The Ultimate Guide to WordPress and GDPR Compliance
It’s been a long while since the internet even remotely resembled a lawless new frontier of absolute freedom, with perils threatening you at every click. Not that there isn’t a lot of freedom to be had online, and the internet sure isn’t a safe place either. But it manages to be all of that while still having regulations that affect every one of its users — you included.
If you happen to own a website, you might have additional responsibilities to meet certain regulatory standards. The most recent such regulation that caused a lot of fuss is the EU’s General Data Protection Regulation or GDPR. If you’re not familiar with it, and you’re wondering what WordPress GDPR compliance entails, we’ll try to help you understand. You’ll read about:
But before we start, it’s important to make it clear that this article in no way constitutes genuine legal advice. It hasn’t been written by a lawyer. It hasn’t even been written by a person who plays one on TV. For legal advice regarding GDPR, you should consult a lawyer.
In April of 2016, the European Union’s legislative bodies adopted a set of rules regulating the collection of EU citizens’ personal data. Called the General Data Protection Regulation, and commonly abbreviated as GDPR, this set of rules was adopted to replace an existing rule, the Data Protection Directive of 1995.
Take a moment to think about how much changed between the adoption of the two regulations. The original Directive was created before social media, Google Ads, and engineered lead-capturing forms. The text of the Directive was brought forth in the same month Microsoft released the first version of Internet Explorer that supported cookies.
GDPR was introduced to put additional protections on the personal data of EU citizens, expanding on those previously offered by the Data Protection Directive. Because it serves to protect the rights of EU citizens, any entity that gathers or processes their personal data must abide by GDPR, even if they’re an entity registered in a non-EU country.
The enforcement of the Regulation launched on 25 May 2018 to a rocky start, with surveys showing that up to two-thirds of organizations weren’t GDPR-compliant. GDPR fines, which can be up to $20 million or 4% of the previous year’s annual turnover, were levied in the thousands of euros in the first year, only to swell to millions in 2019. To date, the biggest fine ordered under GDPR was the £183.39 million British Airways had to pay over a user data leak.
The biggest change that came into effect with GDPR was that it applies to anyone who wants access to the EU market. So as long as EU citizens can access your website and you plan to gather some of their personal information, you can no longer handle their data any way you want just because you’re established outside of the EU.
So, let’s say you have a website that collects data it then sends to third-party services for further processing. In the GDPR, a European citizen whose data you’ve gathered is called the data subject. You, the owner of the website, are a data controller — an entity that decides why the data needs to be processed, and how the processing is supposed to happen. The entity that performs the processing is, of course, the processor.
Adhering to the Stipulated Principles
When a soon-to-become data subject lands on your website and you’re collecting data that is considered personal, you need to ensure that said data is:
Processed lawfully, fairly, and transparently.
Collected exclusively for legitimate purposes you specified.
Limited to the minimal extent needed for the purposes.
Accurate and up to date.
Stored in a way that makes the data subject identifiable only for as long as it’s needed.
Stored and processed in a way that ensures safety and confidentiality.
As the controller, you are responsible for adhering to these principles. You’ll also need to make sure that you have a legal basis for processing the data, as stated in the first principle. Processing data to comply with legal obligations, to execute a contract, or to pursue your legitimate interests without infringing the rights of the data subject are some of the legal bases for processing you can rely on.
Honoring the Rights of the Data Subject
While you have to ensure that the data is collected and processed for a legally sound reason and that it is treated in a certain way, you also have to honor the rights of the data subject. This means, among other things, allowing them:
Access to information about the nature, purpose, extent, and even location of data gathering and processing.
To give consent for data processing and take it back.
To restrict the processing you carry out on their data.
Access to all the data you gathered about them.
To ask you to erase all the data you hold on them.
To ask you to rectify inaccurate data.
While this might sound like a lot — and it sometimes is — you’ll see that there are often easy solutions that can move you towards upholding the rights of the data subjects and adhering to all the principles. A checkbox here, a couple of words there can do wonders.
But there’s also some finesse in working towards GDPR compliance. Using the latest version of WordPress and only GDPR-ready plugins is a definite must. But is that all you should be doing? Probably not. You’ll need to put in a bit more effort.
Plugins stepped up, too. WooCommerce, for example, made a page dedicated to informing store owners about WooCommerce and GDPR compliance. It started dealing with GDPR compliance with update 3.4, but it was also active in ensuring the core WordPress system has all the features it ended up having in version 4.9.6.
But it’s important you understand that, even though the core WordPress product is GDPR-compliant and you use only plugins that are GDPR-ready, it doesn’t mean that your website is 100% compliant. APIs can affect your GDPR compliance, as can the extensions you use with your plugins. And remember, as the controller, it’s your responsibility to ensure that everything that happens with data subjects’ personal data stays within the guidelines stipulated by GDPR.
Because WordPress websites are so far from being enclosed, static systems, you’ll need a way to occasionally assess whether you’re on the right side of the line with GDPR. So let’s see what options you have in this area.
Perform a Self-Assessment
A great way to ensure the level of compliance of your website with the GDPR is to perform a self-assessment. The one provided by Ireland’s Data Protection Commission will, for example, guide you through areas ranging from personal data and data subject rights to data security and breaches.
After answering all the questions, you’ll have a much clearer picture of how your website handles visitors’ data and what you can do to make it better. The only downside is that, usually, you will need a bit of knowledge about GDPR, its principles, and the terminology used before you’re able to navigate these self-assessment tests.
Get a Website Audit
Some businesses will offer a website audit as a service. Ideally, you’d want someone who understands both the European legal landscape and the intricacies of web design and online security to have a look.
There are also automated tools you can use for the same purpose. They can point out the areas where you must put in a little extra work to bridge the gap and get your website compliant.
Go Nuclear — Don’t Become a Subject of GDPR
This might be the most drastic measure to remove yourself from under the thumb of the EU regulators, but for some websites, it might be worth it. The two ways you can do it are simple enough — you either collect data but ban European citizens from accessing your website, or you don’t gather any data.
The problem with these methods is that either way, you must give up something valuable. The European market is huge and affluent, so cutting it off would mean forgoing potential profits. On the other hand, if you don’t gather any data, you’ll have a tough time monetizing your website or making it work at all in some cases.
Even when you know where your website stands concerning GDPR compliance, you may still have no idea how to take it that extra step or two in the right direction. There’s no single method that can ensure that your website is absolutely compliant, but if you combine a couple of them, your chances of creating a website that conforms to all the rules set forth by the lawmakers in Brussels go up.
Here are some of the things you should do to make your website more GDPR compliant.
1. Consult a Professional
Once again, we have to restate that reading a blog post about GDPR is not the same as getting valid legal advice from an expert. Whether you hire a legal team to perform an audit or put your legal counsel on the team that’s putting the compliance measures in place, make sure that there’s someone who understands both the law and the tech involved. At the very least, have them perform an audit after you’ve done everything else on this list.
2. Make Sure You Understand What Personal Data You Gather and Why
One of the more important things GDPR did was update the definition of personal data to include any type of data you can relate to an identifiable person, including IP addresses, RFID tags, and cookie identifiers.
You should take the plugins, APIs, and extensions you’re using and pore over their documentation in search of an explanation of the data they gather. Everything from Google Analytics to your store’s payment processing service needs to be examined, and you need to be aware of which piece of data goes where. As the controller, you are accountable for it all.
3. Let the Visitors Know What You’re Gathering and Why and Give Them the Ability to Consent
Keep in mind that consent needs to be explicit under GDPR, and it needs to be given in an active manner. So you have to give users something to do that signifies their explicit consent to have their data processed. Usually, a checkbox that is not pre-ticked will do.
4. Review All the Points Where You Gather Data
Some plugins have to collect personal data to work properly. Other plugins have data collection as their sole purpose. You’ll need to revisit instances of both kinds on your website and check whether they’re compliant. Remember, consent is usually the easiest legal basis for data processing, but it’s not the only one.
Here are some of the more popular services and plugins and how you can go about making them GDPR compliant:
Contact forms: If your contact form doesn’t have a checkbox for consent, you can use a plugin to add one. For Contact Form 7, for example, you can use the WP GDPR Compliance plugin.
Google Analytics: Google’s made it easy for you by allowing you to anonymize IP addresses automatically, and to set data expiry rules.
WooCommerce: Your best bet would be to follow WooCommerce’s introduction to GDPR compliance for stores. And then go over all the plugins and extensions and make sure they comply, too.
Third-Party APIs: See which of the APIs gather data and why, and then either remove them or find a legal basis for data collection under GDPR.
5. Add a Cookie Consent
If you haven’t already, install one of the many plugins that inform users about cookies and ask for their consent. GDPR Cookie Consent is a popular option.
6. Provide Data Portability Options
Your website visitors should be able to retrieve from you every single piece of their data that you’ve gathered. They should also be able to ask you to delete their data. Since WordPress 4.9.6, you’re able to comply with these requests. You just need to be able to receive them.
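As an added example (not code from the article, WordPress core, or any plugin it names), here is a plugin-style snippet that records the active opt-in described under point 3 and exposes that record to the export and erasure tools WordPress 4.9.6 provides, so a request received through Tools > Export/Erase Personal Data covers your own data too. The form field name, the user meta key, and the policy version are assumptions.

```php
<?php
// Added example, not code from the article or from WordPress core: record
// consent only when the box was actively ticked, then expose that record to
// the export/erase tools added in WordPress 4.9.6.
// Assumed names: form field "gdpr_consent", user meta key "_gdpr_consent".
const GDPR_META_KEY = '_gdpr_consent';
// A missing or pre-filled value is never treated as consent (GDPR wants an active opt-in).
function gdpr_record_consent( int $user_id, array $post ): bool {
    if ( ( $post['gdpr_consent'] ?? '' ) !== '1' ) {
        return false;
    }
    $record = array(
        'consented_at'   => gmdate( 'c' ), // when consent was given (UTC)
        'policy_version' => '2018-05-25',  // which privacy text was agreed to (assumed)
    );
    return (bool) update_user_meta( $user_id, GDPR_META_KEY, $record );
}
// Exporter callback: Tools > Export Personal Data includes this group in the subject's download.
function gdpr_export_consent( $email, $page = 1 ) {
    $user   = get_user_by( 'email', $email );
    $record = $user ? get_user_meta( $user->ID, GDPR_META_KEY, true ) : null;
    $data   = array();
    if ( $record ) {
        $data[] = array(
            'group_id'    => 'consent',
            'group_label' => 'Consent records',
            'item_id'     => 'consent-' . $user->ID,
            'data'        => array(
                array( 'name' => 'Consented at',   'value' => $record['consented_at'] ),
                array( 'name' => 'Policy version', 'value' => $record['policy_version'] ),
            ),
        );
    }
    return array( 'data' => $data, 'done' => true ); // one record per user, nothing to paginate
}
// Eraser callback: Tools > Erase Personal Data removes the record on request.
function gdpr_erase_consent( $email, $page = 1 ) {
    $user    = get_user_by( 'email', $email );
    $removed = $user ? delete_user_meta( $user->ID, GDPR_META_KEY ) : false;
    return array( 'items_removed' => $removed, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
// Register both callbacks with core under one plugin-style key.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-consent'] = array( 'exporter_friendly_name' => 'Consent records', 'callback' => 'gdpr_export_consent' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-consent'] = array( 'eraser_friendly_name' => 'Consent records', 'callback' => 'gdpr_erase_consent' );
    return $erasers;
} );
```

Any other plugin-specific store of personal data (order notes, form submissions, analytics identifiers) needs its own exporter and eraser pair in the same way, otherwise the core tools will silently leave it out.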
7. Report a Breach if It Happens
Under the GDPR, you have an obligation to inform authorities about data breaches within 72 hours of their occurrence. If the breach presents a high risk to an individual, you should let them know, too.
Let’s Wrap It Up!
The EU’s General Data Protection Regulation sure can be tough. But if you want people from the EU to visit your website, it’s a reality you simply have to deal with. But you shouldn’t let that scare you — many websites are managing to color within the lines as set by the Regulation.
There’s no reason why you wouldn’t be one of them. There is certainly work to be done if you want to be sure that you’re reasonably compliant with the GDPR. But if you’re thorough and use the very principles at the core of GDPR as your guidelines, you have every chance of creating a safe environment for your website visitors’ information. And that is, after all, the reason why you should be chasing after WordPress GDPR compliance.