Table of Contents
- What is GDPR?
- How does this affect you?
- What is required under GDPR?
- How do you know if you are GDPR compliant?
- How to make your WordPress site GDPR compliant
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law that was adopted on 14 April 2016 and became enforceable on 25 May 2018. GDPR is designed to give EU citizens back control over their personal data. Personal data is any data that relates to or can be used to identify a person in any way, such as a name, email address, postal address, race, health status or even an IP address.
If you want to read the extensive official text of the regulation (11 chapters, 99 articles), we recommend checking out gdpr-info.eu, which presents all of it on a neatly arranged website.
How does this affect you?
While the GDPR regulations were designed to protect the rights of EU citizens, they essentially impact everyone on the web. Regardless of where a business is established or where its online activities take place, if your website is processing or collecting data from EU citizens, then you must abide by the GDPR regulations. Even if an EU citizen just visits your website for a few seconds, access logs are created and you must follow the regulations.
Businesses that are not in compliance with GDPR’s requirements can face large fines of up to 4% of a company’s annual turnover or €20 million (whichever is greater).
While GDPR has the potential to escalate to those high levels of fines, enforcement will start with a warning, then a reprimand, then a suspension of data processing, and only if you continue to violate the law will the large fines hit.
What is required under GDPR?
While the GDPR is 200 pages long, here are the most important parts that you need to know:
Explicit Consent – If you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t send unsolicited emails to people who gave you their business card or filled out your website contact form if they did not opt in to your marketing newsletter.
For consent to be considered explicit, you must require a positive opt-in (i.e. no pre-ticked checkbox), use clear wording (no legalese), and keep it separate from other terms & conditions.
Data can only be used for the reason given at the time of collection and is securely deleted after it’s no longer needed.
Right to Access – You must inform individuals where, why, and how their data is processed / stored.
Right to be Forgotten – An individual has the right to ask for their data to be deleted and to stop further collection and processing of the data, unless there is a reason not to do this, such as an open loan account. This process involves the user withdrawing their consent for their data being used.
Data portability – An individual has the right to download their personal data and further transmit that data to a different controller.
Breach Notification – Organizations must report certain types of data breaches to the relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individuals’ data. If a breach is high-risk, then the company must also inform the individuals who are impacted right away.
Data Protection Officers – If you are a public company or process large amounts of personal information, then you must appoint a data protection officer. This is not required for small businesses. Consult an attorney if you’re in doubt.
How do you know if you are GDPR compliant?
If you have any of the following on your website, then you are probably not GDPR compliant and you must review how that data is collected, disclosed and stored so that it follows the regulations:
- Any plugin that stores or processes personal data
- User registrations
- Contact form entries
- Analytics and traffic log solutions
- Other logging tools and plugins
- Security tools and plugins
How to make your WordPress site GDPR compliant
No single platform, plugin or solution can offer 100% GDPR compliance. The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site.
Here are some recommended steps that you should take:
Update All Legal Documents
Check Your WordPress Themes, Plugins, Services, APIs
Contact Forms – All forms require a positive opt-in (i.e. no pre-ticked checkbox) and must contain clear wording on how an individual’s data will be used. WordPress automatically adds a privacy checkbox to its comment form, so you do not have to worry about comments. Other forms require a consent checkbox if they store any personal data. This includes general contact forms if they store the submitted information on your site.
An example of checkbox consent wording is “I consent to this website storing my submitted information so that they may respond to my inquiry”. For most contact forms, you can just install a plugin such as WP GDPR Compliance to automatically add a checkbox to all forms. You may need to look for other plugins or add the consent checkboxes manually if certain plugins don’t work with your forms.
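As an added example that is not part of the original post, here is how the positive opt-in can be enforced on the server rather than only in the browser, with the consent wording and time recorded alongside the entry; the gdpr_demo_* names and the private post type used for storage are assumptions made for this illustration:

```php
<?php
// Added example, not code from the original post: a minimal WordPress contact form
// that enforces a positive opt-in server-side and records exactly what was consented to.
// All names (gdpr_demo_*, the private post type) are assumed for this illustration.
define( 'GDPR_DEMO_CONSENT_TEXT', 'I consent to this website storing my submitted information so that they may respond to my inquiry' );

// Private post type: entries stay out of the public site, feeds and search.
add_action( 'init', function () {
    register_post_type( 'gdpr_demo_entry', array( 'public' => false, 'show_ui' => true, 'label' => 'Contact entries' ) );
} );

// [gdpr_demo_form]: consent box unchecked by default, plain wording, separate from any T&Cs.
add_shortcode( 'gdpr_demo_form', function () {
    ob_start(); ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'gdpr_demo_contact', 'gdpr_demo_nonce' ); ?>
        <input type="hidden" name="action" value="gdpr_demo_contact">
        <p><label>Email <input type="email" name="email" required></label></p>
        <p><label>Message <textarea name="message" required></textarea></label></p>
        <p><label><input type="checkbox" name="consent" value="1"> <?php echo esc_html( GDPR_DEMO_CONSENT_TEXT ); ?></label></p>
        <p><button type="submit">Send</button></p>
    </form>
    <?php return ob_get_clean();
} );

// Server-side handling: the browser's "required" attribute is not enforcement, so a
// POST that omits the tick (scripted or from a modified page) is rejected here.
function gdpr_demo_handle_submission() {
    if ( ! isset( $_POST['gdpr_demo_nonce'] ) || ! wp_verify_nonce( $_POST['gdpr_demo_nonce'], 'gdpr_demo_contact' ) ) {
        wp_die( 'Invalid request.', '', 403 );
    }
    if ( ! isset( $_POST['consent'] ) || '1' !== $_POST['consent'] ) {
        wp_die( 'We cannot store your message without your consent.', '', 400 );
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Please enter a valid email address.', '', 400 );
    }
    // Keep the consent wording and UTC time with the entry so it can be produced on an access
    // request and deleted on an erasure request. No IP is stored: it is not needed to reply.
    wp_insert_post( array(
        'post_type'    => 'gdpr_demo_entry',
        'post_status'  => 'private',
        'post_title'   => 'Inquiry from ' . $email,
        'post_content' => sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) ),
        'meta_input'   => array( 'email' => $email, 'consent_text' => GDPR_DEMO_CONSENT_TEXT, 'consent_at' => current_time( 'mysql', true ) ),
    ) );
    wp_safe_redirect( add_query_arg( 'sent', '1', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
}
add_action( 'admin_post_nopriv_gdpr_demo_contact', 'gdpr_demo_handle_submission' );
add_action( 'admin_post_gdpr_demo_contact', 'gdpr_demo_handle_submission' );
```

Because the consent text is stored with each entry, a later change to the wording does not alter the record of what earlier visitors actually agreed to.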
Email Marketing Opt-ins – If you use an email marketing service such as MailChimp to provide newsletters, then you must include a consent checkbox stating how an individual’s information will be used. An example is “I consent to my email being stored and used to receive weekly newsletters”. All currently subscribed users must also be sent an email to confirm consent if they have not done so previously. An unsubscribe option must also be provided in all emails.
Analytics Data – If you use any page tracking method such as Google Analytics to generate analytics data, then you must anonymize the data, or you can use Cookie Notice for GDPR to ask for consent beforehand. You can also use plugins such as Google Analytics Dashboard for WP by ExactMetrics or Google Analytics for WordPress by MonsterInsights.
Legal Disclaimer / Disclosure
We are not lawyers. Nothing on this post should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance. When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.