as YouTube, Facebook, and Twitter, so visitors opt in before the embed, and the cookies those services set, are loaded.
    • A custom registration message option has been added for new user registration forms so that an opt-in statement may be included.
    • The theme is now more transparent about when it collects data about you as a theme user.

If you have one of these in place on your website, but do not have access to these capabilities in the new updates, get in touch with us and we will help you make use of these new features.

Updates That Can Be Made To Your Existing Website

  • Add Opt-in Check Boxes to Existing Forms
    • If you have contact, career, or other forms on your site, a checkbox can be added so that users opt in to their data being stored when the form is submitted. Leave the box unchecked by default and make it required: under the GDPR, pre-ticked boxes and silence do not count as consent.

  • Update Your Existing Privacy Policy and Add an Option for Users to Opt-in to These Terms
    • Meet with your legal counsel or GDPR expert, and contact your Account Manager, to pin down all the ways your site transmits data and sets cookies, so that you can draft a privacy policy that states everything the GDPR requires.

  • Set Up Google Analytics to Track Only After Explicit Consent Has Been Given
    • If you have Google Analytics on your website, users need to be able to opt in to being tracked, and to request that their data be deleted. Google has recently made updates that make this easier, but it requires a more integrated approach: tracking tags managed through Tag Manager and fired only after an opt-in. Meet with a developer to wire Google Analytics up in an opt-in friendly way, and with legal counsel or a GDPR expert to identify all the changes your company needs to make.
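The three items above share one mechanism: a decision recorded in a first-party cookie, a tracker that is not loaded until that decision says “granted”, and a withdrawal path that is as easy as consenting. The following is an added example (not code from the original post, the agency, or Google) of that gate in JavaScript. It assumes a cookie named site_consent, a placeholder property id UA-XXXXXX-Y, and the documented window["ga-disable-<ID>"] opt-out flag that Google Analytics honours; the cookie jar is pluggable so the logic runs under Node, and MemoryJar is constructed for that purpose as a stand-in for document.cookie.

```javascript
// Consent-gated analytics loader: added example, not code from the original
// post, the agency, or Google. Assumptions: a first-party cookie "site_consent"
// records the visitor's decision, "UA-XXXXXX-Y" is a placeholder property id,
// and window["ga-disable-<ID>"] is the documented Google Analytics opt-out flag.
// The cookie jar is pluggable so the logic runs under Node; MemoryJar is
// constructed for that purpose and stands in for document.cookie.

const CONSENT_COOKIE = "site_consent";
const CONSENT_VERSION = 2;   // bump when the privacy policy changes, forcing re-consent
const CONSENT_TTL_DAYS = 180;

// Serialise a decision as "v=2;analytics=granted;ts=1717000000".
function encodeConsent({ analytics, ts }) {
  return `v=${CONSENT_VERSION};analytics=${analytics ? "granted" : "denied"};ts=${ts}`;
}

// Parse a stored decision. Null means missing, malformed, or written under an
// older policy version, in which case the banner must be shown again.
function decodeConsent(raw) {
  if (typeof raw !== "string" || raw === "") return null;
  const fields = {};
  for (const part of raw.split(";")) {
    const i = part.indexOf("=");
    if (i <= 0) return null;
    fields[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  if (Number(fields.v) !== CONSENT_VERSION) return null;
  if (fields.analytics !== "granted" && fields.analytics !== "denied") return null;
  const ts = Number(fields.ts);
  if (!Number.isInteger(ts)) return null;
  return { analytics: fields.analytics === "granted", ts };
}

// Constructed stand-in for document.cookie; a browser jar exposes the same methods.
class MemoryJar {
  constructor() { this.map = new Map(); }
  get(name) { return this.map.get(name); }
  names() { return [...this.map.keys()]; }
  set(name, value, _days) { this.map.set(name, value); }
  remove(name) { this.map.delete(name); }
}

class ConsentGate {
  // loadAnalytics(id) injects the tracking script; it runs at most once per page.
  constructor({ jar, loadAnalytics, measurementId, now = Date.now, scope = globalThis }) {
    Object.assign(this, { jar, loadAnalytics, measurementId, now, scope, loaded: false });
  }
  current() { return decodeConsent(this.jar.get(CONSENT_COOKIE)); }
  // Run on every page load. Returns true when a valid decision is stored (no
  // banner needed); the tracker starts only if that decision was "granted".
  init() {
    const decision = this.current();
    if (decision && decision.analytics) this._activate();
    return decision !== null;
  }
  grant() {
    this._record(true);
    this._activate();
  }
  // Withdrawal must be as easy as consent: record "denied", set the opt-out flag
  // so an already-loaded tracker stops sending hits, and delete its cookies.
  withdraw() {
    this._record(false);
    this.scope["ga-disable-" + this.measurementId] = true;
    for (const name of this.jar.names()) {
      if (name === "_ga" || name === "_gid" || name.startsWith("_gat")) this.jar.remove(name);
    }
  }
  _record(analytics) {
    const ts = Math.floor(this.now() / 1000);
    this.jar.set(CONSENT_COOKIE, encodeConsent({ analytics, ts }), CONSENT_TTL_DAYS);
  }
  _activate() {
    if (this.loaded) return;
    this.loaded = true;
    this.loadAnalytics(this.measurementId);
  }
}

// Two page loads and a withdrawal; returns the observed events in order.
function runDemo() {
  const jar = new MemoryJar();
  const events = [];
  const opts = { jar, loadAnalytics: (id) => events.push("loaded " + id),
                 measurementId: "UA-XXXXXX-Y", now: () => 1717000000000, scope: {} };
  const firstVisit = new ConsentGate(opts);
  events.push("decision stored: " + firstVisit.init());   // false: show the banner
  firstVisit.grant();                                      // visitor clicks "accept"
  const secondVisit = new ConsentGate(opts);               // next page load
  events.push("decision stored: " + secondVisit.init());  // true, and the tracker loads
  jar.set("_ga", "GA1.2.1", 1); jar.set("_gid", "GA1.2.2", 1);  // cookies GA would have set
  secondVisit.withdraw();
  events.push("ga cookies left: " + jar.names().filter((n) => n.startsWith("_g")).length);
  return events;
}

if (typeof require !== "undefined" && require.main === module) console.log(runDemo());
```

In a browser, the banner’s accept button calls grant(), a “withdraw consent” link in the privacy policy calls withdraw(), and loadAnalytics appends the gtag.js script element. A jar built on document.cookie should write the consent cookie with Secure, SameSite=Lax and a Path of /, and when removing _ga it must pass the same Domain attribute Google set (the registrable domain), otherwise the browser keeps the cookie. Bumping CONSENT_VERSION after a policy change invalidates every stored decision, which is what forces the banner to reappear.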

Plugins That May Be Utilized to Make Your Site More GDPR Friendly

GDPR (WordPress plugin)

        • This plugin’s documentation and setup walk you through identifying the cookies and third-party communications on your site.
        • It lets you create a sticky consent banner with links to your privacy policy and to the specific cookie uses, with an express consent button. It can also keep those cookies turned off until users consent to them, provided a developer wires this up within the plugin.
        • It lets users request a download or deletion of their personal data through forms on the website, and lets you automate the process through WordPress. Note, however, that this may not identify all data associated with a user if you collect data through third-party plugins such as form builders.
        • It allows mass emails to users when a data breach occurs, and adds version control to privacy policies so that updated consent can be requested.

WP GDPR Compliance

        • This plugin provides a helpful guide to setting up your privacy policy for specific integrations such as Contact Form 7, Gravity Forms, WooCommerce, and WordPress comments.
        • It also provides shortcodes to add forms and privacy policies that users can opt in to, and to request download or deletion of their data from those integrations.

GDPR Cookie Consent

        • This plugin lets users opt in to cookie collection by displaying a sticky message at the top or bottom of the page with a link to your full privacy policy and an opt-in button. Developers can key off the stored consent so that cookies are set only after the visitor has opted in.

Shariff

Some share buttons load a third-party script that collects user information as soon as the page loads, regardless of whether the user ever clicks the button. Shariff’s share buttons send no data unless the user actually clicks.
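The reason Shariff-style buttons leak nothing is that each one is a plain link to the network’s public share endpoint, with no embedded SDK. The following is an added example (not the Shariff plugin’s own code) of building such links in JavaScript; it assumes the services’ public share URLs (twitter.com/intent/tweet and facebook.com/sharer/sharer.php) plus a mailto: fallback, and it rejects page URLs that are not http(s) so a crafted value cannot turn the button into a javascript: link.

```javascript
// Third-party-free share links: added example, not the Shariff plugin's code.
// Each button is a plain anchor to the network's public share endpoint, so
// nothing reaches the network until the visitor clicks. Assumed endpoints:
// twitter.com/intent/tweet, facebook.com/sharer/sharer.php, and mailto:.

// Accept only absolute http(s) URLs: a page URL taken from configuration or
// the DOM must not be able to smuggle a javascript: or data: scheme in.
function assertHttpUrl(pageUrl) {
  let parsed;
  try { parsed = new URL(pageUrl); } catch { throw new Error("share: not a URL"); }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    throw new Error("share: unsupported scheme " + parsed.protocol);
  }
  return parsed.href;
}

// Every value goes through encodeURIComponent, so '&', '?' and '#' inside the
// page URL or title cannot break out of their query parameter.
function shareLinks(pageUrl, title) {
  const u = encodeURIComponent(assertHttpUrl(pageUrl));
  const t = encodeURIComponent(title);
  return {
    twitter: `https://twitter.com/intent/tweet?url=${u}&text=${t}`,
    facebook: `https://www.facebook.com/sharer/sharer.php?u=${u}`,
    mail: `mailto:?subject=${t}&body=${u}`,
  };
}

// Render the anchors. rel="noopener noreferrer" stops the opened page from
// reaching back into this window and from learning the referring URL; '&' is
// escaped because the href sits inside an HTML attribute.
function shareButtonsHtml(pageUrl, title) {
  return Object.entries(shareLinks(pageUrl, title))
    .map(([name, href]) =>
      `<a class="share share-${name}" href="${href.replace(/&/g, "&amp;")}" ` +
      `target="_blank" rel="noopener noreferrer">Share via ${name}</a>`)
    .join("\n");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(shareButtonsHtml("https://example.com/post?id=1&x=2", "Hello & welcome"));
}
```

Because the anchors carry no script, they also work with a strict Content-Security-Policy that forbids third-party script sources, which is not true of the networks’ embedded widgets.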

GDPR Compliance for MailChimp

Note: using these plugins alone does not guarantee that your site is GDPR compliant. They are helpful tools that push companies in the right direction, and they still require the assistance of a web developer, legal counsel, or GDPR expert.

Like Forbes, we at Firefly Marketing Inc. believe that

It all comes down to trust and transparency. Customers want to know they can trust companies to take care of their personal information and not sell it or use it inappropriately. Companies that can demonstrate customer trust will be much more successful than unprepared companies inundated with customer deletion requests.

More Information: