GDPR WordPress compliance tips for New Zealand businesses

I am going to keep things very topline here. There is so much information on the internet around the GDPR, what it is and what to do to ensure your business complies. The problem is, there is too much of it, and it can become an overload, especially when you look at everything else on your to-do list. I have been doing a lot of reading, and this is a snapshot of the adjustments you can make to your WordPress website, along with other GDPR tips for New Zealand businesses.

Disclaimer: this is by no means legal advice and is based entirely on my findings of this subject so far. It’s likely that many things could change regarding the law or that plugins could become updated. Please seek proper legal advice on the subject if required and remember to check for the latest WordPress updates.

What is the GDPR?

One of the hottest topics at the moment, the GDPR (General Data Protection Regulation) comes into effect on 25th May 2018 and changes the way businesses and organisations handle and process our personal data. Although it is an EU law, you will be required to comply with the GDPR as long as you store or process the personal data of EU citizens, even if you are not an EU citizen yourself.

I am in New Zealand though – why does this impact me?

This law encompasses all citizens of the EU, regardless of where in the world they are. Even if you only offer NZ shipping, your customers may still be EU citizens, whether they live in NZ or are just visiting. Therefore, it impacts all of us.

What do I need to do for my business?

    1. Make a list of all of the ways that your business collects information from people. Examples include:
      • Ecommerce checkout
      • Membership or subscriber sign up
      • Client onboarding form
      • Contact forms
      • Newsletter sign up forms
      • Cookies on your website to assist with user journey
      • Google Analytics (yep – more info on that soon)
    2. If you don’t already have a Privacy Policy on your website, you now absolutely need one. Where can you get a policy?
    3. Search for any specific GDPR information that your third party providers have offered to help you, e.g. Mailchimp (or whichever email marketing system you use), Google Analytics, etc. This information will help populate your Privacy Policy correctly.

Making changes to my website

Add this helpful plugin

This GDPR plugin will add additional functionality to help you with overall compliance: https://gdpr-wp.com/
Free version: https://wordpress.org/plugins/gdpr/

SSL certificate

If your website still does not have an SSL certificate, this is now essential, especially if you collect any personal information (including contact forms!), so that what people type into your site travels over HTTPS rather than in plain text. Please contact your host for more information on how to action this.

Adding your Privacy Policy

Ensure that your Privacy Policy is easily accessed.  The footer of your website is a fairly standard location for this to go – and many WordPress themes have a specific Footer navigation option for menu placement.

Include a link to your Privacy Policy from your Terms & Conditions – which should also be located within this footer menu.

Woocommerce changes are being released on May 23rd (yes, cutting it fine to the deadline!) that should allow the Privacy Policy to be added to the checkout as easily as the Terms & Conditions already are. If you link to your Privacy Policy within your existing T&Cs, though, this will help in the interim.

Woocommerce

Checkout

Within the e-commerce checkout process, we are obviously collecting a lot of customer information. Woocommerce are working to have compliance tools included (the latest update is to be released 23rd May). More info here: https://woocommerce.wordpress.com/2018/04/10/how-were-tackling-gdpr-in-woocommerce-core/

This will include ways for customers to request a copy of their information, and to have it deleted permanently.

If you have customers currently being automatically added to mailing lists or databases based on their purchases, you will need to amend this to gain their permission within the process.
Similarly, if you have a checkbox to join your mailing list – this can no longer be pre-ticked. Customers need to tick this box themselves.

Guest checkout vs Accounts

Customers who check out without creating an account will leave a data trail that they cannot log back in to access, delete or update. You should have the option for customers to create an account active within your Woocommerce checkout. This way, consumers have the choice to manage this information in the future, without discouraging those customers who do not wish to set up an account.

Enabling customer account creation at checkout

Abandoned cart

Abandoned cart emails are a very grey area and I would proceed with caution. The GDPR requires you to gain explicit consent before storing or using personal information. If a visitor to your site abandons their cart, they have not completed the transaction, which is where you have an acceptance of your Privacy Policy. Without this, was consent given?

You could have a form at the top of the checkout page with a tick box asking for their consent to abandoned cart data collection… but I wonder if this would act as a deterrent to transaction completion as a whole?

Contact forms

On contact forms, you are obviously collecting information from people. You therefore need to add a checkbox for people to agree to you using this information, and it must not be ticked by default.

Contact Form 7 is a plugin that I use on a lot of client websites. This shows how to add this checkbox to a contact form: https://contactform7.com/acceptance-checkbox/. Other contact form plugins will also have something similar.

Ninja Form example of GDPR compliance

Mailing list sign up forms

When collecting details for mailing lists, you need to ensure that you are detailing what their data will specifically be used for, how they can unsubscribe, and how their data will be stored.

Mailchimp GDPR sign up form example

For those of you using Mailchimp (or another similar system), your Privacy Policy will need to refer to the Privacy Policy of these specific third party providers too, e.g.

We use Mailchimp for our marketing automation platform. By joining our mailing list you acknowledge that the information you provide will be transferred to Mailchimp for processing in accordance with their Privacy Policy and Terms.

Joining our mailing list is optional, although recommended. If you have signed up to our mailing list and would like to unsubscribe, simply email us at [email address] with “Unsubscribe” in the subject area, and you will be removed immediately. Alternatively, all emails sent via Mailchimp also have an unsubscribe link in the footer.

Website backups

Hopefully you are making regular backups of your site and storing them away from your website and host. Those backups contain your customers’ personal information too, and that copy now sits somewhere other than your website. You can add additional protection to this data by ensuring that your backups are encrypted, so that a copy obtained from the offsite location is unreadable without the key.

UpdraftPlus Premium is one plugin which offers this functionality:

One thing you need to ensure is that your backups of your customers’ private data are protected. To help with this, UpdraftPlus Premium can encrypt the data in your backups. It has an industry-standard AES encryptor that keeps all of the sensitive WordPress installation data (e.g. passwords, lists of users, secret keys, etc.) stored in your database completely secure.

Google Analytics

While Google Analytics does not collect personal information that can identify website visitors individually, it still tracks their activity and, as such, comes under these new rules.

A blog I read referred to the Australian Government Privacy Policy, and I really like the simplicity of the way they have written this portion:

Our website uses Google Analytics, a service which transmits website traffic data to Google servers in the United States. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. We use reports provided by Google Analytics to help us understand website traffic and webpage usage.

By using this website, you consent to the processing of data about you by Google in the manner described in Google’s Privacy Policy and for the purposes set out above. You can opt out of Google Analytics if you disable or refuse the cookie, disable JavaScript, or use the opt-out service provided by Google.

I hope this has been helpful, and I would appreciate feedback on any additional constructive, actionable points that I may have missed.
My goal is to create a resource that helps business owners with their compliance when there is so much information overload.

*This post does include affiliate links to some recommended plugins. This does not incur any additional costs to you, but I may earn a small commission.
