GDPR Checklist: What WordPress Businesses Need to Know
If you’re wondering why you’re suddenly getting so many emails from online businesses regarding recent updates to their privacy policies, it’s because of the GDPR.
The GDPR, or General Data Protection Regulation, is the most significant change to European Union (EU) data privacy law in decades. It replaces the Data Protection Directive 95/46/EC, adopted in 1995, and officially took effect on May 25, 2018.
Although the GDPR is already in force, as many as 84% of SMEs are still unaware of its requirements, due in large part to the size of the text: 99 articles and 173 recitals. If you still haven’t brought your WordPress website into line with the GDPR, there’s no time like the present.
Here’s a breakdown of the most important things to consider:
What is the GDPR and Why Should it Matter to Me?
The GDPR aims to:
- Give people in the EU more control over their personal data, at a time when data breaches and hacks are reported almost weekly. (The regulation protects anyone located in the EU, not only EU citizens.)
- Simplify data regulations for both local and international businesses by offering a unified regulation.
Businesses found not to be compliant can be fined up to 20 million euro (about US $24 million) or 4% of global annual turnover, whichever is higher, for the most serious infringements; a lower tier of 10 million euro or 2% applies to other obligations, such as failing to notify a breach.
The good news? A fine is not the only tool regulators have, and it is not an automatic first step. Supervisory authorities can also issue warnings, reprimands and orders to bring processing into compliance, and any fine must be proportionate to the infringement. There is, however, no guaranteed warning before a fine. The maximum was set high precisely to get the attention of large multinational corporations that assume they can get away with anything.
The GDPR affects businesses that process the personal data of people in the EU. This means that even if you’re not in the EU, if your website serves users who are in the EU, you may have to comply.
Don’t fret too much about this: Article 3 of the GDPR sets the territorial scope. It applies to organisations established in the EU, and to organisations outside the EU only when they offer goods or services to people in the EU (paid or free) or monitor their behaviour, for example through analytics or advertising tracking. A site that merely happens to be reachable from the EU is not automatically in scope. Blocking EU visitors by IP geolocation is not, by itself, a breach of the GDPR, but it is a weak compliance strategy: geolocation is unreliable, travellers and VPN users slip through, and it does nothing about the EU personal data you already hold.
What Does the GDPR Require?
The GDPR was created to give users more control over their data, as well as to provide a unified international standard that businesses should follow with regards to protecting users’ data.
GDPR is primarily concerned with two facets of data privacy:
- Personal data: any information relating to an identified or identifiable person, such as names, email addresses, postal addresses, IP addresses and other online identifiers, income, and health data.
- Processing personal data: any operation performed on personal data, including collection, storage, use, disclosure and deletion. Simply storing any of these data items is already within the scope of the GDPR.
Here are some of the most important policies to note when it comes to complying with GDPR—considerations for your GDPR checklist:
- Valid consent. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: no pre-checked opt-in boxes, no consent buried in general terms and conditions, and a request written in plain language and kept separate from other matters. Explicit consent is required for special categories of data such as health data. Consent is only one of six lawful bases for processing; for data you need in order to fulfil a contract or meet a legal obligation you do not have to ask for consent, but you still have to tell users what you are doing with it.
- Data protection officer. A data protection officer (DPO) is mandatory for public authorities, for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, and for those whose core activities involve large-scale processing of special categories of data (such as health data) or criminal conviction data. Examples are a company processing patient records for hospitals, or one processing personal and behavioural data for targeted advertising. The trigger is the nature and scale of the processing, not the size of the company: a small business that does none of the above does not need a DPO, but a small ad-tech firm might.
- Report data breaches. Previously, breaches were often reported long after the fact. Now a controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; if notification is late, the reasons for the delay must be given. Where a breach is likely to result in a high risk to individuals, the affected people must also be informed without undue delay.
Users also have rights over their data. Three of the most relevant are:
- Right to erasure (the ‘right to be forgotten’). Individuals can ask you to delete their personal data, for example when they withdraw consent or when the data is no longer needed for the purpose it was collected for, such as when the person is no longer a client of your company and you have no other legal ground for keeping it.
- Right of access. Individuals can ask whether you process their data and request a copy of it, along with information on how it is used, why, with whom it is shared and how long it is kept.
- Data portability. Individuals can receive the data they provided to you in a structured, commonly used, machine-readable format, and can have it transmitted to another data controller. This applies to data processed by automated means on the basis of consent or a contract.
GDPR Checklist: Simple Steps to implement GDPR on your WordPress Website
WordPress core on its own collects little personal data, and the project added features to support GDPR compliance in the WordPress 4.9.6 update (May 17, 2018).
That being said, it’s still worth noting that no single platform, plugin, or solution can offer 100% GDPR compliance due to the dynamic nature of websites. Instead, the compliance process will depend on the type of website you have, the type of data you collect and store, and how you process data on your site.
Here are some of the latest GDPR features WordPress has incorporated:
- Comment consent checkbox. The comment form now asks commenters whether they want their name, email address and website saved for quicker commenting next time. Previously, WordPress stored this information in a cookie in the user’s browser without asking. Commenters can leave the box unchecked, but then have to type in their details every time they comment.
- Privacy policy page. Under Settings > Privacy you can designate an existing page as your privacy policy or create one from a starter template, and plugins can contribute suggested text describing what data they collect.
- Data export and erasure. Site admins can now export and erase a user’s personal data from Tools > Export Personal Data and Tools > Erase Personal Data. Requests are keyed by email address and confirmed by the user through an emailed link. Note that these tools only cover data that WordPress core and your plugins have registered with them; data a plugin keeps in its own tables is invisible to the export and erase screens unless the plugin hooks in.
Here are some additional items to add to your WordPress GDPR checklist:
- Conduct a website audit: list every form, plugin and third-party script that collects or sends personal data, and note what is collected, why, and where it goes (contact forms, analytics, embedded fonts, social widgets, payment providers).
- Ask explicit permission before storing users’ details where consent is your lawful basis, and tell them what you will use their data for.
- Stop collecting what you don’t need: don’t store IP addresses with form submissions unless you have a reason to, anonymise the IPs WordPress keeps with comments, and only set non-essential cookies (analytics, advertising) after consent.
- Honour access, erasure and portability requests within the one-month deadline, and make sure deletion also reaches backups, email marketing lists and any other place the data was copied to.
- Keep your site secure (timely updates, strong authentication, least-privilege accounts, HTTPS), so that a breach is less likely in the first place; security of processing is itself a GDPR obligation (Article 32).
- Appoint a data protection officer if your processing requires one (see above), or at least name someone responsible for handling privacy questions and requests.
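The following is an added example, not code from this article or from WordPress core, showing how a plugin that keeps personal data outside the standard WordPress tables would plug into the Tools > Export/Erase Personal Data screens and stop storing full commenter IPs. It assumes a hypothetical plugin table named {$wpdb->prefix}newsletter_signups with columns id, email, ip and signed_up_at; the hooks and helpers it uses (pre_comment_user_ip, wp_privacy_anonymize_ip, wp_privacy_personal_data_exporters, wp_privacy_personal_data_erasers) are real WordPress APIs, the privacy-related ones added in 4.9.6.

```php
<?php
/**
 * Added example (not WordPress core code): wire a hypothetical plugin's
 * stored personal data into the Tools > Export / Erase Personal Data
 * screens introduced in WordPress 4.9.6, and anonymise commenter IPs.
 *
 * Assumption (not from the article): a plugin table
 * {$wpdb->prefix}newsletter_signups with columns id, email, ip, signed_up_at.
 */

// 1. Store an anonymised IP for new comments instead of the full address.
//    Without this, WordPress saves REMOTE_ADDR in comment_author_IP.
add_filter( 'pre_comment_user_ip', function ( $ip ) {
	return wp_privacy_anonymize_ip( $ip ); // 203.0.113.42 becomes 203.0.113.0
} );

// 2. Register an exporter so Tools > Export Personal Data includes our rows.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
	$exporters['newsletter-signups'] = array(
		'exporter_friendly_name' => 'Newsletter signups',
		'callback'               => 'newsletter_signups_exporter',
	);
	return $exporters;
} );

function newsletter_signups_exporter( $email_address, $page = 1 ) {
	global $wpdb;
	$table = $wpdb->prefix . 'newsletter_signups';
	$rows  = $wpdb->get_results(
		$wpdb->prepare( "SELECT id, ip, signed_up_at FROM {$table} WHERE email = %s", $email_address ),
		ARRAY_A
	);

	$export_items = array();
	foreach ( $rows as $row ) {
		$export_items[] = array(
			'group_id'    => 'newsletter-signups',
			'group_label' => 'Newsletter signups',
			'item_id'     => 'signup-' . $row['id'],
			'data'        => array(
				array( 'name' => 'Email',     'value' => $email_address ),
				array( 'name' => 'IP',        'value' => $row['ip'] ),
				array( 'name' => 'Signed up', 'value' => $row['signed_up_at'] ),
			),
		);
	}

	// One person has at most a handful of rows, so a single page suffices;
	// large data sets should return 'done' => false and use $page to batch.
	return array( 'data' => $export_items, 'done' => true );
}

// 3. Register an eraser so Tools > Erase Personal Data actually deletes the rows.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
	$erasers['newsletter-signups'] = array(
		'eraser_friendly_name' => 'Newsletter signups',
		'callback'             => 'newsletter_signups_eraser',
	);
	return $erasers;
} );

function newsletter_signups_eraser( $email_address, $page = 1 ) {
	global $wpdb;
	$table   = $wpdb->prefix . 'newsletter_signups';
	$deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

	return array(
		'items_removed'  => (bool) $deleted,
		'items_retained' => false,   // set true (with a message) if you must keep some rows, e.g. for legal reasons
		'messages'       => array(),
		'done'           => true,
	);
}
```

Drop this into a plugin file and activate it. When an administrator runs Tools > Export Personal Data for an email address, the "Newsletter signups" group appears in the generated ZIP; Erase Personal Data removes the matching rows and reports the outcome on the request screen. Any plugin that stores personal data and does not register callbacks like these will silently be skipped by both tools, which is the kind of gap an audit should catch.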
Final Thoughts: GDPR Checklist: What WordPress Businesses Need to Know
The GDPR is the new standard for data privacy—don’t wait to become compliant. Though it primarily exists to protect citizens of the European Union, it’s fair to assume that other countries will likewise fall in line, in terms of similar legislation.
For most WordPress sites that don’t handle large or sensitive data sets, the changes are modest: know what personal data you hold, tell visitors plainly what you collect and why, collect only what you need, and be able to export or delete a person’s data on request. Put those items on your GDPR checklist first.
What are you doing to make your WordPress website compliant per the terms of GDPR? What’s on your GDPR checklist? Let us know in the comments!