The purpose of this article is to help WordPress website owners comply with the GDPR regulation. The author is not a lawyer and this article should not be taken as a substitute for legal advice.
If you run a WordPress website and are worried that the new General Data Protection Regulation (GDPR) is going to affect how your website handles user data, you are not alone. Individuals, businesses, and websites around the world are preparing themselves for a new era of data security and privacy protection.
The European Parliament adopted the GDPR in April 2016 and gave organizations a two-year transition period to comply. The regulation applies from May 25, 2018.
GDPR compliance is mandatory and non-compliance can have serious implications – including hefty fines. With this in mind, in this post, we’ll explain what the GDPR is, how it applies to website owners, and what you need to do to make your WordPress website GDPR compliant.
What Is GDPR and How Does It Apply to Website Owners?
The GDPR requires organizations to take significant steps to protect user data. To become compliant, they need to change the protocols and practices they use to collect, store, process and share that data.
GDPR: General Data Protection Regulation
The GDPR is a new regulation that gives individuals in the EU certain rights related to their personal data. It applies to any organization, wherever it is based, that controls or processes the personal data of people in the EU, for example by offering them goods or services or by monitoring their behaviour. The aim of the GDPR is to modernize the EU's existing data protection laws and adapt them to the world of social networks and digital marketing.
The GDPR runs to 99 articles and places a number of new requirements on organizations. The ones most relevant to a website owner are:
- Consent of the Data Subject. Explicit and clear permission of the users is required prior to the collection and processing of their personal information.
- Right to Access One’s Data. Data subjects can ask you to confirm whether you process their data and to receive a copy of it (Article 15). A related right, rectification (Article 16), lets them have inaccurate data corrected.
- Right to Object. The data subject can object to the processing of their personal data (Article 21). You may continue only if you can demonstrate compelling legitimate grounds that override their interests; an objection to direct marketing must always be honoured.
- Right to Erasure (Right to be forgotten). The data subject can ask you to delete their data without undue delay (Article 17), for example when (1) they withdraw the consent the processing was based on, (2) the data is no longer needed for the purpose it was collected for, or (3) they object to the processing and you have no overriding legitimate grounds to continue.
- Data Protection Officers. Organizations must appoint a data protection officer when their core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (Article 37). A typical small website will not need one.
- Data Breach Notifications. If personal data is breached, the controller must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to the people affected, they must be informed as well, without undue delay (Article 34).
How Does GDPR Apply to WordPress Website Owners?
A WordPress site owner who collects any personal data is a data controller in the GDPR’s terms, so the regulation applies to you just as it does to any other organization. If you own a WordPress site, you need to review:
- How your website gathers data through forms (contact forms, signup forms, registration forms, etc…).
- How your website gathers analytical/statistical data.
- How you handle the data you collect.
- How you share that data with your users and third-parties.
- How the plugins and themes you use affect user privacy.
- How you keep user data secure.
Contact forms are an easy way of collecting user information, so any contact forms or contact form plugins you use on your WordPress website must be GDPR compliant. Remember that anything that can identify a user constitutes personal data, including a name, an email address and an IP address. If your website uses contact forms to collect user data, under the GDPR you are required to:
- Obtain explicit consent from your site’s visitors.
- Avoid pre-checked consent boxes; consent must be an affirmative action by the user.
- Inform users why their information is being collected.
- Let them know how long and for what purpose their data will be stored and processed.
- Let them know who will control their data.
- Give them information on how they can get access to that data.
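As an added example (not code from the original article), here is how the points above translate into a WordPress comment form: an unchecked consent box, server-side rejection of submissions that omit it, and a record of when and to what wording the user agreed. The hooks used (comment_form_default_fields, preprocess_comment, comment_post, add_comment_meta) are WordPress core APIs; the field name gdpr_consent, the text domain example-textdomain and the version string for the consent wording are assumptions for illustration.

```php
<?php
// Added example (not from the original article): explicit, unchecked consent
// checkbox on the WordPress comment form, enforced server-side and recorded.
// Field name, text domain and consent-text version are illustrative assumptions.

// 1. Render an unchecked checkbox below the standard name/email/website fields.
//    comment_form_default_fields only applies to visitors who are not logged in.
add_filter( 'comment_form_default_fields', function ( $fields ) {
	$fields['gdpr_consent'] = sprintf(
		'<p class="comment-form-gdpr-consent">'
		. '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="yes" /> '
		. '<label for="gdpr_consent">%s</label></p>',
		esc_html__(
			'I agree that this site stores my name, email address and anonymized IP address together with my comment. I can withdraw this consent at any time.',
			'example-textdomain'
		)
	);
	return $fields;
} );

// 2. Refuse the submission when the box was not ticked. A missing field is
//    treated as "no consent", never as consent by default.
add_filter( 'preprocess_comment', function ( $commentdata ) {
	// Pingbacks/trackbacks carry no form fields; registered users are assumed
	// to have consented at signup, so no box is shown to them.
	if ( is_user_logged_in()
		|| in_array( $commentdata['comment_type'], array( 'pingback', 'trackback' ), true ) ) {
		return $commentdata;
	}
	$consent = isset( $_POST['gdpr_consent'] )
		? sanitize_text_field( wp_unslash( $_POST['gdpr_consent'] ) )
		: '';
	if ( 'yes' !== $consent ) {
		wp_die(
			esc_html__( 'Please tick the consent box before submitting your comment.', 'example-textdomain' ),
			403
		);
	}
	return $commentdata;
} );

// 3. Record when consent was given and which wording the user saw, so that
//    consent can be demonstrated later (GDPR Article 7(1)).
add_action( 'comment_post', function ( $comment_id ) {
	if ( is_user_logged_in() ) {
		return;
	}
	add_comment_meta( $comment_id, 'gdpr_consent_given_utc', current_time( 'mysql', true ), true );
	add_comment_meta( $comment_id, 'gdpr_consent_text_version', '2018-05-v1', true );
} );
```

Drop this into a small must-use plugin or your theme’s functions.php. The server-side check is the part that matters: a checkbox alone can be bypassed with a hand-crafted POST, and a form that defaults to "consented" when the field is absent would be exactly the consent-by-default the GDPR forbids.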
If you run an eCommerce WordPress site, you will be handling billing addresses, order histories and payment details. To protect your customers’ data, follow the recommendations listed above and also:
- Obtain user consent before sending customers email newsletters or special offers.
- Let your customers know that they can opt out of any of your service(s) whenever they choose to.
- Do not collect or store card numbers yourself. Hand the payment step to a payment gateway such as PayPal or Stripe, so that card data never touches your server, and use eCommerce plugins whose privacy handling you have checked for GDPR compliance.
- In the event of a data breach, assess the risk immediately, notify the supervisory authority within 72 hours of becoming aware of it, and inform affected customers without undue delay when the breach is likely to put them at high risk. Independently of breaches, give your customers access to their data at all times along with the option to delete it.
Many websites use analytics software and tools (like Google Analytics) to monitor website performance and to optimize for search engine rankings. The reports you look at are usually aggregated, but the tool itself typically processes each visitor’s IP address and sets a cookie carrying a client identifier, and the GDPR treats such online identifiers as personal data. So the recommendations listed above apply here too, and as a minimum you should:
- Use analytics for aggregate statistics only; don’t use it to build profiles of identifiable individuals.
- Enable the tool’s IP anonymization option (analytics.js has an anonymizeIp setting) and don’t store full IP addresses or cross-site tracking identifiers without consent.
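WordPress itself also stores a visitor’s IP address with every comment (in the comment_author_IP column of wp_comments). As an added example, not taken from the original article, here is how to truncate that address before it is stored so that only the network part survives. The pre_comment_user_ip filter is a core WordPress hook; the mask widths (/24 for IPv4, /48 for IPv6) are a choice that keeps enough to help with spam filtering while dropping the part that identifies a single host.

```php
<?php
// Added example (not from the original article): anonymize a commenter's IP
// address before WordPress stores it. Mask widths are an illustrative choice.

/**
 * Return the address with its host part zeroed, or '' if it does not parse.
 * Works on the packed binary form so IPv4 and IPv6 are handled the same way.
 */
function example_anonymize_ip( $ip ) {
	$packed = @inet_pton( trim( (string) $ip ) );
	if ( false === $packed ) {
		return '';   // unparsable or empty input: store nothing rather than junk
	}
	if ( 4 === strlen( $packed ) ) {
		$mask = "\xff\xff\xff\x00";                                  // IPv4: keep /24
	} else {
		$mask = str_repeat( "\xff", 6 ) . str_repeat( "\x00", 10 );  // IPv6: keep /48
	}
	return inet_ntop( $packed & $mask );   // bytewise AND on PHP binary strings
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: filter the address on its way into wp_comments.
	add_filter( 'pre_comment_user_ip', 'example_anonymize_ip' );
} elseif ( PHP_SAPI === 'cli' ) {
	// Outside WordPress: run over a few constructed sample inputs.
	foreach ( array( '203.0.113.45', '2001:db8:85a3:8d3:1319:8a2e:370:7348', 'not-an-ip', '' ) as $sample ) {
		printf( "%-40s -> %s\n", $sample, example_anonymize_ip( $sample ) );
	}
}
```

Note that a client-side analytics setting such as anonymizeIp only asks the analytics vendor to truncate the address after it has been received; the full address still leaves the visitor’s browser. Server-side truncation like the above is the only way to make sure your own database never holds the full value.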
The GDPR doesn’t just address data collection but also gives specific instructions about the legal basis of data processing.
Have a Legal Justification for Processing Personal Data
Any personal information you collect from the user, knowingly or unknowingly, must have a lawful basis for processing. Article 6 of the GDPR lists six lawful bases; the three that most website owners will rely on are:
- Contracts. This basis applies when you need to process data to fulfil a contract with the customer, or when the user asks you to do something before entering a contract, such as requesting a quote. Document your reasons for processing data in case you need them later.
- Legal Obligations. You can process user information where you need to comply with a statutory obligation, for example where tax law requires a business to keep records of its sales and expenses.
- Consent. Where no other basis applies, you need the data subject’s consent before processing. Consent must be freely given, specific, informed and unambiguous, after the user has been told the purpose of the processing and how long the data will be kept. Tell them that they can withdraw consent at any time, as easily as they gave it, and about their right to erasure.
How to Make Your WordPress Website GDPR Compliant
Now that you have a good grasp of the GDPR, let’s take a look at some of the steps you can take to make your WordPress website GDPR-compliant.
#1: Request Explicit User Consent
The GDPR requires website owners to obtain explicit consent from their site’s visitors regarding the collection, processing, storing, and sharing of their data. This consent has to be taken prior to processing the data. The requests for consent must not be attached to other terms and conditions. Instead, they should be obtained separately.
The GDPR does not permit vague or blanket consent: consent must be specific to a purpose. If you have a newsletter subscription form and a form that lets visitors request a quote, obtain consent separately on each, because the data is used for different purposes.
In addition to this, you should not use pre-checked boxes or any other consent by default forms to collect user data. Finally, your site’s visitors should be allowed to withdraw their consent whenever they choose to.
#2: Let Users Know You’re Collecting Data
The data subject has the right to know why their data is being collected and how long it will be stored. You must inform your users about their right to access their data as well as their right to object to data processing. The users must also be allowed to correct or delete their data.
#3: Adopt Privacy by Design
Privacy by design (Article 25) means building data protection into your site rather than bolting it on afterwards. Collect only the data you actually need for the stated purpose (data minimisation), keep it no longer than necessary, and limit the number of places it is collected and stored so there is less to protect. You must also take technical and organisational measures appropriate to the risk (Article 32) and be able to demonstrate them: serve the site over HTTPS, keep WordPress, themes and plugins updated, restrict administrative access, and encrypt or pseudonymise stored data where you can.
#4: Make Sure Your Users’ Data Is Accessible
The GDPR gives users significant control over their personal information. They have the right to access and modify the data which they have given their consent for. As the website owner, it is your responsibility to ensure your site’s users are able to access their data. The right to data portability gives users the option to download their personal data or even transfer it to another business (potentially your competitor).
#5: Give Users the Option to Withdraw Consent
Your site’s users have the right to withdraw their consent, and your website must give them a straightforward way to make such requests. Users can also request information about the status of their data, as well as information about how and by whom their data is controlled and processed.
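Access, portability and erasure (steps #4 and #5) are easiest to honour if every piece of personal data your site stores is reachable from one place. As an added example, not code from the original article, here is how data your own site stores (a hypothetical quote request table) can be plugged into the personal data export and erasure tools that WordPress 4.9.6 and later provide under Tools in the admin. The two filters, wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers, and the shape of their callbacks are WordPress core; the quote_requests table, its columns, the page size and the text domain are assumptions for illustration.

```php
<?php
// Added example (not from the original article): hook a site's own stored form
// data into WordPress's Export Personal Data / Erase Personal Data tools
// (WordPress 4.9.6+). Table name, columns and page size are illustrative.

const EXAMPLE_PAGE_SIZE = 100;   // rows per call; WordPress calls again until 'done'

function example_quote_table() {
	global $wpdb;
	return $wpdb->prefix . 'quote_requests';   // assumed columns: id, email, name, message, created_at
}

// Exporter: return the rows belonging to this email address, one page at a time.
function example_quote_exporter( $email_address, $page = 1 ) {
	global $wpdb;
	$page   = max( 1, (int) $page );
	$offset = ( $page - 1 ) * EXAMPLE_PAGE_SIZE;
	$rows   = $wpdb->get_results( $wpdb->prepare(
		'SELECT id, name, email, message, created_at FROM ' . example_quote_table()
		. ' WHERE email = %s ORDER BY id LIMIT %d OFFSET %d',
		$email_address, EXAMPLE_PAGE_SIZE, $offset
	) );

	$items = array();
	foreach ( $rows as $row ) {
		$items[] = array(
			'group_id'    => 'quote-requests',
			'group_label' => __( 'Quote requests', 'example-textdomain' ),
			'item_id'     => 'quote-request-' . $row->id,
			'data'        => array(
				array( 'name' => __( 'Name', 'example-textdomain' ),      'value' => $row->name ),
				array( 'name' => __( 'Email', 'example-textdomain' ),     'value' => $row->email ),
				array( 'name' => __( 'Message', 'example-textdomain' ),   'value' => $row->message ),
				array( 'name' => __( 'Submitted', 'example-textdomain' ), 'value' => $row->created_at ),
			),
		);
	}
	return array( 'data' => $items, 'done' => count( $rows ) < EXAMPLE_PAGE_SIZE );
}

// Eraser: delete the rows and report the outcome so the admin sees a clear result.
function example_quote_eraser( $email_address, $page = 1 ) {
	global $wpdb;
	$deleted = $wpdb->delete( example_quote_table(), array( 'email' => $email_address ), array( '%s' ) );
	return array(
		'items_removed'  => (bool) $deleted,
		'items_retained' => false,      // set true (with a message) if e.g. invoices must be kept by law
		'messages'       => array(),
		'done'           => true,
	);
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
	$exporters['example-quote-requests'] = array(
		'exporter_friendly_name' => __( 'Quote request form', 'example-textdomain' ),
		'callback'               => 'example_quote_exporter',
	);
	return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
	$erasers['example-quote-requests'] = array(
		'eraser_friendly_name' => __( 'Quote request form', 'example-textdomain' ),
		'callback'             => 'example_quote_eraser',
	);
	return $erasers;
} );
```

With this registered, a request from a user is handled end to end by WordPress: it emails the requester a confirmation link (so you are not exporting or erasing data on the strength of an unverified email address), collects the export from every registered exporter into a downloadable archive, and runs every eraser when the admin approves the erasure. If a legal obligation forces you to retain some records, return items_retained as true with an explanatory message rather than silently keeping them.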
#6: In Case of Data Breaches
If personal data is breached, you must notify the supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the people affected, and you must inform those people without undue delay when the breach is likely to put them at high risk. Affected users keep all their normal rights, including the right to have their data deleted.
In addition to this, you must have breach detection and investigation measures in place so that you can make informed decisions about notification and remediation. Finally, keep a record of every breach, including its effects and what you did about it; Article 33 requires this documentation whether or not the breach was reportable.
If your WordPress website handles personal information of the residents of the EU nations, you’re required to comply with the GDPR regulation by May 25, 2018. Demonstrating this compliance will not only save you from legal woes, but will also give your users a sense of security and let them know that they can trust your website with their personal data.
The GDPR is going to affect how your website handles user data. You have to:
- Make sure your website is in compliance with the GDPR.
- Take necessary steps to protect user data.
What are some of the steps you’re taking to make your WordPress website GDPR compliant? Let us know by commenting below!