You may be aware of the GDPR (General Data Protection Regulation) enacted by the EU which came into effect on 25th May 2018. The regulation is designed to give EU residents and citizens more control over their personal data as part of their fundamental right to privacy.
As the website owner, it is your responsibility to be compliant (as stated in my updated Terms & Conditions of Service). There are potential penalties for non-compliance as detailed in some of the resources mentioned in this email, and even if you don’t have EU customers or website visitors it’s a good exercise to carry out overall.
To better understand what GDPR is all about, I encourage you to do your own reading – GDPR compliance information is widely available on the web and I’ve shared a few choice articles and snippets in this email relevant to your WordPress website.
“There are two main aspects of the GDPR: “personal data” and “processing of personal data.” Here’s how it relates to running a WordPress site:
- personal datapertains to “any information relating to an identified or identifiable natural person” – like name, email, address or even an IP address,
- whereas processing of personal datarefers to “any operation or set of operations which is performed on personal data”. Therefore, a simple operation of storing an IP address on your web server logs constitutes processing of personal data of a user”
[Taken from Code in WP Blog’s Complete WordPress GDPR Guide]
Data Subject Rights
In plain English, a data subject is any EU citizen from which you are collecting personal data. GDPR compliance requires data subjects be granted certain rights. What follows is not an exhaustive list, but those rights that are relevant to the collection, processing, and storage of personal data on your WordPress website.
Right to Access. Data subjects must be able to request and obtain confirmation that data is or is not being collected on them, and if so exactly what data is being collected, how, where, and for what purpose. That data must also be provided to them in an electronic format free of charge on request.
Right to Be Forgotten. Data subjects must be provided a quick and painless way to withdraw consent and have collected data purged.
Data Portability. Similar to the Right to Access, Data Portability requires that data subjects are able to request, obtain, and/or transfer possession of collected data at any time.
Breach Notification. If a breach/unauthorized access of personal data takes place that is likely to “result in a risk for the rights and freedoms of individuals”, notification must be made within 72 hours of becoming aware of the breach.”
[Taken from Ninja Forms’ GDPR Compliance and WordPress Forms]
HOW DOES THIS AFFECT YOU?
WordPress websites, and plugins associated with them most commonly collect and store:
- Contact form data
- Comment data
- User registrations
- Analytics tracking information (and as a result details of users’ location, language, gender, age etc)
- IP addresses (through security plugins)
- Mailing list sign up information (name, email etc.)
- Customer information (name, email, address etc.) if you have an online shop
Many plugins and data processors (MailChimp, Google Analytics and file hosting providers like Dropbox) have confirmed that they are GDPR compliant. I’m also constantly making enquiries with other commonly used plugins as to their intended GDPR compliance, but you can take your own steps in the interim to work towards compliance.
The main thing is to ensure that users are explicitly opting in on your website rather than automatically being added to mailing lists, and that you tell users what data is being collected, how it will be used, how it will be protected, how it can be deleted, who has access to it and how it is shared.
Here are my recommended changes to your website(s) which I have actioned:
- Add a Privacy Policy to your website
- Ensure no pre-checked sign up boxes or automatic adding to newsletter (MailChimp) lists are active on your website (usually via Contact Form or WooCommerce checkout).
- Ensure your MailChimp account is using double opt-in with GDPR activated fields, meaning the user receives an email to confirm they wish to sign up to your mailing list.
- Ensure your MailChimp list has GDPR activated fields.
- Add a transparency statement to your contact forms explaining how data will be used etc. and a consent confirmation tick box.
- Add a cookie consent pop up notice to your website.
- Anonymize IP addresses for Google Analytics tracking as recommended by Google.
- Ensure your website is https:// with an SSL certificate installed
Website cookies
Your website will use cookies to track user actions on your website for Google Analytics, Wordfence security, blog comments etc. Part of GDPR compliance is asking users to accept these cookies when visiting your site.
At the moment I believe it’s enough to ask users to accept cookies on your site and link to your privacy policy / website terms to outline this further, however there may be a need for more advanced controls to allow users to deactivate non-essential cookies like Google Analytics tracking when visiting your website. I’m still looking into this and I’m sure as we reach the GDPR compliance deadline more options for managing this effectively will present themselves.
There are currently multiple WordPress tools in development to make GDPR compliance even easier. The global WordPress community is working on this as we speak.
Please note that it is likely that the next update of WordPress core will contain important GDPR compliance changes. It’s therefore highly recommended that your WordPress version is updated as soon as it’s released (as usual, I recommend backing up your site before updating).
Going forward, I will be implementing GDPR compliance in my website builds by design but it will still be the website owner’s responsibility to comply.
ADDITIONAL RESOURCES/READING:
Data Protection – EU Commission: http://ec.europa.eu/justice/smedataprotect/index_en.htm
How to make a WordPress website compliant to GDPR – Pink SEO & Marketing
https://www.pinkseo.marketing/how-to-make-a-wordpress-website-compliant-to-gdpr/
DISCLAIMER:
This is not legal advice; I am not a lawyer or a GDPR compliance expert. These recommendations are as a result of my own independent online research. It is your responsibility as the website owner to ensure your business and website is compliant and it is your responsibility to update your website Terms & Conditions and Privacy Policy.