GDPR Privacy Policy Update: Upcoming Wordpress Update has 3 GDPR Features

New Version of Wordpress Helps You Towards GDPR Compliance: GDPR Privacy Policy Update

We are currently on WordPress 4.9.5, but version 4.9.6 is already in beta and, when released [update: now released!], will take care of some of the features, such as:

  1. GDPR Privacy Policy Update: an updated GDPR privacy policy template, which you edit with more information.
  2. Export Personal Data: allows visitors to download the personal data you've collected on them.
  3. Erase Personal Data: allows visitors to have any personal data you've collected on them deleted, on request.

Such personal data comes from various functions on your site, such as comments, contact forms, analytics plugins and WooCommerce. These new features of the WordPress dashboard take care of 3 of the 6 basic GDPR principles that you need to look at:

  • the privacy policy
  • the person's right to request their data ('data portability') and to have it erased.

I'll elaborate further on the privacy policy below; you'll see how it ties in with the clarity, explanation of terms and full-disclosure vibe going on in GDPR compliance.

Not Built into the WP Core GDPR Privacy Policy Update: Everyone has different plugins & affiliate programs

It's not just about the GDPR Privacy Policy Update, folks: there are other issues with security, consent and your personal accountability. There are so many plugins, and every website is free to choose different ones, just as we all choose different affiliate programs, each with its own way of collecting data. Each of these has to be GDPR compliant IF it collects personal data, e.g. contact forms, social media, or the way affiliate programs use email addresses. These are the other three principles, not built into WordPress but likely to be covered by plugin developers and affiliate platforms, that we should be aware of:

4. Consent: contact forms and other means of collecting personal data must be set up for consent according to GDPR.

5. Explanation of terms: you must be clear about what the collected data is being used for; some of this happens in the privacy policy, but some happens on the forms themselves.

6. Unsubscribe / Opt out: the person must have the ability to opt out at any time.

These things are being worked out by the developers of the form plugins; for us it will mean choosing plugins that are GDPR ready.


Accountability is Part of GDPR

Wordpress doesn't update your plugins or activate your SSL: YOU must do that!

Security strategy: there is no privacy without security. WA helps us a lot with security, e.g. free SSL certs for all our sites, but you have to make sure you activate it for your site, and you also must keep on top of updates: regularly update your WordPress version, themes and plugins, or you are at risk of a 'data breach', which is one of the big things GDPR wants to prevent.
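As an added example (not code from this post, from WA, or from WordPress's own template), here is how the 'keep everything updated and on SSL' part of that security strategy can be enforced with WordPress core's own constants, filters and actions instead of being left to memory. It assumes a hypothetical must-use plugin file wp-content/mu-plugins/wa-hardening.php; the function name wa_force_https is ours.

```php
<?php
/*
 * Hypothetical file: wp-content/mu-plugins/wa-hardening.php
 * Added example, not part of the original post. Only WordPress core
 * constants, filters and actions are used. Must-use plugins load before
 * wp_ssl_constants() runs, so FORCE_SSL_ADMIN can be set here; the more
 * conventional home for the two constants is wp-config.php.
 */

// 1. Patching: a site that is never updated is the 'data breach' waiting to happen.
//    'minor' = core security and maintenance releases; true = also major releases.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}
// Let WordPress apply plugin and theme updates as they are published.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// 2. SSL: having a certificate is not the same as using it.
//    Keep wp-login.php and the whole dashboard on HTTPS.
if ( ! defined( 'FORCE_SSL_ADMIN' ) ) {
    define( 'FORCE_SSL_ADMIN', true );
}

// Redirect plain-HTTP front-end requests to HTTPS.
// Caveat: behind a proxy that terminates TLS, is_ssl() sees plain HTTP and this
// would loop; there, set $_SERVER['HTTPS'] = 'on' from the proxy's
// forwarded-proto header in wp-config.php before relying on this redirect.
add_action( 'init', 'wa_force_https' );
function wa_force_https() {
    if ( is_ssl() || php_sapi_name() === 'cli' || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return; // already secure, or not a web request at all
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    wp_safe_redirect( $target, 301 ); // refuses to redirect to a foreign host
    exit;
}

// 3. Tell browsers to stay on HTTPS for a year, but only once we really are on HTTPS,
//    otherwise a half-configured site locks its own visitors out.
add_action( 'send_headers', function () {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
} );
```

A must-use plugin cannot be deactivated from the dashboard, which is the point: the hardening survives a plugin clean-up. Auto-updates should be combined with a backup and a quick check of the site after each update run, since an update that breaks a theme is still better found by you than by your visitors.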

WordPress does make any potential GDPR audit easier now. This is an important part of the General Data Protection Regulation: if someone were to ask you to show them what you've done to become GDPR compliant, i.e. audit you, you simply tell them what steps you've put in place, such as:

  • The updated GDPR compliant privacy policy
  • The GDPR compliant versions of your favorite plugins and tools that collect data
  • Your security strategy: updates, SSL, etc.

A Closer Look at the GDPR Privacy Policy Update

Settings > Privacy: under Settings in the WP dashboard there's a new option called Privacy, where the GDPR privacy policy template lives. It differs from the previous template we had been using on our sites: more is needed in this one, e.g. extra GDPR information and multiple disclosures, many of which will be a learning curve for us, in a good way. WP highlights in yellow the parts we are to change according to what we are using on the site, but leaves some parts not highlighted to help us out, e.g. many cookies are already disclosed.


Below is a summary of all the categories WP has laid out in its template; each box has instructions as to what it wants there, e.g.:

- Who we are: I'm hoping our About Me page covers this already.

- What personal data we collect and why we collect it: this requires an understanding of their definitions of personal data, e.g. name and surname, email, IP address. It applies to contact forms, comments, cookies, analytics and third-party embeds, often via plugins. There's also a requirement, when uploading images, to avoid including location details, which could be downloaded by visitors to the site.

- Contact Forms:

  • note what personal data is captured; this could vary depending on your choice of form
  • how long it is kept [you may need to check with the plugin you are using]
  • and how it is used, i.e. whether for customer service or marketing
  • Note: this is just the privacy policy. Elsewhere on your site, when it comes to setting up your contact form, you need to make sure that it is GDPR compliant too; the form developers are working on that, and there are two new check boxes necessary now, Ts&Cs and Marketing.

- Comments: state what data is captured through comments, e.g. name and surname, email address, IP address, Gravatar photo.

- Cookies: list the cookies your website uses, including those set by your plugins, social media and analytics. WP states its own default cookies and provides this info for you; this part is already filled in:

  • when a comment is left, that cookie lasts a year
  • temporary cookies that get discarded when you close your browser
  • login cookies that last two days
  • screen option cookies last one year
  • 'remember me' makes login cookies last two weeks
  • 'log out' removes the remember-me cookies
  • the publishing cookie has no personal data and expires after 1 day

*You just need to know whether any of the tools you are using set other types of cookies, and state that. See my link below, in the examples of websites, to see an online shop state its cookies clearly. Also check SiteContent for any updates to the WA privacy policy on cookie usage.

- Embedded Content from Other Websites:

  • Embedded videos, images, articles, etc. behave as if the visitor had visited the other website, and that website may monitor the visitor's interaction, including tracking, according to WP.

- Analytics:

  • state which analytics package you use
  • how users can opt out of analytics tracking
  • and a link to information on how your analytics provider conforms to EU data protection law. *That would be all the recent updates Google Analytics has been sending out regarding Data Retention Controls, the Data Processing Amendment and the Privacy Policy. I did a training and some blogs on that here: https://my.wealthyaffiliate.com/training/google-analytics-gd...
  • Also, apparently there's a feature in Google Analytics to anonymize the IP address.
  • They also say to disclose if your hosting is collecting anonymous analytics data
  • or if you've a plugin providing analytics, in which case you must provide info for that plugin too.

- Who We Share Your Data With:

  • This is only IF you share data with third-party providers, e.g. partners, cloud-based services, payment processors. You'd have to state what type of personal data and what for.

- How Long Do We Retain Your Data:

  • How long and why, regarding the personal data you collect, e.g. how long you keep contact form entries, analytics records, commenters' personal data, customer purchases, or whatever. Remember the GA Data Retention Controls default was 26 months unless you make it shorter, and you can leave it at the default.

- What Rights You Have Over Your Data:

  • Explain the rights users have over their personal data, e.g. if they have an account or have left comments they can request to receive an export file of the personal data being held, including any data they provided to us. WordPress is setting this up under Tools > Export Personal Data.
  • They can also request that we delete any personal data. This does not include any data we are obliged to keep for administrative, legal or security purposes. Options to achieve this include adding a form or giving an admin email address where they can submit their request. WordPress is setting up the erase feature under Tools > Erase Personal Data.
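As an added example that is not the post's or WordPress's own code: those two Tools screens only know about the data that plugins register with them, which is what a 'GDPR ready' plugin will be doing behind the scenes. Assuming a hypothetical contact-form plugin that stores submissions in a custom table `{$wpdb->prefix}contact_submissions` with columns id, name, email, ip, message, created_at and legal_hold (table, columns and the cf_ function names are all assumptions), this registers an exporter and an eraser through the filters WordPress 4.9.6 introduced, and keeps rows under a legal hold just as the policy text above allows:

```php
<?php
/*
 * Added example, not from the post or from WordPress itself.
 * Hypothetical contact-form plugin registering with the WordPress 4.9.6
 * privacy tools (Tools > Export Personal Data / Erase Personal Data).
 * Table name, columns and cf_ prefixed names are assumptions.
 */

const CF_PAGE_SIZE = 50; // rows per pass; WP keeps calling back until 'done' is true

function cf_table_name() {
    global $wpdb;
    return $wpdb->prefix . 'contact_submissions'; // hypothetical table
}

/* 1. Tell WordPress which data set this plugin can export and erase. */
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['contact-form-submissions'] = array(
        'exporter_friendly_name' => 'Contact form submissions',
        'callback'               => 'cf_export_personal_data',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['contact-form-submissions'] = array(
        'eraser_friendly_name' => 'Contact form submissions',
        'callback'             => 'cf_erase_personal_data',
    );
    return $erasers;
} );

/* 2. Exporter: return this email's rows in the shape WP bundles into the export file. */
function cf_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $offset = ( max( 1, (int) $page ) - 1 ) * CF_PAGE_SIZE;
    $rows   = $wpdb->get_results( $wpdb->prepare(
        'SELECT id, name, email, ip, message, created_at FROM ' . cf_table_name()
        . ' WHERE email = %s ORDER BY id LIMIT %d OFFSET %d',
        $email_address, CF_PAGE_SIZE, $offset
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'contact-form-submissions',
            'group_label' => 'Contact form submissions',
            'item_id'     => 'submission-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',       'value' => $row->name ),
                array( 'name' => 'Email',      'value' => $row->email ),
                array( 'name' => 'IP address', 'value' => $row->ip ),
                array( 'name' => 'Message',    'value' => $row->message ),
                array( 'name' => 'Sent at',    'value' => $row->created_at ),
            ),
        );
    }
    return array(
        'data' => $items,
        'done' => count( $rows ) < CF_PAGE_SIZE, // a short page means we are finished
    );
}

/* 3. Eraser: delete rows, but keep (and report) any under an administrative/legal hold. */
function cf_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = cf_table_name();
    $removed = $wpdb->query( $wpdb->prepare(
        "DELETE FROM $table WHERE email = %s AND legal_hold = 0", $email_address
    ) );
    $held = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM $table WHERE email = %s AND legal_hold = 1", $email_address
    ) );

    $messages = array();
    if ( $held > 0 ) {
        // Shown to the admin on the Erase Personal Data screen so the retention is documented.
        $messages[] = sprintf( '%d submission(s) retained under a legal hold.', $held );
    }
    return array(
        'items_removed'  => (int) $removed > 0,
        'items_retained' => $held > 0,
        'messages'       => $messages,
        'done'           => true,
    );
}
```

Once the request has been confirmed by the visitor through the email WordPress sends, the admin runs the export or erasure from the Tools screen and every registered callback is invoked with that email address. The 'messages' array is worth using: it is exactly the record of "what we kept and why" that an audit asks for.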

- Where We Send Your Data: list all transfers of site data outside the EU and the means by which it is safeguarded to EU standards; this includes hosting, cloud storage and third-party services. Basically breach prevention, though they are fine with comment spam filters being abroad. Obviously our hosting and platform will need to supply us with a brief or template on this.

- Your Contact Info: a contact method for privacy-specific concerns. Only large organizations need DPOs, i.e. 'data protection officers', though to some extent we are those now!

- Additional Info: commercial uses, more complex usages... advanced users.

- How We Protect Your Data: explain what measures you have taken to protect your users' data, e.g. encryption / SSL certs, updates. We are set up pretty well here at WA for this.

- What Data Breach Procedures We Have in Place: explain what procedures you have in place to deal with data breaches. There are a couple of other GDPR disclosure categories which most bloggers and affiliates don't really need.


Don't Panic!

It's just a template, and who knows how the template here at WA may be updated for us. I'm sure we'll get some questions answered. But at least you know it will be covered going forward.

And bearing in mind the scale of a government data breach, which hits our news every so often, it's those large bodies that are being targeted with GDPR too; they aren't just picking on bloggers, it is everyone that comes in contact with Europeans, anywhere in the world.

Also, regarding 'the massive fines', 4% of your annual website income may not be a hell of a lot if you are starting out, lol, and I'm seeing they have issues implementing that! As well as a cooling period when they see how the cookie crumbles, pardon the pun! It's your local council and hospital and government and internet provider that will be shaking in their boots at the big-fines threat.

But there's no room to be complacent and ignore it or slack off; you'd be in breach of the law, and that is not the side you want to be on. I'm just saying, don't panic: things are falling into place for WordPress users with the new update, one step at a time, and we will pull it all together.

Perspective

  • I'm also seeing some contradictory advice and hype out there as I wade through the research: people rushing onto YouTube to put up videos for traffic, and plugins, for example, saying you need this or don't need that, yet they clearly haven't read the official documents closely or noted the built-in features of the new WordPress update.
  • Then there's some really exaggerated stuff, with people shouting 'data breach' if the visitor enters the wrong email on a contact form! As if that random email address lost in cyberspace could be equated with the sensitive medical records data breach that hits the news headlines. Sometimes it's just up to us to drive interpretation towards common sense and sanity, while appreciating that some dodgy practices are being stopped, e.g. some types of big marketing out there harvesting our data in eerie ways.
  • We also need a bit of perspective: they are not waiting to pounce on us for one lost email. They are expecting some dodgy practices in some parts of cyberspace to be phased out, and at the same time maybe the rest of us taking on a bit more responsibility than we are used to, and being able to demonstrate that we are doing that.
  • Don't be scared of 'big fines' if you make a proper effort to comply, and don't be overwhelmed by the new stuff happening right now; we will walk through it calmly here at WA with multiple resources.
  • Update: if anyone would like to listen to the RSA Conference 2017 talk, which is a close look at the official rules, I'm just listening to it and it seemed to me pretty common sense: at 27 mins in they talk about not getting fined for minor breaches, just recording your compliance efforts.

Examples of Websites Approaches to Privacy and GDPR

1. For those of you having a minor GDPR panic attack right now, here's a great example of an updated privacy policy I received today from a webshop. It looks very like the new WordPress one, with some modifications because they are a shop; you can see how transparent everything is, and they list their cookies clearly too. You might enjoy reading it, as it explains the sort of stuff we do all the time but never quite think about :D


https://www.wearethought.com/thought-clothing-privacy-policy...

2. On an American membership website this week, once I entered the student area I saw a banner with a link to a page they had dedicated to their GDPR strategy, simply stating 'we are taking this seriously for our European users and are in the process of complying'. It is actually a process right now; even WordPress and your plugins and services are just going through it themselves, so they simply need to see you are on board and applying things one by one.



GDPR Compliance Costs: $1350 price tag for the basics!

All of this is achievable without the $1350 tag I'm seeing floating about: $675 for the basic foundation info 'what is GDPR' and another $675 for a 'basic audit'. A basic audit is something that, with a little guidance and mutual help from more experienced members, all of us in here should be well able to do ourselves. Though everyone should do their own risk assessment here: were I earning 6 figures a month like some people in here, I might be tempted to also talk to a lawyer at some point. And bear in mind my blogs are for educational purposes; they are not legal advice or expert advice, i.e. my disclaimer.

*Interesting that different companies seem to have put a price tag of about £500 on any basic GDPR info, which shows the arbitrary nature of the opportunity. They double that for anything more than basic, while at the same time emphasizing that no one knows how this is going to go once implemented; it will need to settle down and evolve, hence the requirement for you to show you are engaged in the process, to 'demonstrate' what strategy you've in place if anyone ever audits you.


Meanwhile, don't forget to update your Google Analytics for GDPR, and keep an eye on any of the tools and resources that you use as they become GDPR compliant, such as autoresponders, social media and plugins.

Remember: it's your job to keep a record of the steps you take towards GDPR compliance, any and all steps that you take including:

  • Some advice I've seen was even to keep records of asking questions of the official GDPR websites in your country, and their replies.
  • Getting the green date when you accepted the amendment to your GA data processing terms is one more step in that direction.
  • As well as updating your privacy policy, your security, all your data-collecting tools, etc.

https://my.wealthyaffiliate.com/training/google-analytics-gd...

I'll be doing one more walkthrough training on GDPR soon pulling this together.

References:

https://ec.europa.eu/info/law/law-topic/data-protection_en

https://ec.europa.eu/digital-single-market/en/news/eprivacy-...

youtube.com/watch?v=Y_tiSljl0Vo&t=3s: this guy is good for the 4.9.6 beta WordPress demo of the new GDPR features added to the WP dashboard, but be aware that he links off to an expensive GDPR audit which isn't necessary for most bloggers and seems very basic for the price. He is very helpful for the new GDPR privacy policy update and disclosures and, as always, remember in your research to look at a number of opinions and especially go to the original sources.

Mary

Update: for the 'in a nutshell' summary of GDPR and how it's more than just a GDPR privacy policy update and cookies, here's my recent blog

https://my.wealthyaffiliate.com/mozmary/blog/summary-of-gdpr...



Recent Comments


When is this going to be OVER.

Wake me up when there is an updated Privacy Policy so I can change mine!

Thanks for your generous help and information, keeping us on top of it all. If anyone wants 4% of my earnings they can have it because I don't have any ;)

lol yes about the 4% for so many people and thing is, they have bigger fish to fry!

I'm gonna do a walkthrough putting it together so peeps can calm down, some heads melting at the moment in the comments, but best to know what's happening and have a strategy than for us to get caught in the stampede out there :)

Thanks Mary, my head has melted already and I agree. It's best to know what's happening.

I can't wait for this to be over!

This GDPR is beginning to become a real time waster. This issue appears to be beyond the scope of most Wealthy Affiliate members and should be addressed by an official authority.
Trevor

1. wordpress is taking half the load on itself
2. the official website is there for you to read yourself
3. if it is beyond people's scope then they can hire someone, prices start at $675 to be introduced to the basics
4. or they can trawl the web and WA for other people to explain it to them for free
5. or go to the only authority and that is a lawyer

'an official authority' is a belief system that such a thing exists, outside of a lawyer there is no one else to pass the buck to in this matter and it affects all global data, there is no escape, like I said it is not limited to bloggers, every time you give details to an organization for your taxes, medical records, driving license, grocery delivery you are in the system.

I told you here to get some perspective on it, it is not about fines for bloggers at all, it's about taking more responsibility, and taking time to take it seriously - you'd get a fine for a parking ticket so you are being asked to take responsibility online with your traffic

GDPR is the new rules of the road, that was a rite of passage learning to drive first time round, the good news is wordpress is doing half the work now, and you've been told for free here what to focus on - like I said, that info is available for $675 for a basic introduction and if you'd like someone to check you've done it right you can pay another $675 to someone else, that is the going rate and you can bet brick and mortars out there are paying even more

instead of expecting it on a plate I'd like to see peeps put it on a plate...

Wow...that's a lot of information. I'll really have to take some time to understand it all. Really appreciate you and other WA members guiding us through this. Thanks.
Debbie

it's just new Debbie, as with the training here when we first get introduced it can seem overwhelming but it will suddenly click and when wordpress and the plugin developers and theme developers come on board to make forms and things compliant then it will be easier too.

We'll just have some basic stuff to do like keep on top of security - and bear in mind we at WA are doing a lot of things other people never did - there's a ton of websites with no SSL, who do not regularly update their wordpress and plugins and leave themselves open to hacks, we at WA installed a privacy policy others never were told about it, it is basically cleaning things up and getting people on the same page but with some tweaks to make sure no underhand usage of people's personal data, and we all know that will ultimately be a good thing.

It's the big guys like google and fb and huge marketing campaigns that were abusing the personal data in the first place anyway

All good points.....

This whole thing is giving me a headache....

Hi Mary, Thanks for sharing, yes lot´s of offers to help solve this problem for a fee. Best Alan

it all boils down simple enough, and it will get easier, it has to if they want everyone to comply :D

Just got from Wordfence:
"This morning we're sending out a further update on our progress preparing Wordfence for GDPR and the May 25th deadline, which arrives Friday next week.

We are on schedule. We have applied for the Privacy Shield certification program for both EU-US and Swiss-US and are now waiting for our application to be processed. We expect to be processed by Monday next week.

Once the Privacy Shield application is processed, on Monday, we plan to roll out Wordfence plugin updates, website updates, policy updates, new ‘Help’ content and a further blog post explaining the updates. Most of this work is already completed, we just need to complete the application process and the rollout."

We'll find out how that all works soon.

Thanks for the update about wordfence and privacy shield DiannaBee!

So you are hosted outside WA with that extra security? For sure security is one of the things people have to keep on their toes with now to prevent 'data breach', but at least most of us won't be breaching much at all even in the worst case scenario compared to medical records or tax details or entire life profiles falling into the wrong hands like with some of the big biz out there!

ps oh yes, that is part of the whole thing, they know it's going to be a process that will get worked out as we go along...so they sort of emphasize 'showing we are making the effort' at this point

D*mn EU, with these rules they should send every website owner an appropriate Privacy Policy to add to their website, with the notice: if you've got this on your website, you're covered.

yes Loes, it is way over the top and not going to be interpreted easily by visitors anyway, could be the reverse, they could see it as more serious than it is...for us anyway

The fines are serious enough to give it a second, third and fourth thought

4% of annual income? I'm hearing they are going to find it hard to implement those fines at first and they aren't sure how a couple of things are going to play out at this point yet, but we do have to log our efforts to prove we've done everything possible at this time. There's a lot of threats in the air with them, some of us are nursing a couple of email addresses lol compared to what other huge companies are doing...

At this stage it's overseeable, but I am planning to earn more

I'm thinking of people with 300k traffic and tons of requests coming in from visitors to access their personal data - ouch, even deleting it is an extra job, multiplied by x100, x1000!!?

I am seeing new jobs arise...

yes, for sure, the bigger organizations need data processing officers, whether new or whether they designate someone already there - but that is time and extra work and even on a small website I can see that is potential work, so I'm eager they define it to 'personal' data and not a diary or log people might actually want

update on the fines Loes, they make allowances for 'minor breaches', and they aren't chasing us as a priority because we are not processing 'sensitive data' :)

That's right, we are not google or fb

More to do! Personally I think most peeps that go on line won't be asking for their data back. On line = zero privacy.
But we'll see!
Thanks for sharing!

I'm seeing people interpret that differently eg they wander away from 'personal' data to all data the person contributed as in comments, and shopping carts - that I could see people would want and that would be hell, so they need to keep it strictly 'personal' imo or everyone will want a personal diary handed to them :o

I really don't see any reason WAers should pay for updating their GDPR policy. Just update in line with what most of us get via our emails - use some relevant words. Most will not be relevant, as what we do mainly is collecting email addresses for ultimate conversion. This should be easy enough.

we don't have to pay, but we do have some work to do on that policy unless the WA powers that be want to show us a nicely filled in template in SiteContent which seems a little hard to do a one size fits all if people are using different types of things on their websites that they need to disclose

I don't like that our visitors can request data at any time, one more job to do...

there's actually a few other tweaks people have to do regarding consent and not everyone received the google analytics email for accepting the amendment to the data processing terms...

what's nice in a community is we can ask this or that, if we were a lone blogger out there we could well think we had to pay out for a big audit...

Thank you so much for the info.:). I appreciate it!
Blessings:)
Suzi

Thanks, we're getting there slowly but surely with GDPR! :)

