Let’s face it – people can’t trust businesses with their data as they used to. When companies need personal data to run their websites, users must be fully aware of that fact so they can decide on their own whether they’ll stay browsing or not.
Not everyone is a GDPR expert, and that’s okay. Still, that doesn’t mean that you should ignore fundamentals and take the guesswork, especially when planning to run your business on top of Divi in 2021 and beyond.
Just like web development, staying GDPR-compliant is an ongoing process. To help you create potent data protection and privacy strategy for your Divi website, we’ve prepared this guide as your starting point.
The GDRP Implications So Far
It’s been more than three years since GDPR stepped into force (as of 25 May 2018). Since then, the regulation continues to govern how companies operate in the EU process consumers’ data.
GDPR influences companies to focus on each data processing risk and protect the target users and their rights. The regulation has completely altered how businesses and regulators conduct personal data risk assessments.
At the time of writing, a total of 692 fines have been enforced so far since 2018. Regarding personal data processing and respecting the rules and requirements, a DLA Piper GDPR fines survey reveals an improved awareness among companies.
The following are some of the biggest non-compliance fines issued so far:
- Google – €50 million: They were one of the first major companies to be punished with a massive fine in 2019. Regulators from France ruled that Google didn’t make its data processing statements openly accessible to the users.
- TIM – €27.8 million: Last year, the Italian authorities issued a €27.8m fine to Tim. The fine was imposed after countless complaints from users about unexpected promo calls lasting from 2017 to 2019, for which they never agreed.
- British Airways – £20 million: In 2020, British Airways was fined £20 after website visitors were directed to a counterfeit site, which helped hackers collect the personal data of approximately 400K citizens!
Undoubtedly, GDPR created an equal playing field for businesses, despite their size. Moreover, upgrading data security strategies reduces data breach risks, and now everyone is taking an active role in improving legislation and transparency towards the users.
Start With Process Gap Analysis
One of the best ways to gauge the GDPR compliance of your Divi website is by conducting data gap analyses. The following steps can uncover any GDPR aspects of your website that need improving:
- Identifying if there are any security weaknesses and highlight everything that needs to be ameliorated immediately.
- Assessing your risk management procedures and ensuring that your team defends people’s rights to freedom and data privacy.
- Deciding if your organization needs a data protection officer (DPO). Click here for a checklist that can help you decide on this.
- Evaluating if your team has the necessary GDPR training and resources at hand. Everyone on the team must be knowledgeable of the GDPR rules that keep your Divi site compliant.
- Considering the type of data you need, how you store it, and where that data is shared directly and indirectly (third-party integrations), for that matter.
- Ensuring that you have a process for documenting each GDPR compliance activity on your website, with an information security management system in place.
- Checking if you can facilitate people’s access to their information, and the right for their data to be forgotten.
Strategize the GDPR Compliance Process
When you finally uncover the processing gaps, it’s time to think about the actions that you must take to close those gaps and take every measurement possible to ensure GDPR compliance.
Considering every GDPR aspect that touches upon your Divi website requires you to plan across several operational areas, such as data management, security, legal, marketing and advertising, and customer service.
Think about your entire business, including third-party service providers and other vendors that you outsource work to.
When strategizing your GDPR compliance approach, consider:
- Implementing new data management plan and privacy measurements.
- Planning out the data security controls that need to be established.
- Resolving the current and potential data security vulnerabilities the gap analysis detected.
- Conducting regular website data security audits.
- Planning the introduction of tools and technologies that improve data privacy and security.
When you already have your GDPR compliance strategy in place, it’s time to put the plan into action and deploy every step to ensure a firm users’ data security foundation. Assemble your team, define the GDPR implementation scope and tasks timelines, and get to work.
Think about the GDPR implementation process. What does the road towards full GDPR compliance look like? How will data privacy aspects must be ingrained in everything that you do as а company?
Scrutinize the Data
You must understand from where each data management risk can come from. Start with several questions about the data you collect that will be answered from each department responsible for customers on your Divi website:
- What type of personal data do you process?
- What is the main purpose of data processing?
- How do you obtain personal data from users?
- Where and how do you store users’ data?
Prepare Your Documentation
When you know everything about the data you collect, you’ll see what you need to introduce within the official documentation. Assemble your policies and processing procedures, such as:
- Data security policies
- Supplier contracts
- Privacy notices
- Breach notifications
- Data inventory process
- Privacy impact procedure
- Privacy notices
Recognize Users’ Rights
Your users have rights, and their rights must be the core to how your process their data. The most important of these GDPR rights are:
- Article 12 – The right to be informed
- Article 15 – The right of access to data
- Article 17 – The right to be forgotten
- Article 18 – The right to processing restrictions
- Article 20 – The right to portable data
- Article 21 – The right of objection
Depending on the data processing legal grounds, you must carefully estimate if you meet each of the users’ rights mentioned above.
