Let’s face it – people can’t trust businesses with their data as they used to. When companies ask for personal data to run their websites, they must be fully aware of the fact that people should decide on their own whether they’ll give away their data or not.
But not everyone is a GDPR expert, and that’s okay. Still, that doesn’t mean you should ignore the fundamentals and assume things, particularly when running your business with Divi in 2023 and beyond.
And just like in web development, staying GDPR-compliant is an ongoing process. Thus, to help you create a powerful Divi GDPR compliance for your Divi website, we wrote this guide as your starting point.
Table of Contents
- GDRP Implications So Far
- Begin With a Gap Analysis
- Strategize the GDPR Compliance Process
- Adjust Your Divi Website
- Stay On the Legal Side of the Coin
- Evaluate, Improve, and Adapt
- Wrapping Up
GDRP Implications So Far
It’s been five years since GDPR stepped into force (as of 25 May 2018). Since then, the regulation continues to govern how companies operate in the EU process consumers’ data.
In essence, GDPR influences companies’ focus on each data processing risk, and protects target users and their rights.
At the time of writing, a total of 1295 fines have been enforced so far since 2018. Regarding personal data processing and respecting the rules and requirements, a DLA Piper GDPR fines survey reveals an improved awareness among companies.
The following are some of the biggest non-compliance fines issued so far:
- Amazon – €746 million: On July 16, 2021, the Luxembourg National CNDP issued the highest fine to date for violating the GDPR in the amount to Amazon Europe Core S.a.r.l. for not complying with general data processing principles.
- WhatsApp – €225 million: On 20 August, 2021, the Irish DPC issued a fine to WhatsApp with €225M for a series of cross-border data protection infringements under the (GDPR). The fine followed a long investigation process dating since 2018.
- Google – €50 million: They were one of the first major companies to be punished with a massive fine in 2019. Regulators from France ruled that Google didn’t make its data processing statements openly accessible to the users.
- TIM – €27.8 million: Two years ago, the Italian authorities issued a €27.8m fine to Tim after countless complaints from users about unexpected promo calls lasting from 2017 to 2019, for which they never agreed to.
- British Airways – £20 million: In 2020, British Airways was fined £20 after website visitors were directed to a counterfeit site, which helped hackers collect the personal data of approximately 400K citizens!
Undoubtedly, the fines above are not a slap in the wrist, and GDPR created an equal playing field for all businesses, despite their size.
Moreover, now everyone is taking an active role in improving legislation and transparency towards the users.
Begin With a Gap Analysis
One of the best ways to gauge how detailed the GDPR compliance of your Divi website is to conduct a data processing gap analysis. More specifically, go through the following steps to uncover the data processing aspects that need improvements:
- Identify if there are any security weaknesses and highlight everything that needs to be ameliorated immediately.
- Assess your risk management procedures and ensure that your team defends people’s rights to freedom and data privacy.
- Decide if your organization needs a data protection officer (DPO). Click here for a checklist that can help you decide on this.
- Evaluate if your team has the necessary GDPR training and resources at hand. Everyone on the team must be knowledgeable of the GDPR rules that keep your Divi site compliant.
- Consider the type of data you need, how you store it, and where that data is shared directly and indirectly (third-party integrations), for that matter.
- Ensure that you have a process for documenting each GDPR compliance activity on your website, with an information security management system in place.
- Check if you can facilitate people’s access to their information and the right for their data to be forgotten.
Strategize the GDPR Compliance Process
When you finally uncover the data processing gaps, it’s time to think about the actions that you must take to close those gaps and take every measurement possible to ensure GDPR compliance.
Considering that every GDPR aspect that touches upon your Divi website requires you to plan across several operational areas, such as data management, security, legal, marketing and advertising, and customer service, and even third-party service providers and other vendors that you outsource work to.
When strategizing your GDPR compliance approach, consider:
- Implementing new data management plan and privacy measurements.
- Planning out the data security controls that need to be established.
- Resolving the current and potential data security vulnerabilities the gap analysis detected.
- Conducting regular website data security audits.
- Planning the introduction of tools and technologies that improve data privacy and security.
Think about the GDPR implementation process. What does the road towards full GDPR compliance look like? How will data privacy aspects must be ingrained in everything that you do as а company?
When you already have your GDPR compliance strategy in place, it’s time to put the plan into action and deploy every step to ensure a firm users’ data security foundation.
Assemble your team, define the GDPR implementation scope and tasks timelines, and get to work.
Scrutinize the Data
You must understand where each data management risk can come from.
Start with several questions about the data you collect that will be answered by each department responsible for customers on your Divi website:
- What type of personal data do you process?
- What is the main purpose of data processing?
- How do you obtain personal data from users?
- Where and how do you store users’ data?
Prepare Your Documentation
When you know everything about the data you collect, you’ll see what you need to introduce within the official documentation. Assemble your policies and processing procedures, such as:
- Data security policies
- Supplier contracts
- Privacy notices
- Breach notifications
- Data inventory process
- Privacy impact procedure
- Privacy notices
Recognize Users’ Rights
Your users have rights, and their rights must be the core to how your process their data. The most important of these GDPR rights are:
- Article 12 – The right to be informed
- Article 15 – The right of access to data
- Article 17 – The right to be forgotten
- Article 18 – The right to processing restrictions
- Article 20 – The right to portable data
- Article 21 – The right of objection
Depending on the data processing legal grounds, you must carefully estimate if you meet each of the users’ rights mentioned above.
