The Ultimate Guide to WordPress and GDPR Compliance

It’s been a long while since the internet has even remotely resembled a lawless new frontier with absolute freedom and perils threatening you with every click you perform. Not that there’s not a lot of freedom to be had online. The internet sure isn’t a safe place, either. But it manages to be all of that while still having regulations that affect every one of its users — you included.

If you happen to own a website, you might have additional responsibilities to meet certain regulatory standards. The most recent such regulation that caused a lot of fuss is the EU’s General Data Protection Regulation or GDPR. If you’re not familiar with it, and you’re wondering what WordPress GDPR compliance entails, we’ll try to help you understand. You’ll read about:

But before we start, it’s important to make it clear that this article in no way constitutes genuine legal advice. It hasn’t been written by a lawyer. It hasn’t even been written by a person who plays one on TV. For legal advice regarding GDPR, you should consult a lawyer. And while we’re on the topic, make sure to check out our article on how to make your website CCPA-compliant, too.

What Is GDPR?

In April of 2016, the European Union’s legislative bodies adopted a set of rules regulating the collection of EU citizens’ personal data. Called the General Data Protection Regulation, and commonly abbreviated as GDPR, this set of rules replaced an existing rule, the Data Protection Directive of 1995.

Take a moment to think about how much changed between the adoption of the two regulations. The original Directive was created before social media, Google Ads, and engineered lead-capturing forms. The text of the Directive was brought forth in the same month Microsoft released the first version of Internet Explorer that supported cookies.

GDPR was introduced to put additional protections on the personal data of EU citizens, expanding on those previously offered by the Data Protection Directive. Because it serves to protect the rights of EU citizens, any entity that gathers or processes their personal data must abide by GDPR, even if they’re an entity registered in a non-EU country.

The enforcement of the Regulation launched on 25 May 2018 to a rocky start, with surveys showing that up to two-thirds of organizations weren’t GDPR-compliant. GDPR fines, which can be up to $20 million or 4% of annual turnover in the year before, were levied in the thousands of euros in the first year, only to swell to millions in 2019. To this date, the biggest fine ordered under GDPR was the £183.39 million British Airways had to pay over a user data leak.

The biggest change that came into effect with GDPR was the fact that it started applying to anyone who wants access to the EU market. So as long as EU citizens can access your website and you plan to gather some of their personal information, you are no longer capable of handling their data any way you want just because you’re established outside of the EU.

What Are the Provisions of GDPR?

So, let’s say you have a website that collects data it then sends to third-party services for further processing. In the GDPR, a European citizen whose data you’ve gathered is called the data subject. You, the owner of the website, are a data controller — an entity that decides why the data needs to be processed, and how the processing is supposed to happen. The entity that performs the processing is, of course, the processor.

Adhering to the Stipulated Principles

When a soon-to-become data subject lands on your website and you’re collecting data that is considered personal, you need to ensure that said data is:

  • Processed lawfully, fairly, and transparently.
  • Collected exclusively for legitimate purposes you specified.
  • Limited to the minimal extent needed for the purposes.
  • Accurate and up to date.
  • Stored in a way that makes the data subject identifiable only for as long as it’s needed.
  • Stored and processed in a way that ensures safety and confidentiality.

As the controller, you are responsible for adherence to these principles. You’ll also need to make sure that you have a legal basis for processing the data, as stated in the first principle. Processing data to comply with legal obligations, execute a contract, or pursue your legitimate interests while not infringing the rights of the data subject are some of the legal bases for processing you can use.

Honoring the Rights of the Data Subject

While you have to ensure that the data is collected and processed for a legally sound reason and that it is treated in a certain way, you also have to honor the rights of the data subject. This means, among other things, allowing them:

  • Access to information about the nature, purpose, extent, and even location of data gathering and processing.
  • To give consent for data processing and take it back.
  • To pose restrictions on the processing you carry out on their data.
  • Access to all the data you gathered about them.
  • The ability to ask you to erase all their data you have.
  • To ask you to rectify inaccurate data.

While this might sound like a lot — and it sometimes is — you’ll see that there are often easy solutions that can move you towards upholding the rights of the data subjects and adhering to all the principles. A checkbox here, a couple of words there can do wonders.

But there’s also some finesse in working towards GDPR compliance. So, using the latest version of WordPress and only using GDPR-ready plugins is a definite must. But is it all you should be doing? Probably not. You’ll need to put in a bit more effort.

WordPress and GDPR Compatibility

WordPress has done its share of the work to help your website be GDPR compliant. Roughly a week before the enforcement of GDPR began, WordPress 4.9.6 was released, ensuring that WordPress’ core product is GDPR-compliant. If you’re using that version of WordPress or any that came after it, you’re capable of giving consent options, building a Privacy Policy page, and exporting and erasing user data that was collected by WordPress and participating plugins.

Plugins stepped up, too. WooCommerce, for example, made a page dedicated to informing store owners about WooCommerce and GDPR compliance. It started dealing with GDPR compliance with update 3.4, but it was also active in ensuring the core WordPress system has all the features it ended up having in version 4.9.6.

Some plugin developers created plugins specifically to help with GDPR compliance. You can find a number of plugins that let you set up consent for the use of cookies, for example. There are a couple that can help test your website’s compliance with the regulation, too.

But it’s important you understand that, even though the core WordPress product is GDPR-compliant, and you decided to use only the plugins that are GDPR-ready, it doesn’t mean that your website is 100% compliant. APIs can affect your GDPR compliance, as can the extensions you use with your plugins. And remember, as the controller, it’s your responsibility to ensure that everything that happens with data subjects’ personal data is within the guidelines stipulated by GDPR.

How to Know If My Website Is GDPR Compliant?

Because WordPress websites are so far away from being enclosed, static systems, you’ll need a way to occasionally assess whether you’re on the right side of the line with GDPR. So let’s see what options you have in this area.

Perform a Self-Assessment

A great way to ensure the level of compliance of your website with the GDPR is to perform a self-assessment. The one provided by Ireland’s Data Protection Commission will, for example, guide you through areas ranging from personal data and data subject rights to data security and breaches.

After answering all the questions, you’ll have a much clearer picture of how your website handles visitors’ data and what you can do to make it better. The only downside is that, usually, you will need a bit of knowledge about GDPR, its principles, and the terminology used before you’re able to navigate these self-assessment tests.

Get a Website Audit

Some businesses will offer a website audit as a service. Ideally, you’d want someone who understands both the European legal landscape and the intricacies of web design and online security to have a look.

There are also automated tools you can use for the same purposes. You can find tools that can assess the areas where you must put in a little bit of extra work to bridge the gap and get your website compliant.

Go Nuclear — Don’t Become a Subject of GDPR

This might be the most drastic measure to remove yourself from under the thumb of the EU regulators, but for some websites, it might be worth it. The two ways you can do it are simple enough — you either collect data but ban European citizens from accessing your website, or you don’t gather any data.

The problem with these methods is that either way, you must give up something valuable. The European market is huge and affluent, so cutting it off would mean forgoing potential profits. On the other hand, if you don’t gather any data, you’ll have a tough time monetizing your website or making it work at all in some cases.

How to Move Towards GDPR Compliance

Even when you know where your website stands concerning GDPR compliance, you might have no idea how to take it that extra step or two in the right direction. There’s no single method that can ensure that your website is absolutely compliant, but if you combine a couple of them, your chances of creating a website that will conform to all the rules set forth by the lawmakers from Brussels go up.

Here are some of the things you should do to make your website more GDPR compliant.

1. Consult a Professional

Once again, we have to restate that reading a blog post about GDPR is not the same as getting valid legal advice from an expert. Whether you hire a legal team to perform an audit or put your legal counsel in the team that’s putting the compliance measures in place, make sure that there’s someone who understands both the law and the tech involved. At the very least, have them perform an audit after you’ve done every other thing on this list.

2. Make Sure You Understand What Personal Data You Gather and Why

One of the more important things GDPR did was update the definition of personal data to include any type of data you can relate to an identifiable person, including IP addresses, RFID tags, and cookie identifiers.

You should take the plugins, APIs, and extensions you’re using and pore over their documentation in search of an explanation of the data they gather. Everything from Google Analytics to your store’s payment processing service needs to be examined, and you need to be aware of which piece of data goes where. You are accountable for it all as a controller.

3. Let the Visitors Know What You’re Gathering and Why and Give Them the Ability to Consent

Your Privacy Policy, Terms of Use, and other documents should contain a reference to the use of personal data where appropriate. You have to disclose the data you’re gathering and the reason why you’re doing it.

You can rely on the Privacy Policy WordPress now generates by default if you’re new to creating these kinds of documents, at least for inspiration. The Policy should reflect the data you collect and the reasons you have for collecting it.

Also, keep in mind that consent needs to be explicit under GDPR, and it needs to be provided in an active manner. So you have to give users something to do that signifies their explicit consent to have their data processed. Usually, a checkbox will do.

4. Review All the Points Where You Gather Data

Some plugins have to collect personal data to work properly. Other plugins have data collection as their sole purpose. You’ll need to revisit specimens of both kinds that have their place in your website and check if they’re compliant. Remember, consent is usually the easiest ground to legalize data processing, but it’s not the only one.

Here are some of the more popular services and plugins and how you can go about making them GDPR compliant:

  • Contact forms : If your contact form doesn’t have a checkbox for consent, you can use a plugin to add one. For Contact Form 7, for example, you can use the WP GDPR Compliance plugin.
  • Comments : Websites usually use cookies to save users’ email addresses, user names and other information when leaving a comment, so they don’t have to fill them out again the next time they’re visiting and commenting. Here you’ll want to set up a comments cookies opt-in checkbox that will give them a choice.
  • Google Analytics : Google’s made it easy for you by allowing you to anonymize IP addresses automatically, and to set data expiry rules.
  • Third-Party APIs : See which of the APIs gather data and why, and then either remove them or find a legal base for data collection under GDPR.

5. Add a Cookie Consent

If you haven’t already, install one of the many plugins that inform users about cookies and ask for their consent. GDPR Cookie Consent is a popular option.

6. Provide Data Portability Options

Your website visitors should be able to retrieve from you every single piece of their data that you’ve gathered. They should also be able to ask you to delete their data. Since WordPress 4.9.6, you’re able to comply with these requests. You just need to be able to receive them.

The solution to this issue can be as simple as putting your email address in the Privacy Policy and letting website visitors know they can use it to request a copy of their data. You can also use contact form plugins with custom request form templates to make it all look a bit fancier.

When you receive a request, head over to your dashboard and, under Tools, navigate to either Erase Personal Data or Export Personal Data. Here you’ll find a list of website users who have requested to review their data or to have it removed. You will have to send them a request email and, once it’s confirmed, WordPress will automatically create a downloadable ZIP file for users requesting data export. For erasure, the final step is deleting their data from your database.
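How a plugin that stores its own personal data takes part in these export and erase tools, as an added example that is not from the original article or from any real plugin. The `example_signups` table, its columns and the function names are hypothetical; the two filters are the hooks WordPress has provided since 4.9.6.

```php
<?php
// Added illustration; assumes a hypothetical table {prefix}example_signups (id, email, ip, created_at).
// Register with Tools > Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-signups'] = array(
        'exporter_friendly_name' => 'Example Signups',
        'callback'               => 'example_signups_export',
    );
    return $exporters;
} );

// Register with Tools > Erase Personal Data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-signups'] = array(
        'eraser_friendly_name' => 'Example Signups',
        'callback'             => 'example_signups_erase',
    );
    return $erasers;
} );

function example_signups_export( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100; // WordPress calls again with the next $page until 'done' is true.
    $rows = (array) $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, ip, created_at FROM {$wpdb->prefix}example_signups
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, ( (int) $page - 1 ) * $per_page
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-signups',
            'group_label' => 'Example Signups',
            'item_id'     => 'example-signup-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email', 'value' => $row->email ),
                array( 'name' => 'IP address', 'value' => $row->ip ),
                array( 'name' => 'Signed up', 'value' => $row->created_at ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

function example_signups_erase( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'example_signups', array( 'email' => $email_address ), array( '%s' ) );
    return array(
        'items_removed'  => $deleted > 0,
        'items_retained' => false === $deleted, // query failed: tell the admin data remains
        'messages'       => false === $deleted ? array( 'Example Signups: deletion failed.' ) : array(),
        'done'           => true,
    );
}
```

Data held in a custom table that has no exporter or eraser registered is simply absent from the ZIP file and untouched by an erasure request, which is why every data-collecting plugin on the site needs to be checked for these hooks.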

7. Revisit Your Security Provisions

Hacking and other cybercrime acts often target user data, and data security is one of the key GDPR principles. Frequent revisions of your website security measures are good practice at any rate, and especially so when making sure your website is GDPR-compliant.

In addition to using one of the many excellent WordPress security plugins, you may also want to consider using the HTTPS protocol. Together with SSL, this protocol protects the data transfer between you and your users. These days, both these solutions are basically a given – a lot of browsers have settings that notify users when they’re accessing a non-HTTPS website, and SSL certificates are included in all the best hosting packages. Still, if you’re not using them yet, now’s the time to start. And make sure to check out our ultimate WordPress security checklist to make sure you’re covering all the angles.

8. Report a Breach if It Happens

Under the GDPR, you have an obligation to inform authorities about data breaches within 72 hours of their occurrence. If the breach presents a high risk to an individual, you should let them know, too.

9. Consider Server-Side Tracking

Server-side tagging and tracking is one of the solutions that’s recently been touted as a great workaround for cookie deprecation and reduced client-side tracking abilities. In this form of tracking, data is collected and processed on the server, which means more secure and reliable data management. Server-side tagging or tracking will not make you automatically GDPR-compliant, as you’ll still have to implement things like consent management, data privacy provisions, data erasure when requested, and so on. In addition, you will still require user consent. But you will get to control which data third parties get, remove sensitive data and personally identifiable information, and modify the data before sending it to any vendor.
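What that control can look like on the server, as an added example that is not from the original article: an event is forwarded only with recorded consent, only allow-listed fields leave, and the IP address is masked first. The field names, the `analytics` consent key and the allow-list are assumptions made for the illustration, and the sample event is constructed.

```php
<?php
// Added illustration: field names, consent key and allow-list are assumptions.
const EXAMPLE_VENDOR_ALLOWLIST = array( 'event', 'page_path', 'timestamp', 'ip', 'order_value' );

// Mask an IP so it no longer singles out one host: keep /24 for IPv4, /48 for IPv6.
function example_mask_ip( string $ip ): ?string {
    $packed = @inet_pton( $ip );
    if ( false === $packed ) {
        return null; // Not a valid address: drop it rather than forward it.
    }
    $keep   = ( 4 === strlen( $packed ) ) ? 3 : 6; // prefix bytes to keep
    $masked = substr( $packed, 0, $keep ) . str_repeat( "\0", strlen( $packed ) - $keep );
    return inet_ntop( $masked );
}

// Build the payload a third-party vendor may receive, or null if nothing may be sent.
function example_build_vendor_payload( array $event, array $consent ): ?array {
    if ( empty( $consent['analytics'] ) ) {
        return null; // Collecting on the server does not remove the need for consent.
    }
    // Allow-list rather than deny-list: fields not named here (email, name, ...) never leave.
    $payload = array_intersect_key( $event, array_flip( EXAMPLE_VENDOR_ALLOWLIST ) );
    if ( isset( $payload['ip'] ) ) {
        $masked = example_mask_ip( (string) $payload['ip'] );
        if ( null === $masked ) {
            unset( $payload['ip'] );
        } else {
            $payload['ip'] = $masked;
        }
    }
    if ( isset( $payload['page_path'] ) ) {
        // Query strings often carry emails or tokens; forward the path only.
        $payload['page_path'] = explode( '?', (string) $payload['page_path'], 2 )[0];
    }
    return $payload;
}

// Constructed sample event, as a site might record it server-side.
$event = array(
    'event'       => 'purchase',
    'page_path'   => '/checkout/thanks?email=jane%40example.com',
    'timestamp'   => 1700000000,
    'ip'          => '203.0.113.77',
    'email'       => 'jane@example.com',
    'order_value' => 49.90,
);
var_dump( example_build_vendor_payload( $event, array( 'analytics' => true ) ) );
var_dump( example_build_vendor_payload( $event, array( 'analytics' => false ) ) );
```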

Let’s Wrap It Up!

The EU’s General Data Protection Regulation sure can be tough. But if you want people from the EU to visit your website, it’s a reality you simply have to deal with. But you shouldn’t let that scare you — many websites are managing to color within the lines as set by the Regulation.

There’s no reason why you wouldn’t be one of them. There is work that needs to be done, if you want to be sure that you’re reasonably compliant with the GDPR, that’s for sure. But if you’re thorough and use the very principles GDPR has in its core as your guidelines, you have every chance of creating a safe environment for your website visitors’ information. And that is, after all, the reason why you should be chasing after WordPress GDPR compliance.
