WordPress GDPR Compliance – Everything You Need to Know

July 15, 2019

You might have heard of the term “GDPR” being discussed around the web. It’s still a pretty hot topic, especially with all that is going on with data breaches and security in the news. To put it simply, GDPR is a privacy law designed to give citizens back control of their personal data. Hands down, GDPR is impacting how the entire internet deals with data. The scary part is that the deadline was last year (May 25th, 2018) and many questions regarding GDPR are still plaguing people:

  1. What exactly is GDPR? In layman’s terms.
  2. Does GDPR impact me?
  3. What do I need to do for GDPR compliance?

Many have a tendency to put off what they don’t understand. Taxes are a good example. For a lot of us, GDPR has simply been a lower priority on our checklists. But the GDPR deadline has come and gone and you really should take a few moments to determine whether or not you need to make changes to the way your business and/or website operates. If you don’t, there could be hefty fines involved.

Don’t worry, we’ll try and explain everything you need to know about GDPR below, as well what you can do to prepare. But we aren’t lawyers, so we’ll try not to bore you with all the legal details.

What is GDPR? In Layman’s Terms

GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679). It’s a privacy law adopted on April 14, 2016, by the European Parliament to protect the personal data of individuals in the EU (28 member states at the time). It replaces Directive 95/46/EC on data protection of 24 October 1995 and is much more extensive than the 2011 “Cookie Law” (the ePrivacy Directive, itself due to be replaced by the new EU ePrivacy Regulation, which goes hand in hand with GDPR). The regulation had a two-year transition period and became enforceable on May 25th, 2018.

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years… EU GDPR

If you want to read the extensive official PDFs of the regulation (11 chapters, 99 articles) we recommend checking out gdpr-info.eu, as they have everything in a neatly arranged website.

There are a few key terms to get a handle on:

  • A controller determines the purposes and means of processing personal data.
  • A processor processes personal data on behalf of a controller.
  • Personal data is any information that can be used to identify an individual, even indirectly by combining it with other information.

What is Processing?

If personal data is accessed or stored or used in any way, that is considered processing. The full GDPR definition of processing includes all of the following actions taken on personal data as constituting processing of that data: collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transmission, disclosure, dissemination, combination, alignment, restriction, erasure, or destruction.

Basic Principles of GDPR

There are seven basic principles that apply to the controller under GDPR:

  1. Data has to be processed lawfully, fairly, and transparently. This requires a lawful basis, of which consent is only one (Art. 6).
  2. Personal data has to be collected for a specific, explicit, and legitimate purpose and only used for that purpose.
  3. Personal data must be adequate, relevant, and limited to what is necessary for that purpose.
  4. Personal data must be accurate and kept up to date.
  5. Personal data should only be kept in identifiable form for the shortest period possible.
  6. Personal data should be processed in such a way that ensures the security of the data.
  7. The controller is responsible for being able to demonstrate compliance with these principles.

Individual rights under GDPR

Individuals protected by GDPR (anyone in the EU, not only citizens) have seven rights that the controller, and any processor acting on its behalf, must be prepared to uphold:

  1. A right to be informed: Gives a person the right to know what information is being stored about them.
  2. A right to access and portability: A person can request a copy of the information held about them (Art. 15) in a commonly used, machine-readable format that they can reuse or transfer to another service (Art. 20).
  3. A right to rectification (Art. 16).
  4. A right to be forgotten (erasure): A person can request that the personal data held about them is completely erased, unless there is a valid reason to keep it, such as a legal obligation to retain records for an outstanding bank loan (Art. 17).
  5. A right to restrict processing.
  6. A right to object.
  7. A right to fair treatment when subjected to automated decision making and profiling.

Additional GDPR Notes

Unfortunately, not everything is always black or white when it comes to things like this, so here are a few additional things to keep in mind:

  • Applies to any personal data, which is broader than the usual notion of PII. Art. 4(1) defines it as:

Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Online identifiers include IP addresses and cookie identifiers (Recital 30), so a web server log or an analytics cookie is personal data even when no name is attached to it. The regulation also controls what can be done with that personal data.

  • Applies to any sensitive personal data such as race, ethnic origin, sexual orientation, and health status (Recital 51, Art. 9).
  • Privacy by design and default: Makes sure that personal information is properly protected. New systems must have protection designed into them and access to the data is strictly controlled and only given when required (Art. 25).
  • If data is lost, stolen or accessed without permission, the supervisory authority must be notified within 72 hours of you becoming aware of the breach, where feasible (Art. 33), and the people whose data was affected must be told without undue delay when the breach is likely to result in a high risk to them (Art. 34).
  • Data can only be used for the reason given at the time of collection and is securely deleted after it’s no longer needed.
  • Allows national authorities to impose fines on companies breaching the regulation.
  • Parental consent will be required to process the personal data of children under the age of 16 for online services; can vary per member state, but it will not be below the age of 13 (Art. 8).

Who Does GDPR Impact?

While GDPR was designed to protect the rights of people in the EU, it essentially impacts everyone on the web. That’s right, everyone! It applies regardless of where a business is established or where its online activities take place (Art. 3). If your website is processing or collecting data from people in the EU, then you must abide by the GDPR regulations.

Here are just a couple examples of websites located outside of the EU that are impacted:

  • A WordPress community site that collects personal information for each user profile.
  • A WordPress theme shop that has customers sign up for accounts to purchase themes or plugins (sales and billing data).
  • A WordPress blog that has a newsletter subscription widget or lets visitors comment.
  • An ecommerce (WooCommerce or Easy Digital Downloads) store that sells products online.
  • A WordPress site that uses analytics software.

You can probably see where we are going with this. Unless you’re explicitly blocking all EU traffic, which most of you probably aren’t, then your site falls under GDPR regulations.

If you’re wondering whether your company is already GDPR compliant, the team over at Mailjet created a handy GDPR quiz. We also recommend checking out The GDPR Checklist.

Consequences of Not Complying with GDPR

According to data.verifiedjoseph, as of March 20, 2019, 1,129 websites are still not available in the European Union after GDPR was put into effect. 😱 Many of these include large news organizations.

Why? Because they haven’t been able to comply with the technical implementations of GDPR and therefore don’t want to face fines. So they have simply blocked traffic from the EU altogether.

If your business doesn’t comply with GDPR you can be fined up to €20 million or 4% of annual worldwide turnover, whichever is higher, per infringement. Fines are tiered: the lower tier of up to €10 million or 2% of turnover applies to, for example, not keeping records of processing in order, not notifying the supervisory authority and data subjects about a breach, or not conducting a required impact assessment (Art. 83).

In January 2019, France’s data privacy watchdog (the CNIL) fined Google €50 million (about $57 million) under GDPR. And as of February 2019, there have been over 59,000 reported data breaches and 91 fines.

If you’re a small ecommerce shop or WordPress developer these fines could be devastating!

How to Make Your WordPress Site GDPR Compliant

Now for the reason you’re probably all reading this blog post, and that is how to make your WordPress site GDPR compliant. Unfortunately, unlike our normal tutorials, we can’t give you a simple step by step tutorial as becoming compliant varies per site. But here are suggestions to get on the right track, as well as additional things to be aware of.

1. Hire a Lawyer

If you have any concerns about GDPR compliance (which most of you probably do) we always recommend hiring a lawyer, even if it’s just temporarily. This is one of those areas we strongly urge you to not try and tackle on your own. A lawyer can provide you with legal advice specifically tailored to your situation. If you get this wrong, it could result in hefty fines.

2. Review Your Data Collection and Processing Workflow

We recommend going through your entire WordPress site and determining where data collection and processing occur, where that information is stored (including third-party services and backups), and for how long. This includes things such as:

  • Collecting personal information on an ecommerce checkout page or WordPress registration page.
  • IP addresses, cookie identifiers, and GPS locations.
  • Various services such as Google Analytics, Hotjar, etc.

After you pinpoint all of these you need to confirm that you have a lawful basis for each one (the visitor’s consent where nothing else applies), and that you disclose how the collected data is used.

3. GDPR Project Has Been Merged into WordPress Core for Developers

Dejlig Lama & Peter Suhm originally started working on a project called GDPR for WordPress. It was meant to give plugin developers a simple way to make their plugins GDPR-ready, and to give website administrators the overview and tools to handle the administrative tasks involved in being GDPR compliant. The great news is that this work has now become part of WordPress core (as of 4.9.6).

To see what was done, you can check out the GDPR Trac tickets as well as the roadmap for GDPR compliance. This was just as important for WordPress users as it was for developers, as GDPR compliance is a two-way street. WordPress users needed new features built into plugins they were already using such as checkboxes, prompts, etc. to make sure they are compliant when collecting data.

4. Update All Legal Documents

With GDPR it’s now time to update your terms and conditions pages, privacy pages, affiliate terms, as well as any other legal documents or agreements you might have. If you rely on consent, you can no longer have forms without a checkbox (or an equivalent unambiguous opt-in); only processing that rests on another lawful basis under Art. 6, such as fulfilling a contract, is exempt. In other words, there must be a way for the user to specifically consent, and pre-ticked boxes don’t count (Recital 32). Gone are the days of just throwing terms in a link at the bottom and assuming the user will read them.

The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. (Source: EU GDPR)

Again, this is an area we recommend roping in a lawyer. If you’re just running a simple blog, at least use a tool like iubenda or something similar to generate stronger privacy policies.

A new privacy page feature was added in WordPress 4.9.6. You can now designate a privacy page on your site and it will show on your login and registration pages. We also recommend putting it in your footer.

WordPress also generates a default privacy policy page (under Settings > Privacy). Treat it as a template or starting point; it won’t have everything your site needs.

5. Offer Data Portability

According to Art. 20, a business that processes personal data the user provided, on the basis of consent or a contract, must also offer the user the ability to download it and take/transfer the data elsewhere.

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Make sure you have a system in place to provide a user with a downloadable file of their data if requested (.csv, .xml, .json, etc.). If you can’t currently offer this, you might want to hire a WordPress developer.

New features regarding data handling were added in WordPress 4.9.6. Site owners can now export a ZIP file containing a user’s personal data as well as erase a user’s personal data. There is also a new email-based method that they can use to confirm personal data requests.
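The core export and erase tools only know about the data core itself stores (profile, comments, media); a plugin that keeps its own personal data has to register with them, or the ZIP and the erasure will silently miss it. The following is an added example, not code from the original article or from WordPress core. It assumes a hypothetical newsletter plugin storing signups in a custom table named {prefix}newsletter_signups with the columns id, email, ip_address and signed_up_at, and a hypothetical newsletter_gdpr_retain filter for the retention decision. The wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters, the callback return shapes and wp_privacy_anonymize_data() are the real WordPress 4.9.6+ privacy API.

```php
<?php
/**
 * Plugin Name: Newsletter GDPR Hooks (added example)
 *
 * Registers a personal data exporter and eraser with the WordPress privacy
 * tools (Tools > Export Personal Data / Erase Personal Data, WP 4.9.6+).
 * Assumes a hypothetical table {$wpdb->prefix}newsletter_signups with the
 * columns id, email, ip_address, signed_up_at.
 */

// Art. 20: make our rows part of the ZIP that core builds for a data subject.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
	$exporters['newsletter-signups'] = array(
		'exporter_friendly_name' => __( 'Newsletter signups' ),
		'callback'               => 'newsletter_gdpr_export',
	);
	return $exporters;
} );

function newsletter_gdpr_export( $email_address, $page = 1 ) {
	global $wpdb;
	$per_page = 100; // Core keeps calling us with $page + 1 until 'done' is true.
	$offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;

	$rows = $wpdb->get_results( $wpdb->prepare(
		"SELECT id, email, ip_address, signed_up_at
		   FROM {$wpdb->prefix}newsletter_signups
		  WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
		$email_address, $per_page, $offset
	) );

	$export_items = array();
	foreach ( $rows as $row ) {
		$export_items[] = array(
			'group_id'    => 'newsletter-signups',
			'group_label' => __( 'Newsletter signups' ),
			'item_id'     => 'newsletter-signup-' . $row->id,
			'data'        => array(
				array( 'name' => __( 'Email' ),      'value' => $row->email ),
				array( 'name' => __( 'IP address' ), 'value' => $row->ip_address ),
				array( 'name' => __( 'Signed up' ),  'value' => $row->signed_up_at ),
			),
		);
	}

	return array( 'data' => $export_items, 'done' => count( $rows ) < $per_page );
}

// Art. 17: let an erase request remove (or, when we must keep it, anonymize) our data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
	$erasers['newsletter-signups'] = array(
		'eraser_friendly_name' => __( 'Newsletter signups' ),
		'callback'             => 'newsletter_gdpr_erase',
	);
	return $erasers;
} );

function newsletter_gdpr_erase( $email_address, $page = 1 ) {
	global $wpdb;
	$table = $wpdb->prefix . 'newsletter_signups';

	// Hypothetical filter: a site with a legal obligation to keep the record
	// (Art. 17(3)(b)) returns true here. Default is to erase outright.
	if ( apply_filters( 'newsletter_gdpr_retain', false, $email_address ) ) {
		$rows = $wpdb->get_results( $wpdb->prepare(
			"SELECT id, ip_address FROM {$table} WHERE email = %s", $email_address
		) );
		foreach ( $rows as $row ) {
			// Core helper: 203.0.113.42 -> 203.0.113.0 for IPv4; host bits zeroed for IPv6.
			$wpdb->update(
				$table,
				array( 'ip_address' => wp_privacy_anonymize_data( 'ip', $row->ip_address ) ),
				array( 'id' => $row->id ),
				array( '%s' ),
				array( '%d' )
			);
		}
		return array(
			'items_removed'  => false,
			'items_retained' => count( $rows ) > 0,
			// Shown in the admin's erasure table so the reason for retention is on record.
			'messages'       => array( __( 'Newsletter records were kept to meet a legal retention duty; IP addresses were anonymized.' ) ),
			'done'           => true,
		);
	}

	$deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

	return array(
		'items_removed'  => (bool) $deleted,
		'items_retained' => false,
		'messages'       => array(),
		'done'           => true,
	);
}
```

Drop this in as a plugin and run a request from Tools > Export Personal Data; the “Newsletter signups” group shows up in the ZIP. The exporter is paged so a large table doesn’t time out a single request, and the eraser reports items_retained with a message rather than silently keeping data, which is what lets you demonstrate the retention decision later (principle 7 above).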

6. Self-Certify Under Privacy Shield Framework

Due to the fact that many websites collect data from all over the globe and with tighter restrictions on personal data, many companies are now certifying under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. These were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

Read more about the benefits of self-certifying under the Privacy Shield. Keep in mind that a transfer mechanism like this can be invalidated by the EU courts, as happened to its predecessor Safe Harbor in 2015, so confirm the framework’s current status before relying on it and have a fallback such as the EU’s Standard Contractual Clauses in place.

7. Encrypt Your Data / HTTPS

In terms of encryption, there are two different parts to this: encryption of your web traffic (HTTPS) and encryption where your data is stored (at rest). We always recommend you encrypt your web traffic, regardless of GDPR. The benefits of moving to HTTPS far outweigh the cons and that is where the web is headed.

The term encryption itself is only mentioned a few times in the GDPR and is not strictly mandatory: Art. 32(1)(a) lists it as one of the measures to apply “as appropriate” to the risk. It does carry a concrete benefit, though: under Art. 34(3)(a), if breached data was encrypted so that it is unintelligible to whoever obtained it, you don’t have to notify the affected individuals.

In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption (Recital 83).

So while it appears encryption is not legally required to comply with GDPR, it’s highly recommended, as you are responsible for the data. If you’re using a WordPress host like Kinsta, we are powered by Google Cloud Platform which means all data is encrypted at rest. Read more about GDPR encryption.

8. Check Your WordPress Themes, Plugins, Services, APIs

Any WordPress plugins or theme-specific features you have installed that collect or store personal data must be updated for your site to be fully GDPR compliant. If you’re a WordPress developer, hopefully you have already made GDPR changes for your users. We’ll include some popular plugins and configurations below, along with direct links to how they’re handling GDPR.

This article was originally posted here: https://kinsta.com/blog/wordpress-gdpr-compliance/

About Article Author

GDPR Associates