The General Data Protection Regulation (GDPR) came into effect in the UK on 25th May 2018. GDPR is a data protection framework provided by the EU and regulates how organisations store, process and protect people’s data. It replaces the earlier Data Protection Act and is enforced here in the UK by the Information Commissioners Office. This article is aimed at explaining GDPR for small charities.
If you’re a charity using WordPress, and you’re wondering what areas you might need to address to make sure your site’s compliant, we’ve put together this article to help you find the key areas where you can manage your GDPR compliance in WordPress.
We’ll make reference throughout to a couple of GDPR buzzwords, so I thought I’d list them here first to explain what they mean:
On May 17th, WordPress added an update (version 4.9.6, if you’re checking at home) with a lot of new features to help charities and organisations manage their GDPR compliance.
One key area is data access requests; if a person with an account on your WordPress website submits a request for a copy of the data you hold on them retrieving it from WordPress (and Woocommerce) is fairly straightforward with the new tools.
If someone makes a data request, you can use this screen to send them back a link to confirm it on their orginal email address. Once the process is complete, WordPress gives you the option of sending the data to their email address directly or saving it so you can include it with any other data you’ve collected. It’s really important here that you vet data access requests; make sure the person is who they say they are! The kind of data you’re holding may be used to impersonate others, so be cautious; call the person in question, or contact them via some other method, to confirm their request.
If your site has a contact form (or, indeed, any other forms) you’ll want to make sure that you’re storing the data properly and communicating the purpose of storing that data. There are a few plugins out there; our favourite is Gravity Forms but Contact Form 7 is a popular free alternative.
Here are some of the things you can’t do under GDPR:
Some forms plugins store the data submitted to them in the back end of WordPress. It’s a good idea to go in periodically and delete any entries you don’t need to keep any more.
With version 3.4, Woocommerce released tools to help organisations using it to deal with data storage and access requests. They also added tools to help store owners purge older data that wasn’t needed any more. If you have Woocommerce and are looking into GDPR for a small charity, there’s plenty of tools here to help.
Here are some self-help next steps for assessing GDPR for small charities using WordPress:
The list above’s definitely not exhaustive, and you might have other plugins collecting personal data and storing it. Assessing your whole site is important when auditing compliance against GDPR for small charities.
The best way to find out is to audit your site; of course, you can contact us if you’d like a thorough technical audit. Most areas that hold personally identifiable information are held in the back end of WordPress though, so getting familiar with your site and noting down anywhere you see people’s data is perfectly fine too.
As always, if you’d like more information or you need someone to get your website up to date with the latest version of WordPress or Woocommerce just get in touch with us.