GDPR for Small Charities (and big ones too!) using WordPress

The General Data Protection Regulation (GDPR) came into effect in the UK on 25th May 2018. GDPR is a data protection framework provided by the EU and regulates how organisations store, process and protect people’s data. It replaces the earlier Data Protection Act and is enforced here in the UK by the Information Commissioners Office. This article is aimed at explaining GDPR for small charities.

If you’re a charity using WordPress, and you’re wondering what areas you might need to address to make sure your site’s compliant, we’ve put together this article to help you find the key areas where you can manage your GDPR compliance in WordPress.

We’ll make reference throughout to a couple of GDPR buzzwords, so I thought I’d list them here first to explain what they mean:

GDPR General Data Protection Regulation
DPA The date protection act; the legal framework for data protection up until GDPR came into law.
Right to Access Request Under GDPR, everyone has a right to request access to all the data you hold on them. You’re legally obliged to provide this to them.
Data Storage The act of taking someone’s personal data in and saving it, whether that be in something like MailChimp, WordPress, or even just an email inbox.
Personally Identifiable Information Data that can be used to identify an individual or individuals. This can be a name, date of birth, address etc, but it also includes technical details like an IP address.

WordPress

On May 17th, WordPress added an update (version 4.9.6, if you’re checking at home) with a lot of new features to help charities and organisations manage their GDPR compliance.

One key area is data access requests; if a person with an account on your WordPress website submits a request for a copy of the data you hold on them retrieving it from WordPress (and Woocommerce) is fairly straightforward with the new tools.

A screenshot of the The Export Personal Data screen of WordPress — The “Export Personal Data” screen of WordPress

If someone makes a data request, you can use this screen to send them back a link to confirm it on their orginal email address. Once the process is complete, WordPress gives you the option of sending the data to their email address directly or saving it so you can include it with any other data you’ve collected. It’s really important here that you vet data access requests; make sure the person is who they say they are! The kind of data you’re holding may be used to impersonate others, so be cautious; call the person in question, or contact them via some other method, to confirm their request.

Forms plugins

If your site has a contact form (or, indeed, any other forms) you’ll want to make sure that you’re storing the data properly and communicating the purpose of storing that data. There are a few plugins out there; our favourite is Gravity Forms but Contact Form 7 is a popular free alternative.

Here are some of the things you can’t do under GDPR:

Add the person’s email to an email newsletter without their explicit consent
Store their email/name/address etc for longer than it takes to deal with their query
Pass on the information added to the form to any third party, unless it’s made clear you’ll do so and/or you have to in order to fulfill their request

You can, however, store their data for as long as it takes for you to resolve their request. It’s still a good idea to have a privacy policy though, and it’s also worth adding a checkbox to your form so it’s 100% clear you’ve got their permission to store their data (make sure the forms submission requires they’ve ticked this box, too).

Some forms plugins store the data submitted to them in the back end of WordPress. It’s a good idea to go in periodically and delete any entries you don’t need to keep any more.

Woocommerce

With version 3.4, Woocommerce released tools to help organisations using it to deal with data storage and access requests. They also added tools to help store owners purge older data that wasn’t needed any more. If you have Woocommerce and are looking into GDPR for a small charity, there’s plenty of tools here to help.

First, Woocommerce added an “Accounts & Privacy” tab to the settings page (“Woocommerce” -> “Settings” in your admin menu) that allows you to control things like the Privacy Policy and how long you’d like to retain personal information on orders before it’s automatically removed. It’s worth reviewing these settings and making use of them if they’re helpful.

A screenshot of the Data Protection Settings in Woocommerce; useful when assessing GDPR for small charities — The Accounts & Privacy settings in Woocommerce

Final Steps for GDPR for small charities

Here are some self-help next steps for assessing GDPR for small charities using WordPress:

Review the back end of your site for any personally identifiable information.
Review your emails; they may also hold personally identifiable information if you receive contact form entries.
Review Woocommerce’s Account & Privacy tab; check the settings are correct and a Privacy Policy is in place.
Review any form plugins you have for old data that needs removing.
Add checkboxes for users to opt-in to your privacy policy on any forms; ensure these are required to submit the form.
If you don’t have a privacy policy, use WordPress’ built-in Privacy Policy generator to build one.
Check your privacy policy is linked in the footer and mentioned against each of your forms.

Other Plugins

The list above’s definitely not exhaustive, and you might have other plugins collecting personal data and storing it. Assessing your whole site is important when auditing compliance against GDPR for small charities.

The best way to find out is to audit your site; of course, you can contact us if you’d like a thorough technical audit. Most areas that hold personally identifiable information are held in the back end of WordPress though, so getting familiar with your site and noting down anywhere you see people’s data is perfectly fine too.

As always, if you’d like more information or you need someone to get your website up to date with the latest version of WordPress or Woocommerce just get in touch with us.