Table of Contents
- What is GDPR?
- How does this affect you?
- What is required under GDPR?
- How do you know if you are GDPR compliant?
- How to make your WordPress site GDPR compliant
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law that was adopted on 14 April 2016 and became enforceable on 25 May 2018. GDPR is designed to give EU citizens back control over their personal data. Personal data is any data that relates to, or can be used to identify, a person in any way, such as a name, email, address, race, health status or even an IP address.
If you want to read the extensive official PDFs of the regulation (11 chapters, 99 articles) we recommend checking out gdpr-info.eu, as they have everything in a neatly arranged website.
How does this affect you?
While the GDPR was designed to protect the rights of EU citizens, it essentially impacts everyone on the web. Regardless of where a business is established or where its online activities take place, if your website is processing or collecting data from EU citizens, then you must abide by the GDPR. Even if an EU citizen only visits your website for a few seconds, access logs are created and you must follow the regulations.
Businesses that are not in compliance with GDPR’s requirements can face large fines of up to 4% of a company’s annual turnover or €20 million (whichever is greater).
While GDPR has the potential to escalate to those high levels of fines, enforcement will start with a warning, then a reprimand, then a suspension of data processing, and if you continue to violate the law, then the large fines will hit.
What is required under GDPR?
While the GDPR is 200 pages long, here are the most important parts that you need to know:
Explicit Consent – If you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t send unsolicited emails to people who gave you their business card or filled out your website contact form if they did not opt in to your marketing newsletter.
For it to be considered explicit consent, you must require a positive opt-in (i.e. no pre-ticked checkbox), use clear wording (no legalese), and keep it separate from other terms & conditions.
Data can only be used for the reason given at the time of collection and is securely deleted after it’s no longer needed.
Right to Access – You must inform individuals where, why, and how their data is processed / stored.
Right to be Forgotten – An individual has the right to ask for their data to be deleted and to stop further collection and processing of the data, unless there is a reason not to do this, such as a loan account. This process involves the user withdrawing their consent for their data being used.
Data portability – An individual has the right to download their personal data and further transmit that data to a different controller.
Breach Notification – Organizations must report certain types of data breaches to the relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individual data. However, if a breach is high-risk, then the company must also inform the individuals who are impacted right away.
Data Protection Officers – If you are a public company or process large amounts of personal information, then you must appoint a data protection officer. This is not required for small businesses. Consult an attorney if you’re in doubt.
How do you know if you are GDPR compliant?
If you have any of the following things on your website, then you are probably not GDPR compliant and you must review the data they collect and update the information you provide to follow the regulations:
- Any plugin that stores or processes personal data
- User registrations
- Comments
- Contact form entries
- Analytics and traffic log solutions
- Other logging tools and plugins
- Security tools and plugins
How to make your WordPress site GDPR compliant
No single platform, plugin or solution can offer 100% GDPR compliance. The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site.
Here are some recommended steps that you should take:
Update All Legal Documents
You should update all terms and condition pages, privacy pages, affiliate terms, as well as any other legal documents or agreements you might have. WordPress comes with a pre-made privacy policy page with very minimal information and a privacy policy guide that you should follow to ensure you follow regulations.
You can find the guide by editing the pre-made privacy policy page and clicking on the “check out our guide” link near the top of the editing page. Plugins with data collection or processing must also be referenced in the privacy policy. There are many different things that should be included on a privacy policy and you should start now because it will take time.
Check Your WordPress Themes, Plugins, Services, APIs
Plugins – An important rule is that every plugin that collects user data must be able to export, provide or erase that data. If a plugin does not document this in a privacy policy or by some other method, you must either contact the plugin’s developer or stop using the plugin until it reaches GDPR compliance. How each plugin uses data must also be included in your privacy policy.
Contact Forms – All forms require a positive opt-in (i.e. no pre-ticked checkbox) and must contain clear wording on how an individual’s data will be used. WordPress automatically adds a comment privacy checkbox for comments, so you do not have to worry about comments. Other forms require a consent checkbox if they store any personal data. This includes general contact forms if they store information on your site.
An example of checkbox consent wording is “I consent to this website storing my submitted information so that they may respond to my inquiry”. For most contact forms, you can just install a plugin such as WP GDPR Compliance to automatically add a checkbox to all forms. You may need to look for other plugins or include the consent checkboxes manually if certain plugins don’t work.
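The positive opt-in described above, as an added example that is not part of the original post: a small WordPress contact-form handler that renders the consent checkbox unchecked and refuses a submission server-side unless the box was ticked, recording exactly which wording was agreed to and when. The function names, nonce action and the stored fields are assumptions.

```php
<?php
// Added example (not from the original post). Assumed names: the
// `example_` functions, the `example_contact` nonce action and the entry fields.
const EXAMPLE_CONSENT_TEXT = 'I consent to this website storing my submitted information so that they may respond to my inquiry.';

// Render the checkbox: never pre-checked, plain wording, separate from any T&Cs.
function example_render_consent_field() {
    return sprintf(
        '<p><label><input type="checkbox" name="consent" value="1"> %s</label></p>%s',
        esc_html( EXAMPLE_CONSENT_TEXT ),
        wp_nonce_field( 'example_contact', '_example_nonce', true, false )
    );
}

// Validate a POSTed submission. Returns the entry to store, or a WP_Error.
function example_handle_contact( array $post ) {
    if ( ! isset( $post['_example_nonce'] ) || ! wp_verify_nonce( $post['_example_nonce'], 'example_contact' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }
    // A missing or unchecked box is a refusal, never an implied "yes".
    if ( empty( $post['consent'] ) || '1' !== $post['consent'] ) {
        return new WP_Error( 'no_consent', 'You must tick the consent box so we can store your message.' );
    }
    $email = sanitize_email( $post['email'] ?? '' );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Please enter a valid email address.' );
    }
    // Keep a record of what was agreed to and when, alongside the message.
    // The visitor's IP address is deliberately not stored: it is personal data
    // that is not needed to answer an inquiry.
    return array(
        'email'        => $email,
        'message'      => sanitize_textarea_field( $post['message'] ?? '' ),
        'consent_text' => EXAMPLE_CONSENT_TEXT,
        'consent_at'   => current_time( 'mysql', true ),
    );
}
```

Wire `example_render_consent_field()` into your form template and call `example_handle_contact( $_POST )` from the form's submit handler before persisting anything.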
Email Marketing Opt-ins – If you use an email marketing opt-in such as MailChimp to provide newsletters, then you must include a consent checkbox with how an individual’s information will be used. An example is “I consent to my email being stored and used to receive weekly newsletters”. All currently subscribed users must also be sent an email to confirm consent if they had not done so previously. An unsubscribe option must also be provided in all emails.
Cookies – Cookies are information that is stored in an individual’s browser to be used for various purposes. Many plugins use cookies including social media plugins, forms, and even WordPress itself. You must provide a method for users to accept cookies or not upon entering your website. You can use a plugin to solve this such as Cookie Notice for GDPR. There are multiple plugins that can give a notice of consent.
Sales Data – If you sell any products on your website, then you must include information regarding your data collection in the privacy policy. If you use a store plugin such as WooCommerce, then you need to include their privacy policy information regarding data collection in your privacy policy. WooCommerce comes with a pre-made privacy policy blurb to include in your privacy policy. If you will be using data you obtain in the sales process for other purposes, such as emailing recommendations or special offers, state this when collecting the data and give people the option to opt out.
If you use a third party for collecting financial information such as PayPal or Stripe, then you need to include information regarding their data collection in your privacy policy. The WooCommerce pre-made policy includes information about PayPal.
User Registration – If you have user registration to make accounts, then you need to include a consent checkbox and how you will use their data on the form and in the privacy policy. WordPress comes with the ability to export or erase personal data for users. You can find these options underneath the Tools tab in the WordPress admin menu.
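The export/erase requirement for plugins above, and the Tools menu export and erase requests just mentioned, both go through the same WordPress hooks. As an added example that is not part of the original post, this registers a personal data exporter and eraser for a hypothetical contact-form plugin that keeps inquiries in its own database table; the plugin slug, table name and column names are assumptions.

```php
<?php
// Added example (not from the original post). Assumed: the `example-inquiries`
// slug, the `{prefix}example_inquiries` table and its email/message/consent_at columns.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-inquiries'] = array(
        'exporter_friendly_name' => __( 'Example Inquiry Plugin' ),
        'callback'               => 'example_inquiries_exporter',
    );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-inquiries'] = array(
        'eraser_friendly_name' => __( 'Example Inquiry Plugin' ),
        'callback'             => 'example_inquiries_eraser',
    );
    return $erasers;
} );

// Right to Access / Data portability: return every inquiry tied to this email.
function example_inquiries_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_inquiries';
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, message, consent_at FROM {$table} WHERE email = %s", $email_address
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-inquiries',
            'group_label' => __( 'Contact Form Inquiries' ),
            'item_id'     => 'inquiry-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Message' ),          'value' => $row->message ),
                array( 'name' => __( 'Consent given at' ), 'value' => $row->consent_at ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // all rows fit in one page
}

// Right to be Forgotten: delete the rows and report honestly what happened.
function example_inquiries_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_inquiries';
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (bool) $deleted, 'items_retained' => false,
                  'messages' => array(), 'done' => true );
}
```

Once registered, the plugin's data appears in the export file and is removed by the erase request that an administrator runs from Tools in the admin menu.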
Analytics Data – If you use any page tracking method such as Google Analytics to generate analytics data, then you must anonymize the data, or you can use Cookie Notice for GDPR to ask for consent beforehand. You can also use plugins such as Google Analytics Dashboard for WP by ExactMetrics or Google Analytics for WordPress by MonsterInsights.
Legal Disclaimer / Disclosure
We are not lawyers. Nothing on this post should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance. When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.