With the General Data Protection Regulation (GDPR) in full effect on May 25, 2018, we’re working toward understanding what this new rule means for us, as well as our clients with whom we’ve partnered on website development.

What we know for certain—the deadline for compliance is May 25, 2018. What we don’t know—the nuts and bolts of the specific changes that need to be made to our websites. Though it’s not cut and dry, this law is not something to ignore even though it’s coming out of the European Union. It applies to website traffic from any individual located in a European country, which our sites can easily have, especially if you’re a CVB.

Getting Informed

This law basically looks at how data is collected and handled. For us, and most of our clients, this means collecting contact information in the form of email or physical addresses for newsletters or visitors guides (as an example). The overall goal should be to enact measures of complete transparency with how, and why, you’re using data collected from your website.

There’s no shortage of information to be found on this topic, so a good first step is getting some base knowledge of GDPR. Here are a few helpful links:

• The official GDPR informational site
• A high level overview for GDPR and WordPress
• A step by step guide along with free plugin for WordPress

Some Considerations

Since all websites are different, utilizing different analytics and plug-ins, there’s not a one-size-fits-all approach to this so knowing what steps to take can be understandably confusing. We’d suggest contacting a lawyer to remove all the guesswork. Once you know a list of things that will need to be updated, contact us and we’ll determine how we can help.

Privacy Policy

Every site should now have a detailed privacy policy in place. It should include specifics on what information you collect, how it’s collected and how it will be used. Examples include any cookies your site may be adding, why they are added, what they do, how you handle form submission data, if you store it somewhere and what it is used for, etc.

Forms, including Newsletter Signups and Comments

• Required Consent – All forms, even newsletter signups, should contain a consent checkbox that states users are providing consent to submit their data and agree to your terms. It could be helpful in some cases to link directly to your privacy policy or a specific page detailing what you will be doing with the data from that form.
  • Example: “I consent to my submitted data being collected and stored to fulfill my request.”
  • You may not pre-check consent boxes on forms, all boxes must be unchecked by default and require the user to check them for the form to submit.
• Data Minimization – One of the points regarding collecting personal data under GDPR is data minimization. This basically means you should only be asking for data that you specifically need to process the request. One of the first things you should do is review your existing forms and remove any fields that aren’t specifically necessary for the task.

User Data Information Requests

One of the key pieces of this new legislation is the ability for users to be able to request from a site all data that has been stored on them and then either request it be deleted or edited. This could be done with fancy code or plug-ins based on what information is stored, or could be a manual edit or deletion that someone on your team handles when a request comes in. The main point is that a user needs the ability to request this, whether that is as simple as submitting your contact form, emailing you, or more elaborate technical solutions.

Bottom Line

Thankfully, WordPress 4.9.6 was just released and has a ton of new changes for GDPR built in—such as automatic privacy policy page selection in core, exporting/deleting user data from supporting plug-ins, comments, etc.

Though we aim to stay current on industry standards for any service we offer, this is a complicated issue. We don’t yet have all the answers regarding what it means for projects we’ve developed or how we’ll need to evoke measures to make sure future ones will be compliant. We can ensure that we’re working to get up to speed in order to continue to help our clients to the best of our ability.