This post will help you in your endeavor to be ready when the regulation kicks in.
- First, we’re going to talk in detail about the GDPR guidelines, the specific areas of your business that the guidelines affect, and why you should be concerned about WordPress GDPR compliance.
- Next, we will cover the basics of making a WordPress site complaint with the guidelines.
- Finally, we will discuss the implications of the use of plugins on your WordPress site and how your GDPR compliance might be affected.
What is GDPR?
GDPR stands for General Data Protection Regulation and it is a new data protection law in the EU, which comes into force in May 2018.
The aim of the GDPR is to give citizens of the EU control over their personal data, and change the approach of organizations across the world towards data privacy.
The GDPR provides much stronger rules than existing laws and is much more restrictive than the “EU cookie law.”
The GDPR law applies to data collected about EU citizens from anywhere in the world. As a consequence, a website with any EU visitors or customers must comply with the GDPR, which means that virtually all websites and businesses must comply.
To better understand the regulation, take a look at the publication of the regulations in the Official Journal of the European Union, which defines all terms related to the law. There are two main aspects of the GDPR: “personal data” and “processing of personal data.” Here’s how it relates to running a WordPress site:
- personal data pertains to “any information relating to an identified or identifiable natural person” – like name, email, address or even an IP address,
- whereas processing of personal data refers to “any operation or set of operations which is performed on personal data”. Therefore, a simple operation of storing an IP address on your web server logs constitutes processing of personal data of a user.
Should GDPR be taken seriously?
Webmasters have time until May 2018 to comply with the regulations set by the GDPR. The penalty for non compliance can be 4% of annual global turnover, up to a maximum of €20 million.
There are various slabs of penalties according to the seriousness of the breach, which have been described in the FAQ section of the GDPR portal.
Such a high amount in penalties has been proposed to increase compliance. However, one may wonder what steps for the supervision of websites are in place. Supervisory Authorities (SA) of different member states are going to be set up, with the full support of the law. Each member state may have multiple SAs, depending on the constitutional, administrative and organizational structures. There are various powers that SAs will have:
- carry out audits on websites,
- issue warnings for non-compliance,
- issue corrective measures to be followed with deadlines.
SAs have both investigative and corrective powers to check compliance with the law and suggest changes to be compliant.
It is too early to speculate how SAs of various member states would interlink and work together, but one aspect is clear; SAs would enjoy considerable power to enforce the GDPR guidelines.
Six months after the guidelines were released, PwC surveyed 200 CXOs of large US firms to assess the impact of the GDPR guidelines. The results revealed that a majority of the firms had taken up the GDPR guidelines as their top data protection priority, with 76% of them prepared to spend in excess of $1 million on GDPR. This shows that owning to a substantial presence in the EU, large corporations are taking up the GDPR compliance seriously.
(Charts by Visualizer Lite.)
The details of your WordPress GDPR compliance
Okay, so with all the official information out of the way, let’s take a moment to talk about how to make sure that your website is compliant and that you won’t experience any WordPress GDPR problems.
Before you move on to each of the aspects and how to comply with them, a security audit on your WordPress site should, in general, reveal how data is being processed and stored on your servers, and steps that are required to comply with the GDPR. The Security Audit Log plugin can help you perform a security audit on your website.
Some usual ways in which a standard WordPress site might collect user data:
- user registrations,
- contact form entries,
- analytics and traffic log solutions,
- any other logging tools and plugins,
- security tools and plugins.
Here are some key aspects of the WordPress GDPR that users need to take care of:
(a) Breach notification
Under the GDPR compliance, if your website is experiencing a data breach of any kind, that breach needs to be communicated to your users.
A data breach may result in a risk for the rights and freedoms of individuals, due to which notifying users in a timely manner becomes necessary. Under the GDPR, a notification must be sent within 72 hours of first becoming aware of a breach. Data processors are also required to notify users as well as the data controllers, immediately after first becoming aware of a data breach.
