Is your WordPress website ready for the GDPR?
In March 2018, the WPLounge team attended WordCamp Rotterdam and had a great opportunity to get ourselves more familiar with the GDPR through the keynote given by Sowmedia. Even though the keynote was only two months before the GDPR comes into effect, it was clear that the majority of the participants were not yet ready to comply with the new data protection regulation. Besides, there were still many uncertain legal points and phrases that were subject to different interpretations.
Despite the complexity and ambiguity of this new regulation that many people struggle to get to grips with, there are things that you must get done for your website before May 2018 to avoid possibly receiving huge fines.
In this article, we will explain everything that you need to know about the GDPR as a WordPress site owner in the easiest possible way. Even if you are not yet familiar with this regulation, after reading this article you will have a good understanding of what it is and which steps you need to take to get your WordPress website ready for the GDPR.
Disclaimer: We have carefully conducted our research for this article. However, we are not lawyers so this is not legal advice.
GDPR (General Data Protection Regulation) is a new European data protection and privacy law. It was adopted to replace the Data Protection Directive from 1995. The new regulation will come into effect on 25 May 2018 and be applicable to any website that handles personal information of EU citizens. This means that the regulation will affect even non-EU based websites in case they have any EU visitors or customers.
The purpose of the GDPR is to give EU citizens the right to control their personal information and ensure that the same data protection rules apply in every European country. This new regulation will change organizations’ approach to data protection and privacy globally. If your website is not GDPR compliant, you are subject to serious fines – up to €20 million or 4% of your global revenue.
Compared to the Data Protection Directive, there are several key changes in the new regulation. For example, the GDPR covers a much wider range of personal information and requires a higher level of data transparency. It aims to give users full control of their personal data, such as transferring and erasing the data. Furthermore, data breaches must be reported under the new regulation.
Below, we will explain the 8 rights of users (legally called “data subjects”) that you should know for GDPR compliance. In case you receive users’ requests related to those rights, you should be able to respond to them within 30 days in most cases.
1. The right to be informed
Users have the right to be informed about the collection and use of their personal data. It means you must provide users with clear and concise information regarding why you collect/process the data, how long you will keep the data, where you will store the data, and who will have access to the data.
2. The right of access
Users have the right to have confirmation that their data is being processed and to obtain access to it from you, the party holding their data (legally, this party is called the “data controller”).
3. The right to rectification
Users have the right to have inaccurate or incomplete personal data rectified. When receiving a request for rectification, you should take reasonable steps to check the accuracy of the data and rectify it if necessary.
4. The right to erasure (or to be forgotten)
Users have the right to completely erase their personal data, and prevent further collection and processing of the data. In this process, users can withdraw their consent for their personal data to be used.
5. The right to restrict
Under certain circumstances, users can make a request for restricting or suppressing the processing of their personal data.
6. The right to portability
Users have the right to obtain their personal data from you and reuse it for their own purposes, and further transmit it to a different controller.
7. The right to object
Users have the right to object to processing of personal data based on legitimate interests, direct marketing and processing the personal data for purposes of scientific or historical research.
8. The right not to be subject to automated decision-making
Users have the right not to be subject to automated decision-making, including profiling, when it produces an adverse legal impact or significantly affects them in a similar way.
How would the GDPR affect your WordPress site?
So, what will happen to your WordPress site when the GDPR comes into effect? What will be the major impacts of the GDPR on your WordPress website?
A standard WordPress site collects user data through user registrations, comments, contact form entries and analytics data. Remember, under the GDPR, each time you request data, whether personal or sensitive, clear and explicit consent is required for processing it. This means the old consent forms that you are using might need to be updated.
Under the GDPR, silence, pre-ticked boxes or inactivity will no longer be considered valid consent. Thus, a pre-ticked opt-in box or a soft opt-in will no longer be sufficient for GDPR consent. Instead, the consent must be unambiguous and explicit and involve an affirmative action that makes it clear that the user is agreeing to the collection of their private information for a specific and clear purpose.
Once you have their data, you should also be prepared to respond to users’ requests related to their personal data such as erasure or withdrawal of their data. In most of the cases, you only have 30 days to respond so it will be critical to have an easy and effective withdrawal mechanism in place.
Furthermore, you need to be more careful with installing plugins as well. Any plugin or any third-party software that you use will need to comply with the GDPR. As a site owner, you are responsible for ensuring that every plugin can collect, export, provide and erase user information in compliance with the GDPR.
In case of a data breach, you need to take immediate action. If your website experiences a data breach of any kind, you need to send a notification within 72 hours after having become aware of it. In this regard, both the data controller (you, the website owner) and data processors (e.g. a third-party tool like Mailchimp) are required to notify the affected users.
How to make my WordPress site GDPR compliant: tips & plugins
Now, you might be wondering or feeling concerned about how you can deal with such complex requirements and how to make sure that you are preparing correctly. It can be an overwhelming process. However, after conducting extensive research on this topic, we have found that the rationale behind this new regulation could be quite simple. Let’s think of it this way.
“data = money”
In a bank, clients come in, give their consent and let the bank keep their money. In this case, the bank is allowed to store their money and further utilize it based on that consent. While keeping their money, the bank is required to store it safely, keep track of it and provide all the relevant information upon request. Although the bank has their money, the clients have full control of it. At any time, the clients can withdraw the money, transfer it to a different bank or even take it all out and close the account. Furthermore, in case of a robbery, the clients have to be informed immediately.
From the above example, you might have noticed that what the GDPR requires is similar to how a bank protects others’ money. The difference is that we are used to treating money in that way but not used to treating our data in the same way. Although data is considered as the most valuable asset in the 21st century, not many of us have treated data as we have treated our money. Thus, the most fundamental thing in complying with the GDPR is to understand the importance of personal data and take logical steps to protect users’ information like we protect our money.
Having said that, now we are going to share our tips and plugin options that will help to make your WordPress website GDPR compliant.
1. Identify personal data you hold
The first step to comply with the GDPR is to understand what personal information you are holding including where the data resides, who can have access to it and whether there are any risks to the data. In this process, you should identify the following key elements:
- What kind of data is being processed (name, phone number, email address, etc.) and what category does it fall into?
- In which format do you store their data (hard copy, digital database, etc.)?
- How do you collect data (contact form, social media, telephone, etc.) and how do you share it internally and externally (email, cloud, etc.)?
- What locations are involved in data flow (offices, cloud, third parties, etc.)?
- Who is accountable for the data?
- Who has access to the data?
2. Remove unnecessary data
It is important to find ways to minimize the collection of personal information. You can achieve this by collecting personal data only when you have a clear purpose to do so. Also, look at the existing data and remove any unnecessary personal data. Lastly, ensure that all personal information is kept secure and only used for the pre-defined purpose.
If you want a more structured approach, you may adopt a Privacy by Design framework, which would help you anticipate, manage and prevent privacy issues with the personal data.
3. Keep user data organized and accessible
Be prepared to respond to users’ requests related to accessing or deleting their data. You should have processes in place to easily locate and delete customer data and, further, to provide a user with a copy of all their personal data within 30 days of receiving the request (you can provide this either for free or for a small fee).
1) Delete Me is a free WordPress plugin that allows users with specific WordPress roles to delete their information by themselves including their posts, links as well as comments.
2) WP GDPR creates a page where users can request access to their personal data. When users ask for access, it sends an automatic email with a unique URL where users can view, update and download their information as well as request its removal. It also gives the website owner an overview of the users’ requests. This plugin is also free.
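The plugins above cover user accounts and comments, but a plugin that stores its own data (a contact form, for instance) has to export and erase that data itself. As an added example, not code from this article or from the plugins it names, the snippet below registers a hypothetical contact-form plugin's entries with WordPress core's privacy tools, so that an access or erasure request handled from Tools → Export Personal Data / Erase Personal Data also covers this plugin's table. The filters `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` are real WordPress core hooks (added in WordPress 4.9.6); the table `{prefix}myplugin_contact_entries`, its columns and all `myplugin_*` names are assumptions for the example.

```php
<?php
/*
 * Added example (not from the article or any plugin it names): register a
 * hypothetical contact-form plugin's stored data with WordPress core's
 * personal data export and erasure tools.
 *
 * Assumptions: entries live in {$wpdb->prefix}myplugin_contact_entries with
 * columns id, email, name, message, created_at. Table name and columns are
 * hypothetical.
 */

// Exporter callback: return this plugin's data for the requester's e-mail address.
function myplugin_privacy_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'myplugin_contact_entries';

    // Prepared statement: the e-mail address is user-supplied, never interpolate it.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name, message, created_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address, $per_page, $offset
        ),
        ARRAY_A
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'myplugin_contact_entries',
            'group_label' => __( 'Contact form entries', 'myplugin' ),
            'item_id'     => 'myplugin-entry-' . $row['id'],
            'data'        => array(
                array( 'name' => __( 'Name', 'myplugin' ),      'value' => $row['name'] ),
                array( 'name' => __( 'Message', 'myplugin' ),   'value' => $row['message'] ),
                array( 'name' => __( 'Submitted', 'myplugin' ), 'value' => $row['created_at'] ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // core calls again with $page + 1 until done
    );
}

// Eraser callback: delete the same data. If a legal duty forces you to keep
// some of it, set items_retained => true and explain why in messages.
function myplugin_privacy_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'myplugin_contact_entries';
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true, // one pass removes every row for this address
    );
}

// Hook both callbacks into core's privacy tools.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['myplugin'] = array(
        'exporter_friendly_name' => __( 'My Plugin contact entries', 'myplugin' ),
        'callback'               => 'myplugin_privacy_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['myplugin'] = array(
        'eraser_friendly_name' => __( 'My Plugin contact entries', 'myplugin' ),
        'callback'             => 'myplugin_privacy_eraser',
    );
    return $erasers;
} );
```

With this in place, the site owner confirms a request once in the WordPress admin and every registered exporter or eraser runs against it, which is what makes the 30-day response window realistic for a site with several plugins holding data. Keep the eraser honest: if a row cannot be deleted, report it as retained with a reason rather than silently skipping it.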
4. Inform your users
- What data is being collected?
- Who is collecting the data?
- Why is the data being collected?
- How will the data be used?
- Who will have access to the data (such as third parties)?
- How long will the data be kept for?
- What rights does the user (data subject) have?
- How can the user raise a complaint?
Before building your own policy, you can also refer to the following examples. However, don’t just copy others’ examples. Make sure that your policy is tailored to your business and audience.
1) Happytable presents a simple policy summary that addresses all the necessary points with an easy, concise and clear explanation.
- Unbundled: It must be separate from other terms and conditions.
- Active opt-in: Pre-ticked opt-in boxes are invalid.
- Granular: Different consent options for different types of data processing are needed.
- Named: It must include both the name of the organization processing the data and any third parties relying on that consent.
- Documented: all the (consent) information must be documented.
- Easy to withdraw: The users must be notified that they can withdraw their consent and the consent must be easy to be withdrawn.
- No imbalance: There should not be an imbalance in the relationship between the individual and the controller.
1) GDPR Consent is a paid WordPress Plugin (€ 39) that could prevent your website from collecting personal data before your user has provided permission for it.
2) WP GDPR Compliance is one of the most popular GDPR compliance plugins so far. It assists you in complying with privacy regulations. However, the authors clearly state that the plugin does not guarantee full compliance with the GDPR (like any other plugin).
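Whatever plugin you use, the consent criteria listed above come down to a few concrete properties of the form and of what you store. As an added example, not code from this article or from the plugins it names, the following snippet shows a consent handler for a hypothetical newsletter form: each purpose gets its own checkbox that is unchecked by default (active, granular, unbundled), every decision is stored with its timestamp, purpose and policy version (documented), and withdrawal appends a new record rather than deleting history (easy to withdraw, and the record survives for accountability). The form field names, the nonce action `myplugin_consent`, the purposes, the user meta key `myplugin_consent_log` and the constant `MYPLUGIN_POLICY_VERSION` are all assumptions for the example; the WordPress functions used (`wp_nonce_field`, `wp_verify_nonce`, `get_user_meta`, `update_user_meta`, `current_time`) are core.

```php
<?php
/*
 * Added example (not from the article or any plugin it names): explicit,
 * granular, documented and withdrawable consent for a hypothetical form.
 * All myplugin_* names, field names and the meta key are hypothetical.
 */
define( 'MYPLUGIN_POLICY_VERSION', '2018-05' ); // bump whenever the consent wording changes

function myplugin_consent_purposes() {
    return array(
        'newsletter'      => __( 'Send me the monthly newsletter', 'myplugin' ),
        'product_updates' => __( 'Tell me about new products', 'myplugin' ),
    );
}

// Render one unchecked checkbox per purpose, kept separate from any terms-of-service box.
function myplugin_render_consent_fields() {
    wp_nonce_field( 'myplugin_consent', 'myplugin_consent_nonce' );
    foreach ( myplugin_consent_purposes() as $key => $label ) {
        // No "checked" attribute: a pre-ticked box or silence is not consent.
        printf(
            '<p><label><input type="checkbox" name="consent[%1$s]" value="yes"> %2$s</label></p>',
            esc_attr( $key ),
            esc_html( $label )
        );
    }
}

// Append one record per decision; the log is never overwritten, only extended.
function myplugin_record_consent( $user_id, $purpose, $given ) {
    $log   = get_user_meta( $user_id, 'myplugin_consent_log', true );
    $log   = is_array( $log ) ? $log : array();
    $log[] = array(
        'purpose'        => $purpose,
        'given'          => (bool) $given,
        'policy_version' => MYPLUGIN_POLICY_VERSION,
        'recorded_at'    => current_time( 'mysql', true ), // UTC timestamp
    );
    update_user_meta( $user_id, 'myplugin_consent_log', $log );
}

// Handle the submitted form for the logged-in user.
function myplugin_handle_consent_submission() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    if ( ! isset( $_POST['myplugin_consent_nonce'] )
        || ! wp_verify_nonce( $_POST['myplugin_consent_nonce'], 'myplugin_consent' ) ) {
        return; // reject forged or replayed submissions
    }
    $user_id   = get_current_user_id();
    $submitted = ( isset( $_POST['consent'] ) && is_array( $_POST['consent'] ) ) ? $_POST['consent'] : array();

    foreach ( array_keys( myplugin_consent_purposes() ) as $purpose ) {
        // Only the literal "yes" from a ticked box counts as an affirmative action.
        $given = isset( $submitted[ $purpose ] ) && 'yes' === $submitted[ $purpose ];
        myplugin_record_consent( $user_id, $purpose, $given );
    }
}
add_action( 'admin_post_myplugin_consent', 'myplugin_handle_consent_submission' );

// Current state for a purpose: the most recent record wins. No record means no consent.
function myplugin_has_consent( $user_id, $purpose ) {
    $log = get_user_meta( $user_id, 'myplugin_consent_log', true );
    if ( ! is_array( $log ) ) {
        return false;
    }
    $latest = false;
    foreach ( $log as $entry ) {
        if ( $entry['purpose'] === $purpose ) {
            $latest = $entry['given'];
        }
    }
    return $latest;
}

// Withdrawal is just another record with given => false, so it is as easy as opting in.
function myplugin_withdraw_consent( $user_id, $purpose ) {
    myplugin_record_consent( $user_id, $purpose, false );
}
```

Before sending anything for a given purpose, call `myplugin_has_consent()` rather than trusting a flag set at signup time; because the log keeps the policy version, you can also tell which users consented to an older wording and need to be asked again when the text changes.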
5. Prepare a plan for data breaches
Plan how you will deal with a data breach. This plan should detail what processes you will have in place to detect a breach, stop it and prevent further breaches, as well as how you will notify all affected individuals and the regulator within 72 hours.
1) Wordfence plugin is the most comprehensive and well-known WordPress security solution, which includes an endpoint firewall and malware scanner that are made specifically for WordPress platform.
6. Build a data privacy culture
GDPR is not a one-person game. Make sure that all your employees are aware of the importance of complying with the GDPR and have at least a good understanding of the basic requirements as explained in this article. It is important to encourage them to think of personal data as a valuable asset (like money) and to integrate data transparency into their day-to-day operations.
Ideally, you may consider appointing a Data Protection Officer (DPO) to be responsible for reviewing regulation, implementing and documenting processes, and ensuring compliance. A DPO could be appointed internally within an organization or externally.
So, that’s it! We hope this article was helpful for making your WordPress website GDPR ready. However, don’t just take our word for it. Please make sure to go through the regulation in detail. You may also want to seek legal advice from a GDPR consultant.
If you have any further questions about the GDPR and WordPress, feel free to leave your comment below.