Definition and context of GDPR
The General Data Protection Regulation (GDPR) will be applicable on 25 May 2018 throughout the European Union.
To whom the GDPR is addressed
- All companies
- organizations with HR data
- the users of your website
- these Internet users are placed at the heart of the GDPR, and their rights are secured through:
- information obligations on the part of companies
- restrictions on how consent is obtained
- the right to data portability
- the right to erasure.
What are the objectives of the GDPR
- To have common rules in all EU countries on data protection regulations
- Make companies more responsible by developing self-control
- Strengthening the rights of individuals concerning:
- access
- the right to be forgotten
- portability…
1 – The internal data processing register
Internally, you must have complete documentation that certifies that you are in compliance with the GDPR: a data map that demonstrates your rigour and good faith.
You can draw inspiration from the register template published by the CNIL. Your register will have to answer three key questions about your data processing:
- WHO? List the internal people who process data and, where relevant, your subcontractors, making sure that they are also working towards GDPR compliance, and plan to revise your contracts accordingly.
- WHAT? Map the processing of personal data carried out by your organisation (type of data collected, purposes of processing, proof of the consent collected, information brought to the attention of the persons concerned, etc.).
- HOW? Verify how this data is processed (transferred abroad or not, hosted or not, archived or deleted, etc.) and which security measures are implemented internally.
This internal data processing register must be kept up to date at all times.
2 – The ‘privacy policy’ page
In your legal notice, the privacy policy, often placed in the footer, should explain concretely what you do with the data.
Here is what should appear:
- your details
- the publisher of the site
- the host.
What kind of data you collect in your forms, whether contact, registration or order data on your website:
- names
- first names
- phone
- postal address
- email address
- IP address…
Why you collect this data: newsletter communication, invoicing, behavioural statistics on how Internet users use the site.
How long you store this data: you can store marketing data for up to 3 years, and order billing data for up to 6 years.
The security measures you have put in place to protect this data, and the way users can exercise their right to modify or delete it.
All of these elements must appear on a page linked from your footer, and must also be presented each time your users share their data (typically, in forms).
3 – Obtain express consent with the cookie banner
The old messages “By continuing to browse, you accept…” are no longer valid. The Internet user must be able to refuse or accept data collection through an explicit action.
As long as the Internet user has not clicked “I accept” or “I refuse,” all the services concerned must remain deactivated. Examples:
- Google Analytics
- Facebook, Twitter, Instagram integration…
- A Google Map
- …
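The gating logic a banner like this needs, as an added example that is not code from the original page: third-party services register the function that would inject their script or iframe, and nothing runs until an explicit accept is recorded; a refusal or a corrupt stored value leaves every service off. The storage key name, the service names and the in-memory storage are assumptions made for this example (in a browser you would pass window.localStorage).

```javascript
// Added example (not from the original page): gating third-party services
// behind an explicit accept/refuse click. The storage key, service names and
// the in-memory storage are assumptions made for this example; in a browser
// you would pass window.localStorage and inject real <script> tags.

const CONSENT_KEY = "cookie_consent"; // assumed storage key

class ConsentGate {
  constructor(storage) {
    this.storage = storage;     // object with getItem/setItem/removeItem
    this.services = new Map();  // name -> { load, loaded }
  }

  // "accepted", "refused", or "undecided" when the visitor has not clicked yet.
  state() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (raw === null) return "undecided";
    try {
      return JSON.parse(raw).decision === "accepted" ? "accepted" : "refused";
    } catch {
      return "undecided"; // corrupt value: treat as no consent given
    }
  }

  // Register a service with the function that would inject its script or
  // iframe. It runs now only if consent was already recorded earlier.
  register(name, load) {
    this.services.set(name, { load, loaded: false });
    if (this.state() === "accepted") this._load(name);
    return this;
  }

  accept() { this._decide("accepted"); }
  refuse() { this._decide("refused"); }

  // Withdrawal clears the record so the banner is shown again; scripts that
  // already ran in this page view cannot be un-run, so it takes effect on
  // the next page load.
  withdraw() { this.storage.removeItem(CONSENT_KEY); }

  loadedServices() {
    return [...this.services].filter(([, s]) => s.loaded).map(([name]) => name);
  }

  _decide(decision) {
    const record = { decision, at: new Date().toISOString() };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(record));
    if (decision === "accepted") for (const name of this.services.keys()) this._load(name);
  }

  _load(name) {
    const svc = this.services.get(name);
    if (!svc.loaded) { svc.load(); svc.loaded = true; } // never inject twice
  }
}

// In-memory stand-in for localStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

// Walk through a page view: register the services, then simulate the click.
function demo() {
  const injected = [];
  const gate = new ConsentGate(new MemoryStorage());
  gate.register("google-analytics", () => injected.push("google-analytics"))
      .register("google-map", () => injected.push("google-map"));
  const beforeClick = injected.length; // 0: nothing runs before the click
  gate.accept();
  return { beforeClick, injected, state: gate.state() };
}
```

The point of the design is that the default state is "undecided" and behaves exactly like a refusal: the loaders are only ever called from an accept, so a visitor who never clicks, or whose stored record is unreadable, gets no tracking script.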
WordPress forms and the GDPR
Add one or more additional checkboxes to your forms. For example:
- Add checkboxes indicating that the user agrees to share his or her data: “I authorise company X to save my data” and/or “I have read and accept the privacy policy of this site” (with a link to the “Privacy Policy” page in your legal notice)
- Specify the reason for collecting the data (Enter your email address to receive our newsletter)
- Provide users with the option to unsubscribe or access their data easily and at any time.
Please note that these checkboxes should not be pre-ticked!
WordPress comments and the GDPR
Either a user must be registered and logged in to post comments, or you add a consent message “I have read and accept the privacy policy of this site”.
- The extension WP Comment Policy Checkbox adds a checkbox next to the “Send” button and displays an error message if it is not ticked. As this extension is not translated into English, you can use Loco Translate to translate it easily.
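Both the form checkboxes above and the comment consent message rely on the same server-side check, shown here as an added example that is not code from the original page or from any WordPress extension: a browser sends nothing for an unticked checkbox, so the server accepts only the exact expected value, and on success it builds the proof-of-consent record that the processing register refers to (wording shown, policy version, timestamp). The field names, the policy version label and the email pattern are assumptions made for this example.

```javascript
// Added example (not from the original page): server-side handling of a
// consent checkbox. The browser checkbox is only the UI; the check that
// counts is the one on the server, since a missing or pre-ticked box cannot
// prove the user's action. Field names and the version label are assumed.

const PRIVACY_POLICY_VERSION = "2018-05-25"; // assumed version label
const CONSENT_TEXT = "I have read and accept the privacy policy of this site";

// Browsers send nothing for an unticked checkbox and the value attribute for
// a ticked one. Anything other than the exact expected value (absent, "",
// "on" from a tampered form, an array from a duplicated field) is refused.
function consentGiven(fields, name = "privacy_consent") {
  return typeof fields[name] === "string" && fields[name] === "yes";
}

// Validate a newsletter signup and, on success, build the proof-of-consent
// record: what the user was shown, which policy version, and when.
function handleNewsletterSignup(fields, now = new Date()) {
  const errors = [];
  const email = typeof fields.email === "string" ? fields.email.trim() : "";
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push("email: invalid");
  if (!consentGiven(fields)) errors.push("privacy_consent: you must tick the box to subscribe");
  if (errors.length > 0) return { ok: false, errors };
  return {
    ok: true,
    record: {
      email,
      purpose: "newsletter",            // the stated reason for collection
      consentText: CONSENT_TEXT,        // exact wording the user agreed to
      policyVersion: PRIVACY_POLICY_VERSION,
      givenAt: now.toISOString(),
    },
  };
}

// Render the checkbox with no `checked` attribute, so it is never pre-ticked.
// `required` only helps honest browsers; the server check above is the real
// gate. policyUrl is assumed to be a site-controlled constant, not user input.
function consentCheckboxHtml(policyUrl) {
  return `<label><input type="checkbox" name="privacy_consent" value="yes" required> ` +
    `${CONSENT_TEXT} (<a href="${policyUrl}">privacy policy</a>)</label>`;
}
```

Keeping the exact consent wording and policy version in the record matters because a later privacy-policy change cannot be read back into an older consent; the register can then show which text each subscriber actually agreed to.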
Data security and retention
With the GDPR, each type of data now has a specific legal retention period. You no longer have the right to keep customer or user data indefinitely without using it.
Your users have the right to withdraw their consent at any time, in a very simple way, and to:
- access their data
- change it
- ask for it to be deleted
- request its transfer to a third party (“right to portability”).
A dedicated page and a specific email address will centralise requests to exercise personal rights. Then, on receipt of a request:
- On withdrawal of consent, you must delete or modify the user’s personal data as soon as possible and in all storage locations (including backups of your WordPress site).
- On a data portability request, you must export all the data you hold on the user in a machine-readable format (CSV is preferred).
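The three operations this section and the retention paragraph above describe, as an added example that is not code from the original page: a portability export to CSV that gathers the user's records from every store, an erasure that runs across every store and reports per-store counts so a missed location (such as a backup) is visible, and a purge of records whose retention period has elapsed, using the periods the text gives (marketing data 3 years, billing data 6 years). The stores are constructed in-memory stand-ins for site tables and a backup snapshot; a real site would query its database and backup archives.

```javascript
// Added example (not from the original page): answering a portability
// request with a CSV export, an erasure request across every store, and a
// retention purge using the periods stated in the text (marketing 3 years,
// billing 6 years). The stores are constructed in-memory stand-ins.

const RETENTION_YEARS = { marketing: 3, billing: 6 };

// Quote a CSV field per RFC 4180: wrap in quotes when it contains a comma,
// a quote or a line break, doubling any embedded quotes.
function csvField(value) {
  const s = value == null ? "" : String(value);
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// The header is the union of all keys, so rows from different stores keep
// every column rather than only the columns of the first row.
function toCsv(rows) {
  if (rows.length === 0) return "";
  const columns = [];
  for (const row of rows) for (const c of Object.keys(row)) if (!columns.includes(c)) columns.push(c);
  const lines = [columns.map(csvField).join(",")];
  for (const row of rows) lines.push(columns.map(c => csvField(row[c])).join(","));
  return lines.join("\r\n") + "\r\n";
}

// Every record of the user from every store, tagged with where it came from.
function exportUserData(stores, email) {
  const rows = [];
  for (const [store, records] of Object.entries(stores)) {
    for (const r of records) if (r.email === email) rows.push({ store, ...r });
  }
  return toCsv(rows);
}

// Drop matching records from all stores and report counts per store, so the
// operator can see that no location (backups included) was skipped.
function removeWhere(stores, predicate) {
  const removed = {};
  for (const [store, records] of Object.entries(stores)) {
    const keep = records.filter(r => !predicate(r));
    removed[store] = records.length - keep.length;
    stores[store] = keep;
  }
  return removed;
}

function eraseUserData(stores, email) {
  return removeWhere(stores, r => r.email === email);
}

// A record is expired once the retention period of its purpose has elapsed.
// Unknown purposes are never purged silently; they need a human decision.
function isExpired(record, now) {
  const years = RETENTION_YEARS[record.purpose];
  if (years === undefined) return false;
  const limit = new Date(record.collectedAt);
  limit.setUTCFullYear(limit.getUTCFullYear() + years);
  return now >= limit;
}

function purgeExpired(stores, now = new Date()) {
  return removeWhere(stores, r => isExpired(r, now));
}

// Constructed sample data: a newsletter list, an orders table and a backup.
function sampleStores() {
  return {
    newsletter: [
      { email: "jane@example.com", name: 'Jane "JJ" Doe', purpose: "marketing", collectedAt: "2018-05-25" },
    ],
    orders: [
      { email: "jane@example.com", name: "Jane Doe", purpose: "billing", collectedAt: "2018-06-01", total: "12,50 EUR" },
      { email: "bob@example.com", name: "Bob", purpose: "billing", collectedAt: "2015-01-10", total: "5,00 EUR" },
    ],
    backup_2018_06: [
      { email: "jane@example.com", name: "Jane Doe", purpose: "billing", collectedAt: "2018-06-01", total: "12,50 EUR" },
    ],
  };
}
```

Running the export again after the erasure is the simplest check that every location was covered: it should come back empty. The quoting in csvField is what keeps a name containing a quote, or a total written with a decimal comma, from breaking the file the user receives.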