By now, you’ve probably brushed up on what the General Data Protection Regulation (GDPR) is and what it means for your business, so I’m not going to rehash that here. What I will say, however, is that GDPR is good because it protects the end user and provides guidance to businesses on how to adhere to strict privacy policies (which are already very strict in Germany).
With the GDPR deadline on May 25, it seems like everyone is rushing to get their websites compliant with the new EU regulation. Because we at Page Builder Framework take your privacy very seriously, I wanted to use today’s post to talk you through what I’ve done to make our website and Page Builder Framework GDPR-compliant.
How we made our website GDPR-Compliant
Before we delve into the changes made to the Page Builder Framework and website, I want to state that I am not a lawyer and all changes made were based solely on research.
Our plugin of choice to handle cookies is Borlabs Cookie.
The plugin offers a lot more features that I’m not going to cover in this post. Learn more about Borlabs Cookie.
Your web host is storing data, so it’s a good idea to have a data processing agreement (DPA) with them. Here’s the mail we received from DigitalOcean on this:
There are two ways in which GDPR advises businesses to protect user data: encryption and tokenization. By installing an SSL certificate and serving your website over encrypted HTTPS, you’ll be well on your way to GDPR compliance.
WordPress Plugins & Theme
It’s important to know that some plugins and even themes can store data, especially contact form, backup, and security plugins. If you’re unsure whether any theme or plugin you use stores data, make sure to ask the developer. Page Builder Framework is now 100% GDPR compliant! Read more about this below.
In terms of what we did for our site, we removed all backups from external servers and now only host them locally. Our backup plugin of choice is Snapshot by WPMU DEV.
Now, with security plugins this can get a bit more complex. Audit logging is something we wouldn’t want to do with the new GDPR regulations. IP lockouts, though, can be very beneficial.
If you use this feature, it’s important not to store any data on external servers and to clear data on a regular basis (if possible, automate it for every 7 days or so). As far as I can tell, using a feature like this falls under the classification of “justified interest”. Our security plugin of choice is Defender by WPMU DEV.
Image Compression Plugins
Image Compression plugins that use and send images to their servers can be problematic with the new regulation. Some providers delete images right after compressing them, so before you toss your optimization plugin, verify with the developer that they do indeed delete the files. Alternatively, use a plugin that handles compression directly on your server (can take a lot of resources).
The list of WordPress plugins (and themes) to be mindful of doesn’t stop there. I’d suggest you go through each of your plugins as well as your theme, and do your own research and verification.
Because Google Analytics is a service built around user data, there are a number of things you have to do as a customer of Google.
First, you must review and accept Google Analytics’ data processing contract. This is the one we used for our Germany-based business. After reviewing this contract, I sent two signed copies to Google in Dublin, Ireland. Use this one if your business is based in the United States.
Secondly, accept Google’s amendment in-app. To do this:
- Log into your Google Analytics account.
- Go to the Admin menu.
- Under the Account column, select Account Settings.
- Locate the Data Processing Amendment
- Review the Amendment. Then hit Accept.
- Update your settings and save the changes.
Finally, Google Analytics is going to ask you to review and save your web property’s Data Retention settings. It’s a good practice to change retention to 14 months and turn off “Reset on new activity”. You can make this change by doing the following:
- Log into your account.
- Go to the Admin menu.
- Under the Property menu, select Tracking Info > Data Retention.
- Update your settings and save the changes.
For spam protection, we’ve stopped using Google ReCaptcha and installed Contact Form 7 Honeypot.
For your blog, we’d suggest using an Akismet alternative called Antispam Bee since it can be configured for GDPR compliance.
3rd Party E-Mail clients
Our E-Mail client of choice is Zoho. We have signed a Data Processing Addendum with them.
In terms of what we’ve done with our blog, we have stopped storing IP addresses for comments and also removed existing IPs from our database. Also, be sure to deactivate Gravatar if you’re using it.
Here’s a clause that should be included if you’re using Google Fonts without hosting them on your own server:
“The use of Google Web fonts is done in the interest of a uniform and attractive presentation of our website. This constitutes a justified interest pursuant to Art. 6 (1) (f) DSGVO.”
Visitors that want to share your content on social media also need to be GDPR-compliant. To do this properly, I’d suggest using a social sharing plugin like Shariff.
We use MailChimp at Page Builder Framework, so the following may not exactly apply to you. However, if you’re using a mail or newsletter service, this will give you an idea of how to approach GDPR compliance for this.
To start, since data is processed by MailChimp, we needed a data processing agreement with them.
Next, we decided to no longer use a plugin (MailChimp for WordPress by ibericode) to let visitors subscribe to our list. Instead, we opted to create our own form using MailChimp’s embedded forms feature. We used the Naked template and later styled it with CSS.
The good thing about this embedded form is that it doesn’t actually sign people up to your mailing list. Instead, it forwards users to MailChimp’s signup form.
You’d also want to make it very clear what people sign up for. In our case, subscribers will receive emails only about new features and updates. We also only ask for people’s email address to keep the collected data at a minimum. Later, on the MailChimp sign-up form, they can also enter their name (optional).
Finally, if you are using a GDPR-compliant newsletter system like MailChimp, make sure to configure settings within the app. In MailChimp, you do this by navigating to Settings > “List name and defaults”. Then, check “Enable GDPR fields”.
This will make the MailChimp signup form look like this:
This also adds a GDPR badge next to your form.
Video Hosting Services
Embedding videos means that data is being processed between your website and a video hosting service (like YouTube and Vimeo). This is actually similar to Google Fonts in that it may be another case of “justified interest”. However, we have taken steps to ensure that your sites remain in compliance.
Borlabs Cookie, for instance, crawls your content area for iframes (e.g. Google Maps, YouTube & Vimeo videos, etc.) and gives you the option to opt in. No iframes are loaded before the visitor actually opts in.
Page Builder Framework is 100% GDPR Compliant!
I’m happy to announce that Page Builder Framework is now fully GDPR Compliant! We went the extra mile to ensure you’re safe using Page Builder Framework and comply with the new Data Protection Regulations.
For your WordPress site, you can now host Google Fonts locally using Page Builder Framework. With the latest update, you can quickly enable this by ticking off the “Download font-family to server instead of using the Google CDN” checkbox.
With the Premium Add-On for Page Builder Framework, you can add responsive YouTube and Vimeo Videos with a shortcode. With the latest release, there’s a new “opt_in” attribute. This lets visitors choose whether they want the video to be loaded by default or not. This means that a connection to the video hosting servers will not be established until the user clicks on “Load Video”. This is similar to the Borlabs Cookie feature explained above.
[wpbf-responsive-video src="https://www.youtube-nocookie.com/embed/qII-SDZzvD8" opt_in="true"]
Also, notice the youtube-nocookie.com link we’re using in the shortcode. All embedded videos should be embedded with the YouTube nocookie domain. To do that, check the “Enable privacy-enhanced mode” option.
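To illustrate the opt-in behaviour described above (both the Borlabs Cookie iframe handling and the shortcode’s “opt_in” attribute), here is an added JavaScript example. It is not Page Builder Framework’s, the Premium Add-On’s or Borlabs Cookie’s code; the function names (toPrivacyEnhanced, renderVideo, attachOptInHandlers) and the placeholder markup are assumptions made for this example. The point it demonstrates is that, until the visitor clicks “Load Video”, the page contains no iframe at all, so no connection to the video host is made, and that the embed URL is rewritten to the youtube-nocookie.com domain before it is ever used.

```javascript
// Added example (not the plugin's code): a consent-gated video embed.
// Until the visitor opts in, only a placeholder is emitted; the iframe
// (and therefore the request to the video host) is created on click.

// Hosts that offer a "privacy-enhanced" (nocookie) embed domain.
// Constructed mapping for this example; other hosts are left unchanged.
const NOCOOKIE_HOSTS = {
  'www.youtube.com': 'www.youtube-nocookie.com',
  'youtube.com': 'www.youtube-nocookie.com',
};

// Rewrite a YouTube embed URL to youtube-nocookie.com; anything else passes through.
function toPrivacyEnhanced(src) {
  const url = new URL(src);
  if (NOCOOKIE_HOSTS[url.hostname]) {
    url.hostname = NOCOOKIE_HOSTS[url.hostname];
  }
  return url.toString();
}

// Escape a value before placing it inside an HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Render the embed markup.
//   optIn=true, consented=false  -> placeholder only, no iframe, no request
//   otherwise                    -> the iframe itself
// The real src is parked in a data-* attribute; browsers do not fetch those.
function renderVideo(src, { optIn = true, consented = false } = {}) {
  const safeSrc = escapeAttr(toPrivacyEnhanced(src));
  if (optIn && !consented) {
    return (
      `<div class="video-opt-in" data-src="${safeSrc}">` +
      '<p>This video is hosted by a third party. No connection to the video host ' +
      'is made until you click the button.</p>' +
      '<button type="button" class="video-opt-in-load">Load Video</button>' +
      '</div>'
    );
  }
  return (
    `<iframe src="${safeSrc}" allowfullscreen loading="lazy" ` +
    'referrerpolicy="strict-origin-when-cross-origin"></iframe>'
  );
}

// Quick check usable in a test: does the markup reference a third party at all?
function containsIframe(html) {
  return /<iframe\b/i.test(html);
}

// Browser wiring: replace each placeholder with the iframe only when clicked.
// Guarded so the pure functions above also load under Node (no DOM there).
function attachOptInHandlers(root = typeof document !== 'undefined' ? document : null) {
  if (!root) return 0;
  const placeholders = root.querySelectorAll('.video-opt-in');
  placeholders.forEach((box) => {
    box.querySelector('.video-opt-in-load').addEventListener('click', () => {
      box.outerHTML = renderVideo(box.dataset.src, { optIn: true, consented: true });
    });
  });
  return placeholders.length;
}

// Usage in the browser, after the placeholders are in the page:
//   attachOptInHandlers();
```

The design choice worth noting is that the consent gate lives in the markup, not in a script that hides an already-loaded iframe: a hidden iframe still makes the request and still sets cookies, so the only way to avoid the connection is to never emit the element until the visitor asks for it.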
The GDPR deadline is upon us, which means there’s no time to waste. If you haven’t taken steps to get the above items compliant with the new regulation, do it now. For those of you already using the Page Builder Framework – which is 100% GDPR-compliant – we’ve already simplified much of this for you. Just use the checklist above to ensure you hit all the required points.
Again, just a reminder: I am not a lawyer, so I am not advising you on the legalities of conducting business within the EU (or with customers based in the EU). I am simply providing guidance on how to bring your WordPress site in line with new privacy rules.
This list is by no means perfect. However, I hope it gives you some useful insights on how we’ve tackled GDPR compliance and are hoping to equip our users with a tool that helps them do the same. There are still a few more compliance matters we hope to take care of, but we’ll address those as time goes by and we gain a better understanding of the new regulation.
Question for all of you: How is GDPR compliance going for you? If you’ve already taken steps with your website, is there anything we missed that you would like to recommend to our readers?