WordPress & GDPR Compliance: Everything You Need To Know
The completely new and far-reaching privacy legislation known as the General Data Protection Regulation (GDPR) comes into effect across Europe on 25th May 2018. Developed by the European Union (EU), the new law not only replaces the previous 1995 Data Protection Directive but also unifies all European data privacy laws, giving users better control over the collection, use, and storage of their personal data online. In the simplest terms, GDPR is the new global standard for data protection.
Although GDPR applies primarily to businesses and citizens of the European Union and Great Britain, it also covers website owners and developers outside Europe as long as they track, collect or store data from any citizen of the European Union (EU). Since WordPress now powers over 30% of global websites, a huge number of websites will undoubtedly be affected by the new data protection law. However, if you already know what the GDPR initiative is and how to prepare your WordPress site for it, you can easily cope with this big change.
GDPR – Key Changes
The main purpose of GDPR is to protect and empower the data privacy of all EU citizens in today’s increasingly data-driven world. To improve data privacy and facilitate greater user control over personal data, several changes have been proposed to the regulatory policies. Mentioned below are the most relevant ones to website owners and web developers:
Increased Territorial Scope:
The whole world is now covered by GDPR! The only condition is whether the business or organization concerned processes the personal data of any EU citizen. In other words, if you accept traffic from the European Union, GDPR compliance matters regardless of where in the world you or your website’s servers are physically located.
Explicit Consent:
The user’s explicit consent to the use of their personal data is at the core of the new GDPR regulation. According to the new law, any EU citizen whose data you process or collect must consent to you doing so. Consent must be clear and requested in plain, easily understandable language.
Heavier Penalties:
If you don’t comply with the new GDPR regulation, you may face a penalty of up to 4% of your annual global turnover or 20 million Euros, whichever is greater. If you’re an individual developer or a small organization, that’s a huge amount.
Redefines What Personal Data Is:
Previously, it was enough to inform users that they were being tracked via cookies, but that is no longer the case. GDPR defines personal data much more broadly, covering everything that could possibly be linked back to a person’s real identity.
Expanded Rights of Individuals
Apart from the changes listed above, GDPR introduces several new Data Subject Rights for the people of the European Union, giving them better control over the collection, processing, and storage of their personal data online. These are:
Right to be informed:
Every user has the right to be informed about the processing, collection, use, and storage of their personal data. As a website owner, you must inform individuals of this at the time you collect their personal data.
Right of Access:
Individuals have the right to know what data about them is being processed and used, how, where, and for what purpose. As an organization, you’re obliged to provide an electronic copy of their personal data free of charge, within 40 days of the request.
Right to Rectification:
The new GDPR regulation gives individuals the right to have inaccurate personal data rectified, or completed if it is incomplete. The request can be made either verbally or in writing, and you have one month to respond to it. You’re allowed to refuse a rectification request only in certain circumstances.
Right to Erasure:
Also known as the right to be forgotten, the right to erasure empowers users with the ability to leave your website and ask you to delete any personally identifiable information you have collected about them so far.
Right to Restrict Processing:
Under this right, an individual can restrict or suppress the processing of their personal data. In such a situation, you are still allowed to store the user’s personal data, but you may not use it. This right applies only in certain circumstances.
Right to Data Portability:
The data portability clause of the GDPR gives users an option to download their personal data in a readily accessible, machine-readable format and re-use it for their own purposes across different services.
Right to Object:
Individuals have the right to prohibit the use of any particular data. In other words, you must stop processing or using any personally identifiable information for direct marketing purposes as soon as you receive an objection from the user.
Right to be informed About Data Breaches:
In the case of a data breach, the organization is legally required to notify both the supervisory authority and the affected individuals within 72 hours of becoming aware of the breach. Failing to notify a breach may attract a significant fine of up to 2% of your annual global turnover or 20 million Euros.
Revision of Automated Decision Making or Profiling:
The GDPR protects individuals from being subject to solely automated decision-making, that is, decisions made without the involvement of any human. As a site owner, you are restricted from making solely automated decisions, including profiling, that have legal or similarly significant effects on a person.
What Kind of Information Does GDPR Apply To?
The GDPR applies to any personal data (in any format) that can be used on its own or in conjunction with other data to identify a living person. As already mentioned above, the new regulation extends the definition of personal data to include information such as an IP address. Examples of data considered personal include:
- Physical address
- Email address
- Mobile number
- Social security number
- Location data
- IP address
- Online Behavior (Cookies)
- Profiling and Analytics Data
Moreover, the GDPR also applies to sensitive personal data that needs to be more carefully handled and could potentially link back to the identity of a person, such as, but not limited to:
- Health status
- Sexual orientation
- Religious beliefs
- Political views
- Financial data
- Behavioral data
- Biometric Data
- Genetic Data
In a nutshell, the new law will apply to both personal and sensitive personal data.
How Will GDPR Affect a WordPress Site?
As far as WordPress is concerned, there are three main ways in which GDPR can affect WordPress site owners:
Data Collection:
How you collect data, whether via contact form entries, user registrations, comments, newsletter signups, analytics, etc., will play a vital role in determining whether or not your WordPress site is GDPR compliant. Under the new law, if you’re collecting data through your WordPress site, you must clearly tell users who you are, what data you’re collecting, why you’re collecting it, how long you’re going to store it, who will be able to access it and for what purpose. Explicit consent from users is now mandatory to collect and process personal data.
Themes and Plug-ins:
As a WordPress site owner, you alone are responsible for all data collection and storage methods used by a theme, plug-in or third-party software. Hence, it’s crucial to audit all third-party plug-ins and themes before the new regulation takes effect. To check whether or not your theme and plug-ins comply with the GDPR rules, you can use the WP GDPR Compliance plug-in, which helps you identify key issues related to GDPR compliance.
eCommerce and Consent:
If your WordPress site uses WooCommerce or any similar eCommerce platform, using opt-out options and pre-ticked consent boxes to collect any personal data will now be considered a violation of GDPR. This means that active opt-in by the users of your WordPress site, including for all marketing materials such as newsletters, is now imperative to meet the new regulations. According to the new regulation, examples of lawful consent are clicking an opt-in button or link online, selecting from an equivalent yes or no option, and responding clearly to an email requesting consent.
What Can Be Done to Make a WordPress Site GDPR Compliant?
Let’s get acquainted with some surefire ways you can make your WordPress site GDPR compliant:
Audit Your Personal Data:
The first and foremost thing you need to do is carry out a full GDPR compliance audit of your WordPress site. This will help you determine factors like:
- Who do you hold data on?
- What personal data do you collect?
- Where is the collected data being stored?
- What are you using the data for?
- Do any third parties handle the data?
- How long is the data stored for?
- Is it secured in every way?
Once you have determined all the above factors, it will become pretty easy for you to find out what data is absolutely necessary for the proper functioning of your WordPress site. If you find anything with no real use or value, simply remove or delete it along with its processing points. By doing so, you’ll have won half the battle for GDPR compliance.
Now that you hold only the absolutely necessary data, write down your policies and procedures for how you’re going to handle it. This is essential to demonstrate your compliance with the new GDPR regulation. You must have a clear plan for what you’ll do in case of:
- Subject Access Requests: Users may request to access, update or delete their personal data anytime. In such a case, you must have a clear idea of how you will verify their identity and fulfill the request.
- Data Security: Describe what efforts you’re putting into keeping users’ personal data safe and secure. This may involve techniques like access control, data anonymization, and encryption.
- Data Breaches: As previously mentioned, any personal data breach which you think may significantly harm individuals must be brought to the attention of the relevant supervisory authority within 72 hours of you becoming aware of the breach. If the breach is serious enough, you must also notify the individuals concerned.
Inform Your Audience:
Maintain Privacy by Design:
The concept of Privacy by Design has existed for years, but it is now a legal requirement under the GDPR regulation. Privacy by Design means that instead of treating data protection as an afterthought or addendum, it should be incorporated into the design of a system from the outset. To be more specific, the designer should implement appropriate technical and organizational measures at the very core of any system. Privacy by Design encourages website owners to ask users only for the data that is absolutely necessary.
Enhance Online Payments:
If you’re running an eCommerce WordPress site, then you are likely to be collecting personal details before redirecting the customer to the payment gateway. If this is the case, you need to modify your web processes to automatically delete any sensitive personal data after a certain period of time, for example, 60 days. Since the GDPR regulation doesn’t specify an exact number of days, it is your own decision how many days after collection the sensitive data must be deleted.
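One way to implement the time-based deletion described above is a WP-Cron job that runs daily and purges any stored billing details older than the retention period. The following plugin is an added example, not code from the article or from WooCommerce; it assumes, hypothetically, that checkout stores the customer's sensitive billing details as user meta under the key `checkout_billing_details` and records the Unix time of saving under `checkout_billing_details_saved_at` (both key names are placeholders for this illustration). Everything else is standard WordPress API (`wp_schedule_event`, `get_users`, `delete_user_meta`).

```php
<?php
/**
 * Plugin Name: Example checkout data retention (added illustration, not from the article)
 *
 * Assumes, hypothetically, that checkout stores sensitive billing details as user meta
 * under 'checkout_billing_details' and the Unix time they were saved under
 * 'checkout_billing_details_saved_at'. Both keys are placeholders for this example.
 */

defined( 'ABSPATH' ) || exit;

// Retention period in days; the GDPR fixes no number, the article suggests 60.
const EXAMPLE_RETENTION_DAYS = 60;
const EXAMPLE_META_KEY       = 'checkout_billing_details';
const EXAMPLE_META_TIME_KEY  = 'checkout_billing_details_saved_at';
const EXAMPLE_CRON_HOOK      = 'example_purge_expired_checkout_data';

// Schedule the daily purge once; wp_next_scheduled() prevents duplicate events.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( EXAMPLE_CRON_HOOK ) ) {
        wp_schedule_event( time(), 'daily', EXAMPLE_CRON_HOOK );
    }
} );

// Remove the scheduled event again when the plugin is deactivated.
register_deactivation_hook( __FILE__, function () {
    $timestamp = wp_next_scheduled( EXAMPLE_CRON_HOOK );
    if ( $timestamp ) {
        wp_unschedule_event( $timestamp, EXAMPLE_CRON_HOOK );
    }
} );

/**
 * Delete the billing details (and their timestamp) of every user whose record is
 * older than the retention period. Returns the number of users cleaned so a log
 * line or WP-CLI wrapper can report it.
 */
function example_purge_expired_checkout_data( $retention_days = EXAMPLE_RETENTION_DAYS ) {
    $cutoff = time() - ( (int) $retention_days * DAY_IN_SECONDS );

    // Match only users whose saved-at timestamp lies before the cutoff.
    $user_ids = get_users( array(
        'fields'     => 'ID',
        'meta_query' => array(
            array(
                'key'     => EXAMPLE_META_TIME_KEY,
                'value'   => $cutoff,
                'compare' => '<',
                'type'    => 'NUMERIC',
            ),
        ),
    ) );

    $purged = 0;
    foreach ( $user_ids as $user_id ) {
        // Delete both the sensitive payload and its timestamp so the user is not matched again.
        delete_user_meta( $user_id, EXAMPLE_META_KEY );
        delete_user_meta( $user_id, EXAMPLE_META_TIME_KEY );
        $purged++;
    }

    // Keep an audit trail of the purge: the count only, never the deleted values.
    error_log( sprintf( 'Purged checkout details for %d user(s) older than %d days', $purged, $retention_days ) );

    return $purged;
}
add_action( EXAMPLE_CRON_HOOK, 'example_purge_expired_checkout_data' );
```

WP-Cron only fires on page loads, so on a low-traffic store the purge may run late; triggering `wp-cron.php` from a real system cron job makes the retention period reliable. Deleting the timestamp together with the payload matters: if only the payload were removed, the user would be re-matched on every run.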
Request Explicit Consent:
This one is crucial in every way! Anyone whose data you collect must give explicit consent for you to use their personal data. Consent must be explicit, given freely and separately for each processing purpose, and must be withdrawable at any time. Here the word ‘explicit’ means that all opt-in boxes must be empty/unchecked by default and the user must manually and voluntarily tick the box to give their consent to the collection of their personal data. In other words, there must be no automatic opt-ins on your WordPress site.
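The following plugin is an added example (not code from the article or from any plug-in it mentions) of what an explicit, per-purpose consent looks like on the standard WordPress registration form, and of how the resulting consent record can be handed back to the user under the data portability right discussed earlier. It adds two checkboxes that are never pre-ticked: a required consent to the privacy policy and a separate, optional newsletter opt-in, so marketing consent is not bundled with the account. Consent is enforced server-side (a missing required box blocks the registration), recorded with a timestamp and policy version under the hypothetical user-meta key `example_consent_records`, and registered with the core personal data exporter (`wp_privacy_personal_data_exporters`, available from WordPress 4.9.6). The privacy policy path `/privacy-policy/` is an assumption.

```php
<?php
/**
 * Plugin Name: Example explicit-consent registration (added illustration, not from the article)
 *
 * Two unchecked opt-in boxes on wp-login.php?action=register: a required privacy-policy
 * consent and a separate optional newsletter opt-in. Consents given are stored under the
 * hypothetical user-meta key 'example_consent_records' and exposed to Tools > Export
 * Personal Data (WordPress 4.9.6+). Requires Settings > General > "Anyone can register".
 */

defined( 'ABSPATH' ) || exit;

const EXAMPLE_CONSENT_META_KEY = 'example_consent_records';
const EXAMPLE_POLICY_VERSION   = '2018-05'; // bump whenever the privacy policy text changes

// Each processing purpose gets its own checkbox; only the account consent is mandatory.
function example_consent_purposes() {
    return array(
        'account'    => array( 'field' => 'example_consent_account', 'required' => true,
                               'label' => 'I agree to the processing of my data as described in the privacy policy' ),
        'newsletter' => array( 'field' => 'example_consent_newsletter', 'required' => false,
                               'label' => 'Also send me the newsletter (optional)' ),
    );
}

// True only when the box was actively ticked; an absent field never counts as consent.
function example_consent_given( array $submitted, $field ) {
    return isset( $submitted[ $field ] ) && $submitted[ $field ] === '1';
}

// Purposes whose required consent is missing from a submission (empty array = valid).
function example_missing_required_consents( array $submitted ) {
    $missing = array();
    foreach ( example_consent_purposes() as $purpose => $spec ) {
        if ( $spec['required'] && ! example_consent_given( $submitted, $spec['field'] ) ) {
            $missing[] = $purpose;
        }
    }
    return $missing;
}

// Render the boxes on the registration form. Note: no "checked" attribute anywhere.
add_action( 'register_form', function () {
    $policy_url = esc_url( home_url( '/privacy-policy/' ) ); // assumed location of your policy page
    foreach ( example_consent_purposes() as $spec ) {
        printf(
            '<p><label><input type="checkbox" name="%1$s" value="1" /> %2$s%3$s</label></p>',
            esc_attr( $spec['field'] ),
            esc_html( $spec['label'] ),
            $spec['required'] ? ' (<a href="' . $policy_url . '">privacy policy</a>)' : ''
        );
    }
} );

// Server-side enforcement: a missing required consent blocks the registration.
add_filter( 'registration_errors', function ( $errors ) {
    foreach ( example_missing_required_consents( $_POST ) as $purpose ) {
        $errors->add( 'consent_' . $purpose, '<strong>ERROR</strong>: You must agree to the privacy policy to register.' );
    }
    return $errors;
} );

// Record which purposes were consented to, when, and under which policy version.
add_action( 'user_register', function ( $user_id ) {
    // user_register also fires for admin-created accounts; only a real opt-in is recorded.
    $records = array();
    foreach ( example_consent_purposes() as $purpose => $spec ) {
        if ( example_consent_given( $_POST, $spec['field'] ) ) {
            $records[ $purpose ] = array( 'policy_version' => EXAMPLE_POLICY_VERSION, 'given_at' => time() );
        }
    }
    if ( $records ) {
        update_user_meta( $user_id, EXAMPLE_CONSENT_META_KEY, $records );
    }
} );

// Data portability: hand the consent records back through the core personal-data exporter.
function example_export_consent_records( $email_address, $page = 1 ) {
    $items   = array();
    $user    = get_user_by( 'email', $email_address );
    $records = $user ? get_user_meta( $user->ID, EXAMPLE_CONSENT_META_KEY, true ) : array();
    if ( ! is_array( $records ) ) {
        $records = array(); // no consent stored for this user
    }
    foreach ( $records as $purpose => $record ) {
        $items[] = array(
            'group_id'    => 'example-consent',
            'group_label' => 'Consent records',
            'item_id'     => 'consent-' . $purpose,
            'data'        => array(
                array( 'name' => 'Purpose',        'value' => $purpose ),
                array( 'name' => 'Policy version', 'value' => $record['policy_version'] ),
                array( 'name' => 'Given at (UTC)', 'value' => gmdate( 'c', $record['given_at'] ) ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true );
}
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-consent'] = array(
        'exporter_friendly_name' => 'Consent records',
        'callback'               => 'example_export_consent_records',
    );
    return $exporters;
} );
```

The check lives in `registration_errors`, not in the HTML: a `required` attribute on the checkbox is only a convenience, since the form can be submitted without the browser. Storing the policy version alongside the timestamp lets you tell later which wording a user actually agreed to, which matters once the policy changes and consent has to be requested again.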
Consider Appointing a DPO:
Finally, if your WordPress site has to deal with the monitoring or processing of large amounts of personal data, consider appointing a Data Protection Officer (DPO) who is not only responsible for all data protection related activities but also ensures the compliance of your WordPress site with the GDPR regulations. A DPO can be any person within your organization or an externally hired one.
Useful GDPR Online Resources
- GDPR – Official Website
- Different Components of GDPR in a Single Infographic
- Google Data Protection Compliance
- An Introduction to GDPR Compliance for WooCommerce Stores
- MailChimp’s Guide to the GDPR
- GDPR Infographic from Sage
- Wikipedia page on the GDPR
- The GDPR for WordPress project
- Automattic and the General Data Protection Regulation (GDPR)
- GDPR Countdown Clock
Ashish is an experienced web developer and a passionate writer associated with XHTMLJunction – PSD to WordPress Service Provider. He always tries to keep up with the latest web development trends and technologies to boost his productivity and capabilities. In his spare time, he loves to write articles related to WordPress, Web Design and Development, and eCommerce.