Meeting Your GDPR Obligations With Awesome Support
The GDPR and similar privacy obligations from jurisdictions around the world require that organizations large and small put individual privacy front and center in their business practices. For smaller businesses and sole proprietorships this primarily means a focus on website operations.
The majority of these regulations require some combination of the following:
- Affirmative acceptance of privacy policies
- Ability to consent to certain business practices involving a user's personal data
- Ability to withdraw consent for certain business practices involving a user's personal data
- Ability for a user to request that stored personal data be deleted or anonymized (“right to be forgotten”)
- Ability for a user to request a copy of any stored personal data
- Tracking of user requests related to any “right to be forgotten” regulation
- Tracking of dates or other proof of affirmative consent to certain business operations, data storage and data transfer practices
Organizations are finding that they need a central place for users to be able to accept and withdraw consent and to submit related requests such as requests for personal data or for data to be deleted. What better place to handle this than inside a business’s existing help desk?
Overview Of Awesome Support’s Privacy Tools
Awesome Support allows the administrator to enable a new PRIVACY button in a user's ticket dashboard. This button allows the user to:
- Opt in or opt out of consent items
- Send requests for personal data to be deleted or anonymized
- Download personal data
Administrators can also configure consent items that users must opt into before completing registration, and can opt into items on a user's behalf. In addition, administrators can use WordPress's EXPORT PERSONAL DATA and ERASE PERSONAL DATA tools (available in WP 4.9.6 and later) to delete or export personal data stored in Awesome Support.
Managing Opt-in and Opt-out Items on Registration
Before a user can complete an Awesome Support registration form on your website you need to provide certain disclosures. And, the user needs to affirmatively agree with these disclosures before being able to complete the registration process.
Awesome Support allows you to configure up to FOUR of these disclosures (or “consents” as we like to call them). The first one will be your terms and conditions. Your others can be similar to:
- Consent for data transfers outside of your current jurisdiction
- Consent to add to mailing lists
- Consent to transfer data to 3rd party managers
Or any other type of consent you might need under your jurisdiction’s privacy regulations.
In all cases you need to provide a bona fide reason for needing to do these things, which usually means that you need to provide a short explanation for each item on the sign-up form. Awesome Support fully supports your ability to configure these items.
In the image below you can see the text that the administrator has configured for two of these consent items.
Your end users can manage their consents after the fact with the new PRIVACY button:
In the image above, notice that users can opt out of the last two items after opting in, but they cannot opt out of the first item. Administrators can configure whether opting out is possible after the fact. They can also opt in or out of items on the user's behalf in the WordPress user profile:
Handling “Right To Be Forgotten” Requests
“Right to be forgotten” regulations generally mean that an organization needs to delete any personal data about a customer upon request, if there is no bona fide reason for keeping it. Awesome Support includes a “Right To Be Forgotten” request form in the PRIVACY area:
This form creates a support ticket that will be routed to a support agent. And, if WordPress version 4.9.6 or later is installed, it creates a DELETE request inside the TOOLS->ERASE PERSONAL DATA screen.
Administrators or other authorized agents can then contact the user to confirm their identity and the validity of the request before processing it. In many cases, though, WordPress automatically sends out a confirmation request to the user whenever a DELETE request is received on a WP 4.9.6 ERASE PERSONAL DATA screen.
For Awesome Support, ticket data will be deleted along with other WordPress data if the data delete request is processed in the TOOLS->ERASE PERSONAL DATA screen available in WP 4.9.6 or later. Otherwise the admin/agent/manager will need to manually locate and delete the user's tickets from inside the TICKETS screen (which is easy to do with our flexible ticket-list search filters).
Exporting Personal Data
Awesome Support allows users to export their data using the screens available under the PRIVACY button:
Users can use this button to get a .zip file that includes their tickets in XML format along with attachments. Each ticket that contains attachments will have a separate folder inside the .zip file where the attachments will reside.
On the back end in wp-admin, administrators are allowed to export files on behalf of users, which will result in a file with the same format:
In WordPress 4.9.6 and later, the options under TOOLS->EXPORT PERSONAL DATA will export data from WordPress. Any plugins that support the hooks, including Awesome Support, will have their data exported as well.
WordPress exports the data in PDF format so users end up with a comprehensive report of data across all their plugins (at least the ones that support the WP 4.9.6 hooks).
Hooks and Filters For Developers
Hooks and filters allow other developers to integrate into the Awesome Support ticket deletion process. There are two new hooks available today, with more on their way.
- The wpas_before_delete_ticket_via_personal_eraser filter hook allows developers of Awesome Support add-ons to erase Awesome Support data related to a single ticket as Awesome Support is processing its own data erasing operation on that same ticket. This hook can also prevent Awesome Support from going through with a data erase operation on a particular ticket, returning informational messages that will be seen by the admin instead.
- The wpas_allow_personal_data_eraser filter hook runs before the Awesome Support data erase process is started and can be used to completely terminate the erase process before even a single ticket is examined.
The WordPress Plugin Challenge
Just about every plugin that handles data in the WordPress ecosystem will eventually have some form of opt-in checkbox. And, given that many sites might have 10 or more of these plugins, organizations running WordPress might end up with a consent tracking nightmare. For example, a typical website might have:
- Form plugins such as Gravity
- e-Commerce plugins such as WooCommerce
- Popup plugins
- Mail opt-in form plugins such as Bloom
- Quizzes and other top-of-funnel plugins
- Cookie consent plugins such as cookiebot
Admins will be collecting consents from all the user interfaces for each of these plugins. But how will all these consents be shown to the user in a user-friendly manner? And how will the user be able to withdraw consent?
The only solution is, you guessed it, another plugin that is aware of all these consent sources and can provide a unified interface for withdrawing and re-accepting. Awesome Support is working on hooks and filters that can be used to present opt-in and opt-out consents from various plugins on one unified user interface. With Europe and Australia sporting strong privacy laws and California passing its own, it's only a matter of time before most countries have similar regulations. The need for a unified management interface for both users and admins is only going to become greater! The next versions of Awesome Support aim to provide the tools necessary to help you provide these for your end users.
Are you a plugin author? Contact us via our contact form to learn how you can integrate your opt-in/opt-out process with Awesome Support.