The General Data Protection Regulation (GDPR), which is probably the biggest change so far in the field of data privacy regulation law, will come into effect on the 25th May 2018.
Combining all the European data privacy laws into one regulation, the new law provides European Union citizens a much stronger and better control over the way their personal data is being tracked, collected, used and stored online.
Although GDPR applies primarily to online businesses in the EU, it will also affect website owners and developers outside the EU who are tracking, collecting and storing any kind of personal data from any European Union citizen.
WordPress, meanwhile, ruling over 60% of the CMS market and powering over 30% of global websites, increases the chances of a huge number of websites getting affected by the GDPR. If you run a WordPress-powered website that collects or monitors any kind of personal data from the citizens of the European Union; it’s time to get it ready for the GDPR.
Through this blog post, we’ll discuss this topic, but let’s first take a brief look at several new Data Subject Rights given to users in the GDPR!
An individual’s rights under GDPR
Apart from being extra-territorial, the new GDPR regulation brings nine new rights to users, allowing them to have more control over the collection and usage of their personal data. These rights are:
- Right to be informed. An individual has the full right to be informed about how their personal data is being collected and used.
- Right to access. Every user has the right to access and download their personal data in the form of an electronic copy provided by the website owner free of cost.
- Right to Rectification. The new GDPR regulation gives users the power to rectify any inaccurate personal data or complete it if it is not complete.
- Right to Erasure. Also known as the right to be forgotten, this right allows individuals to leave a website and have any personal data erased anytime.
- Right to Restrict Processing. According to this right, every user will have the ability to restrict or suppress the processing of their personal data anytime.
- Right to Data Portability. The new GDPR regulation empowers users to download and reuse their personal data for their own purposes.
- Right to Object. An individual can prohibit the use of any particular data for direct marketing or any other purpose anytime.
- Right to be informed about Data Breaches. In case of a data breach, the website owner must notify users within 72 hours of knowing about the breach.
- Rights related to Automated Decision Making. The GDPR regulation prevents users from being subject to a decision made without the active involvement of a human.
What information will GDPR apply to?
The new GDPR legislation applies to any information that can be used to recognize the identity of a living person directly or indirectly. In fact, the new regulation redefines the scope of personal information to strengthen users’ rights regarding the collection, storage, and usage of their personal data online. As a result, it now counts even small details like an IP address as personal data.
Other data considered to be personal include:
- Name
- Photo
- Mobile number
- Email address
- Physical address
- Location data
- IP address
- Social security number
- Profiling, sales and analytics data
- Online Behavior (Cookies)
Furthermore, the new law also applies to sensitive personal data, a special category of personal data, which requires more careful handling and can potentially link back to the identity of a living person. It includes, but not limited to, several factors, such as:
- Health status
- Sexual orientation
- Political views
- Religious beliefs
- Behavioral data
- Financial data
- Biometric data
- Genetic data
To sum it up, the GDPR applies to both personal and sensitive personal data.
How to make a WordPress Site GDPR compliant
Now let’s come to the main point: making a WordPress site GDPR compliant.
There are three main ways GDPR can affect a WordPress site:
Data collection, processing, and storage
The way you track and collect users’ data through your WordPress site plays a vital role in determining the compliance of your website with GDPR. According to the new legislation, while collecting any kind of data through your WordPress site, you must clearly tell users:
- Who are you
- What personal data you collect
- Why you collect the data
- Where the collected data is being stored
- How long the data is stored for
- For what purpose you are using the data
- How the data is secured
The crucial thing here is the transparency. No matter what kind of personal data you’re collecting via what kind of medium, explicit consent of users is now imperative to monitor and collect personal data.
Themes and plug-ins
GDPR doesn’t just apply to the front-end of your WordPress site, the code of your website must also be in compliance with the new law. Being a WordPress site owner, you’re ultimately responsible for how a WordPress theme, plug-in or third-party software collects personal data through your site.
While several big themes and plug-ins, like Jetpack, WooCommerce, and Gravity Forms, are already working on getting into compliance with the GDPR, it’s highly recommended you audit all themes and plug-ins you’re using before the release of the new legislation. For this purpose, you can take advantage of WP GDPR Compliance plug-in that helps you identify and resolve key GDPR related issues.
Automatic consent
If you use opt-out options and pre-checked consent boxes on your WordPress site to collect any kind of personal data, it will now be considered a breach under GDPR. As already mentioned above, to meet the new GDPR standard, users must be actively involved in providing consent for the collection of personal data through your WordPress site. According to the new law, some approved examples of legal consent requests are:
- Clicking an opt-in button/link.
- Selecting from yes or no options.
- Responding manually to a consent email.
Now that you understand how GDPR can affect a WordPress site and have a rough idea of how to deal with the GDPR, let’s get familiar with some practical ways you can get your WordPress site into compliance with GDPR:
Audit the personal data you collect
Firstly, take a full audit of users’ personal data collected through your WordPress site. This will not only help you find out the absolutely necessary data required to run the website but also help you get rid of any unwanted data having no real use or value. Delete any personal data that you no longer use and you’ll achieve the first step toward making your WordPress site GDPR compliant.
Document everything
When you’re left with the absolutely necessary personal data, it’s time to write down your new policies and procedures according to the new GDPR legislation. This will help you have a clear idea of what you’ll do in case a personal data breach occurs or a user requests to access their personal data. In your new policies, describe clearly what personal data you collect, why you collect it and what you do to keep it safe and secure.
Request explicit consent
This one is extremely crucial! According to the new regulation, an explicit consent of the user is required to collect personal data. This means any checkbox on your WordPress site must be empty or unchecked by default so users can voluntarily tick it to allow the website owner to collect their personal data. In other words, you must remove all the automatic opt-in boxes from your WordPress site.
Maintain privacy by design
Privacy by design encourages you to ask users only for the personal data that is absolutely necessary to run your WordPress-powered website. For example, if you’re incorporating a new form on your WordPress site to collect users’ personal data, privacy and data protection, instead of treating it as an after-thought or addendum, integrate it with the design of the form from the very beginning.
Consider appointing a DPO
Finally, if your WordPress site monitors or processes personal data on a very large scale, you may consider hiring a Data Protection Officer (DPO). A DPO is an individual who monitors all privacy and data protection related activities of your WordPress site and ensures it’s compliant with the GDPR regulation. Depending on your requirements, you may appoint a DPO from within your organization or hire one externally.
Other useful GDPR resources
Guest author: Ashish is an experienced web developer working with XHTMLJunction – PSD to WordPress Service Provider. He always tries to keep himself up with latest web development trends and technologies to boost his productivity and capabilities. In his spare time, he loves to write articles related to WordPress, Web Design, App Development, and eCommerce.