Many of my customers have asked for information about the GDPR, so I decided to try to provide as clear an explanation as possible of what it is and how it will affect the business of anyone running a website. Specifically, in this article I’d like to clarify how to make a WordPress website compliant with the GDPR.
What is it?
The General Data Protection Regulation is the new data protection law in the EU, the most important change in data privacy regulation in 20 years, which was approved by the EU Parliament on 14 April 2016.
Why is it happening?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to give citizens of the EU control over their personal data and to change the approach of organisations across the world towards data privacy.
Who is going to be bothered by this?
The GDPR law applies to data collected about EU citizens from anywhere in the world. As a consequence, a website with any EU visitors or customers must comply with the GDPR, which means that virtually all websites and businesses must comply.
When does it take effect?
25 May 2018.
Does it affect the UK despite Brexit?
Yes. The UK still needs to implement the GDPR regardless of whether the country is in or out of the EU. The Government has stressed that it wants to maintain the unhindered flow of data between the UK and the EU after Brexit. In an August 2017 position paper, the Government said that it “wanted to explore a UK-EU model for exchanging and protecting personal data that could build on the existing adequacy model”.
What are the possible fines?
There are various tiers of penalties for non-compliance, according to the seriousness of the breach, which can reach 4% of annual global turnover, up to a maximum of €20 million. Such high penalties were set in order to encourage compliance.
Is it something I already have to worry about?
The GDPR looks like a really big change that we should all treat very seriously and look for solutions to. If there’s one thing we have learned so far, it’s that the EU is quite serious about these things. Those 4% fines don’t look good at all.
How and by whom will GDPR be enforced?
Supervisory Authorities (SAs) are being set up in the member states, and each member state may have multiple SAs, depending on its constitutional, administrative and organisational structure. SAs will have considerable power to enforce the GDPR, with both investigative and corrective powers to check compliance with the law and suggest changes needed to become compliant, by:
- carrying out audits on websites,
- issuing warnings for non-compliance,
- issuing corrective measures to be followed with deadlines.
Now that the official information has been laid out, let’s check how to make sure that your WordPress website is compliant and that this new regulation won’t cause you any damage.
First, an important disclaimer: I’m not a solicitor and what follows isn’t legal advice. I want to help you understand the implications of the GDPR for WordPress websites, but if you need concrete legal advice, talk to your solicitor.
How does GDPR relate to a WordPress site?
The personal data involved is “any information relating to an identified or identifiable natural person”, which includes even an IP address.
Processing personal data refers to “any operation or set of operations which is performed on it”. For example, the simple act of storing an IP address in your web server logs means that you are processing a user’s personal data.
How does a standard WordPress site typically collect user data?
- user registrations,
- contact form entries,
- analytics and traffic log solutions,
- any other logging tools and plugins,
- security tools and plugins.
How do you make a WordPress website compliant with the GDPR?
Request explicit consent. The Right to Access states that before data collection takes place – before the user submits the form – they must be made aware that the form is collecting personal data with the intent to store it, and they must give explicit consent to this.
Privacy by design encourages controllers to enforce data policies under which only the data that is absolutely necessary is processed and stored. This pushes site owners and controllers towards safer data policies, by limiting the number of data points collected and who can access them.
Keep user data organised and accessible. The Right to Be Forgotten gives users the option to have all of their personal data erased and to stop further collection and processing of that data. The Data Portability clause of the GDPR gives users the right to download the personal data for which they previously gave consent and to transmit it to a different controller. You must be able to provide a user, on request and free of charge, with a copy of all the personal data you hold on them within 40 days, and to delete that data on request. If you always collect an email address whenever you collect personal data of any type, submissions can easily be searched by it and the user contacted by that means.
Breach notification. Under the GDPR, if your website ever experiences a data breach of any kind, that breach will have to be communicated to all of your users in a timely manner (within 72 hours of first becoming aware of it), because a data breach could put the rights and freedoms of individuals at risk. The ideal approach is to monitor web traffic and web server logs, but a practical option is to use the Wordfence plugin with notifications turned on. In general, this clause encourages you to follow the best security practices available so that data breaches do not occur in the first place.
However, the complexity here is the definition of the term “user”: users may be regular website users, contact form entries, and potentially even commenters. This clause of the GDPR thus creates a legal requirement to assess and monitor the security of your website.
Does every plugin we use on our WordPress site have to comply with the GDPR rules?
Yes, all of them. As a site owner, it is your responsibility to make sure that every plugin can export/provide/erase the user data it collects, in compliance with the GDPR rules. This may still mean some tough times for some of the most popular plugins out there. Each plugin needs to establish a data flow and inform users about its processing of personal data. Plugins may also provide their users with an addendum that they can add to their website’s terms in order to make them GDPR compliant.
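As an added example (not code from this article or from any real plugin), here is how a hypothetical contact-form plugin could meet the export and erase requirements described above for the data it stores, keyed by email address as suggested, using the personal-data exporter and eraser hooks that WordPress core provides (added in 4.9.6). The table `wp_contact_submissions` and its columns are assumptions.

```php
<?php
// Added example, not from the article: a hypothetical plugin that keeps contact-form entries
// keyed by e-mail address and registers them with the personal-data export and erasure hooks
// WordPress core provides (since 4.9.6). The table name and its columns are assumptions.

// Data Portability: return every entry held under the e-mail address the admin tool passes in.
function contact_submissions_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'contact_submissions'; // assumed custom table, one row per submission
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, message, consent_given_at FROM {$table} WHERE email = %s",
        $email_address
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'contact-submissions',
            'group_label' => 'Contact form submissions',
            'item_id'     => 'submission-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',          'value' => $row->name ),
                array( 'name' => 'Message',       'value' => $row->message ),
                array( 'name' => 'Consent given', 'value' => $row->consent_given_at ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // 'done' => true: nothing left to page through
}

// Right to Be Forgotten: delete the rows outright and report the outcome to the admin tool.
function contact_submissions_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'contact_submissions', array( 'email' => $email_address ), array( '%s' ) );
    return array(
        'items_removed'  => $deleted > 0, // false if nothing matched or the query failed
        'items_retained' => false,        // nothing is held back for legal reasons here
        'messages'       => array(),
        'done'           => true,
    );
}

// Register both callbacks so they run from the Export / Erase Personal Data tools.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['contact-submissions'] = array( 'exporter_friendly_name' => 'Contact form submissions', 'callback' => 'contact_submissions_exporter' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['contact-submissions'] = array( 'eraser_friendly_name' => 'Contact form submissions', 'callback' => 'contact_submissions_eraser' );
    return $erasers;
} );
```

Because every row carries the email address it was submitted under, a single lookup answers both an access request and an erasure request, which is exactly why collecting an email address alongside any other personal data keeps the data manageable.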