Adjust Your Divi Website
If you run a WordPress website on Divi and you’re worried about how GDPR would affect how you handle users’ data, you must pay attention to how you gather data through forms, how you share data with third parties, and most importantly, how you keep people’s information safe.
Arguably, one of the simplest ways to collect targeted user data is via contact forms. However, under GDPR rules, for each of your contact forms and plugins, you must:
- Receive unequivocal consent from users.
- Inform users why their data is collected.
- Inform users of how long their data is stored.
- Let users know who controls their data.
- Inform users on how they can access their data.
Luckily, we have just the right popup plugin for Divi websites. With PopUps for Divi, your popups will be as they should be. We provide you with the ultimate popups creator, allowing you to:
- Remodel each section into a popup.
- Include popups on every page.
- Trigger popups via button or link.
- Won’t have to configure, simply install and use.
Furthermore, if you’re running an eCommerce business on your Divi website, you already collect information from your customers, such as their billing address and credit card. To protect this financial data, make sure to follow the rules that we recommended in the section above, as well as:
- Obtain consent before sending promotional newsletters or special discounts.
- Let customers know that they cancel any newsletter and recurring service anytime.
- Use GDRP-compliant third-party payment gateways to collect financial information.
- Inform customers and authorities when a data breach occurs immediately.
In WordPress, updates and new features are more than welcome, so you need to make sure that each of your third-party services and vendors implements GDPR best practices as well.
For example, in the latest version of our Divi Areas Pro plugin, we’ve included a GDPR-compliant usage tracking for all Areas!
List each of your plugins that collect consent and user data and plugins that track users’ behaviour on your site. Open each plugin’s official page and open the documentation to see what the developers have done to meet the GDPR requirements. If one of the plugins is not compatible with GDPR, look for an alternative or delete the plugin from your website.
Stay On the Legal Side of the Coin
Regardless of whether you’re already aware that you’re collecting people’s personal information when they access your website, you must have legal grounds for doing so. To collect and process user data, you must fulfil at least one of the following statutory conditions:
- Mutual Agreement: If users ask you to fulfil something so they can agree to you using their data for advertising, as well as for agreeing to become your clients, you have a contractual obligation towards them that needs to be fulfilled. Always have a ready contract in place in case your future customers explicitly ask you to hand them one.
- Legal Accountability: You can collect and process user data only if supported by a statuary document or legal obligation. There are also numerous tax laws and rules for maintaining customer and expenses records that can differ depending on the country you operate in.
- Explicit Permission: We can’t stress this enough. Before you start collecting and processing user data, explicit consent must be provided by the users. The consent must be provided consciously by users only after they’re informed about the purpose of collecting their data.
Keep in mind that with GDPR, each information has a legal retention time. Google Analytics, for instance, implemented that rule immediately.
You need a straightforward procedure to allow users to recall their consent and ask you to either delete their data or transfer it to a third-party.
Above all, you must guarantee data safety but be ready for a possible data breach at the same time as well. Therefore, the entire process of collecting and processing data must guarantee the users an impeccable security level.
Evaluate, Improve, and Adapt
Let’s get one thing straight – the GDPR compliance work will never be done. The entire process of integrating the proper security, privacy, and data management practices is a cycle that needs to be continuously reiterated and improved upon.
Thus, evaluating how your efforts bring results through crystal-clear performance indicators will always uncover where you need to improve and adjust, as well as document for the potential new employees managing the users on your Divi site.
Moreover, there will always be innovations that you can integrate to evolve the data management process on your site, such as plugin updates, cloud technology, and Big Data or the IoT. Review each of your data management procedures repeatedly to be certain that they cover users’ rights. Steps to take:
- Develop and deploy data breach reporting process.
- Align internal data processing procedures with GDPR.
- Safeguard EU citizens’ data with adequate actions.
- Verify if every data transfer is GDPR compliant.
The information above is an excellent way to start on the right foot towards GDPR compliance. As a business, acknowledging the transparency in using and protecting people’s data, and defining the purpose for which you collect information, is now required by law.
Besides saving you from legal troubles, validating GDPR on your Divi website will provide your target customers with peace of mind and the feeling that they can trust you with their data.
GDPR will bring even more transparency in the future, especially with the developments of new technologies such as IoT and Big Data. Make sure that your team is prepared!
How are you going to prepare your Divi website? What are some of the other ways to make your website GDPR compliant? Share your experiences in the comments below!