General Data Protection Regulation
So, What is GDPR?
The General Data Protection Regulation (GDPR) is the EU Personal Data Protection Act, which replaces the 1995 Data Protection Directive and came into legal effect on 25 May 2018. All sites which may have EU visitors – even if the site is not based in the EU – are obliged to implement these new regulations.
As GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable. Failure to comply can result in a very heavy penalty (i.e. 4% of your global annual turnover or 20 million euros, whichever is higher).
Do I Really Need to Know/Implement This Stuff?
YES, you probably do – even if you do not live/work in Europe. I know, it’s very complicated, really boring and takes a LOT of time, which may appear “unfair”, but it’s the law and MUST be done.
As a business/website owner (or controller) you are legally responsible, under punishment of penalty, for implementing GDPR, including an explanation of ALL the data you (your website, etc.) collects, how it is collected, by whom and for what specific purpose(s). You also need to have procedures in place for personal data retrieval, amendment and deletion, which must be available (and free of charge) to anyone who asks.
There are two primary aspects of the GDPR: “personal data” and “processing of personal data”:
- personal data means “any information relating to an identified or identifiable natural person”—like name, email, address, or even an IP address.
- processing of personal data means “any operation or set of operations which is performed on personal data”. Simply storing an IP address in your web server logs is processing of a user’s personal data. All webservers store IP addresses of your site visitors.
There is also a classification called “sensitive personal data”, which means any information concerning an individual’s:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health data
- Genetic data
- Sex life or sexual orientation
- Past or spent criminal convictions
Depending on your specific business, you may also have to appoint a Data Protection Officer (DPO), who is responsible for all data security and how it is treated. A specific DPO is not really required if you have a small business and do not specifically engage in data processing, but the legal “role” must still be filled (i.e. you are still responsible for GDPR from a legal aspect).
On top of that you also need to track and log everything, so in the event of a potential security breach, you have the ability to quickly locate/repair the breach and create a report for the Supervisory Authority (SA). GDPR legally requires you to notify your SA of any security breach within 72 hours.
No doubt about it, it’s quite a bit of work, but it has to be done!
The good news is I’ve spent several days going through all this in-depth to get a better understanding of what is actually required from a website perspective. By working through the suggestions below and using the recommended plugins (I tested several, these were the best I found), you’ll quickly have the knowledge and tools you need to be well on the way to GDPR compliance. With that said, this is an on-going process and things may continue to change over time, please use your own due diligence to keep up with GDPR developments and ensure you follow the law.
Unlike earlier EU privacy regulations, this regulation does not apply only to organizations in the European Union. If you have a website that an EU resident can visit, you’re impacted!
You need to know what’s going on. GDPR applies to businesses, non-profits, government agencies, and other organizations. It applies to organizations in the EU, organizations that offer goods and services to EU residents, and any organization that collects data on EU residents. In other words, everyone.
No matter what the purpose of your website, it has a global audience. Check your Google Analytics from time to time and see how many visitors you receive from EU countries. (You may be surprised!)
Currently the European Union consists of the following 27 countries:
- Republic of Cyprus
- Czech Republic
What Does GDPR Mean for Your Site?
In addition to user consent and breach notifications, there are 3 basic responsibilities that you are liable for fulfilling as a website owner: Right to Access, Right to Be Forgotten and Data Portability.
Please answer these questions:
- Do you have a contact form, or any other form that collects personal information like name, email address, or telephone number?
- Can visitors post a comment anywhere on your website?
- Can people purchase products through your website or eCommerce shop?
- Do you provide a forum or message board?
- Do you have a method where visitors can chat with your company directly?
- Do you have Google Analytics/360 or other third-party APIs on your site?
- Do you have server/site statistics running on your site?
If you answered ‘No’ to ALL of these questions, your site is probably in good shape and you may not have to do anything to mitigate the compliance risk. If you don’t have the information, you don’t have to protect it. With that said, remember YOU are still responsible for all of this and ignorance is no excuse under law.
If you answered ‘Yes’ to any of the above questions, here are some general steps you need to consider:
1. Include a GDPR compliance line
- Specify what information you collect and store from website visitors. (e.g. IP addresses, device information, access information, cookies, visit duration and tracking, mouse and swipe actions, email, phone, name, address and billing addresses)
- Specify who has access to this personal data. (e.g. you, your ISP, MailChimp, Google, etc.)
- Specify the contact details of the assigned Data Protection Officer in your organization. For small businesses, this is probably you. Larger businesses and enterprises should have a dedicated senior-level person who carries indemnity insurance to cover the liability of this role. This person should receive data protection training and a certification.
- Provide instructions on how to submit a data access request.
- Specify how long you store personal information.
2. Remove all automatic opt-ins on your site. All checkboxes must be empty (unchecked) in online forms. An empty box does not imply acceptance.
3. Collect only information you require to run your business.
- Delete personal information that you no longer use that may be stored on servers, in spreadsheets, etc. This includes emails with file attachments that may contain personal information.
- Keep only one version of personal information. You may keep copies for backup and restore purposes only. Up to 4 backups is acceptable. If you keep more, you have to justify it. The location of the backups needs to be captured in your data/security audit.
- Collecting extra information in case you may use it in the future is unlawful. Information you have about individuals for which you have no use must be deleted.
4. All data breaches need to be recorded and actioned with preventive measures. Examples of data breaches include:
- Personal information being passed or coming into the possession of an unauthorized data processor or subcontractor.
- Passing of personal data into a non-GDPR compliant country.
- Passing of personal data to a third party without the knowledge of the data subject.
- Personal information leaked as a result of a website hack.
5. Have a security data breach response plan and process in place.
6. Have a process to comply with someone asking for a copy of their data.
- Verify their identity.
- Make sure you have the data before processing the request, if you don’t have the data, respond and say, “I don’t have the data”.
- Do not create more personal data while performing the request.
- Process the request.
- Record it in your data audit log.
- Do it within 20 days.
7. Update your contracts, NDAs, and privacy policies on your website.
- All staff need to have signed NDAs and received data protection awareness training. A good rule of thumb is to include all staff even if they do not have direct access to personal information in the normal course of their duties.
- All customer contracts have to be updated with a GDPR clause.
What You May No Longer Do
- You may not send unsolicited emails to anyone. No more purchased lists or merging lists from different companies into other lists.
- You may not auto email from abandoned shopping carts offering discounts unless the shopper has opted in for email at the top of the checkout.
- You may not send unsolicited text messages via mobile phone numbers.
- You may not refuse to give customers their personal details on request (at no charge).
As I mentioned, it’s a lot of work! You may even be thinking, this must apply only to big businesses, they’ll never audit a small business. BEWARE: Even if you collect information from a single EU resident, you may be subject to a GDPR audit. They may not audit you right now, but they may at any time in the future, even if you are not based in the EU. Why risk citation for non-compliance?
NOTE: If your head is already about to explode with all this, take a break and allow things to sink in. It’s a lot to take on-board at one time!
OK, now that you have a better understanding of what GDPR is and what you need to be aware of, let’s take a look at what that entails on a more practical level …
WordPress GDPR Compliance
Let’s consider some of the usual ways in which a WordPress site might collect user data:
- User registrations
- Contact form entries
- eCommerce sales
- Analytics and traffic log solutions
- Any other logging tools and plugins
- Security tools and plugins
- Newsletter and/or mailing lists
The first step in bringing your site into compliance is to conduct a security audit*. In general, a security audit reveals how data is being processed and stored on your servers. From there, you can determine the steps that are required to comply with the GDPR.
*I ordered a professional security check from WordFence to check WPOptimal and this members site, which resulted in a clean bill of health (woo-hoo!). Their service is not cheap, but I have to say, it was very professional, good contact throughout and you get a 10-page report explaining their findings, incl. anything which you should be aware of or take care of to maximize security. On top of that you get a 12-month Premium license included (normally $99). I’m not trying to sell this, I just want you to know where you can get it done, if you need that service. Another service (free) is Sucuri, which will check the “worst” offenders.
With that said, there are some key aspects of WordPress GDPR compliance that you need to implement regardless of the security audit results.
If your website is experiencing a data breach of any kind, that breach needs to be communicated to your users within 72 hours of its discovery. Because a data breach may put the rights and freedoms of individuals at risk, notifying users in a timely manner is a necessity. In WordPress, the term “user” may mean regular website users, contact form entries, eCommerce customers, commenters, and possibly others.
How often do you monitor your website for signs of a security breach? Under the GDPR, you now have a legal requirement to assess and monitor the security of your website. The ideal way is to monitor web traffic and web server logs. At the very least, this clause encourages you to use the best security practices available to ensure data breaches do not occur.
Data Collection, Processing, and Storage
Under GDPR, all users have the Right of Access, Right to Erasure, and the Right to Data Portability.
- Right of Access — provides users with complete transparency in data processing and storage. Users have the right to know what data points are being collected, where these data points are being processed and stored, and the reason behind the collection, processing and storage of the data. EU users must also be provided with a copy of their data free of charge within 40 days of you collecting it.
- Right to Erasure (aka ‘Right to Be Forgotten’) — gives users an option to erase personal data and to stop further collection and processing of the data. This involves the user withdrawing consent for their personal data to be used.
- Right to Data Portability — this clause grants users the right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller. Site owners are encouraged to enforce data policies that allow processing and storage of only the data that is absolutely necessary. Site owners and controllers should adopt potentially safer policies for data by limiting the number of data points they collect.
IMPORTANT – As a WordPress site owner, you MUST publish a detailed policy on the personal data points you’re using and how they are being processed and stored.
Next, you need to provide users with a copy of their data. This is perhaps the most difficult part of compliance. However, when the time comes, we can only hope that most plugin or tool developers — for those you use on your site(s) — have provided updates with their own solutions to this. Still, it’s advised to have a system in place to extract the required data out of your database.
If you’re reading this, then hopefully you are using WPOptimal (which is GDPR-ready). For any other additional theme(s) you may be using, you should check with the relevant developer(s) for GDPR compliance.
Plugins that you use on your site also need to comply with the GDPR rules. There may be plugins on your site that haven’t been updated in a long time or that seem to have been abandoned by their developers. While the “how” of plugin development is beyond your control, as the site owner it remains your responsibility to ensure that every plugin can export, provide, and erase any user data it collects.
This can be problematic for some of the most popular plugins out there. For example, tools like Gravity Forms or Jetpack have tons of modules whose job is to collect user data. How will these tools comply with the GDPR exactly? What does this mean to you?
Under the rules, plugins need to approach data compliance from the perspective of the site owner – i.e. You! If the nature of the plugin includes anything related to personal data collection, it needs to establish a data flow and inform about the processing of personal data.
As for the other example plugin, Jetpack, Automattic has confirmed on Twitter that they are preparing Jetpack for the GDPR, and further updates would appear in their new privacy-related features.
You need to make sure you check with the developers of your most important plugins to see how they plan to handle GDPR compliance. If they have no plans, consider finding a replacement tool.
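The two practical requirements above (having a system to extract a user’s data from your own database, and making sure each plugin can export and erase the data it collects) are exactly what the personal-data hooks added in WordPress 4.9.6 are for. The following is an added example, not code from the original post, from WPOptimal, or from any plugin named here: it registers an exporter and an eraser for a hypothetical contact-form table so that Tools > Export Personal Data and Tools > Erase Personal Data in the WordPress admin can fulfil access and erasure requests. The table name `wp_example_form_entries`, its columns, and all `example_*` function names are assumptions for illustration.

```php
<?php
/**
 * Added example (not part of the original post or of any named plugin):
 * hook a custom data store into WordPress's built-in privacy tools.
 * The table {$wpdb->prefix}example_form_entries with columns
 * id, name, email, message, submitted_at is assumed for illustration.
 */

// Step 1: register an exporter for "Right of Access" / portability requests.
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_exporter' );
function example_register_exporter( $exporters ) {
    $exporters['example-form-entries'] = array(
        'exporter_friendly_name' => __( 'Example contact form entries' ),
        'callback'               => 'example_export_entries',
    );
    return $exporters;
}

// WordPress calls this repeatedly with an increasing $page until 'done' is true,
// so large data sets are exported in batches instead of one huge query.
function example_export_entries( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'example_form_entries'; // assumed table name

    // Parameterised query: the requester's email is never interpolated directly.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name, email, message, submitted_at FROM {$table}
             WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address,
            $per_page,
            $offset
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-form-entries',
            'group_label' => __( 'Contact form entries' ),
            'item_id'     => 'form-entry-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Name' ),      'value' => $row->name ),
                array( 'name' => __( 'Email' ),     'value' => $row->email ),
                array( 'name' => __( 'Message' ),   'value' => $row->message ),
                array( 'name' => __( 'Submitted' ), 'value' => $row->submitted_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // fewer than a full page means we are finished
    );
}

// Step 2: register an eraser for "Right to Erasure" requests.
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_eraser' );
function example_register_eraser( $erasers ) {
    $erasers['example-form-entries'] = array(
        'eraser_friendly_name' => __( 'Example contact form entries' ),
        'callback'             => 'example_erase_entries',
    );
    return $erasers;
}

function example_erase_entries( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_form_entries'; // assumed table name

    // Delete every entry tied to the requester's address; $wpdb->delete
    // returns the number of rows affected, or false on error.
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => false !== $deleted && $deleted > 0,
        'items_retained' => false,   // set true (and explain in 'messages') if something must legally be kept
        'messages'       => array(),
        'done'           => true,
    );
}
```

WordPress only runs these callbacks after the person making the request has confirmed it by clicking the link in the confirmation email sent to that address, which covers the “verify their identity” step of the access-request process, and it records the request itself in the admin, which gives you a basic log entry for your data audit. Anything the callbacks return is bundled into the ZIP the site owner sends to the requester, so a store that is hooked in this way is covered by both the Right of Access and the Right to Erasure without a separate tool.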
External Tools and APIs
There are tools that you may be using on your site to collect names and email addresses that are external to your WordPress installation. Think about an email marketing tool like MailChimp, for example. It’s very common to integrate these types of tools with your WordPress website. You might use the collected email addresses to send promotional emails, newsletters, downloads, etc. Depending on how you’ve collected those addresses, they may not have been obtained by getting explicit consent from the users (i.e. double opt-in).
The final responsibility for GDPR compliance lies ultimately with you, the site owner. Although this change creates a considerable upset to the status quo, there are many benefits for any business that uses this opportunity to adopt a fresh approach to data privacy and protection. Consider adopting a Privacy by Design approach and its 7 Foundational Principles as a base strategy. Remember, compliance with the GDPR is not just an additional burden — it is also a way to build and strengthen trust with customers and employees, enhance business reputation, grow the value of data assets, and enhance risk mitigation.
We don’t know for sure how the GDPR can be enforced if you have no physical presence in the EU, but why risk the chance? The investment you make into developing a GDPR compliance strategy, compliant website, and on-going monitoring for your business is a lot less than facing a protracted legal battle and possible heavy fines.
WP Security Audit Log — Although monitoring and audit log functionality is available in the free edition, this is only half of what you need for GDPR compliance. I recommend you invest in the premium version for access to full security audit reports on your website, the ability to archive log tracking, and setting up an external secondary database for better security. (This may sound a bit too “techie”, but it’s fairly simple to set up using the instructions, or you can have them set it up for you.) Being able to track and report (if requested by the SA) everything is a MUST moving forward. It’s your time-stamped proof of exactly what happens on your site, when, and by whom (admin/user/visitor).
WordFence (Premium) — The free version is excellent and does most of the heavy lifting when it comes to site security. However, if you want the more robust version to help with compliance, you’ll need to sign up for premium to assess and monitor the security of your website to ensure data breaches do not occur. If a breach does occur, you will receive a real-time notification from the plugin.
The 2 plugins above pretty much take care of your “backend” GDPR requirements for monitoring, tracking and the ability to report potential data security breaches, incl. on-going, time-stamped logging of all site activity. Like insurance, you may never actually need this, but whether you do or not, you are still required by law to have it. As my grandfather used to say, it’s better to have and not need, than to need and not have. ;o)
Privacy Shield Framework:
If you consider it necessary or are looking for an additional advantage, you can self-certify your site(s) through the U.S. Department of Commerce’s Privacy Shield Framework which is created and designed with the European Commission and Swiss Administration to help protect US businesses from GDPR compliance issues.
(The cost for self-certification is scaled based on annual revenue.)