Essential Facts About WordPress GDPR Compliance
Are You Aware of GDPR?
Many business and website owners are still not fully aware of the General Data Protection Regulations (GDPR) and how they affect their business and online presence. And that could cause big problems. Here at PixoLabo, we have been following this for a while. Since we have a European presence, we must comply. Here is what you should know about WordPress GDPR compliance to help other business owners and webmasters.
What is the GDPR?
The General Data Protection Regulation, or GDPR, is pretty complicated, and the purpose of this post is not to go into every little detail of it. Simply put, the General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
The GDPR sets out the principles for data management and individual rights while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with EU citizens’ data. It is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR went into effect across the EU on May 25th, 2018.
What is Data Protection?
If you are not quite sure what data protection means or entails, you should check out this great infographic. It explains all the different areas of data protection, how it applies to GDPR, and what they mean for you and your business and online presence. Better safe than sorry, right?
To Whom Does GDPR Apply?
There is a common belief that simply because you, your business, and therefore your website are in North America, the GDPR does not apply to you. This belief is incorrect, and if you persist with it, you will be in big trouble! Simply put, the GDPR applies to everyone! If you have a website that an EU resident can visit, you’re affected!
Read this carefully: The GDPR applies to businesses, non-profits, government agencies, and other organizations. It applies to organizations in the EU, organizations that offer goods and services to EU residents, and any organization that collects data on EU residents. In other words, everyone. No matter what the purpose of your website, it has a global audience.
So, you don’t think you get website visitors from the EU? Here is an easy test for you! Simply check your Google or WordPress Jetpack analytics from time to time and see how many visitors you receive from EU countries. The numbers may surprise you. And once again, even if you only get a single visitor from the EU you need to be aware of WordPress GDPR compliance!
What Does GDPR Mean for Your WordPress Site?
As a WordPress website owner, you have three primary responsibilities you must fulfill for your website visitors:
- Right to Access
- Right to Be Forgotten
- Data Portability
To get started, please answer these questions about your WordPress website, and how it collects visitor information:
- Do you have a contact form or any other form that collects personal information like name, email address, or phone number?
- Can visitors post a comment anywhere on your website?
- Can people purchase products through your website or e-commerce shop?
- Do you provide a forum or message board?
- Do you have a method where visitors can chat with your company directly?
If you answered ‘No‘ to ALL of these questions, your WordPress website is most likely in good shape, and you comply. If you don’t collect the information, you don’t have to protect it. It is that simple!
General WordPress GDPR Compliance
However, if you answered ‘Yes‘ to ANY of these questions, please read on. Here are some general steps you need to consider as you prepare for WordPress GDPR compliance:
Here are some minimum recommendations:
- Include a GDPR compliance line
- Specify what information you collect and store from website visitors. (for instance: IP addresses, device information, access information, cookies, visit duration and tracking, mouse and swipe actions, email, phone, name, address, and billing addresses )
- Specify who has access to this personal data. (e.g., you, MailChimp, Google, Salesforce, etc.)
- Specify the contact details of the assigned Data Protection Officer in your organization. For small businesses, this is probably you. Larger companies should have a dedicated senior-level person who carries indemnity insurance to cover this role’s liability. This person should receive data protection training and certification.
- Provide instructions on how to submit a data access request.
- Specify how long you store personal information.
Remove Automatic Opt-ins
If you are using any automatic or pre-filled opt-in forms, either delete them completely OR remove any pre-filled data. All fields and checkboxes must be empty in your online forms. There is a good reason for that; an empty field or box cannot imply acceptance.
Only Collect Required Visitor Information
Of course, you need to gather some information from your website visitors to run your business. But be sure only to collect the information you require to run your business. Here are a few things to do:
- Delete personal information that you no longer use stored on servers, in excel spreadsheets, etc. This information includes emails with file attachments that may contain personal information.
- Keep only one version of personal information. You may keep copies for backup and restore purposes only. Up to 4 backups are acceptable. If you save more, you have to justify it. The location of the backups needs to be captured in your data/security audit.
- Collecting extra information just in case you may use it in the future is unlawful. You must delete any information you have about individuals for which you have no use.
Record All Data Breaches
Your WordPress GDPR compliance includes recording all data. Examples of data breaches include:
- Personal information being passed or coming into the possession of an unauthorized data processor or subcontractor.
- Passing of personal data into a non-GDPR compliant country.
- Passing of personal data to a third party without the knowledge of the data subject.
- Personal information leaked as a result of a website hack.
Have a response plan and process in place in case of a security data breach. Here’s a link to a helpful toolkit that can help you start developing a plan if you don’t already have one: Security Breach Response Plan Toolkit.
Have a Process
Have a process to comply with anyone asking for a copy of their data.
- Verify their identity
- Make sure you have the data before processing the request if you don’t have the data, respond and say, “I don’t have the data.”
- Do not create more personal data while performing the request.
- Process the request
- Record it in your data audit log
- Do it within 20 days.
