5. Setting up the Privacy Policy
One of the core requirements of GDPR is that you must provide data subjects detailed information about their rights related to their data as well as how exactly their personal data is used. You might be tempted to skip or hurry through this part – who reads the legal mumbo-jumbo anyway? Don’t do that. In the context of GDPR, the Privacy Policy is now a Very Important Thing.
In the Policy, you’ll need to explain:
What data is gathered
Why it is gathered
For how long it is stored
On what legal grounds you are gathering the data
In addition to this, you’ll basically need to explain the whole GDPR – all data subjects’ rights, who they can contact in case of problems, etc.
The GDPR Framework provides a privacy policy template that covers a wide array of potential uses of data and automatically displays some additional required information, for example the contact information of your country’s Data Protection Authority. You will definitely need to modify the template to suit your website. (You are also free to use a different Privacy Policy.)
Note that you must take into account how any of the WordPress plugins on your website process personal data. You (as the controller) are ultimately responsible for what the plugins on your site are doing. More on that below.
Background
Obligation to give information (GDPR Art. 13 & Art. 14)
Depending on whether data is collected from the data subject (art 13) or from another source (art 14), you have the obligation to provide the following information to the data subjects:
Controller’s contact (e.g. identity; name, address);
Data Protection Officer’s contact (if you have one);
Purpose of processing data;
Legal basis for processing (e.g. consent, legitimate interest, law – see art 6(1));
Recipients of personal data (who you are sharing the data with or who has access to it);
How long data is stored;
Information about data subject’s rights (right to rectification, erasure, access, portability; right to withdraw consent any time; right to submit a complaint to a supervisory authority including the contact information of that supervisory authority);
If data is gathered for a contractual obligation or other statutory reason, then information about the obligation, whether the data subject is obliged to give personal data, and what the consequences of failing to do so are;
If any automated decision making or profiling is used, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
Information about personal data being transferred to third countries (outside the European Economic Area), the legal grounds for doing that and safety measures taken.
Note that if you are using legitimate interest as the grounds for processing data, then this has to be explained briefly.
If you do not know the exact period of storing personal data, then the criteria affecting it also have to be explained briefly.
If you gather any personal data about a data subject from an external source, then you must provide the data subject information regarding the source of the data.
What you should do now
The GDPR Framework provides a Privacy Policy template for you as a starting point. It covers (almost) everything needed for a vanilla WordPress site. But because every site is different, you need to review it and add or remove content specific to your website and business.
Right now, you can configure and set up most of the Privacy Policy. If you know which data your plugins gather and why, then also add that information.
Both the Setup Wizard and Dashboard > Tools > Privacy > Privacy Policy pages allow you to fill in some fields and generate a Privacy Policy template. The generated template contains multiple places marked with [TODO] – edit these as you see fit.
Let’s go over each section, explain why it’s there and what you need to change (if anything).
Section 1: Definitions
This section establishes clear definitions for certain terms used in the Policy.
Ideally, you should look up the legal definition of a “child” in your country (this varies between EU countries) and edit the age there if necessary. You probably don’t need to change anything else here.
Section 2: Data Protection Principles
This section covers the principles of GDPR. You don’t need to change anything here.
Section 3: Data Subject’s Rights
This section covers the rights granted to data subjects by GDPR. The contact information of your local supervisory authority as well as your Data Protection Officer (if you have one) have automatically been inserted. You don’t need to change anything here.
Section 4: Information we gather
This section describes the information your website gathers from data subjects. The default text covers a very wide set of information; however, it’s not very specific. You should edit it to be as specific as possible. You can remove everything that doesn’t apply to your site and instead describe which data your site gathers and in which situations it does so.
If you don’t know what data your website and plugins gather, the safest solution is to ask help from a developer. (We can help!)
Section 5: How we use your Personal Data
This section describes how you actually use the personal data your website gathers. Again, the default text is very wide. However, in this case you might not want to remove anything. It’s better to have as many reasonable options here as possible. However, if anything important is missing, you should add it there.
Section 6: Who else can access your Personal Data
Fill in the list of partners you share data with. You should use their full business name here and ideally describe which data you share and why.
Processing partners are everyone who can access the data you have gathered, such as your web hosting provider or your web developer. Read the definition of a Processor here. This list should probably not remain empty.
Business partners are basically any other companies you do business with and share personal data with. (If there aren’t any, you can remove this section.)
Connected third parties are everyone else who doesn’t fit the above categories. (If there aren’t any, you can remove this section.)
Section 7: How we secure your data
Review this section and describe additional security measures, if you have any.
Section 8: Children
If you do target children with your services, you should remove this section. In this case, make sure to read our knowledge base post on providing services to children under GDPR.
Section 9: Cookies
The template contains a notice about using Google Analytics. If you’re using other tools provided by Google such as the advertising tools, review this article for more information on what you should add to your Privacy Policy.
What you should do in May
Check back here and be prepared to add additional information to your Privacy Policy.
We’re hoping that by that time, WordPress will start asking plugin developers to include information regarding which data their plugin gathers, how it’s used and anything else that should be mentioned in the Privacy Policy.