Lately, you may have received an influx of emails from various businesses informing you about changes to privacy policies. These emails are frequent, and often ignored. This time around, there is a common cause for these emails, a cause that may affect your business. We should talk about it.
After reading a few of these emails, you’ve probably noticed the term “personal data” used repeatedly. This is due to a new European Union (EU) regulation called General Data Protection Regulation (GDPR), designed to protect the personal data of individuals within the EU, as well as give those individuals more control over their personal data.
GDPR’s official implementation date is May 25, 2018. Businesses around the world (literally) have made strides to meet the new requirements by the implementation date. The emails you have received, whether explicitly mentioning GDPR or not, are most likely written to inform you of changes made to meet GDPR requirements.
As an Easy Digital Downloads user, it is likely that you need to meet GDPR requirements as well. Not only does the Easy Digital Downloads plugin collect information from customers that is categorized as personal data, but you may also be using other plugins or tools that collect personal data from your website visitors.
Your business does not have to be based in the EU for this new regulation to affect you. If there is a possibility that an EU resident will visit your website, you’ll want to be GDPR-compliant.
Below, we’ll discuss what this means for your website, what Easy Digital Downloads has done to help you meet the new requirements, and how to make sure you are taking advantage of all available tools.
Understanding GDPR
GDPR is a set of guidelines that regulate how data controllers (businesses that have your personal data) manage your personal data and what rights you have in regards to knowing what is done with your personal data as well as removing your personal data upon request.
Here’s a general list of requirements that must be met under GDPR:
Disclose what personally identifiable information is collected on your website (via Privacy Policy).
Disclose why your website collects the personally identifiable information (via Privacy Policy).
Disclose how long personally identifiable information is retained for (via Privacy Policy).
Disclose whether or not personally identifiable information is shared with third-party entities (via Privacy Policy).
Provide access to personally identifiable information upon request (via export).
Provide a means for erasure of personally identifiable information upon request.
Inform individuals of their rights under GDPR (via Privacy Policy).
Meeting those requirements takes a specialized set of tools, detailed information in your Privacy Policy, and a clear understanding of what kind of data is being handled.
GDPR’s overall focus is to create a standard for personal data collection and handling.
WordPress and GDPR
Easy Digital Downloads is a WordPress plugin. While it collects personal data through functionality like the checkout system, WordPress still plays a significant role in not only collecting personal data, but also storing, managing, and using that data through your website’s ecosystem.
That said, WordPress itself has taken steps to provide the tools needed to meet GDPR requirements.
WordPress 4.9.6 Privacy and Maintenance Release
The first step towards GDPR compliance as a WordPress user is to update your website to WordPress 4.9.6 (or higher), which is a release focused mainly on functionality needed to meet GDPR requirements. You can read about the release here.
This release implements new tools for creating and displaying a Privacy Policy Page, for letting commenters decide whether their personally identifiable information is displayed with public comments, and for handling personal data.
The Privacy Policy Page functionality gives you the ability to designate one page as your Privacy Policy, link to that page automatically from your login and registration forms, and even copy suggested Privacy Policy text from plugins and themes that have taken the time to provide an overview of what kind of personal data is collected from your website visitors/users as they interact with your website (more on this later).
The data handling functionality gives you the tools needed to either export or delete personal data upon a user’s request. While WordPress itself is prepared to handle data according to GDPR requirements, it is also extensible, allowing plugins and themes to include the data they collect in the export and deletion processes.
While it is possible for these tools to be implemented in a custom manner, we highly recommend that your first step to GDPR compliance is updating to the latest version of WordPress.
All Easy Digital Downloads GDPR enhancements are accessed through functionality provided in WordPress 4.9.6 or higher. Please update.
Now let’s have a look at Easy Digital Downloads and its tools for GDPR compliance.
Easy Digital Downloads and GDPR
Easy Digital Downloads collects personal data about customers, mainly through the checkout process and related functionality. Personal data includes things like name, email address, address (when necessary), IP address, and more.
While WordPress has provided tools to easily export and delete personal data, it does not automatically have knowledge of additional data collected by Easy Digital Downloads. Instead, we’ve worked to integrate our plugin with WordPress’ tools. Those enhancements are available in Easy Digital Downloads 2.9.2 (or higher).
Easy Digital Downloads 2.9.2 Release
The first step towards GDPR compliance as an Easy Digital Downloads user, once updated to WordPress 4.9.6 or higher, is to update Easy Digital Downloads to version 2.9.2 or higher. You can see the 2.9.2 Changelog here.
To make Easy Digital Downloads compliant with GDPR, we have made the following general enhancements:
Added support for WordPress Core Privacy Exporter and Eraser, ensuring that all personally identifiable customer information is included in the WordPress export and delete processes.
Added a sample template for WordPress Core Privacy Policy editor, providing you with suggested Privacy Policy text that outlines what personally identifiable customer information Easy Digital Downloads will collect, and why it is collected.
Added new Privacy settings to the Easy Digital Downloads Settings screen, allowing more control over how your store handles personal data and how it displays your Privacy Policy to customers.
As you may be thinking, it can be quite difficult to maintain an accurate history of your business transactions if your customers request that their information be erased. That’s a valid concern, which is why it is important to understand data anonymization.
Anonymizing customer data
In Easy Digital Downloads 2.9.2, all personally identifiable customer information has been structured so that exporting or erasing all of the data at once is an easy task. While exporting the data may require no change to the data itself, deleting data during erasure requests could disrupt the reporting history of your store. This is where we introduce data anonymization functionality, a method of encrypting or removing personally identifiable information. This allows us to remove only the personal data while purchase amounts and other non-personal data remain.
Under GDPR, a customer has the right to request that all personal data be removed from your website. Our data anonymization functionality allows your store to maintain things like historical payment records and financial data while anonymizing all personally identifiable customer information, effectively erasing a particular person or entity from your data history.
Using our tools, you can anonymize customer records, payment records (by payment status), file download history, and more. You may also choose to fully delete such data if you deem it necessary.
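To show how the WordPress Core Privacy Eraser integration and the anonymize-rather-than-delete approach described above fit together, here is an added example of a custom eraser; it is not Easy Digital Downloads’ or WordPress’ own code, and the `demo_orders` table, its columns and the rule that pending orders are retained are assumptions made for the illustration.

```php
<?php
// Added example, not Easy Digital Downloads' or WordPress' own code. Assumes a
// hypothetical table {prefix}demo_orders (id, email, name, ip, amount, status).
add_filter( 'wp_privacy_personal_data_erasers', 'demo_register_order_eraser' );

function demo_register_order_eraser( $erasers ) {
    $erasers['demo-orders'] = array(
        'eraser_friendly_name' => 'Demo order records',
        'callback'             => 'demo_anonymize_orders',
    );
    return $erasers;
}

// WordPress calls this with the requester's email until 'done' is true.
function demo_anonymize_orders( $email_address, $page = 1 ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'demo_orders';
    $removed  = 0;
    $retained = 0;
    $messages = array();
    // One random token per request keeps this customer's orders grouped in
    // reports without revealing who they were; nothing derived from the email is kept.
    $anon_email = 'anon-' . wp_generate_uuid4() . '@example.invalid';

    $orders = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, status FROM {$table} WHERE email = %s", $email_address ) );
    foreach ( $orders as $order ) {
        if ( 'pending' === $order->status ) { // still being processed: keep it and say why
            $retained++;
            $messages[] = sprintf( 'Order %d is pending and was retained.', $order->id );
            continue;
        }
        // Blank the personal fields; amount and status stay for reporting.
        $wpdb->update( $table,
            array( 'email' => $anon_email, 'name' => 'Anonymized', 'ip' => '' ),
            array( 'id' => $order->id ), array( '%s', '%s', '%s' ), array( '%d' ) );
        $removed++;
    }

    // Every matching row is handled in one pass, so no further page is needed.
    return array(
        'items_removed'  => $removed,
        'items_retained' => $retained,
        'messages'       => $messages,
        'done'           => true,
    );
}
```

The retained count and messages are shown to the site administrator in the erasure request screen, so a customer whose records could not be fully anonymized can be told why.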
Easy Digital Downloads extensions that collect personally identifiable customer information have also been updated to be included in the export and delete functionality. If you have questions or concerns about an official extension, please feel free to open a support ticket.
Again, these tools are only available on WordPress 4.9.6 (or higher) and Easy Digital Downloads 2.9.2 (or higher). For more information about Easy Digital Downloads GDPR tools, please see the documentation.
What you should do next
While this information may be new to you, making sure your website is GDPR-compliant does not have to be a complicated process. Get the ball rolling by following the steps below.
Do your own general research to learn more about GDPR. The European Commission’s Data Protection page is a great place to start.
Consider hiring legal counsel to help you meet all GDPR requirements based specifically on your business. General tools can only get you so far. It is up to you to ensure that your business is fully GDPR-compliant.
Before updating WordPress or Easy Digital Downloads, back up your database and files. If you need help performing a backup, see the WordPress Codex.
Update your website to WordPress 4.9.6 or higher. Familiarize yourself with the new tools and functionality.
Update your website to Easy Digital Downloads 2.9.2 or higher. Read the documentation to understand how to use the new enhancements.
Make any necessary adjustments to your Privacy Policy page and inform your users of the policy changes if necessary.
As usual, if you have any questions feel free to leave a comment below or open a support ticket.
Developer information
For details about how to integrate your extensions and custom functionality with the new tools, please read our development blog post.