Update Your Records
As you prepare for WordPress GDPR compliance, don’t forget to update your contracts, NDA’s, and privacy policies on your website, social media platforms, and in your written documents and communications. At a minimum, you should make sure that:
- All staff needs to have signed NDA’s and data protection awareness training. A good rule of thumb is to include all staff, even if they do not have direct access to personal information in the ordinary course of their duties.
- Update all customer contracts with a GDPR clause.
What You Can No Longer Do
We talked a lot about what you need to do to meet WordPress GDPR compliance guidelines. But you also need to understand what you are no longer allowed to do! This part takes many business website owners and marketers by surprise, so pay attention!
- You cannot send unsolicited emails to anyone. That includes no more purchasing lists from third parties or merging lists from different companies into other records.
- Sending auto emails from abandoned shopping carts offering discounts is no longer permitted unless the shopper has opted in for email at the top of the checkout.
- You cannot refuse to give customers their details on request.
- Sending unsolicited text messages via mobile phone numbers is no longer allowed.
Yes, This Includes You!
Don’t get fooled into a false sense of security here! Especially small business owners may think the EU has bigger fish to fry. That is easy to understand seeing the EU is busy taking on giants like Amazon and Microsoft. They’ll never audit a small business like yours, right? This thinking is dead wrong! As a European and someone who does business in Europe, I can guarantee that no business or brand is too small to warrant the attention of EU governing bodies!
Here is how you need to look at this. Even if you only collect information from a single EU resident who comes to your business website, you may be subject to a GDPR audit. They may not audit you right now, but they may at any time in the future, even if your business is not based in the EU. Why take the risk of being cited for non-compliance?
WordPress GDPR Compliance Specifics
The following areas or elements of your WordPress website are most affected by the upcoming GDPR rules. Take a look at what they are, and what precisely you must do to be in WordPress GDPR compliance.
E-Commerce Order Forms
Forums and Message Boards
Useful WordPress Plugins and Resources
Yes, getting your online presence into GDPR compliance will take some time and effort. But I have some good news for you! Meeting WordPress GDPR compliance regulations is a bit easier, mainly if you use any of these handy WordPress tools and plugins. Here is a list of a few I recommend you consider using on your WordPress site.
WordPress GDPR Compliance Plugins
This plugin assists website and webshop owners to comply with European privacy regulations known as GDPR. By May 24th, 2018, your site or shop has to comply to avoid large fines. WP GDPR Compliance currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments.
This open-source plugin will assist you in making your website GDPR compliant by making personal data accessible to the owner of the data. Visitors (owners) don’t need user accounts to access their data. Everything works through a unique link and emails.
This plugin assists a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.
This plugin helps address the “Right to be Forgotten.” It provides a method for data erasure of a user’s profile, comments, etc. available to WordPress admins. The plugin goes a step further if you are comfortable allowing users to delete their own data without having to create a request for it.
This plugin helps you perform a security audit on your website. It is WordPress’s most comprehensive real-time user activity and monitoring log plugin. It allows thousands of WordPress administrators and security professionals to keep an eye on what is happening on their websites.
Satisfies the GDPR legal requirement to assess and monitor the security of your website to ensure data breaches do not occur. If a breach does occur, you will receive a real-time notification from the plugin.
A Word of Caution
The above WordPress plugins will help you reach WordPress GDPR compliance if used correctly. But be aware that using any of these plugins will affect the functionality of your WordPress site. That, unfortunately, can also include other web functionality and even the appearance of your website. Before using any of these, I recommend you make a complete backup of your WordPress site and proceed with caution.
Other GDPR Resources
Useful links to articles, videos, summaries, opinions, and analysis on all things GDPR.
Looking Ahead at WordPress GDPR Compliance
This post is to give you an overall analysis and explanation of what GDPR is. It explains what GDPR means for you and your website in real terms, and what you can and must do to reach WordPress GDPR compliance. But even if you follow every last step and recommendation in this post, it is NOT a guarantee that you will be in WordPress GDPR compliance.
If you are in doubt about GDPR or if your business is indeed in compliance, you should consult with a legal professional. As mobile-first web designers, we can help get your WordPress website updated to meet these requirements. But there may very well be other considerations for your business. If you have any doubts, be sure to check with your legal or business advisors.
Need Help with Your WordPress GDPR Compliance?
Here at PixoLabo, we offer a full range of WordPress website consulting and design services for businesses and product brands, including custom web design and development, e-commerce solutions, search engine optimization, and WordPress optimization.
Feel free to reach out to us and learn more about how our team can help you get your WordPress website into GDPR compliance. Our team will listen to your concerns, evaluate your needs, and come up with a list of items to make your WordPress site compliant with these regulations.
Is Your WordPress Site GDPR Compliant?
Did you make sure that you are in GDPR compliance? If not, what is preventing you from doing so? Do you have anything to add to our recommendations for WordPress GDPR compliance? Maybe you have some helpful tips or advice of your own?
Please leave your comments below so our audience can benefit as well and grab our feed, so you don’t miss our next post! And help your friends and associates stay on the right side of EU regulators by sharing our WordPress GDPR compliance tips with them!
Thank you! We appreciate your help to end bad business websites, one pixel at a time!
By Gregor Saita
Co-Founder / CXO