In a WordPress scenario, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. However, the complexity here is the definition of the term “user” – it may constitute regular website users, contact form entries, and potentially even commenters.
This clause of the GDPR thus creates a legal requirement to assess and monitor the security of your website. The ideal way is to monitor web traffic and web server logs, but a practical option is to use the Wordfence plugin with notifications turned on. In general, this clause encourages one to use the best security practices available to ensure data breaches do not occur.
(b) Data collection, processing and storage
Three elements of this: Right to Access, Right to Be Forgotten and Data Portability.
- The right to access provides users with complete transparency in data processing and storage – what data points are being collected, where are these data points being processed and stored, and the reason behind the collection, processing and storage of the data. Users will also have to be provided a copy of their data free of cost within 40 days.
- The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their personal data to be used.
- The data portability clause of the GDPR provides users a right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller.
Privacy by design encourages controllers to enforce data policies which enable the processing and storage of only that data which is absolutely necessary. This encourages site owners and controllers to adopt potentially safer policies for data, by limiting the access to number of data points.
As a WordPress site owner, you first need to publish a detailed policy on which personal data points you’re using, how they are being processed and stored.
Next, you need to have a setup to provide users with a copy of their data. This is perhaps the most difficult part of the process. However, we can assume that when the time comes, most plugin developers or tool developers – for the tools and plugins that you have on your site – will have already come forward with their own solutions to this.
It is still advised, however, to have a system in place to derive the required data out of your database.
Further, it may be wise to avoid data storage altogether in certain cases. For instance, contact forms could be set up to directly forward all communication to your email address instead of storing them anywhere on the web server.
(c) Use of plugins – implications of WordPress GDPR compliance
Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with the GDPR rules.
This can still mean some tough times for some of the most popular plugins out there. For instance, solutions like Gravity Forms or Jetpack have a lot of modules that collect user data by nature. How are those tools going to comply with the GDPR exactly?
For plugins too, the same rules apply, although they must be approached from the point of view of the WordPress site owner. Each plugin needs to establish a data flow and inform about the processing of personal data. If you are the developer of a plugin, consider providing users of your plugin an addendum that they may add to their website’s terms in order to make them GDPR compliant. Gravity Forms, for instance, needs to let the user know how personal data being filled in a contact form is going to be published, and an option to get it removed, if necessary.
No other plugin seems to have released any statements related to this yet.
We're working towards the GDPR, so keep an eye out for our new privacy related features.
— Jetpack (@jetpack) July 23, 2017
Also, some tools that sit seemingly outside of your WordPress website will see the impact of this too. Take, email marketing tools, for example. It’s a common practice to have those integrated with your WordPress website and to send promotional emails based on a list of email addresses. Depending on how you run your newsletters/lists, those addresses might not have been obtained by getting explicit consent from users.
To sum up what it means to make WordPress GDPR compliant:
- the law comes into effect in May 2018,
- it applies to any website that deals with personal information of EU users (read: all WordPress websites),
- it gives the user the right to control the flow of their personal information,
- there are defined processes to monitor compliance and huge fines are in place for non-compliance.
In a nutshell, to make your WordPress GDPR compliant, you should (1) look into all the different ways in which you’re collecting visitor data. Next, (2) put mechanisms in place to make sure that users can control their data. Additionally, (3) it’s probably a good idea to avoid collecting user data where it’s not necessary (like the contact form example from above). And most importantly of all, (4) even if you’re using third-party tools and solutions, you still need to make sure that those are GDPR compliant as well.
If you don’t have all of the above taken care of by May 2018, trouble.
- UK Information Commission’s Office paper
- White papers: by Actiance.com, by iapp.org
- Wikipedia page on the GDPR
- “WordPress Telemetry Proposal Addresses Long-Standing Privacy Concerns as GDPR Compliance Deadline Looms” by WPTavern
- Slides from relevant WordCamp presentations:
Don’t forget to join our free crash course on speeding up your WordPress site. With some simple fixes, you can reduce your loading time by even 50-80%:
Layout and presentation by Karol K.