TL;DR: The GDPR is a new regulation by the EU. It changes a lot about how each and every WordPress site goes about doing its business. Even non-EU-based sites and businesses are affected. You have less than a year to make your WordPress GDPR compliant. Otherwise you’re facing serious fines – up to € 20 million, or more, believe it or not.
On 25th May 2018, the GDPR (General Data Protection Regulation) enacted by the EU will come into effect. Is your website running on WordPress GDPR compliant? What are the steps that you must take to ensure that you follow the guidelines? What if you neglect this?
This WP GDPR Fix Review will help you in your endeavor to be ready when the regulation kicks in.
What is GDPR?
Disclaimer. This post is not legal advice. We’re not lawyers.
GDPR stands for General Data Protection Regulation and it is a new data protection law in the EU, which comes into force in May 2018.
The aim of the GDPR is to give citizens of the EU control over their personal data and change the approach of organizations across the world towards data privacy.
The GDPR provides much stronger rules than existing laws and is much more restrictive than the “EU cookie law.”
The GDPR applies to data collected about EU citizens from anywhere in the world. As a consequence, a website with any EU visitors or customers must comply with the GDPR, which means virtually all businesses that want to sell products or services to the European market.
To better understand the regulation, take a look at Traffic-Laze Review, which defines all terms related to the law. There are two main aspects of the GDPR: “personal data” and “processing of personal data.” Here’s how it relates to running a WordPress site:
Should GDPR be taken seriously?
Webmasters have until May 2018 to comply with the regulations set by the GDPR. The penalty for non-compliance can be up to € 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
There are various tiers of penalties according to the seriousness of the breach, which are described in the Jumbovid Review.
Such a high amount in penalties has been proposed to increase compliance. However, one may wonder what steps for the supervision of websites are in place. Supervisory Authorities (SA) of different member states are going to be set up, with the full support of the law. Each member state may have multiple SAs, depending on the constitutional, administrative and organizational structures. There are various powers that SAs will have:
SAs have both investigative and corrective powers to check compliance with the law and suggest changes to be compliant.
It is too early to speculate how the SAs of the various member states will interlink and work together, but one aspect is clear: SAs will enjoy considerable power to enforce the GDPR guidelines.
Six months after the guidelines were released, PwC surveyed 200 CXOs of large US firms to assess the impact of the GDPR guidelines. The results revealed that a majority of the firms had taken up the GDPR guidelines as their top data protection priority, with 76% of them prepared to spend in excess of $1 million on GDPR. This WP WhatsApp Review shows that owing to a substantial presence in the EU, large corporations are taking up the GDPR compliance seriously.
[Chart: What companies are willing to spend on GDPR compliance. Under $1 million: 24%; between $1 million and $10 million: 68%; over $10 million: 8%.]
The details of your WordPress GDPR compliance
Okay, so with all the official information out of the way, let’s take a moment to talk about how to make sure that your website is compliant and that you won’t experience any WordPress GDPR problems.
Before you move on to each of the aspects and how to comply with them, a security audit on your WordPress site should, in general, reveal how data is being processed and stored on your servers, and steps that are required to comply with the GDPR. The Security Audit Log plugin can help you perform a security audit on your website.
Some usual ways in which a standard WordPress site might collect user data:
Here are some key aspects of the WordPress GDPR that users need to take care of:
(a) Breach notification
Under the GDPR, if your website experiences a data breach of any kind, that breach needs to be communicated to your users.
A data breach may result in a risk for the rights and freedoms of individuals, due to which notifying users in a timely manner becomes necessary. Under the GDPR, a notification must be sent within 72 hours of first becoming aware of a breach. Data processors are also required to notify users as well as the data controllers, immediately after first becoming aware of a data breach.
In a WordPress scenario, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. However, the complexity here is the definition of the term “user” – it may constitute regular website users, contact form entries, and potentially even commenters.
This clause of the GDPR thus creates a legal requirement to assess and monitor the security of your website. The ideal way is to monitor web traffic and web server logs, but a practical option is to use the Wordfence plugin with notifications turned on. In general, this clause encourages one to use the best security practices available to ensure data breaches do not occur.
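The paragraph above recommends watching web traffic and web server logs, but does not show what that looks like in practice. The script below is an added example (not part of the original post, and not from Wordfence or any plugin) that reads access-log lines in the Apache/Nginx "combined" format and raises two kinds of alert relevant to breach detection on a WordPress site: a burst of login attempts against wp-login.php or xmlrpc.php from one IP within a short window, and a successful (HTTP 200) download of a file that should never be served, such as a wp-config.php backup or a database dump. The sample log lines, the endpoint list, the file-name patterns and the threshold of five attempts per minute are all assumptions chosen for the example; tune them to your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Apache/Nginx "combined" log format. The IPs are
# documentation ranges (RFC 5737); none of this comes from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2018:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2018:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2018:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "WordPress/4.9"
198.51.100.4 - - [10/Feb/2018:10:02:10 +0000] "GET /wp-config.php.bak HTTP/1.1" 200 2890 "-" "curl/7.58.0"
198.51.100.4 - - [10/Feb/2018:10:02:11 +0000] "GET /backup.sql HTTP/1.1" 404 196 "-" "curl/7.58.0"
192.0.2.9 - - [10/Feb/2018:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""

# One "combined" log line: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Endpoints that take credentials (assumption: a stock WordPress install).
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}
# Files that must never be served with a 200: config backups, DB dumps, debug logs.
EXPOSED_FILE_RE = re.compile(r"(wp-config\.php\.\w+|\.sql(\.gz)?|debug\.log|\.env)$")


def parse_line(line):
    """Return a dict for a combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def detect_login_bursts(entries, threshold=5, window=timedelta(minutes=1)):
    """Map IP -> peak number of credential POSTs seen inside any sliding window."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] in LOGIN_ENDPOINTS:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def detect_exposed_files(entries):
    """Successful (200) downloads of files that leak credentials or personal data."""
    return [(e["ip"], e["path"]) for e in entries
            if e["status"] == 200 and EXPOSED_FILE_RE.search(e["path"])]


def analyze(log_text, threshold=5, window=timedelta(minutes=1)):
    """Run both detections over raw log text; unparseable lines are skipped."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {"login_bursts": detect_login_bursts(entries, threshold, window),
            "exposed_files": detect_exposed_files(entries)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The exposed-file check only fires on a 200 response on purpose: a 404 for `/backup.sql` is scanning noise, whereas a 200 means personal data or credentials may already have left the server, which is exactly the event the 72-hour clock above is about. Run this over rotated logs from cron, or feed it live lines with `tail -f`; either way, an alert from it is the trigger for the breach assessment the paragraph describes, not the end of it.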
(b) Data collection, processing and storage
There are three elements to this: the Right to Access, the Right to Be Forgotten and Data Portability.
Privacy by design encourages controllers to enforce data policies which enable the processing and storage of only that data which is absolutely necessary. This encourages site owners and controllers to adopt potentially safer policies for data, by limiting the access to a number of data points.
As a WordPress site owner, you first need to publish a detailed policy on which personal data points you’re using, how they are being processed and stored.
Next, you need to have a setup to provide users with a copy of their data. This is perhaps the most difficult part of the process. However, we can assume that when the time comes, most plugin developers or tool developers – for the tools and plugins that you have on your site – will have already come forward with their own solutions to this.
It is still advised, however, to have a system in place to derive the required data out of your database.
Further, it may be wise to avoid data storage altogether in certain cases. For instance, contact forms could be set up to directly forward all communication to your email address instead of storing them anywhere on the web server.
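The passage above says to have a system in place to derive a user's data out of your database, and the section opened by naming the Right to Access, the Right to Be Forgotten and Data Portability. The script below is an added example (not from the original post, and not WordPress core code) that implements all three against a simplified copy of three core tables. The table layout uses a subset of the real column names of wp_users, wp_usermeta and wp_comments, but the schema itself and every row are constructed for the example and live in an in-memory SQLite database; on a real site you would run the same parameterised queries through $wpdb or a MySQL client. Comments are matched by account and by the e-mail a guest typed in, so the "commenters" case raised in the breach section is covered too.

```python
import json
import sqlite3

# Simplified stand-in for three WordPress core tables, using a subset of their
# real column names. The schema and all rows are constructed for this example.
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
    display_name TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_comments (
    comment_ID INTEGER PRIMARY KEY, comment_post_ID INTEGER, comment_author TEXT,
    comment_author_email TEXT, comment_author_IP TEXT, comment_content TEXT,
    user_id INTEGER);
"""
USER_COLUMNS = ("ID", "user_login", "user_email", "display_name", "user_registered")


def make_sample_db():
    """Create an in-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?,?)", [
        (1, "alice", "alice@example.com", "Alice", "2018-01-05 09:00:00"),
        (2, "bob", "bob@example.com", "Bob", "2018-01-06 09:00:00")])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "first_name", "Alice"), (2, 1, "last_name", "Example")])
    conn.executemany("INSERT INTO wp_comments VALUES (?,?,?,?,?,?,?)", [
        (1, 10, "Alice", "alice@example.com", "203.0.113.5", "Nice post", 1),
        (2, 11, "alice", "alice@example.com", "203.0.113.5", "Another comment", 1),
        (3, 10, "Guest", "guest@example.net", "198.51.100.9", "Hi from a guest", 0)])
    conn.commit()
    return conn


def _find_user(conn, email):
    row = conn.execute(
        "SELECT ID, user_login, user_email, display_name, user_registered "
        "FROM wp_users WHERE user_email = ?", (email,)).fetchone()
    return dict(zip(USER_COLUMNS, row)) if row else None


def export_personal_data(conn, email):
    """Right to Access: collect everything stored about one e-mail address."""
    account = _find_user(conn, email)
    user_id = account["ID"] if account else -1   # -1 never matches a real row
    profile = dict(conn.execute(
        "SELECT meta_key, meta_value FROM wp_usermeta WHERE user_id = ?", (user_id,)))
    comments = [
        {"comment_ID": cid, "post": post, "author": author, "ip": ip, "content": body}
        for cid, post, author, ip, body in conn.execute(
            "SELECT comment_ID, comment_post_ID, comment_author, comment_author_IP, "
            "comment_content FROM wp_comments "
            "WHERE comment_author_email = ? OR user_id = ?", (email, user_id))]
    return {"email": email, "account": account, "profile": profile, "comments": comments}


def export_as_json(conn, email):
    """Data Portability: the same export in a machine-readable format."""
    return json.dumps(export_personal_data(conn, email), indent=2)


def erase_personal_data(conn, email):
    """Right to Be Forgotten: delete the account and strip identity from comments.

    Comments are anonymised rather than deleted so threads stay readable; the
    author name, e-mail, IP and account link are the personal data, not the text.
    """
    account = _find_user(conn, email)
    user_id = account["ID"] if account else -1
    cur = conn.cursor()
    cur.execute(
        "UPDATE wp_comments SET comment_author = 'Anonymous', comment_author_email = '', "
        "comment_author_IP = '', user_id = 0 "
        "WHERE comment_author_email = ? OR user_id = ?", (email, user_id))
    comments_anonymized = cur.rowcount
    cur.execute("DELETE FROM wp_usermeta WHERE user_id = ?", (user_id,))
    meta_rows_deleted = cur.rowcount
    cur.execute("DELETE FROM wp_users WHERE ID = ?", (user_id,))
    user_deleted = cur.rowcount == 1
    conn.commit()
    return {"user_deleted": user_deleted, "meta_rows_deleted": meta_rows_deleted,
            "comments_anonymized": comments_anonymized}


if __name__ == "__main__":
    db = make_sample_db()
    print(export_as_json(db, "alice@example.com"))
    print(erase_personal_data(db, "alice@example.com"))
```

Two design points carry over to a real site. First, every lookup is parameterised, so the e-mail address a user types into a "download my data" form never reaches the query as SQL. Second, the erasure intentionally leaves comment text and the wp_posts table alone: content the person published is not personal data in the same sense, and plugins that keep their own tables (forms, e-commerce, analytics) each need an equivalent routine, which is the point the next section makes about plugins.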
(c) Use of plugins – implications of WordPress GDPR compliance
Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with the GDPR rules.
This can still mean some tough times for some of the most popular plugins out there. For instance, solutions like Gravity Forms or Jetpack have a lot of modules that collect user data by nature. How are those tools going to comply with the GDPR exactly?
For plugins too, the same rules apply, although they must be approached from the point of view of the WordPress site owner. Each plugin needs to establish a data flow and inform users about the processing of personal data. If you are the developer of a plugin, consider providing users of your plugin an addendum that they may add to their website’s terms in order to make them GDPR compliant. Gravity Forms, for instance, needs to let the user know how personal data filled into a contact form is going to be published, and provide an option to have it removed, if necessary.
Although there has been no official communication from the popular WordPress plugin developers, Jetpack’s Twitter handle has confirmed that they are preparing for the GDPR, and further updates would appear in their new privacy-related features.
No other plugin seems to have released any statements related to this yet.
GDPR looks like a really big change that we should all treat very seriously and look for solutions. If there’s one thing we learned from VAT, it’s that the EU is quite serious about those things. They keep introducing more and more regulations and then put new mechanisms in place to enforce them. Those 4% fines aren’t looking good.
Also, some tools that sit seemingly outside of your WordPress website will see the impact of this too. Take email marketing tools, for example. It’s a common practice to have those integrated with your WordPress website and to send promotional emails based on a list of email addresses. Depending on how you run your newsletters/lists, those addresses might not have been obtained with explicit consent from users.
Although the final responsibility lies with the site owner, WordPress itself may have to look into its processes to become compliant as well. As of February 2018, there is a proposed roadmap for adding privacy tools to the core. You can follow the GDPR tickets on Make WordPress Core.
To sum up what it means to make WordPress GDPR compliant:
In a nutshell, to make your WordPress GDPR compliant, you should (1) look into all the different ways in which you’re collecting visitor data. Next, (2) put mechanisms in place to make sure that users can control their data. Additionally, (3) it’s probably a good idea to avoid collecting user data where it’s not necessary (like the contact form example from above). And most importantly of all, (4) even if you’re using third-party tools and solutions, you still need to make sure that those are GDPR compliant as well.
If you don’t have all of the above taken care of by May 2018, you’re in trouble.
Nonetheless, the GDPR regulation is the right step in ensuring transparency in the handling of data. Although this post has covered the basics of the GDPR, you may want to go through the regulation in detail if you have a profitable business running behind your WordPress website. Remember, not complying can result in administrative fines up to € 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.