GDPR – How to create a Data Protection Policy page?

In case your website doesn’t have a Data Protection Policy page, you definitely need to create one to comply with the GDPR regulation. Why do you need it if you are not located in Europe you say? Because it applies to any website / company / organisation dealing with European citizens, even one. So if one European citizen visits your website, you need to be ready!

Let’s dig into it…

First go to Pages > Add New

Give it a title (e.g. Data Protection Policy).

Copy/paste the following content in text mode (see below):

<h3>Introduction</h3>
On May 25th 2018, the General Data Protection Regulation is active for any website that stores information about an EU citizen. In order to comply to this regulation, here are the ways Serve the City is storing and using information.
<h4>Information collected by Serve the City may be used to:</h4>
<ul>
 	<li>respond to requests for information</li>
 	<li>disseminate information such as newsletters or details of events</li>
 	<li>engage with volunteers and make the appropriate organisational arrangements for serving.</li>
 	<li>process any donations or pledges of donations.</li>
 	<li>keep a record of Volunteer and client contact details</li>
 	<li>inform clients, donors and volunteers of any current or future information about our work, events, campaigns and activities, or any other features of <strong>Serve the City</strong>.</li>
 	<li>business purposes, such as data analysis, audits, fraud monitoring and prevention, enhancing, improving or modifying our services, identifying usage trends, determining the effectiveness of informational and operating and expanding our serving activities.</li>
 	<li>as we believe to be necessary or appropriate: (1) under current applicable law, (2) to comply with legal process; (3) to respond to requests from public and government authorities (4) to enforce our terms and conditions; (5) to protect our operations; (6) to protect our rights, privacy, safety or property and/or that of others; and (7) to allow us to pursue available remedies or limit any damages that we may sustain.</li>
</ul>
It is the commitment of <strong>Serve the City</strong> that any use of collected information will be in accordance with the data protection principles of good practice. This means that it will be:
<ul>
 	<li>processed fairly and lawfully.</li>
 	<li>processed for limited purposes and in an appropriate way.</li>
 	<li>adequate, relevant and not excessive for the purpose.</li>
 	<li>Accurate and, where necessary, kept up to date.</li>
 	<li>not retained any longer than necessary for the purpose.</li>
 	<li>processed in line with data subjects’ rights.</li>
</ul>
be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information,
<ul>
 	<li>not transferred to any third parties outside <strong>Serve the City</strong> organisation without adequate protection.</li>
</ul>
In addition<strong>, Serve the City </strong>will ensure that:
<ul>
 	<li>It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection,</li>
 	<li>Everyone processing personal information understands that they are contractually responsible for following good data protection practice,</li>
 	<li>Everyone processing personal information is appropriately trained to do so,</li>
 	<li>Everyone processing personal information is appropriately supervised,</li>
 	<li>Anybody wanting to make enquiries about handling personal information knows what to do,</li>
 	<li>It deals promptly and courteously with any enquiries about handling personal information,</li>
 	<li>It describes clearly how it handles personal information,</li>
 	<li>It will regularly review and audit the ways it hold, manage and use personal information</li>
 	<li>It regularly assesses and evaluates its methods and performance in relation to handling personal information</li>
</ul>
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the General Data Protection Regulation.
<h4>Website Statistics</h4>
Serve the City uses Google Analytics in order to measure the audience of its website. Information about the location and age of visitors may be stored for a limited time on Google Analytics' servers but any identifiable information will be automatically deleted after 14 months. Google Analytics follows the GDPR guidelines and you can read more about this <a href="https://privacy.google.com/businesses/compliance/#?modal_active=none" target="_blank" rel="noopener">here</a>. In no case will the information collected be shared with a tier.
<h4>Website security</h4>
To prevent hackers to get into the website (and to keep your data safe), we are using the third party <a href="https://www.wordfence.com/help/general-data-protection-regulation/" target="_blank" rel="noopener">Wordfence</a> with who we have a data processing agreement. None of the data that you fill in the forms is transmitted to Wordfence. What Wordfence collects is your IP address (to check it against blacklisted IPs), the URL accessed (to verify that no extra malicious code is inserted in there) and some browser headers. You can read more about this on their page. This data is only collected to ensure that people with bad intention stay out and cannot have access to the backend and to your data!
<h4>Newsletter</h4>
We use MailChimp as our marketing automation platform. By subscribing to our newsletter, you acknowledge that the information you provide will be transferred to MailChimp for processing in accordance with their <a href="https://mailchimp.com/legal/privacy/" target="_blank" rel="noopener">Privacy Policy</a>and <a href="https://mailchimp.com/legal/terms/" target="_blank" rel="noopener">Terms</a>. In no case will the information collected be shared with a tier.
<h4>Storage of information</h4>
Unless specified otherwise, the information you provide is stored either on Salesforce (<a href="https://www.salesforce.com/gdpr/overview/" target="_blank" rel="noopener">read Salesforce's commitment to GDPR</a>) or our server at Infomaniak (<a href="https://news.infomaniak.com/en/general-data-protection-regulation/" target="_blank" rel="noopener">read Infomaniak's commitment to GDPR</a>).

In the case of an online payment, some information will be stored on our payment processors (either <a href="https://stripe.com/guides/general-data-protection-regulation#stripe-and-the-gdpr" target="_blank" rel="noopener">Stripe</a> for credit card payments or <a href="https://www.paypal.com/us/webapps/mpp/ua/privacy-full" target="_blank" rel="noopener">Paypal</a>), depending of your choice. This information is kept secure and only for the purposes of processing the payment. We do not store any credit card information on our servers.
<h4>Cookies</h4>
Cookies are used on this site to give you a better browsing experience. The best way to prevent all cookies to be registered is to modify the settings of your browser.
<h4>Embedded content from other websites</h4>
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.
<h4>What rights you have over your data</h4>
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Now go back into visual mode and edit the parts that need editing (e.g. the name of “Serve the City Cityname legal status”, if you use a different payment processing method, or a different newsletter system, …).

Now that your page is published, let’s add it to the bottom navigation

To do this, go to Appearance > Menus.

If you don’t have one yet, create a new navigation for the footer by clicking “Create a new menu”.

Enter the name (e.g. “Footer”) and click the button Create menu.

Now, select the newly published page, add it to the menu, indicate the menu is located in the footer, and save the menu.

You’re all set!