How to Make Your WordPress Site GDPR Compliant

The General Data Protection Regulation (GDPR), probably the biggest change so far in data privacy law, comes into effect on 25th May 2018.

By combining the existing European data privacy laws into one regulation, the new law gives European Union citizens much stronger control over the way their personal data is tracked, collected, used and stored online.

Although GDPR applies primarily to online businesses in the EU, it will also affect website owners and developers outside the EU who are tracking, collecting and storing any kind of personal data from any European Union citizen.

WordPress, meanwhile, holds over 60% of the CMS market and powers over 30% of global websites, so a huge number of websites stand to be affected by the GDPR. If you run a WordPress-powered website that collects or monitors any kind of personal data from citizens of the European Union, it’s time to get it ready for the GDPR.

Through this blog post, we’ll discuss this topic, but let’s first take a brief look at several new Data Subject Rights given to users in the GDPR!

An individual’s rights under GDPR

Apart from being extra-territorial, the new GDPR regulation brings nine new rights to users, allowing them to have more control over the collection and usage of their personal data. These rights are:

  • Right to be informed. An individual has the full right to be informed about how their personal data is being collected and used.
  • Right to access. Every user has the right to access and download their personal data in the form of an electronic copy provided by the website owner free of cost.
  • Right to rectification. The new GDPR regulation gives users the power to rectify any inaccurate personal data or complete it if it is incomplete.
  • Right to erasure. Also known as the right to be forgotten, this right allows individuals to leave a website and have any personal data erased at any time.
  • Right to restrict processing. According to this right, every user will have the ability to restrict or suppress the processing of their personal data at any time.
  • Right to data portability. The new GDPR regulation empowers users to download and reuse their personal data for their own purposes.
  • Right to object. An individual can prohibit the use of any particular data for direct marketing or any other purpose at any time.
  • Right to be informed about data breaches. In case of a data breach, the website owner must notify users within 72 hours of knowing about the breach.
  • Rights related to automated decision making. The GDPR regulation protects users from being subject to a decision made without the active involvement of a human.

What information will GDPR apply to?

The new GDPR legislation applies to any information that can be used to identify a living person, directly or indirectly. In fact, the new regulation widens the scope of personal information to strengthen users’ rights regarding the collection, storage, and usage of their personal data online. As a result, even a small detail like an IP address now counts as personal data.

Other data considered to be personal include:

  • Name
  • Photo
  • Mobile number
  • Email address
  • Physical address
  • Location data
  • IP address
  • Social security number
  • Profiling, sales and analytics data
  • Online Behavior (Cookies)

Furthermore, the new law also applies to sensitive personal data, a special category of personal data which requires more careful handling and can potentially link back to the identity of a living person. It includes, but is not limited to:

  • Health status
  • Sexual orientation
  • Political views
  • Religious beliefs
  • Behavioral data
  • Financial data
  • Biometric data
  • Genetic data

To sum it up, the GDPR applies to both personal and sensitive personal data.

How to make a WordPress Site GDPR compliant

Now let’s come to the main point: making a WordPress site GDPR compliant.

There are three main ways GDPR can affect a WordPress site:

Data collection, processing, and storage

The way you track and collect users’ data through your WordPress site plays a vital role in determining whether your website complies with GDPR. According to the new legislation, while collecting any kind of data through your WordPress site, you must clearly tell users:

  • Who you are
  • What personal data you collect
  • Why you collect the data
  • Where the collected data is stored
  • How long the data is stored for
  • For what purpose you are using the data
  • How the data is secured

The crucial thing here is transparency. No matter what kind of personal data you collect, or through what medium, users’ explicit consent is now required before you monitor and collect it.

Themes and plug-ins

GDPR doesn’t just apply to the front-end of your WordPress site; the code of your website must also comply with the new law. As a WordPress site owner, you’re ultimately responsible for how a WordPress theme, plug-in or third-party software collects personal data through your site.

While several big themes and plug-ins, like Jetpack, WooCommerce, and Gravity Forms, are already working on GDPR compliance, it’s highly recommended you audit all themes and plug-ins you’re using before the new legislation takes effect. For this purpose, you can use the WP GDPR Compliance plug-in, which helps you identify and resolve key GDPR related issues.

Automatic consent

If you use opt-out options and pre-checked consent boxes on your WordPress site to collect any kind of personal data, that will now be considered a breach under GDPR. As already mentioned above, to meet the new GDPR standard, users must be actively involved in giving consent to the collection of personal data through your WordPress site. According to the new law, some approved examples of legal consent requests are:

  • Clicking an opt-in button/link.
  • Selecting from yes or no options.
  • Responding manually to a consent email.

Now that you understand how GDPR can affect a WordPress site and have a rough idea of how to deal with the GDPR, let’s get familiar with some practical ways you can get your WordPress site into compliance with GDPR:

Audit the personal data you collect

Firstly, take a full audit of the users’ personal data collected through your WordPress site. This will not only help you identify the data that is absolutely necessary to run the website, but also help you get rid of any unwanted data that has no real use or value. Delete any personal data that you no longer use and you’ll have taken the first step toward making your WordPress site GDPR compliant.

Document everything

When you’re left with the absolutely necessary personal data, it’s time to write down your new policies and procedures according to the new GDPR legislation. This will help you have a clear idea of what you’ll do in case a personal data breach occurs or a user requests to access their personal data. In your new policies, describe clearly what personal data you collect, why you collect it and what you do to keep it safe and secure.

Request explicit consent

This one is extremely crucial! According to the new regulation, the explicit consent of the user is required to collect personal data. This means any consent checkbox on your WordPress site must be empty (unchecked) by default, so that users voluntarily tick it to allow the website owner to collect their personal data. In other words, you must remove all automatic opt-in boxes from your WordPress site.

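As an added example (not code from the original post or from WordPress itself), here is a small hypothetical plugin that applies this rule to the built-in comment form: the consent box is rendered unchecked, a comment posted without it is refused on the server side rather than only in the browser, and the time of consent is stored alongside the comment as a record. The field name gdpr_consent and the plugin name are our own choices.

```php
<?php
/*
 * Plugin Name: Comment Consent Checkbox (hypothetical example)
 * Description: Adds an explicit, unchecked-by-default consent box to the
 *              comment form and refuses comments submitted without it.
 */

// Render the consent box. Note there is no "checked" attribute: the user
// has to tick it themselves (no pre-checked opt-in).
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $fields['gdpr_consent'] =
        '<p class="comment-form-consent">' .
        '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="yes" />' .
        '<label for="gdpr_consent">' .
        esc_html__( 'I consent to this site storing my name, email address and IP address with my comment.' ) .
        '</label></p>';
    return $fields;
} );

// Server-side check. The browser can be bypassed, so the absence of the
// field (or any value other than the one we rendered) is treated as
// "no consent" and the comment is never written to the database.
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    if ( is_user_logged_in() ) {
        return; // assumption for this example: registered users consented at signup
    }
    if ( empty( $_POST['gdpr_consent'] ) || 'yes' !== $_POST['gdpr_consent'] ) {
        wp_die(
            esc_html__( 'Please tick the consent box before submitting your comment.' ),
            esc_html__( 'Consent required' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
} );

// Keep a record of when consent was given, so the site can demonstrate it
// later (accountability) and find the data if the user asks for erasure.
add_action( 'comment_post', function ( $comment_id ) {
    if ( ! empty( $_POST['gdpr_consent'] ) ) {
        add_comment_meta( $comment_id, 'gdpr_consent_given', current_time( 'mysql', true ), true );
    }
} );
```

The same pattern (unchecked box, server-side validation, stored proof of consent) applies to any other form on the site, such as a newsletter signup.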
Maintain privacy by design

Privacy by design encourages you to ask users only for the personal data that is absolutely necessary to run your WordPress-powered website. For example, if you’re adding a new form to your WordPress site to collect users’ personal data, build privacy and data protection into the design of the form from the very beginning, instead of treating them as an afterthought or addendum.

Consider appointing a DPO

Finally, if your WordPress site monitors or processes personal data on a very large scale, you may consider hiring a Data Protection Officer (DPO). A DPO is an individual who monitors all privacy and data protection related activities of your WordPress site and ensures it’s compliant with the GDPR regulation. Depending on your requirements, you may appoint a DPO from within your organization or hire one externally.

Other useful GDPR resources

Guest author: Ashish is an experienced web developer working with XHTMLJunction – PSD to WordPress Service Provider. He always tries to keep up with the latest web development trends and technologies to boost his productivity and capabilities. In his spare time, he loves to write articles related to WordPress, Web Design, App Development, and eCommerce.

Jeffbullas's Blog

Comments

  • Anne Thornley-Brown

    Unfortunately, this is not possible with MailChimp. I am getting sick and tired of all of these make work projects that the powers that be and search engines are creating every few years. First it was CASL in Canada and now this.

  • Great and useful article. Thanks for the tips

  • Moss Clement

    The GDPR update has been trending for the past week and some marketers are not paying much attention to it in the sense that it applies only to EU citizens. Although I’m not in the EU zone, I believe it might affect all online business owners including bloggers who have a target audience in the EU region. Consequently, this calls for marketers in all regions to implement this update as it might have a negative impact on your business if you refuse to carry out the update.

    Thanks for sharing.