
Ensuring My Client’s Site Is GDPR Ready


I built a site for a client residing in the UK. Wei (not her real name) had clients primarily in the UK. This meant that the GDPR would directly affect her, and I was responsible for ensuring her site was GDPR ready.

Her site had a blog where she posted information on her products and accepted comments. She posted products to be sold and required buyers to provide a shipping address to have these products delivered. Customers could also rate her products and services as well as leave comments on her products and blog posts.

Wei requested her site be connected to Mailchimp, so she could email her customers from time to time. That meant that customers who purchased a product or who just created an account would be automatically added to a mailing list in her Mailchimp account. There were other mailing lists that were created: one alerted people when she was ready to launch the site, and another was for people who signed up just for newsletters (not registered customers).

I never realised how much data she was poised to collect until I had to do some reading on the GDPR requirements. I created a checklist to ensure she (or I could say we) were ready and good.

The Checklist

  1. Determine all platforms used
  2. Determine the data collectors in each platform
  3. Make sure each data collector is GDPR ready
  4. Ensure customers are told what their data will be used for before they give it.
  5. Ensure notices are well written (no legalese) and easy to find

The Platforms Used

These are all the tools we set up for the site+blog+shop:

  • WordPress – the core for the site and the blog
  • MailChimp – used to handle newsletters and mailing lists
  • Drift – for live chat on the site

The Data Collectors

WordPress

The site’s core, the content management system, came with a lot of data collectors:

  • WooCommerce: collects buyers’ information such as addresses, emails, phone numbers and names. This information is stored in the WordPress database.
  • Contact Form 7: collects form data that visitors filled in when visiting the site. These include the MailChimp signup form and the review form. CF7 does not store the information, however – the information is either stored in the WordPress database or sent to MailChimp.
  • Blog Comments: visitors who comment on blog posts had their names and email addresses collected. This information is stored in the WordPress database.
  • Google Analytics Tracking Code: stores information on users such as their IP address, location, browser and operating system.

MailChimp

Stores information received by the Contact Form 7 plugin as mentioned above.

Drift

Requires a visitor to provide their email address for follow-up if Wei isn’t online for a live chat.

Great! All platforms were identified with the data collected and the data destination.

Getting GDPR Ready

I followed a guide I found on Willows Consulting on the GDPR for ecommerce. These were the tasks to be carried out:

Update the Privacy Policy Page

The Privacy Policy was required to state the following:

  1. The data that was collected at each collection point.
  2. What we will do with the data collected and which processors had access to it.
  3. The Data Protection Officer’s contact information.
  4. How a data subject access request could be lodged.
  5. How long we held personal information.

Remove all automatic opt-ins on the site

Every opt-in on the site was switched to double opt-in. That meant that you had to agree to sign up for a subscription even after providing your name and email and clicking on the “Sign Up” button.

Collect only information you require to run the client’s business.

We had to make sure that the forms collected just what was needed for customer signups and other registrations.

All data breaches need to be recorded and actioned with a preventative measure within 72 hours.

If for any reason personal data was passed to a party that isn’t GDPR compliant, the data subject must be notified. This included a site hack.

Have a data breach process and plan in place.

So, what happens if there is a data breach? I had to come up with a plan and test run it as well to make sure it works. I will talk about this process in another post in the future.

Have a process in place for when someone is looking for a copy of their data.

So, what if someone says he wants all his data I have collected on my site? I must be ready to provide their data and their data alone to the person within 20 days. WordPress has had that implemented since version 4.9.6.

Right to be forgotten requests.

The Delete Me plugin was installed on the site to allow customers to delete their information without the need to make the request. An email will be sent to the Data Protection Officer and Wei to alert us both.

Withdrawal of permission to process personal data after an ecommerce transaction.

I will have to flag a user’s information as not to be used for data mining or marketing.

Request for personal data in a portable transferable format.

That has also been provided by WordPress 4.9.6.

The Other Areas

This covered most of the things I had to do on the site. Was there anything else I did? Sure, there was!

Google Analytics IP anonymization with gtag.js

IP addresses of visitors are collected using Google Analytics. It would make it easier if I collected these IPs anonymously to keep my visitors’ identities private. What anonymization does is change the last octet of an IP address to zero. This allows Google Analytics to know where the IP is coming from without being specific. This was done by following this guide here.

A Google Analytics code looks like this:

<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=<GA_TRACKING_ID>"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());

gtag('config', '<GA_TRACKING_ID>');
</script>

What I needed to do was add a code that enabled anonymization. The original tracking code looked like this:

gtag('config', '<GA_TRACKING_ID>');

The code was then changed by adding

{ 'anonymize_ip': true }

in the function on the last line, making it look like this:

gtag('config', '<GA_TRACKING_ID>', { 'anonymize_ip': true });
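A check that can be run over a page's HTML source to confirm every gtag config call carries the setting. This is an added example, not code from the original post; the function names `findGtagConfigCalls` and `auditPage` and the sample pages are constructed for illustration.

```javascript
// Find every gtag('config', 'ID' [, {options}]) call in a page's source and
// report whether its options object sets anonymize_ip to true.
function findGtagConfigCalls(html) {
  const results = [];
  // The options object is optional; the lazy match extends to the "}" that
  // is followed by the call's closing ")".
  const callRe =
    /gtag\(\s*['"]config['"]\s*,\s*['"]([^'"]+)['"]\s*(?:,\s*(\{[\s\S]*?\}))?\s*\)/g;
  let m;
  while ((m = callRe.exec(html)) !== null) {
    const options = m[2] || '';
    const anonymized = /['"]?anonymize_ip['"]?\s*:\s*true\b/.test(options);
    results.push({ trackingId: m[1], anonymized });
  }
  return results;
}

// Summarise one page: which tracking IDs are configured without anonymization.
// Limitation: a commented-out gtag call is still counted, so review any hits.
function auditPage(html) {
  const calls = findGtagConfigCalls(html);
  return {
    configCalls: calls.length,
    allAnonymized: calls.every((c) => c.anonymized),
    missing: calls.filter((c) => !c.anonymized).map((c) => c.trackingId),
  };
}

// Constructed sample pages using the placeholder ID from the snippets above.
const PAGE_BEFORE = `
<script async src="https://www.googletagmanager.com/gtag/js?id=<GA_TRACKING_ID>"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', '<GA_TRACKING_ID>');
</script>`;

const PAGE_AFTER = PAGE_BEFORE.replace(
  "gtag('config', '<GA_TRACKING_ID>');",
  "gtag('config', '<GA_TRACKING_ID>', { 'anonymize_ip': true });"
);

console.log('before:', JSON.stringify(auditPage(PAGE_BEFORE)));
console.log('after: ', JSON.stringify(auditPage(PAGE_AFTER)));
```

Running it against each theme template that prints the tracking code catches a header or footer file where the old config line was left in place.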

Setting up Data Privacy Consent on Drift

Drift has made it possible and easy to get consent from users who provide their email addresses to the chat bubble if you are offline and unavailable for a chat. I followed their guide to make sure I was using Drift and following the GDPR guidelines, making this bit GDPR ready.

Conclusion

This was sort of easy but lengthy to carry out, but I was glad I did the research and applied the measures to make sure my client took care of her customers’ data. They keep her business running, and making sure their data is kept safe and not abused will further build their trust in her!
