You may have received emails from all different kinds of companies over the last few months with “GDPR” being the main theme. If you are a WordPress site owner, you may be wondering if and how the GDPR applies to you and your site visitors.
GDPR, or General Data Protection Regulation, is a new set of regulations set by the European Union (EU) which took effect May 25th, 2018. Though the GDPR was actually introduced in 2016, it only became enforceable as of May this year. The GDPR regulates how websites interact with website visitors, and how we as site owners handle user data.
Any website which processes the personal data of an EU resident is subject to these new privacy requirements, no matter where in the world the website is based.
Sites found in violation of GDPR are technically at risk of a fine equal to 4% (in Euros) of the website owner’s annual income, though how these fines might be rolled out is still in the early stages.
GDPR states that website owners must have policies and methods in place that allow them to provide a website user with a copy of their own data when it is requested. The new regulations also state that site visitors must be notified of a breach in site security that affects their data within 72 hours of the event.
If you are a WordPress website owner, it is best to make your website GDPR compliant because all websites are global by definition. This way, you align yourself with the best standards in global security and data protection.
Essentially, the GDPR provides:
– A clear outline of how the site owner works with third party vendors
– A description of the type of information stored on the website server
– The site visitor’s rights in regard to their data
– A site’s security protocol in the event of a data breach
For some, the rollout of GDPR may seem intimidating. Just how does one make a WordPress website GDPR compliant?
Follow these guidelines to ensure your website meets the requirements for world-class security and data protection.
Develop your Privacy Page
YOUR DATA COLLECTION POLICY
Personal data is any data regarding you that could help someone to identify you. It is individual information pertaining to you, and it is not anonymous.
Anonymous data is any data where the identity has been removed from the statistical data, and could not help to identify an individual.
Your website may collect personal data in the form of PayPal payments, Newsletter signups via email or via Blog comment and site membership. Even if you have no members logging into the back end of your site, if you engage with the public at all on your website, a certain level of data is being collected.
Helping your site visitors understand the difference between personal and anonymous data is key. Include your data collection and storage policy as well.
DIRECT (VISITOR PROVIDED DATA)
This would include contact forms, comments, ecommerce transactions, event bookings and similar user-generated content (data) submissions.
VIA SOFTWARE (INDIRECTLY)
This would be from Google Analytics, Jetpack, ad tracking programs, or similar site tracking software.
GENERAL DATA COLLECTION PRACTICE
This is where you break down what information you keep and how you store it.
I don’t use ads on my site, but I do act as webmaster for some websites that serve ads. If you run ads, you must disclose this fact and also how the data gathered and stored by the ad software will be used.
HOW YOU USE PERSONAL DATA
– To complete an order and maintain a record of sales for tax and accounting purposes
– For fraud investigation in compliance with the law
– To comply with a law or regulation such as the GDPR
– To enhance the site visitor experience
– To complete contractual obligations (like delivering a Newsletter or providing a product)
HOW YOU SHARE PERSONAL DATA
As a website owner or webmaster, your site may share personal data with the following types of third parties:
– Technology service providers (e.g. your web host)
– As part of a business transfer of ownership
– As required by law
I select third parties to work with who adhere to the laws and best practices of the Internet. Any information shared on the site by the site visitor may not be used for any purpose other than the stated website-related purpose.
DATA SECURITY PROTOCOL
If you have not thought about or developed a website security protocol, now is the time. It should include what your response would be in the face of a security event and what steps you take to prevent security events from taking place.
If you do link to third parties, make sure you state that you are not responsible for any content or software served by the third party you link to.
YOUR DATA RETENTION POLICY
You can use the information legally collected on your website to fulfill any legal, accounting, or reporting requirements.
Any transaction resulting in a purchase means that the website owner, as a US taxpayer, must store this information for 7 years for tax and legal record-keeping purposes.
There are some cases where a user may request removal of their data from your site. For example, after you unsubscribe from my Newsletter, you may then contact me and ask me to delete your subscriber information, including email and name. Your anonymous aggregate data will remain, as it is not legally protected data.
Anonymous data may be used in perpetuity for the purposes of continuing to improve your website for the enjoyment of your site visitors.
HOW TO ACCESS YOUR DATA WITH ME
As part of the GDPR, site users now have the right to request a copy of their data from the site owner under the following circumstances:
Set Your Privacy Page in WordPress
The WordPress Privacy tools are where you can export a copy of a user’s data so you can email it to them when they make a valid data access request.
Install an SSL Certificate
Though not a requirement of GDPR per se, installing an SSL certificate encrypts the traffic between your visitors and your website, which improves your site security. An active SSL certificate is now required by Google for any website with a backend such as WordPress. Without an active and properly configured SSL certificate, your website could receive SEO penalties and will show a warning in the address bar of Google Chrome.
Many webhosts will have easy options for SSL installation. If you have any trouble finding the SSL area in your webhost’s control panel, simply contact your webhost or you can contact me.
To find the http references in your site, open any page of your site in your browser of choice. I recommend using Firefox or Chrome for development purposes. Once the page has loaded, right-click anywhere on it to open the pop-up menu and select View Page Source (or the similar option in your browser). In the source view, search for http by pressing Ctrl/Cmd + F. Review every instance of http:// and then go into your site and correct each one to https://. Reload your site, being sure to clear your cache when you do. If there are instances you cannot correct because they come from a plugin or an off-site source, consider how you can replace that plugin or code call with one that serves its content over https.
Keep correcting every instance you can until the padlock in the address bar next to your website’s URL shows as locked. This means the page is now served fully over SSL.
Repeat this process until every page is done. You will find that some elements in your site only need fixing once, which removes the issue from other pages as well, whereas some pages have their own specific needs.
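The manual page-source search described above can be automated. The following is an added example for this post, not code from the original article or from WordPress: a small Python script (standard library only) that scans a page’s HTML for http:// references, separates the ones browsers block on an https page (scripts, stylesheets, iframes, form actions) from the ones that only produce a warning (images and CSS background images) and plain links, and then rewrites the references on hosts you control to https://. The sample page, the example.com hostname and the widgets.example.net widget host are constructed for the demonstration.

```python
"""Find and fix insecure http:// references (mixed content) in a page's HTML.

Added example for this post; not WordPress or plugin code. Uses only the
standard library and runs on a constructed sample page, so it works offline.
"""
from html.parser import HTMLParser
import re

# Attributes that carry URLs. Tags whose http:// resources browsers block on an
# https page are "active"; images and CSS backgrounds are "passive" (warning
# only); <a>/<area> links are not loaded resources, but still worth updating.
URL_ATTRS = {"src", "href", "action", "data", "poster", "srcset"}
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed", "form"}
LINK_TAGS = {"a", "area"}
HTTP_URL = re.compile(r"\bhttp://[^\s'\"(),]+", re.IGNORECASE)

# Constructed sample page, assumed to be served over https://example.com/.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<style>body { background: url(http://example.com/bg.png); }</style>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png" alt="logo">
<iframe src="http://widgets.example.net/embed"></iframe>
<a href="http://example.com/about/">About</a>
<form action="http://example.com/wp-comments-post.php" method="post"></form>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Inline style="" attributes can also contain url(http://...)
            if value is not None and (name in URL_ATTRS or name == "style"):
                for url in HTTP_URL.findall(value):
                    self._add(tag, name, url)
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # url(http://...) inside a <style> block loads a resource too
        if self._in_style:
            for url in HTTP_URL.findall(data):
                self._add("style", "css", url)

    def _add(self, tag, attr, url):
        if tag in LINK_TAGS:
            severity = "link"
        elif tag in ACTIVE_TAGS:
            severity = "active"
        else:
            severity = "passive"
        self.findings.append(
            {"tag": tag, "attr": attr, "url": url, "severity": severity}
        )


def find_mixed_content(html):
    """Return a list of {tag, attr, url, severity} dicts, in page order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_to_https(html, hosts):
    """Rewrite http:// URLs to https:// only for hosts you control.

    Third-party hosts are left alone: you must confirm they serve https
    before changing them, otherwise the resource simply fails to load.
    """
    def repl(match):
        rest = match.group(0)[len("http://"):]
        host = rest.split("/", 1)[0].split(":", 1)[0].lower()
        return "https://" + rest if host in hosts else match.group(0)

    return HTTP_URL.sub(repl, html)


if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE):
        print(f"{f['severity']:8} <{f['tag']} {f['attr']}> {f['url']}")
    fixed = upgrade_to_https(SAMPLE_PAGE, {"example.com"})
    print("\nStill insecure after rewriting our own host:")
    for f in find_mixed_content(fixed):
        print(f"{f['severity']:8} <{f['tag']} {f['attr']}> {f['url']}")
```

Run it against a saved copy of any page (`view-source` and save, or fetch it with your usual tooling) and work through the "active" findings first, since those are the ones browsers refuse to load; the remaining "passive" and "link" entries still need fixing before the padlock will show as locked. Anything left after rewriting your own host is served by a plugin or third party and is the case the text above says to replace.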
Your Newsletter List
By law, all subscribers on your enews list must have either directly subscribed or directly given consent for you to sign them up. If you are concerned that there are subscribers on your list who did not consent, you can send a subscription re-confirmation email. If you use Mailchimp or a similar provider, they already have an email template ready for you to turn into a campaign and send to your enews list. People can unsubscribe by clicking a button, or do nothing and stay subscribed.
Evaluate your Plugins for Compliance
You will need to look at each plugin in your site and review its GDPR compliance policy. Make sure you are using only plugins rated 4 stars or above in the WordPress plugin ratings. These plugins are more likely to be frequently updated and well supported, meaning that their developers are tuned in to GDPR and other critical developments in the WordPress space.
Visit https://www.eugdpr.org/ for more information and to stay updated on the GDPR.
Here’s a good article on GDPR from another resource:
If you are a WordPress website owner and have questions about the GDPR and how it affects you, feel free to reach out in the comments or contact me.
Every effort to provide full and complete information on this subject has been made. This information is offered in the spirit of education and should not be considered legal advice.