Avoid heavy fines by ensuring you comply with the new GDPR Regulation.

GDPR, short for General Data Protection Regulation, is a European Union law that you have likely heard about; it came into effect on May 25, 2018. We have received dozens of emails from users asking us to explain GDPR in plain English and share tips on how to make their WordPress site GDPR compliant.

So, as an Australian company that provides online products or services, should you be worried about the GDPR laws? And if you think you are compliant because you use double opt-in consent for email marketing, you would be wrong. Let us first define what it means to “gain consent”. In the marketing world, this means that you, the marketer, have permission to capture someone’s data and use it (i.e., email newsletters, nurturing campaigns, etc.). Many marketers believe double opt-in gives them the consent needed to put a user in a drip campaign or on specific email lists. Here’s the harsh reality: it doesn’t. When a user fills out a form and is then sent an email with a confirmation link to complete their subscription, that does not provide the consent needed to be compliant with the GDPR.

GDPR is serious business. Organisations will face fines of more than AU$30 Million, or 4% of their annual global revenue, for non-compliance. However, it’s not all doom and gloom. The GDPR is an evolution in data protection and is meant to put consumers back in control of their data. Companies already obeying existing data protection laws are most likely well on their way to compliance.

Firstly, does it apply to you?

The Australian government, in the following link, makes this statement:

From 25 May 2018 Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.

The Australian government has also left it to you to ensure you are compliant. So if you are a marketer who has, or may have, online business dealings with EU countries, you can expect the added regulations to change a lot about the way you acquire, handle, and use EU data.

Here’s what marketers should be aware of and how they can prepare for the upcoming changes. 

  1. Collecting data: for starters, the way marketers collect data will shift. Currently, marketing can rely on a pre-checked box to collect consent for marketing communication. But under the GDPR, that will no longer be an acceptable way to collect data. As the GDPR requires that consent is ‘freely given, specific, informed, and unambiguous,’ marketers must now be more deliberate in the way they are opting consumers in.
  2. Consent requirements: clear consent is a more stringent requirement under the new GDPR. Marketers will not be able to hide consent for data processing with generic statements like ‘we may process your personal data to improve our services.’ For consent to be considered valid under the new regulations, marketers will need to clearly indicate what personal data will be processed; how, when and who will process it; and for what purpose.
  3. Breaking down valid consent: GDPR applies to all new and existing data. If requested, users will be required to prove that they have consented to use personal data. For marketers, this means being able to provide an accurate and up-to-date breakdown of new, current, lapsed, active, and inactive customers and email subscribers. Marketers must be mindful of how long their relationship could be considered valid. In addition, they must be prepared to prove consent among the aforementioned groups whose data they want to hold on to.
  4. Proving consent: under GDPR, marketers must prove consent before sending any communications to contacts. Consent applies to all data collection practices including offline methods such as mail and telephone. When collecting data and consent, marketers must ensure they capture and store the date and time of consent, method of consent and a referential copy of the sign-up form, including its wording.
  5. Privacy policy: as previously mentioned, GDPR will require greater transparency from marketers around consent. They will have to ensure that individuals are giving ‘informed consent’ and that those individuals understand who they are giving consent to and why their data is being processed.
  6. Marketing to an existing database: before sending any marketing communication to an existing database, marketers will need to make sure that all that data is compliant with GDPR. This includes checking that there are existing consent records that prove marketing had permission to send a communication to each individual contact. This permission needs to be explicit across each channel, not just email.

By default, WordPress used to store the commenter’s name, email, and website as a cookie in the user’s browser. This made it easier for users to leave comments on their favorite blogs because those fields were pre-populated.

Due to GDPR’s consent requirement, WordPress has added the comment consent checkbox. The user can leave a comment without checking this box. All it would mean is that they would have to manually enter their name, email, and website every time they leave a comment.

If your theme is not showing the comment privacy checkbox, make sure that you have updated to WordPress 4.9.6 and are using the latest version of your theme. Also make sure that you are logged out when testing to see if the checkbox is there.

If you are new to WordPress, we recommend following the steps as outlined by the WPBeginner site to help ensure you comply:


WordPress also now comes with a built-in privacy policy generator. It offers a pre-made privacy policy template and offers you guidance in terms of what else to add, so you can be more transparent with users in terms of what data you store and how you handle their data.

If you are running plugins, make sure they are all updated, as most plugins have also added the GDPR requirements.

Not only will marketers need to provide users the ability to manage how their data is used (i.e., subscribing only to what they want), but they must also provide users the ability to revoke consent.

This is also a great time to revisit the Privacy Policy on your website. When was the last time you actually took the time to read it? Now is a great time to do so!
