Getting ready for GDPR – Part I


Just one month remains until the new GDPR regulations come into effect. And we are totally unprepared for this!

Before we begin, I must state that this blog post (and the future posts regarding GDPR implementation) gives no legal advice. Instead, it is a record of my personal experience with the ups and downs of making the blog GDPR-compliant. All the products, including legal documents, WordPress plugins and my own code, were tested on this blog, either in the staging environment or on the live version. This doesn’t necessarily mean they will work for you, as there is no way to test every possible plugin combination.

Updating the legal documents

One of the most important aspects of the GDPR regulations is to clearly state how user information is collected, and what we do with it. In particular, every website must have a well-written, GDPR-compliant privacy policy.

I’m an electronics engineer; I can’t do everything by myself. Sometimes I have to call for specialized help.

Back in the old days when I had just started, my privacy policy was based on some free template that I had found on the Internet. It was decent, but it didn’t cover all the possible aspects.

At some point, I switched to the “The Big 3” package, and I found it to be well-suited for my blog. I paid $129 + VAT for it, and it included one year of updates. Renewal after that is $29.95 per year. This legal package can be installed on three websites, a bonus for owners of multiple blogs.

In this package, you will receive a set of three documents: privacy policy, terms & conditions, and disclaimer in Microsoft Word format. Each document contains instructions regarding the necessary customization for each site. The latest revision is GDPR compliant. I strongly encourage you to read them on my blog before spending money on them.

That was the easy part.

The really difficult part is to change the way user data is collected and processed in WordPress.

Cookie consent

Until GDPR came along, cookie consent was just an annoying banner, and there are even Firefox and Chrome plugins that block those banners.

The way I see the new GDPR and ePrivacy regulations, only functional cookies can be placed before the user consents. So a simple cookie notice is no longer enough: one must actively block any unnecessary cookies until the user gives explicit consent. Another aspect is that any user must be able to revoke that consent at any time.

For a long time, I’ve been using the Cookie Notice by dFactory plugin. It does its job well. One can use a bit of PHP programming to restrict loading of some areas of the site until the user consents to cookies (such as blocking advertising and Google Analytics). As a downside, it doesn’t include a way to revoke consent. I have also found that sometimes it interferes with the caching system, and it does not collect Analytics data even after the user has hit the “I agree” button. A test with all the options enabled resulted in only 30% of the traffic being recorded by Google Analytics.
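As an illustration of the “bit of PHP programming” mentioned above, here is an added example of my own (not code from the blog post or from the Cookie Notice plugin) that only prints the Google Analytics snippet once the visitor has accepted cookies. It assumes the plugin’s `cn_cookies_accepted()` helper, which returns true after the visitor clicks “I agree”; the `myblog_` function names and the Analytics property ID are placeholders, and the snippet is meant for a theme’s `functions.php` or a small site plugin.

```php
<?php
/**
 * Added example: gate the Google Analytics snippet on cookie consent.
 * Not the blog's or the Cookie Notice plugin's own code.
 *
 * Assumes Cookie Notice is active and provides cn_cookies_accepted().
 * The property ID below is a placeholder.
 */

// Returns true only when the plugin reports an explicit "I agree".
// If the plugin is missing or disabled, default to "no consent" so that
// nothing non-essential is loaded by accident.
function myblog_user_has_consented() {
    if ( function_exists( 'cn_cookies_accepted' ) ) {
        return (bool) cn_cookies_accepted();
    }
    return false;
}

// Prints the Analytics loader in <head>, but only after consent.
// Before consent nothing is output, so no tracking cookies get set.
function myblog_print_analytics() {
    if ( ! myblog_user_has_consented() ) {
        return;
    }

    $ga_id = 'UA-XXXXXXXX-X'; // placeholder: replace with your property ID
    ?>
    <script async src="https://www.googletagmanager.com/gtag/js?id=<?php echo esc_attr( $ga_id ); ?>"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){ dataLayer.push(arguments); }
      gtag('js', new Date());
      // anonymize_ip truncates the visitor's IP before it is stored
      gtag('config', '<?php echo esc_js( $ga_id ); ?>', { 'anonymize_ip': true });
    </script>
    <?php
}
add_action( 'wp_head', 'myblog_print_analytics' );
```

One caveat a practitioner should keep in mind: this gate is evaluated server-side, per request. A full-page cache that serves the same stored HTML to every visitor will freeze whichever decision was made when the page was first cached, so consenting visitors may keep getting the “no script” version (or, worse, non-consenting visitors the tracked one). Either exclude pages from the cache when the consent cookie is absent, vary the cache on that cookie, or move the decision into JavaScript that runs in the browser after reading the consent cookie.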

Considering those issues, I have switched to a paid plugin, the WeePie Cookie Allow, which you can see working on the blog.

It does a very good job of blocking both my own and most third-party (advertising and analytics) cookies. It can block iframes (usually the ads are in iframes). It allows the collection of anonymized Google Analytics data before the user consents. It has a button to revoke cookie consent. As a downside, there are a few cookies that are still active despite the cookie blocking option being enabled, but I hope this will be solved in the next updates. Overall, it’s the best cookie blocking plugin I have found so far.

Consent to WordPress comments and on using contact forms

To meet GDPR regulations, the user must consent to the processing of their personal data, including IP address and email, before commenting or sending a message using the contact form. I’ve implemented this feature using the (free) WP GDPR Compliance plugin from the WordPress repository. With this plugin active, the user must tick a checkbox to be able to post comments and send contact form messages.

Processing user data

Here comes the part of GDPR that is most difficult to implement: processing user data. Two of the most important aspects are Data Access and the Right to be Forgotten. Also, informing users about a data breach has to be implemented here.

This is still a work in progress, as I had some disappointing experiences with the available plugins. Most work here is done in a staging environment, so it’s not visible on the blog.

First, I tried the free GDPR plugin from the WordPress repository. On my first attempt to delete some data it messed up the whole database. Lucky for me, I was working in staging. All I had to do was to destroy that staging environment and start all over again.

Right now I’m testing another plugin, but I feel it’s not ready to be moved to live: the Ultimate GDPR Compliance Toolkit for WordPress. It’s a paid plugin, and it costs $39 + taxes. It promises to cover all the GDPR aspects. It still needs some testing, and I will tell you more about it in the next few days.
