The General Data Protection Regulation (GDPR), probably the biggest change so far in data privacy law, comes into effect on 25 May 2018.
Consolidating the European data privacy laws into one regulation, the new law gives European Union citizens much stronger control over the way their personal data is tracked, collected, used and stored online.
Although GDPR applies primarily to online businesses in the EU, it also affects website owners and developers outside the EU who track, collect or store any kind of personal data of EU citizens.
WordPress, meanwhile, holds over 60% of the CMS market and powers over 30% of global websites, so a huge number of websites will be affected by the GDPR. If you run a WordPress-powered website that collects or monitors any kind of personal data from citizens of the European Union, it’s time to get it ready for the GDPR.
Through this blog post, we’ll discuss this topic, but let’s first take a brief look at several new Data Subject Rights given to users in the GDPR!
Apart from being extra-territorial, the GDPR brings nine new rights to users, giving them more control over the collection and use of their personal data. These rights are:
The GDPR applies to any information that can be used to identify a living person, directly or indirectly. The regulation widens the definition of personal information to strengthen users’ rights regarding the collection, storage and use of their personal data online. As a result, even a detail as small as an IP address now counts as personal data.
Other data considered to be personal include:
Furthermore, the new law also covers sensitive personal data, a special category of personal data that requires more careful handling because it can link back to the identity of a living person. It includes, but is not limited to, factors such as:
To sum it up, the GDPR applies to both personal and sensitive personal data.
Now let’s come to the main point: making a WordPress site GDPR compliant.
There are three main ways GDPR can affect a WordPress site:
The way you track and collect users’ data through your WordPress site largely determines whether your website complies with GDPR. Under the new legislation, whenever you collect any kind of data through your WordPress site, you must clearly tell users:
The crucial point here is transparency. Whatever personal data you collect, and through whatever medium, the user’s explicit consent is now required before you monitor or collect it.
GDPR doesn’t just apply to the front end of your WordPress site; the code of your website must also comply with the new law. As the site owner, you are ultimately responsible for how a WordPress theme, plug-in or third-party component collects personal data through your site.
While several major themes and plug-ins, such as Jetpack, WooCommerce and Gravity Forms, are already working on GDPR compliance, it’s highly recommended that you audit every theme and plug-in you use before the regulation takes effect. The WP GDPR Compliance plug-in can help you identify and resolve key GDPR-related issues.
If you use opt-out options or pre-checked consent boxes on your WordPress site to collect any kind of personal data, that now counts as a breach under GDPR. As mentioned above, to meet the GDPR standard, users must actively give their consent to the collection of personal data through your WordPress site. Some approved examples of valid consent requests under the new law are:
Now that you understand how GDPR can affect a WordPress site and have a rough idea of how to deal with the GDPR, let’s get familiar with some practical ways you can get your WordPress site into compliance with GDPR:
First, carry out a full audit of the personal data collected through your WordPress site. This helps you identify the data that is strictly necessary to run the website and get rid of any data that has no real use or value. Delete any personal data you no longer use, and you have completed the first step toward making your WordPress site GDPR compliant.
Once only the strictly necessary personal data remains, write down your new policies and procedures according to the GDPR. This gives you a clear plan for what you will do if a personal data breach occurs or a user requests access to their personal data. In your policies, describe clearly what personal data you collect, why you collect it and what you do to keep it safe and secure.
This one is extremely important. Under the new regulation, the user’s explicit consent is required to collect personal data. This means every consent checkbox on your WordPress site must be empty (unchecked) by default, so that users voluntarily tick it to allow the website owner to collect their personal data. In other words, you must remove all automatic opt-in boxes from your WordPress site.
Privacy by design means asking users only for the personal data that is absolutely necessary to run your WordPress-powered website. For example, if you add a new form to your WordPress site to collect users’ personal data, build privacy and data protection into the design of the form from the very beginning instead of treating them as an afterthought or addendum.
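The two points above (an unchecked-by-default consent box, and building privacy into a form from the start) can be implemented in a WordPress theme or plug-in along these lines. This is an added example, not code from the original post or from WordPress itself; the field name `gdpr_consent`, the meta key and the message wording are assumptions.

```php
<?php
/**
 * Added example: an explicit-consent checkbox for the WordPress comment form.
 * - The box is rendered UNCHECKED by default (no pre-ticked opt-in).
 * - Consent is verified on the server, so removing the checkbox in the
 *   browser does not bypass the check.
 * - The time of consent is stored next to the data it covers, so it can
 *   be shown or exported if the user later exercises their rights.
 * Field name 'gdpr_consent', meta key and wording are assumptions.
 */

// 1. Render the consent checkbox (unchecked) with the default comment fields.
//    WordPress only prints these fields for visitors who are not logged in.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $fields['gdpr_consent'] = sprintf(
        '<p class="comment-form-gdpr-consent">'
        . '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="1" /> '
        . '<label for="gdpr_consent">%s</label></p>',
        esc_html__( 'I agree to the storage of my name, email address and comment for the purpose of publishing this comment.', 'example-textdomain' )
    );
    return $fields;
} );

// 2. Enforce consent server-side before WordPress processes the submission.
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    // Logged-in users never see the field above (assumed to have consented at registration).
    if ( is_user_logged_in() ) {
        return;
    }
    if ( empty( $_POST['gdpr_consent'] ) ) {
        wp_die(
            esc_html__( 'You must consent to the processing of your data to post a comment.', 'example-textdomain' ),
            esc_html__( 'Consent required', 'example-textdomain' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
} );

// 3. Record when consent was given (UTC) as comment meta.
add_action( 'comment_post', function ( $comment_id ) {
    if ( ! empty( $_POST['gdpr_consent'] ) ) {
        add_comment_meta( $comment_id, 'gdpr_consent_given', current_time( 'mysql', true ), true );
    }
} );
```

Because the check runs in `pre_comment_on_post`, a submission without the box ticked is rejected before any comment data is written, which is the behaviour the regulation asks for.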
Finally, if your WordPress site monitors or processes personal data on a very large scale, consider appointing a Data Protection Officer (DPO). A DPO is an individual who oversees all privacy and data protection activities of your WordPress site and ensures it complies with the GDPR. Depending on your requirements, you may appoint a DPO from within your organization or hire one externally.
Guest author: Ashish is an experienced web developer working with XHTMLJunction – PSD to WordPress Service Provider. He always tries to keep up with the latest web development trends and technologies to boost his productivity and capabilities. In his spare time, he loves to write articles related to WordPress, web design, app development and eCommerce.