With the abundance of how-to and blogging tips sites you’d expect to easily find some practical info about GDPR for bloggers and small site owners. But it seems some of these sites offer limited practical tips when it comes to applicable solutions. After having friends ask for advice, I’ve decided to write this article and provide some practical info with the help of some plugins for WordPress sites. The best way to apply these tips is to read each one carefully, check whether the latest version of WordPress has the functionality built in (it should if you’re using version 4.9.6 and above) and then see which of the suggested plugins might be useful to you (I’m not affiliated with any of these plugins, so you’re free to look for alternatives).
The boring but important introduction (so that you don’t blame me afterwards)
Before that, I need to stress a few really important things. First and foremost, the fact that you’re going to use a plugin doesn’t necessarily mean that you will make your site 100% GDPR compliant. Many plugin developers also emphasize this in their support pages. You should bear in mind that these plugins cover only a basic fraction of GDPR. Most of the work will have to be done by your website developer and you should ask a lawyer for advice. Second, the plugins discussed seem to offer basic GDPR functionality for the time being (I cannot be held responsible if they add/remove features or lose their functionality in the future). This relates to my third point: a few of these plugins might become obsolete if some of their functionality is included in future versions of WordPress (UPDATE: indeed, even before I hit publish on this post, a new WordPress version was out, thankfully covering many GDPR areas. After all, the fewer plugins a site uses, the better).
Most people seem to ignore this one: comments. Your users should know that you are storing their comments and that they can ask for their deletion if they wish. Luckily, the new WordPress update (4.9.6) has a GDPR commenting system that offers an opt-in checkbox for the users, which they can tick before submitting their comments. Bear in mind that if you’re using the Jetpack plugin in its current version (6.1.1 and below) you need to go to Settings → Discussion and untick “Let readers use WordPress.com, Twitter, Facebook, or Google+ accounts to comment”.
If for any reason you do not have WordPress 4.9.6 installed, or you are using another plugin for your comments, make sure you always state clearly in your comment form that the comments and the profile of every user are collected by your site. This plugin seems to do the job for the time being, in case you are using an older version of WordPress or want to use the Jetpack commenting system: WP GDPR Compliance. Among other things, it lets you add a privacy checkbox to your comments. Note: at the moment you need to disable the Jetpack commenting system (if you’re using it) for this to work.
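If you would rather not add a plugin, the same thing can be done with a few lines in a small plugin file or your theme’s functions.php. The following is an added example of mine, not code from WordPress or from the WP GDPR Compliance plugin: it prints a consent checkbox under the comment form, rejects on the server side any comment submitted without it (the browser’s “required” attribute alone is not a check), and records the time of consent as comment meta so it is part of the data kept with the comment. The function prefix gdpr_example_ and the text domain are my own names.

```php
<?php
/*
 * Plugin Name: GDPR Comment Consent (added example, not the page's own code)
 * Description: Asks commenters for explicit consent before their comment is stored.
 */

// Print the consent checkbox after the other comment fields.
// Both actions are real WordPress hooks: one fires for guests, one for logged-in users.
function gdpr_example_consent_field() {
    echo '<p class="comment-form-gdpr-consent">';
    echo '<input id="gdpr-consent" name="gdpr_consent" type="checkbox" value="1" required />';
    echo '<label for="gdpr-consent">'
        . esc_html__( 'I agree that my name, email address and comment are stored by this site.', 'gdpr-example' )
        . '</label>';
    echo '</p>';
}
add_action( 'comment_form_after_fields', 'gdpr_example_consent_field' );
add_action( 'comment_form_logged_in_after', 'gdpr_example_consent_field' );

// Server-side check, run before the comment is written to the database.
function gdpr_example_require_consent( $commentdata ) {
    // Pingbacks and trackbacks come from other sites, not from a form, so they carry no checkbox.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( in_array( $type, array( 'pingback', 'trackback' ), true ) ) {
        return $commentdata;
    }
    if ( empty( $_POST['gdpr_consent'] ) ) {
        wp_die(
            esc_html__( 'You must agree to the storage of your data to post a comment.', 'gdpr-example' ),
            esc_html__( 'Consent required', 'gdpr-example' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'gdpr_example_require_consent' );

// Keep a record of when consent was given, stored with the comment itself (UTC).
function gdpr_example_store_consent( $comment_id ) {
    if ( ! empty( $_POST['gdpr_consent'] ) ) {
        add_comment_meta( $comment_id, 'gdpr_consent_given_at', current_time( 'mysql', true ), true );
    }
}
add_action( 'comment_post', 'gdpr_example_store_consent' );
```

Because the check runs in preprocess_comment, it also covers comments posted by scripts that skip the form, which a purely client-side checkbox would not. If you later delete a comment on request, the consent meta goes with it.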
Forms and newsletters
Who doesn’t have one form or another on their site nowadays? Again, forms need to explain that the info the users are providing will be stored by the site and that they can revoke access, unsubscribe from the newsletters, etc. The WP GDPR Compliance plugin mentioned above should work if you’re using Contact Form 7 forms (or you can do it manually as explained here).
If you’re using Mailchimp for your newsletter you’ll be happy to know that GDPR compatibility is already in place, but only for certain styles of forms (again, for the time being). To enable them use this simple guide from Mailchimp.
Yes, you do need to tweak some things in Google Analytics for your site to be GDPR compatible. Google has introduced the Data Retention Control mechanism that allows you to select how long Google will store your data. This should be set from here, using this guide. Another thing you should consider is the option to anonymize the IP of your visitors. This can be done by editing your analytics code and adding a line of code as shown here.
If this is too technical for you, don’t worry: this plugin seems to provide the option of IP anonymization in its settings: GA Google Analytics.
Otherwise, if you’re using MonsterInsights, the latest version includes the option for IP Anonymity.
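For those who do edit the tracking code themselves, here is an added example (my own, not from Google, from the plugins mentioned, or from this post) of how the anonymization line fits into the analytics.js snippet when it is printed from WordPress. It also holds the tracker back until the visitor has consented, which is the other half of the point made later in this post about not recording user data without consent. The consent cookie name gdpr_example_consent is an assumption standing in for whatever your consent banner sets, and UA-XXXXXXXX-Y is a placeholder for your property ID.

```php
<?php
// Added example: print Google Analytics (analytics.js) with IP anonymization,
// and only after the visitor has opted in. Not code from the page or from Google.

// Hypothetical cookie written by your consent banner; adjust to your setup.
define( 'GDPR_EXAMPLE_CONSENT_COOKIE', 'gdpr_example_consent' );

function gdpr_example_has_analytics_consent() {
    // No cookie (or any value other than "1") means no consent: load nothing.
    return isset( $_COOKIE[ GDPR_EXAMPLE_CONSENT_COOKIE ] )
        && '1' === $_COOKIE[ GDPR_EXAMPLE_CONSENT_COOKIE ];
}

function gdpr_example_analytics_snippet() {
    if ( ! gdpr_example_has_analytics_consent() ) {
        return; // no script, no _ga cookie, no IP sent to Google
    }
    $property_id = 'UA-XXXXXXXX-Y'; // placeholder, replace with your own property ID
    ?>
    <script>
    window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
    ga('create', '<?php echo esc_js( $property_id ); ?>', 'auto');
    /* The anonymization line must run before the first 'send'; Google then drops the
       last octet of IPv4 addresses (last 80 bits of IPv6) before storing anything. */
    ga('set', 'anonymizeIp', true);
    ga('send', 'pageview');
    </script>
    <script async src="https://www.google-analytics.com/analytics.js"></script>
    <?php
}
add_action( 'wp_head', 'gdpr_example_analytics_snippet' );

/* If your site uses the newer gtag.js snippet instead, the equivalent setting is
   passed with the config call:
   gtag('config', 'UA-XXXXXXXX-Y', { 'anonymize_ip': true });
*/
```

Ordering matters: ga('set', 'anonymizeIp', true) placed after ga('send', 'pageview') would let the first hit go out with the full IP address. If you use a caching plugin, remember that the consent check runs on the server, so cached pages should either be varied by that cookie or the check moved into the browser.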
Protect your site from cyber attacks
There are many plugins that protect your sites from malicious attacks and unauthorized access. One of the most popular is the Wordfence security plugin, the free version of which seems to offer the basic functionality needed by some users.
At this point, SSL is crucial
With Chrome announcing it will start marking sites without an SSL certificate as not secure and with GDPR already in place, you have no excuse not to install an SSL certificate on your WordPress site. What you probably don’t know is that there are some free SSL alternatives like Let’s Encrypt that offer the basic protection only, but at least you have a site that is marked as secure. Most hosting providers should provide some of the free SSL alternatives as part of their service through their control panels (you should probably ask about their availability first). If not, the Let’s Encrypt site has a guide for manual installation.
And the most important thing of all
You have to make sure of the following: that you do not store any personal data (IP addresses included) from your users without them knowing and without their consent. This extends to 3rd-party plugins that you use on your site, all tracking cookies, analytics services, comments and anything or anywhere your user details might be recorded. If a user asks for their data to be sent to them or completely removed from your site you should be able to do this. Again, the latest version of WordPress (4.9.6) has two new options: Data Export and Data Erasure.
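The built-in Data Export and Data Erasure tools only know about data WordPress itself stores (comments, user profiles, media). Anything a plugin or custom code keeps in its own table has to be registered with those tools, otherwise a request answered through the WordPress admin will silently miss it. The following is an added example of mine, not code from WordPress or any plugin named here, showing how a hypothetical newsletter sign-up table (name, columns and the gdpr_example_ prefix are all assumptions) would plug into both tools using the real wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters.

```php
<?php
// Added example (not the page's code): make a plugin's own table visible to the
// WordPress 4.9.6 "Export Personal Data" and "Erase Personal Data" tools.
// The table wp_newsletter_signups (id, email, ip, signed_up_at) is hypothetical.

function gdpr_example_signup_table() {
    global $wpdb;
    return $wpdb->prefix . 'newsletter_signups'; // prefix comes from wp-config, not user input
}

// --- Export: called by WordPress with the requester's email address ---------
function gdpr_example_export_signups( $email_address, $page = 1 ) {
    global $wpdb;
    $table = gdpr_example_signup_table();
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, email, ip, signed_up_at FROM {$table} WHERE email = %s", $email_address )
    );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => __( 'Newsletter sign-ups', 'gdpr-example' ),
            'item_id'     => 'signup-' . (int) $row->id,
            'data'        => array(
                array( 'name' => __( 'Email', 'gdpr-example' ),        'value' => $row->email ),
                array( 'name' => __( 'IP address', 'gdpr-example' ),   'value' => $row->ip ),
                array( 'name' => __( 'Signed up at', 'gdpr-example' ), 'value' => $row->signed_up_at ),
            ),
        );
    }
    // 'done' => true tells WordPress there are no further pages of results.
    return array( 'data' => $items, 'done' => true );
}

function gdpr_example_register_exporter( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => __( 'Newsletter sign-ups', 'gdpr-example' ),
        'callback'               => 'gdpr_example_export_signups',
    );
    return $exporters;
}
add_filter( 'wp_privacy_personal_data_exporters', 'gdpr_example_register_exporter' );

// --- Erase: delete every row tied to the requester's email address ---------
function gdpr_example_erase_signups( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( gdpr_example_signup_table(), array( 'email' => $email_address ), array( '%s' ) );
    $messages = array();
    if ( false === $deleted ) {
        // Report the failure instead of pretending the data is gone.
        $messages[] = __( 'Newsletter sign-ups could not be removed; please contact the site owner.', 'gdpr-example' );
    }
    return array(
        'items_removed'  => is_int( $deleted ) && $deleted > 0,
        'items_retained' => false === $deleted,
        'messages'       => $messages,
        'done'           => true,
    );
}

function gdpr_example_register_eraser( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => __( 'Newsletter sign-ups', 'gdpr-example' ),
        'callback'             => 'gdpr_example_erase_signups',
    );
    return $erasers;
}
add_filter( 'wp_privacy_personal_data_erasers', 'gdpr_example_register_eraser' );
```

Once this is active, a request handled under Tools → Export Personal Data or Tools → Erase Personal Data will include the newsletter rows alongside the comments and profile WordPress already handles. Any plugin you install that stores user data and does not register itself this way is a gap you will have to close by hand for each request.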
In order for your site to be fully GDPR compliant you need to speak with a lawyer and your website developer. The instructions in this post are just for basic guidance and do not fully extend to all aspects of the GDPR scheme. Even to the areas which these tips cover, further work will probably be needed for them to have full GDPR compatibility. Again, I repeat: Your site will not be 100% GDPR compliant if you just follow the instructions of this post.