Chamber Dashboard and GDPR

What is GDPR and how does it affect my WordPress website?

Hopefully by now you are aware that on May 25, 2018, the General Data Protection Regulation (GDPR), recently enacted by the EU, comes into effect.

This new law applies to all companies collecting data belonging to EU citizens, even if this is done outside of the EU. This includes organizations using a web site or app that collects and processes data of EU citizens.

Disclaimer: We are not attorneys. All advice given is based on our research and best understanding of GDPR requirements. We recommend seeking legal counsel to ensure your site is fully compliant with the GDPR. This post is intended as a guide to using Chamber Dashboard plugins in compliance with GDPR; it is not intended to cover every nuance of GDPR. We recommend reviewing the official GDPR website carefully, making note of the specific details that apply to your organization’s website, and consulting with an attorney if legal advice is required.

The goal of GDPR is to increase security of personal data and protect EU citizens from privacy and data breaches.

GDPR also grants EU citizens rights over their personal data. Personal data is any data that can be used to identify an individual. This includes the obvious, such as a name, email address or social security number, but even an IP address can be personally identifying if, combined with additional data, it could identify an individual.

Does GDPR apply to my organization?

Any organization using a website, database, CRM, newsletter platform or even email that collects the personal data of EU citizens is said to be the Controller of that data and is therefore responsible for how the data is stored and processed. (This includes a responsibility to keep the data secure!)

There are several ways a WordPress site may collect personal data, including:

  • comments
  • form entries
  • user registrations
  • analytics

In addition to the personal data you collect on your website, you, as the website owner, are responsible for data collected by any 3rd-party sites or apps with whom you share data, for example the newsletter platform you use.

How can I make my membership site GDPR Compliant?

Documenting your organization’s process for storing and processing any personal data you are collecting and ensuring you are doing everything you can to keep that data secure are key components to GDPR compliance.

Step 1: All WordPress websites should have these:

Data Encryption – On today’s internet, all sites should use HTTPS (install an SSL/TLS certificate) so that all data entered into the site is encrypted in transit between the visitor’s browser and your server.

Site Security – Install a security plugin such as the Wordfence security plugin to help you monitor activity on, and access to, your site.

Step 2: Complete the following: 

  1. Assign a Data Officer who will be responsible for overseeing data collection and storage for your chamber or membership organization.
  2. Audit your data collection processes. Map the collection, security and storage of all personal data collected on your site.
  3. Do an audit of any 3rd party plugins, apps or software you are using. Map the collection, security and storage of all personal data collected. Reach out to the 3rd party developer to review their GDPR compliance practices.
  4. Review & revise data collection practices. Don’t collect or store data that is not serving a purpose. Set a timeline for data deletion.
  5. Update your organization’s privacy policy. Make it available to anyone who visits your site and easy to understand.
  6. Add an explicit consent checkbox to all forms on your site. Make sure it is not checked by default, as pre-checked consent violates GDPR. More about explicit consent…
  7. Set up a data management process for your members to:
    • View their data
    • Request a copy of their data
    • Request their data be deleted
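As an added example (not code from Chamber Dashboard or its plugins), here is how item 6 can be implemented on a WordPress site: the consent box is rendered unchecked, and the server rejects the submission when the box was not ticked, so nobody can be enrolled without an affirmative action. The field name gdpr_consent, the action name example_consent_form and the user-meta keys are assumptions made for this example; the WordPress functions used are core API.

```php
<?php
/**
 * Added example, not Chamber Dashboard code: an explicit-consent checkbox for
 * a WordPress form, rendered unchecked and enforced on the server.
 * The field name 'gdpr_consent', the action 'example_consent_form' and the
 * user-meta keys below are assumptions for this example.
 */

// Render the form. The checkbox is deliberately NOT pre-checked: consent must be
// an affirmative action by the visitor, so the 'checked' attribute is never output.
function example_render_consent_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_consent_form">
        <?php wp_nonce_field( 'example_consent_form', 'example_consent_nonce' ); ?>
        <p>
            <label>
                <input type="checkbox" name="gdpr_consent" value="1" required>
                I agree that my details are stored and used as described in the
                <a href="<?php echo esc_url( get_privacy_policy_url() ); ?>">privacy policy</a>.
            </label>
        </p>
        <p><button type="submit">Join</button></p>
    </form>
    <?php
}

// Handle the submission. The browser-side "required" attribute is only a
// convenience; the decision is made here, before anything touches the database.
function example_handle_consent_form() {
    if ( ! isset( $_POST['example_consent_nonce'] )
        || ! wp_verify_nonce( $_POST['example_consent_nonce'], 'example_consent_form' ) ) {
        wp_die( 'Invalid form submission.', '', array( 'response' => 403 ) );
    }

    // An unchecked checkbox is simply absent from $_POST: treat absence as "no consent".
    if ( empty( $_POST['gdpr_consent'] ) || '1' !== $_POST['gdpr_consent'] ) {
        wp_die( 'Please accept the privacy policy to continue.', '', array( 'response' => 400 ) );
    }

    $user_id = get_current_user_id();
    if ( $user_id ) {
        // Record when consent was given and which policy version applied, so the
        // organisation can demonstrate it later (meta keys are assumptions).
        update_user_meta( $user_id, 'gdpr_consent_given_utc', current_time( 'mysql', true ) );
        update_user_meta( $user_id, 'gdpr_consent_policy_version', get_option( 'privacy_policy_version', 'unknown' ) );
    }

    // ... continue with the form's normal processing here, then redirect.
    wp_safe_redirect( add_query_arg( 'joined', '1', home_url( '/' ) ) );
    exit;
}
add_action( 'admin_post_example_consent_form', 'example_handle_consent_form' );
add_action( 'admin_post_nopriv_example_consent_form', 'example_handle_consent_form' );
```

The important property is that the absence of the checkbox value is treated as refusal rather than as a default, and that this is decided server-side; a pre-ticked box, or a client-only check, would record consent the visitor never gave.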

Are Chamber Dashboard plugins GDPR compliant?

All data collected by Chamber Dashboard plugins is stored in the WordPress database of the website where the plugins are installed; no member data is collected by or stored on the Chamber Dashboard website. If you have members or website visitors who are EU citizens, your organization is responsible for their data and should follow the steps above. Below are answers to some commonly asked questions about Chamber Dashboard plugins and GDPR.

How can I gain explicit consent from new members and new editors?

The Member Manager ‘Join Now’ form includes an optional consent statement. Activate GDPR Consent in Chamber Dashboard.

How can I prevent CD plugins from storing data?

CD plugins store data in your site’s WP database so it can be displayed in your Business Directory. The Business Directory cannot be used without storing data. Members who do not wish to have their data stored should not enter their data at all.

How can my members view their CD data?

Your members can view their Directory Listing or register to view and edit their data with the Member Updater plugin.

How can my members edit their CD data?

Using the Member Updater plugin, your members can register to edit their data as needed.

How can my members request a copy of their CD data?

Depending on which Chamber Dashboard plugins you are using, user data may be located in several places. We recommend adding the Exporter plugin to your site so that you can export member data as needed.

How can my members delete their CD data?

Because member data is tied to financial records that your organization may need for tax purposes, we recommend adding a form to your site so your users can submit a request to have their data deleted. This gives your organization the opportunity to record any necessary tax information before deleting user records.
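As an added example that is not Chamber Dashboard code, the following shows how member data held by a directory plugin can be wired into WordPress core's own privacy tools (WordPress 4.9.6 and later), so that the "request a copy" and "request deletion" steps of item 7 above, and the three questions just answered, can be handled from Tools > Export Personal Data and Tools > Erase Personal Data. The post type business and the meta keys business_email and business_phone are assumptions about where a directory plugin might keep its records; the two filters and the callback return shapes are WordPress core API. The eraser follows the caveat above: it removes contact details but retains the listing record itself and reports that to the administrator.

```php
<?php
/**
 * Added example, not Chamber Dashboard code: hooking member records into the
 * WordPress core privacy tools (WP 4.9.6+). The post type 'business' and the
 * meta keys 'business_email' / 'business_phone' are assumptions about where a
 * directory plugin keeps member data.
 */

// Find directory listings that belong to the given e-mail address.
function example_find_member_listings( $email_address ) {
    return get_posts( array(
        'post_type'      => 'business',        // assumed post type
        'post_status'    => 'any',
        'posts_per_page' => -1,
        'meta_key'       => 'business_email',  // assumed meta key
        'meta_value'     => $email_address,
    ) );
}

// Exporter: lets a member obtain a copy of what is stored about them.
function example_member_data_exporter( $email_address, $page = 1 ) {
    $export_items = array();
    foreach ( example_find_member_listings( $email_address ) as $listing ) {
        $export_items[] = array(
            'group_id'    => 'member-listing',
            'group_label' => 'Directory listing',
            'item_id'     => 'listing-' . $listing->ID,
            'data'        => array(
                array( 'name' => 'Business name', 'value' => $listing->post_title ),
                array( 'name' => 'E-mail',        'value' => get_post_meta( $listing->ID, 'business_email', true ) ),
                array( 'name' => 'Phone',         'value' => get_post_meta( $listing->ID, 'business_phone', true ) ),
            ),
        );
    }
    // 'done' => true tells core there are no further pages for this exporter.
    return array( 'data' => $export_items, 'done' => true );
}

// Eraser: removes contact details but keeps the listing record, because member
// records may be tied to financial records the organisation must retain.
// Core displays the messages to the administrator running the request.
function example_member_data_eraser( $email_address, $page = 1 ) {
    $items_removed  = false;
    $items_retained = false;
    $messages       = array();

    foreach ( example_find_member_listings( $email_address ) as $listing ) {
        delete_post_meta( $listing->ID, 'business_email' );
        delete_post_meta( $listing->ID, 'business_phone' );
        $items_removed  = true;
        $items_retained = true;
        $messages[]     = sprintf(
            'Contact details removed from listing %d; the record itself is retained for tax purposes.',
            $listing->ID
        );
    }

    return array(
        'items_removed'  => $items_removed,
        'items_retained' => $items_retained,
        'messages'       => $messages,
        'done'           => true,
    );
}

// Register both callbacks with core so they run from the admin privacy tools.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-member-directory'] = array(
        'exporter_friendly_name' => 'Member directory',
        'callback'               => 'example_member_data_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-member-directory'] = array(
        'eraser_friendly_name' => 'Member directory',
        'callback'             => 'example_member_data_eraser',
    );
    return $erasers;
} );
```

Core only runs an eraser after the request has been confirmed by the data subject and then triggered by an administrator, which leaves the gap the text above asks for: time to record any tax information before the contact details are removed. Anything the eraser keeps is reported through items_retained and the messages, so the administrator sees exactly what was and was not deleted.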

Your Policy on Privacy

GDPR is about transparency and informing individuals about what data are being collected, how the data are being used, by whom and for how long. Your Privacy Policy should be published on your website and it should cover the following in plain, easy to understand language:

  • What personal data are being collected?
  • How will the data be used?
  • Who has access to the data, including any 3rd-party platforms?
  • How long will the data be stored?
  • How will the data be protected?
  • How can users change or delete their data?
  • How will users be notified of changes to the policy?

Additional Resources