A Brief Overview of GDPR Compliance for WordPress Users
You might have already received a couple of emails notifying you about privacy policy updates from different websites. Most likely, the vast majority of those notifications are connected to the GDPR, the new General Data Protection Regulation that was adopted back in 2016 and comes into effect on May 25, 2018. If you happen to be new to the term, the main aim of the European Union in enacting these changes is “to harmonize data privacy laws across Europe”, that is, to protect the privacy of all individuals in the EU.
It applies to all companies that process the personal information of EU citizens (even if your business is not located in the Union, as long as you deal with EU citizens). Talk of the GDPR started almost a year ago, but the closer the deadline gets, the more buzz there is around it.
As a website owner, you should safeguard the rights and freedoms of your website users and customers with respect to data protection. In simple terms, you should tell people what you are going to do with their personal information in order to guarantee their fundamental right to the protection of personal data, give them more privacy choices, and the like.
Interestingly, according to the results of a TrustArc survey conducted in 2017, 99 percent of respondents report needing additional help with the GDPR. The same research shows that IT professionals expect compliance with the GDPR to require a huge investment: over 80 percent of respondents expected GDPR-related spending to be at least $100,000. That’s really huge.
Should you bother?
The Regulation applies if any of the following statements are true:
- You are the data controller (you collect personal data from EU residents)
- You are the processor (you process personal data on behalf of a data controller)
- You are the data subject (person) based in the EU
- You are an organization outside the EU, but you collect and process the personal data of EU citizens.
Simply put, if you have a website and an email list, or a contact form, or a shopping cart, then yes, you collect personal data and you could be affected by the GDPR.
What’s included in personal data?
According to the GDPR Art. 4, personal data includes:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Check out an interactive GDPR infographic by the European Commission
What does it mean “to process data”?
According to the GDPR Art. 4:
“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
How should the personal data of EU citizens be processed?
According to the GDPR Art. 5, it shall be
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
What should your customers be aware of?
According to the GDPR Art. 13:
“Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide
– the identity and the contact details of the controller and, where applicable, of the controller’s representative;
– the contact details of the data protection officer, where applicable;
– the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
– where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
– the recipients or categories of recipients of the personal data, if any;”
These are just short key excerpts to give you an idea of what the Regulation is about. You should carefully learn all of its aspects and principles to be able to follow the rules in the context of your own business.
Check out these GDPR guides to learn all the details yourself:
- Official GDPR website
- The full GDPR guideline
- Check out everything the GDPR entails
- A brief GDPR overview in simple terms
- GDPR infographics by the European Commission
Not complying with the GDPR
Per Art. 83, non-compliance with the GDPR can result in sanctions of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Will MotoPress comply with the GDPR?
Alexander Mat, a co-founder of MotoPress, answers this question:
“We take it really seriously. At the moment, MotoPress is fully committed to achieving full compliance with the GDPR in terms of internal website processes and interactions with customers, as well as making all MotoPress products GDPR compliant.
Thankfully and luckily, WordPress is a fast-actioning and powerful community. It is working hard to provide an evolving set of GDPR compliance tools to help all WordPress users and WordPress developers do business according to the Regulation.”
Read more about the updated privacy policy of MotoPress.
I’d just add that a very useful project by Dejlig Lama and Peter Suhm, GDPRWP, which aims to make WordPress plugins GDPR compliant, is now moving into WordPress core. This is good news for WordPress website owners and WordPress plugin providers, as it’s going to significantly simplify the preparation process.
Actionable tips on how to comply with the GDPR
The process of making your WordPress website GDPR compliant depends largely on whether the WordPress and non-WordPress tools you use have themselves achieved GDPR compliance.
We’ve also collected some of the best practices for making your WordPress website GDPR compliant today. Bear in mind that they don’t eliminate the need to consult a lawyer if required.
The following is not legal advice.
- Update the Privacy Policy in accordance with the GDPR and notify your customers about this change. Be open and up-front in your new privacy policy. Learn the GDPR so you can properly state who you are, why you collect personal data, how it will be used, for how long it will be retained, etc. Moreover, provide explicit directions on how and where a person can download the complete data you hold on them, how to delete or change that data, how to unsubscribe, etc. You may check out the updated version of Twitter’s Privacy Policy for a good example.
- Per the GDPR, you must give people more privacy choices, so make all opt-ins optional. That means no opt-in box is checked by default. Each form on your site should make clear that users must first agree to your privacy policy terms themselves. As you are probably relying on third-party opt-in solutions (for email marketing, for example), it is your responsibility to ask those vendors whether they are working on making their products or services GDPR compliant.
- Limit your own access to a person’s data – ask only for the personal information you are absolutely sure you need. The less information you store, the better. Again, remember to tell people directly why you need their personal data (e.g. “we are going to send you emails about our promo campaigns”).
- Make sure your website is served over HTTPS (SSL/TLS), so that data in transit, such as analytics data or submitted email addresses, is protected from interception.
- Analyze all of your channels that collect users’ data and make sure their operations comply with the GDPR.
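The opt-in and data-minimisation tips above translate directly into how a form is built. The snippet below is an added example written for this article; it is not MotoPress code and not part of any plugin mentioned here. It renders a newsletter sign-up form whose consent checkbox is unchecked by default, verifies on the server that consent was affirmatively given (a missing or default value is treated as a refusal), stores only the email address together with a timestamped record of what the person consented to, and uses a WordPress nonce so the submission cannot be forged from another site. All `example_` function, option and shortcode names are hypothetical; the WordPress functions (`wp_nonce_field`, `wp_verify_nonce`, `sanitize_email`, `is_email`, `get_privacy_policy_url`, `update_option`) are real core APIs.

```php
<?php
// Added example, not the page's or MotoPress's own code.
// Hypothetical names: example_signup_form (shortcode), example_* functions,
// and the "example_subscribers" option used as a stand-in for a mailing list.

add_shortcode( 'example_signup_form', 'example_render_signup_form' );

function example_render_signup_form() {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_signup', 'example_signup_nonce' ); ?>
        <input type="hidden" name="action" value="example_signup">

        <!-- Data minimisation: the email address is the only personal data asked for. -->
        <label>Email <input type="email" name="email" required></label>

        <!-- No "checked" attribute: the visitor must tick the box themselves. -->
        <label>
            <input type="checkbox" name="consent" value="1">
            I agree to receive emails about promo campaigns, as described in the
            <a href="<?php echo esc_url( get_privacy_policy_url() ); ?>">privacy policy</a>.
        </label>

        <button type="submit">Subscribe</button>
    </form>
    <?php
    return ob_get_clean();
}

// Handle the submission for both logged-out and logged-in visitors.
add_action( 'admin_post_nopriv_example_signup', 'example_handle_signup' );
add_action( 'admin_post_example_signup', 'example_handle_signup' );

function example_handle_signup() {
    // Reject requests that did not originate from the form (CSRF protection).
    if ( ! isset( $_POST['example_signup_nonce'] )
        || ! wp_verify_nonce( $_POST['example_signup_nonce'], 'example_signup' ) ) {
        wp_die( 'Invalid request.' );
    }

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_die( 'A valid email address is required.' );
    }

    // Consent must be given explicitly. An absent or altered field is a refusal,
    // so a form with the box unticked never results in a stored record.
    if ( ! isset( $_POST['consent'] ) || '1' !== $_POST['consent'] ) {
        wp_die( 'Subscription requires your explicit consent.' );
    }

    // Store only the email plus a record of when and for what purpose consent was
    // given, so the choice can be demonstrated (and honoured on withdrawal) later.
    $subscribers = get_option( 'example_subscribers', array() );
    $subscribers[ $email ] = array(
        'consent_purpose' => 'promotional_email',
        'consent_at'      => current_time( 'mysql', true ), // UTC timestamp
    );
    update_option( 'example_subscribers', $subscribers, false );

    $back = wp_get_referer() ? wp_get_referer() : home_url( '/' );
    wp_safe_redirect( add_query_arg( 'subscribed', '1', $back ) );
    exit;
}
```

Place the code in a small site-specific plugin and drop `[example_signup_form]` into a page. The server-side consent check is the important part: a browser or a crafted request can omit or change the checkbox value, so the markup alone (an unchecked box) is not enough to prove that consent was given. Recording the purpose and time alongside the address is what lets you later show what the person agreed to, and gives you a single place to delete from when they ask to be removed.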
Popular services like Shopify may start providing free privacy policy generators, updated to include the major requirements of the GDPR.
Bottom line
Though the Regulation’s guidelines are quite well systematised, in each particular case it may not be entirely clear how to set everything up without forgetting some tiny detail. Given the variety of tools any modern website relies on today, it will take real time to figure out what you should do in order to comply with the GDPR according to all of the officially laid-down rules.
So, if you respect your business and your customers, take the time to carefully learn the new Regulation, consult a lawyer if needed (as you may find the rules overwhelming), study the updated privacy policies of businesses in a similar niche, and get prepared. Do yourself a favor and make your website GDPR compliant before the May 25, 2018 deadline. A fine of up to €20 million for not complying with the GDPR is also good motivation to start, what do you think?
Btw, keep an eye on the MotoPress news on the privacy-related features!
Really helpful, well-structured article for getting a profound and good overview of the GDPR.