Adjust Your Divi Website
If you run a WordPress website on Divi, and you’re worried about how GDPR would affect how you handle users’ data, you must pay attention to how you gather data through forms, how you share data with third parties, and, most importantly, how you keep people’s information safe.
Arguably, one of the simplest ways to collect targeted user data is via contact forms. However, under GDPR rules, for each of your contact forms and plugins, you must:
- Receive unequivocal consent from users.
- Inform users why their data is collected.
- Inform users of how long their data is stored.
- Let users know who controls their data.
- Inform users on how they can access their data.
Luckily, we have just the right popup plugin for Divi websites. With PopUps for Divi, your popups will be as they should be. We provide you with the ultimate popups creator, allowing you to:
- Remodel each section into a popup.
- Include popups on every page.
- Trigger popups via button or link.
- Won’t have to configure, simply install and use.
Furthermore, if you’re running an eCommerce business on your Divi website, you already collect information from your customers, such as their billing address and credit card.
To protect this financial data, make sure to follow the rules that we recommended in the section above, as well as:
- Obtain consent before sending promotional newsletters or special discounts.
- Let customers know that they cancel any newsletter and recurring service anytime.
- Use GDRP-compliant third-party payment gateways to collect financial information.
- Inform customers and authorities when a data breach occurs immediately.
In WordPress, updates and new features are more than welcome, so you need to make sure that each of your third-party services and vendors implements GDPR best practices as well.
For example, in our Divi Areas Pro plugin, we’ve included a GDPR-compliant usage tracking for all Areas!
List each of your plugins that collect consent and user data and plugins that track users’ behaviour on your site.
Open each plugin’s official page and open the documentation to see what the developers have done to meet the GDPR requirements.
If one of the plugins is not compatible with GDPR, look for an alternative or delete the plugin from your website.
INTRODUCING: GDPR Cache Scripts & Styles
At Divimode, we continue helping Divi website owners protect visitors’ privacy with our very own solution – GDPR Cache Scripts & Styles.
The plugin scans every URL that is enqueued via wp_enqueue_script() and wp_enqueue_style(), and when detecting an external URL, that file is saved to your uploads-folder and served from there.
It also scans the contents of CSS files for external dependencies and saves those files to your uploads-folder!
This plugin does not add any “output buffering”, but it scans the URLs which are enqueued via recommended WordPress functions.
As a result, GDPR Cache Scripts & Styles doesn’t impact your website’s response time and performance, no matter how massive your website is.
We’ve tested this plugin with the following themes and plugins:
- Block Editor (embedding Google Fonts via the Customizer’s “Additional CSS”)
- Divi (see “Configuration for Divi” in the plugin’s documentation)
- Jetpack (especially with Performance options like “site accelerator”)
- Fonts Plugin | Google Fonts Typography
Most other plugins and themes will work with this plugin as well.
You can download the plugin directly from the WordPress plugin directory. If you encounter any issues, please let us know, so we can improve our GDPR plugin!
BONUS: If you want to learn more about how we’ve created the plugin, read: Can I Create That Plugin in 24 Hours?
Stay On the Legal Side of the Coin
Regardless of whether you’re already aware that you’re collecting people’s personal information when they access your website, you must have legal grounds for doing so. To collect and process user data, you must fulfil at least one of the following statutory conditions:
- Mutual Agreement: If users ask you to fulfil something so they can agree to you using their data for advertising, as well as for agreeing to become your clients, you have a contractual obligation towards them that needs to be fulfilled. Always have a ready contract in place in case your future customers explicitly ask you to hand them one.
- Legal Accountability: You can collect and process user data only if supported by a statuary document or legal obligation. There are also numerous tax laws and rules for maintaining customer and expenses records that can differ depending on the country you operate in.
- Explicit Permission: We can’t stress this enough. Before you start collecting and processing user data, explicit consent must be provided by the users. The consent must be provided consciously by users only after they’re informed about the purpose of collecting their data.
Keep in mind that with GDPR, each information has a legal retention time. Google Analytics, for instance, implemented that rule immediately.
You need a straightforward procedure to allow users to recall their consent and ask you to either delete their data or transfer it to a third-party.
Above all, you must guarantee data safety but be ready for a possible data breach at the same time as well. Therefore, the entire process of collecting and processing data must guarantee the users an impeccable security level.
Evaluate, Improve, and Adapt
Let’s get one thing straight – the GDPR compliance work will never be done. The entire process of integrating the proper security, privacy, and data management practices is a cycle that needs to be continuously reiterated and improved upon.
Thus, evaluating how your efforts bring results through crystal-clear performance indicators will always uncover where you need to improve and adjust, as well as document for the potential new employees managing the users on your Divi site.
Moreover, there will always be innovations that you can integrate to evolve the data management process on your site, such as plugin updates, cloud technology, and Big Data or the IoT. Review each of your data management procedures repeatedly to be certain that they cover users’ rights. Steps to take:
- Develop and deploy data breach reporting process.
- Align internal data processing procedures with GDPR.
- Safeguard EU citizens’ data with adequate actions.
- Verify if every data transfer is GDPR compliant.
The information above is an excellent way to start on the right foot towards GDPR compliance. As a business, acknowledging the transparency in using and protecting people’s data, and defining the purpose for which you collect information, is now required by law.
Besides saving you from legal troubles, validating GDPR on your Divi website will provide your target customers with peace of mind and the feeling that they can trust you with their data.
GDPR will bring even more transparency in the future, especially with the developments of new technologies such as IoT and Big Data. Make sure that your team is prepared!
*Work with our partner agency to take your Divi GDPR compliance to the next level!