It applies to all companies that process the personal information of EU citizens (even if your business is not located in the Union, as long as you deal with EU citizens). Discussion of the GDPR started almost a year ago, but the closer the deadline gets, the more buzz there is around it.
As a website owner, you should safeguard the data-protection rights and freedoms of your website users and customers. In simple terms, you should tell people what you are going to do with their personal information, guarantee their fundamental right to the protection of personal data, give them more privacy choices, and the like.
Interestingly, according to a TrustArc survey conducted in 2017, 99 percent of respondents reported needing additional help with the GDPR. The same research shows that IT professionals expect GDPR compliance to require a huge investment: over 80 percent of respondents expected GDPR-related spending to be at least $100,000. That’s really huge.
Should you bother?
The Regulation applies if any of the following statements is true:
- You are a data controller (you collect personal data from EU residents).
- You are a processor (you process personal data on behalf of a data controller).
- You are a data subject (a person) based in the EU.
- You are an organization outside the EU, but you collect and process the personal data of EU citizens.
Simply put, if you have a website and an email list, or a contact form, or a shopping cart, then yes, you collect personal data and you could be affected by the GDPR.
What is included in personal data?
According to the GDPR Art. 4, personal data includes:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Check out the interactive GDPR infographic by the European Commission.
What does it mean to “process data”?
According to the GDPR Art. 4:
“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
How should the personal data of EU citizens be processed?
According to the GDPR Art. 5, it shall be
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
What should your customers be aware of?
According to the GDPR Art. 13:
“Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide
– the identity and the contact details of the controller and, where applicable, of the controller’s representative;
– the contact details of the data protection officer, where applicable;
– the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
– where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
– the recipients or categories of recipients of the personal data, if any;”
These are just a few short key excerpts to give you an idea of what the Regulation is about. You should study all of its aspects and principles carefully to be able to follow the rules in the context of your own business.
Check out these GDPR guides to learn all the details yourself:
- Official GDPR website
- The full GDPR guideline
- An overview of what the GDPR entails
- A brief GDPR overview in simple terms
- GDPR infographic by the European Commission
Not complying with the GDPR
Per Art. 83, non-compliance with the GDPR can result in fines of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Will MotoPress comply with the GDPR?
Alexander Mat, a co-founder of MotoPress, answers this question:
“We take it really seriously. At the moment, MotoPress is fully committed to achieving full compliance with the GDPR in terms of internal website processes and interactions with customers, as well as making all MotoPress products GDPR compliant.
Thankfully and luckily, WordPress is a fast-actioning and powerful community. It is working hard to provide an evolving set of GDPR compliance tools to help all WordPress users and WordPress developers do business according to the Regulation.”
I’d just add that GDPRWP, a very useful project by Dejlig Lama and Peter Suhm that aims to make WordPress plugins GDPR compliant, is now moving into WordPress core. This is good news for WordPress website owners and WordPress plugin providers, as it is going to significantly simplify the preparation process.
Actionable tips on how to comply with the GDPR
The process of making your WordPress website GDPR compliant depends largely on whether the WordPress and non-WordPress tools you use have themselves achieved GDPR compliance.
We’ve also collected some best practices for making your WordPress website GDPR compliant today. Bear in mind that they don’t eliminate the need to consult a lawyer where required.
The following is not legal advice
- Limit your own access to a person’s data – ask only for the personal information you are absolutely sure you need. The less information you store, the better. Again, remember to tell people directly why you need their personal data (e.g. “we are going to send you emails about our promo campaigns”).
- Make sure your website is SSL encrypted (served over HTTPS) so that the data it handles, such as analytics data or email addresses, is protected from breaches while in transit.
- Analyze all the channels through which you collect users’ data and make sure their operations comply with the GDPR.
Though the Regulation is quite well systematized, in each particular case it may not be entirely clear how to set everything up without overlooking some small detail. Given the variety of tools any modern website relies on today, it will take a lot of time to figure out what you should do in order to comply with every officially laid-down rule of the Regulation.
By the way, keep an eye on MotoPress news for privacy-related features!