GDPR Privacy Policy Update: Upcoming Wordpress Update has 3 GDPR Features
Published on May 16, 2018
Published on Wealthy Affiliate — a platform for building real online businesses with modern training and AI.
New Version of Wordpress Helps You Towards GDPR Compliance: GDPR Privacy Policy Update
We are currently on Wordpress version 4.9.5, but version 4.9.6 is already in beta and, when released [update: now released!], will take care of some of the requirements with three new features:
- GDPR Privacy Policy Update: a new privacy policy template (Settings > Privacy) that you edit with the details of what your site actually collects.
- Export Personal Data: handles a visitor's request (confirmed by email) for a copy of the personal data you've collected on them (Tools > Export Personal Data).
- Erase Personal Data: handles a visitor's request (confirmed by email) to delete the personal data you've collected on them (Tools > Erase Personal Data).
Such personal data comes from various functions on your site, such as comments, and from plugins like analytics, contact forms or WooCommerce. These new features of the Wordpress dashboard take care of 3 of the 6 basic principles of the GDPR that you need to look at:
1. Privacy policy: the updated template gives you the disclosures to fill in.
2. Right of access and 'data portability': the person can request a copy of their data, which the export tool produces.
3. Right to erasure: the person can request deletion of their data, which the erase tool handles.
I'll elaborate further on the privacy policy below, and you'll see how it ties in with the clarity, explanation of terms and full-disclosure vibe going on in GDPR compliance.
Not Built into the WP Core GDPR Privacy Policy Update: Everyone has different plugins & affiliate programs
It's not just about the GDPR Privacy Policy Update, folks: there are other issues around security, consent and your personal accountability. There are many plugins, and every website is free to choose different ones, just as we all choose different affiliate programs, each with its own way of collecting data. Each of these has to be GDPR compliant IF it collects personal data, e.g. contact forms, social media embeds, or the way affiliate programs use email addresses. These are the other three principles not built into Wordpress; they will likely be covered by plugin developers and affiliate platforms, but we should be aware of them:
4. Consent: contact forms and other means of collecting personal data must obtain consent the way GDPR requires, i.e. an active opt-in, not a pre-ticked box.
5. Explanation of terms: you must be clear about what the collected data is being used for, some of this happens in the privacy policy but some happens on forms.
6. Unsubscribe / Opt out: The person must have the ability to opt out at any time.
These things are being worked out by the developers of the plugins for those forms; for us it will mean choosing the ones that are GDPR ready.
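At the code level, "GDPR ready" for a plugin means wiring the personal data it stores into the Tools > Export Personal Data and Tools > Erase Personal Data screens mentioned above, and supplying suggested wording for the Settings > Privacy template. Wordpress 4.9.6 added hooks for exactly that. The following is an added example written for this page; it is not code from the original post or from any real plugin. It assumes a hypothetical contact form plugin that stores submissions in a custom table wp_example_cf_entries with columns id, email, message, submitted_at and legal_hold (1 = must be kept for legal reasons), so that the "data we are obliged to keep" exception can be shown as well as plain deletion.

```php
<?php
/**
 * Plugin Name: Example Contact Form privacy hooks
 * Added example, not from the original post. Assumes a hypothetical table
 * {$wpdb->prefix}example_cf_entries (id, email, message, submitted_at, legal_hold).
 */

// 1. Register an exporter so Tools > Export Personal Data includes this plugin's rows.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-contact-form'] = array(
        'exporter_friendly_name' => 'Example Contact Form',
        'callback'               => 'example_cf_export_personal_data',
    );
    return $exporters;
} );

function example_cf_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;  // Wordpress calls this again with $page + 1 until 'done' is true.
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'example_cf_entries';  // not user input; only the email is bound

    // The address comes from an admin-entered request: still bind it, never interpolate it.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, message, submitted_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-contact-form',
            'group_label' => 'Contact form submissions',
            'item_id'     => 'example-cf-entry-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email address', 'value' => $row->email ),
                array( 'name' => 'Message',       'value' => $row->message ),
                array( 'name' => 'Submitted at',  'value' => $row->submitted_at ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

// 2. Register an eraser so Tools > Erase Personal Data deletes them, except rows on legal hold.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-contact-form'] = array(
        'eraser_friendly_name' => 'Example Contact Form',
        'callback'             => 'example_cf_erase_personal_data',
    );
    return $erasers;
} );

function example_cf_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_cf_entries';

    // Rows flagged legal_hold are the "data we are obliged to keep" case: count them, keep them.
    $retained = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE email = %s AND legal_hold = 1", $email_address
    ) );
    $removed = (int) $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE email = %s AND legal_hold = 0", $email_address
    ) );

    $messages = array();
    if ( $retained > 0 ) {
        // Shown to the admin on the erase screen so the retention can be explained to the requester.
        $messages[] = sprintf( '%d contact form submission(s) retained for legal reasons.', $retained );
    }
    return array(
        'items_removed'  => $removed > 0,
        'items_retained' => $retained > 0,
        'messages'       => $messages,
        'done'           => true,  // everything is handled in one pass, no paging needed
    );
}

// 3. Offer suggested wording that shows up in the Settings > Privacy policy guide.
add_action( 'admin_init', function () {
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return;  // Wordpress older than 4.9.6: the privacy tools do not exist yet.
    }
    $text = '<p>' . esc_html__(
        'When you submit our contact form we store your email address and message so that we can reply. Entries are deleted after 12 months unless we must keep them for legal reasons. You can request an export or deletion of your submissions at any time.',
        'example-cf'
    ) . '</p>';
    wp_add_privacy_policy_content( 'Example Contact Form', wp_kses_post( $text ) );
} );
```

Two points worth checking in any plugin you install: the eraser should report what it kept (items_retained plus a message) rather than silently skipping rows, and both callbacks should bind the email address with a prepared statement even though the request comes from the admin screen, because the erase and export tools only run after the requester has confirmed the address by email and that confirmed address is the only thing identifying whose rows to touch.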
Accountability is Part of GDPR
Wordpress doesn't update your plugins or activate your SSL: YOU must do that!
Security strategy: there is no privacy without security. WA helps us a lot with security, e.g. free SSL certs for all our sites, but you have to make sure you activate it for your site, and you also must keep on top of updates: regularly update your Wordpress version, themes and plugins, or you are at risk of a 'data breach', which is one of the big things the regulation aims to prevent.
Wordpress does make any potential GDPR audit easier now. Accountability is an important part of the General Data Protection Regulation: if someone were to ask you to show what you've done to become GDPR compliant, i.e. audit you, you simply show them the steps you've put in place, such as:
- The updated GDPR compliant privacy policy
- The GDPR compliant versions of your favorite plugins and tools that collect data
- Your security strategy: updates, SSL, etc etc.
A Closer Look at the GDPR Privacy Policy Update
Settings > Privacy: under Settings in the WP dashboard there's a new option called Privacy, where the GDPR privacy policy template lives. It differs from the previous template we had been using on our sites: more is needed in this one, e.g. extra GDPR information and multiple disclosures, many of which will be a learning curve for us, in a good way. WP highlights in yellow the parts we are to change according to what we are using on the site, but leaves some sections pre-filled to help us out, e.g. its own default cookies are already disclosed.

Below is a summary of all the categories WP has laid out in its template; each box has instructions as to what it wants there, e.g.:
· Who we are: I'm hoping our about me page covers this already.
· What personal data we collect and why we collect it: this requires an understanding of their definitions of personal data, e.g. name and surname, email address, IP address. It applies to contact forms, comments, cookies, analytics and third-party embeds, often via plugins. The template also notes that uploaded images should not carry embedded location data (EXIF GPS), because visitors to the site can download the images and extract that data.
· Contact Forms:
- note what personal data is captured, this could vary depending on your choice of form
- how long it is kept [you may need to check with the plugin you are using]
- and how it is used i.e. whether for customer services or marketing
- Note: this is just the privacy policy; elsewhere on your site, when you set up your contact form, you need to make sure it is GDPR compliant too. Form plugin developers are working on that, and there are two new checkboxes necessary now: Ts&Cs and Marketing.
· Comments: State what data is captured through comments eg if there's a name and surname, email address, IP address, gravatar photo.
· Cookies: list the cookies your website uses, including those set by your plugins, social media and analytics. WP states its own default cookies and provides this info for you; this is already filled in:
- if a commenter opts in to saving their name, email and website for next time, that cookie lasts one year
- a temporary cookie set at login to check whether the browser accepts cookies; it holds no personal data and is discarded when you close your browser
- login cookies last two days
- screen options cookies last one year
- 'Remember Me' makes the login cookie last two weeks
- logging out removes the login cookies
- the publishing cookie (set when you edit or publish a post) holds only the post ID, no personal data, and expires after 1 day
*You just need to know if any of the tools you are using set other cookies, and state that. See my link below in the examples of websites for an online shop that states its cookies clearly. Also check SiteContent for any updates to the WA privacy policy on cookie usage.
· Embedded content from other websites:
- videos, images, articles, etc. behave as if the visitor had visited the other website; that site may collect data about you, use cookies and monitor your interaction with the embedded content, including tracking, according to WP.
· Analytics:
- state which analytics package you use
- how users can opt out of analytics tracking
- and a link to information on how your analytics provider conforms to EU data protection law. *For Google Analytics that would be all the recent updates Google has been sending out regarding Data Retention Controls, the Data Processing Amendment and the Privacy Policy. I did a training and some blogs on that here https://my.wealthyaffiliate.com/training/google-analytics-gd...
- Google Analytics also has an IP anonymization option (the anonymizeIp setting in analytics.js), which zeroes the last part of the visitor's IP address before it is stored.
- They also say to disclose if your hosting is collecting anonymous analytics data
- or if you have a plugin providing analytics, in which case you must provide info for that plugin too.
· Who we share your data with:
- only IF you share data with third-party providers, e.g. partners, cloud services, payment processors. You'd have to state what type of personal data and for what purpose.
· How long we retain your data:
- how long, and why, you keep the personal data you collect, e.g. contact form entries, analytics records, the personal data in comments, customer purchases, or whatever. Remember that the default in the GA Data Retention Controls review was 26 months unless you make it shorter; you can leave it at the default.
· What rights you have over your data:
- explain the rights users have over their personal data, e.g. if they have an account or have left comments they can request an export file of the personal data being held, including any data they provided to us. Wordpress provides this under Tools > Export Personal Data.
- They can also request that we delete any personal data. This does not include any data we are obliged to keep for administrative, legal or security purposes. To let them submit the request, either add a form or publish an admin email address. Wordpress provides the erase feature under Tools > Erase Personal Data.
· Where we send your data: list all transfers of site data outside the EU and the means by which they are safeguarded to EU standards; this includes hosting, cloud storage and third-party services. Basically breach prevention. Comment spam filters being abroad is given as an acceptable example. Obviously our hosting and platform will need to supply us with a brief or template on this.
· Your contact info: a contact method for privacy-specific concerns. Only large organizations need DPOs, i.e. 'data protection officers', though to some extent we are those now!
· Additional info: commercial uses, more complex usages... advanced users.
· How we protect your data: explain what measures you have taken to protect your users' data, e.g. encryption / SSL certs, updates. We are set up pretty well here at WA for this.
· What data breach procedures we have in place: explain what procedures you have for dealing with data breaches. There are a couple of other GDPR disclosure categories too, which most bloggers and affiliates don't really need.
Don't Panic!
It's just a template, and who knows how the template here at WA may be updated for us. I'm sure we'll get some questions answered. But at least you know it will be covered going forward.
And bearing in mind the scale of a government data breach, which hits our news every so often, it's those large bodies that are being targeted with GDPR too; they aren't just picking on bloggers, it is everyone who comes into contact with Europeans anywhere in the world.
Also regarding 'the massive fines': 4% of your annual website income may not be a hell of a lot if you are starting out, lol, and I'm seeing they have issues implementing that, as well as a cooling period while they see how the cookie crumbles, pardon the pun! It's your local council and hospital and government and internet provider that will be shaking in their boots at the big-fines threat.
But there's no room to be complacent, ignore it or slack off: you'd be in breach of the law, and that is not the side you want to be on. I'm just saying, don't panic; things are falling into place for Wordpress users with the new update, one step at a time, and we will pull it all together.
Perspective
- I'm also seeing some contradictory advice and hype out there as I wade through the research: people rushing onto YouTube to put up videos for traffic, and plugins, for example, saying you need this or don't need that, yet they clearly haven't read the official documents closely or noted the inbuilt features of the new Wordpress update.
- Then there's some really exaggerated stuff, with people shouting 'data breach' if the visitor enters the wrong email on a contact form! As if that random email address lost in cyberspace could be equated with the sensitive medical-records data breach that hits the news headlines. Sometimes it's just up to us to drive interpretation towards common sense and sanity, while appreciating that some dodgy practices are being stopped, e.g. some types of big marketing out there harvesting our data in eerie ways.
- We also need a bit of perspective: they are not waiting to pounce on us for one lost email; they are expecting some dodgy practices in some parts of cyberspace to be phased out, and at the same time maybe the rest of us taking on a bit more responsibility than we are used to, and being able to demonstrate that we are doing that.
- Don't be scared of 'big fines' if you make a proper effort to comply, and don't be overwhelmed by the new stuff happening right now; we will walk through it calmly here at WA with multiple resources.
- Update: if anyone would like to listen to the RSA Conference 2017 talk, which is a close look at the official rules, I'm just listening to it and it seemed to me pretty common sense. At about 27 minutes in they talk about not getting fined for minor breaches; just record your compliance efforts.
Examples of Websites Approaches to Privacy and GDPR
1. For those of you having a minor GDPR panic attack right now, here's a great example of an updated privacy policy I received today from a webshop. It looks very like the new Wordpress one, with some modifications because they are a shop; you can see how transparent everything is, and they list their cookies clearly too. You might enjoy reading it, as it explains the sort of stuff we do all the time but never quite think about :D

https://www.wearethought.com/thought-clothing-privacy-policy...
2. I saw on an American membership website this week, once I entered the student area, a banner with a link to a page they had dedicated to their GDPR strategy, simply stating 'we are taking this seriously for our European users and are in the process of complying'. It is actually a process right now; even Wordpress and your plugins and services are just going through it themselves, so they simply need to see that you are on board and applying things one by one.

GDPR Compliance Costs: $1350 price tag for the basics!
All of this is achievable without the $1350 tag I'm seeing floating about: $675 for the basic foundation info 'what is GDPR' and another $675 for a 'basic audit'. A basic audit is something that, with a little guidance and mutual help from more experienced members, all of us in here should be well able to do ourselves. Though everyone should do their own risk assessment here; were I earning 6 figures a month like some people in here, I might be tempted to also talk to a lawyer at some point. And bear in mind my blogs are for educational purposes; they are not legal advice or expert advice, i.e. my disclaimer.
*Interesting that different companies seem to have put a price tag of about £500 on any basic GDPR info, which shows the arbitrary nature of the opportunity. They double that for anything more than basic, while at the same time emphasizing that no one knows how this is going to go once implemented; it will need to settle down and evolve, hence the requirement for you to show you are engaged in the process, to 'demonstrate' what strategy you have in place if anyone ever audits you.
Meanwhile, don't forget to update your Google Analytics settings for GDPR, and keep an eye on any of the tools and resources you use as they become GDPR compliant, such as autoresponders, social media and plugins.
Remember: it's your job to keep a record of the steps you take towards GDPR compliance, any and all steps that you take including:
- Some advice I've seen was even to keep records of the questions you ask official GDPR websites in your country and their replies.
- Getting the green date when you accepted the amendment to your GA data processing terms is one more step in that direction.
- As well as updating your privacy policy, your security, all your data-collecting tools, etc.
https://my.wealthyaffiliate.com/training/google-analytics-gd...
I'll be doing one more walkthrough training on GDPR soon pulling this together.
References:
https://ec.europa.eu/info/law/law-topic/data-protection_en
https://ec.europa.eu/digital-single-market/en/news/eprivacy-...
https://www.youtube.com/watch?v=Y_tiSljl0Vo&t=3s : this guy is good for the 4.9.6 beta Wordpress demo of the new GDPR features added to the WP dashboard, but be aware that he links off to an expensive GDPR audit which isn't necessary for most bloggers and seems very basic for the price. He is very helpful for the new GDPR privacy policy update and disclosures, and as always, remember in your research to look at a number of opinions and especially to go to the original sources.
Mary
Update: for the 'in a nutshell' summary of GDPR and how it's more than just a GDPR privacy policy update and cookies, here's my recent blog
https://my.wealthyaffiliate.com/mozmary/blog/summary-of-gdpr...
