Starting May 25, 2018, the General Data Protection Regulation (GDPR) will be effective, requiring any company or organisation with access to personal data related to EU citizens to provide a higher level of protection.
How will my business be affected?
GDPR applies not only to countries under the EU but also to organisations around the world that:
- Supply goods or services to EU citizens
- Monitor the behaviour of individuals in the EU with an online presence
- Have an establishment in the EU
Even if your website caters to clients/customers in non-European countries, you have no control over who visits your site. Someone from the EU may access your site and leave their information in your online forms.
What happens if I don’t comply?
Non-compliance to GDPR will mean a significant fine of up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher.
Who monitors my website?
EU member states have a group of Supervisory Authorities (SA) who are tasked to run audits on websites, issue warnings for non-compliance, and provide corrective measures organisations should follow.
How do I make sure my WordPress website is compliant?
Here are some important things you need to take care of:
Security audit
First, we advise you to run a security audit on your WordPress website and check how personal information is processed from your site. Take note of the following usual ways a WordPress website can collect data:
- User registration forms
- Contact forms
- Analytics
- Blog comments
- Security tools and plugins
- Other logging tools and plugins
Data collection, storage and processing
GDPR cites three important elements:
- Right to access – This requires website owners to be transparent about how data is being collected, processed and stored, and why these are necessary. Users will also be provided a copy of their data.
- Right to erasure – This gives users the option to remove personal information and deny consent on using their data.
- Data portability – Users should be able to download their personal data
You need to publish a detailed Privacy Policy basically telling your website visitors the data points you’re using in your site and how they are being processed and stored. Data includes not only names, address and contact information but also pictures and avatars visitors upload on your site.
Then, you must have a way to provide users with a copy of their personal data from your database. This can either be a plugin, an online tool or a manual encoding system.
Forms with consent
GDPR requires explicit permission before collecting or storing user data, at the same time allowing the user to request access to that data and ask for their data to be deleted. GDPR-compliant website forms should:
- Remove pre-checked boxes or any type of default consent
- Provide the name of your organisation and any third-party controllers who will be relying on your consent
- Include a link to Privacy Policy and Terms of Conditions
- Provide option to request for data or to have user’s data deleted
- Inform what you intend to do with their information. If you won’t share or sell their data, indicate so in your form.
- If possible, provide a yes or no choice
- Have age-verification measures (or parental consent measures) if you’re collecting data from children
Here are some examples:
Plugins
Yes, even your plugins should comply with GDPR rules. As a website owner, you need to make sure that all plugins you have provides a way to erase or export data collected from visitors. Read through the privacy guidelines of each of your plugins, especially online forms and data collection tools, and make sure they establish a clear data flow and provide information on how they collect, process and store data. Popular plugins like Contact Form 7, Gravity Forms and Jetpack are now preparing for the GDPR and working to update their privacy features.
Third party providers
Any tool or third party service that is part of your website should be compliant to GDPR. This includes payment gateways like PayPal and Stripe, as well as email marketing tools you use to send promotional messages and newsletters. The same goes with your mailing list provider. You have to make sure the emails are not collected illegally and that these people explicitly asked to receive emails from you.
Notification of breach
According to GDPR, you need to inform your users about any kind of data breach you are experiencing within 72 hours of finding out about the incident. Your responsibility as a website owner is to monitor web traffic and server logs, and make use of available tools to make sure that data breaches do not happen.
GDPR Compliance Checklist for WordPress Websites
- If you have a form on your website, include why you’re collecting data and how you intend to use it
- Have a privacy policy in your website
- Enable double opt-in option to make sure you have informed consent
- If you’re sharing information, inform your users and ALWAYS ask for their consent
- Make sure your plugins (including ecommerce plugins) are GDPR compliant
- Make sure payment gateways, email tools and mailing list providers are GDPR compliant
- When sending out emails, inform them why you’re emailing them and how you sourced their data.
- Provide an ‘Unsubscribe’ option in your emails
- Also provide a ‘Forget Me’ option. If someone selects this option, immediately DELETE their data
- Avoid using analytics software to track individual data and IP addresses
Yes, data regulations are not fun! But your website is an important part of your business and this is something you can’t ignore.
Is your website GDPR compliant? Contact us to organise a compliance audit.
