On May 25, 2018 (a year ago as of this writing) the GDPR became applicable, setting the rules for processing the personal data of people in the EU.
GDPR stands for General Data Protection Regulation. The regulation raises the level of data protection and gives people in the European Union more control over their data.
If your company website collects information about visitors and users, knowing and complying with the GDPR requirements is a must. Ignorance and non-compliance can lead to large fines (up to €20 million or 4% of annual turnover) that you most likely would not want to pay…
What are the main principles of GDPR, and why are the new rules so important for website owners? How do you make sure your WordPress website is GDPR compliant? And most importantly, what happens if you keep ignoring it?
In this article, we interpret the GDPR from the angle that is useful to website owners, and not only those working directly with EU residents. Finally, we give practical advice on how to make your WordPress site GDPR compliant.
What is GDPR and What Does It Protect?
Personal data means any information that can identify a specific individual. Under the GDPR definition, personal data includes both information a person provides to a web resource (first and last name, gender, email or phone number) and information collected automatically, such as the user's location, device (including IP address), operating system, etc.
There is one more kind of personal data collected by Internet resources: how many pages a particular user has viewed, what queries they searched for, which social media posts they liked or commented on, etc. Such information helps to determine the user's interests, as well as their social status, religious beliefs or political views.
Payment information is also personal data, and in practice a particularly sensitive kind of it. All of the above is protected by GDPR.
GDPR (General Data Protection Regulation) consists of 99 articles governing the relationship between those who provide their personal data (people in the EU) and those who collect, process and use this data in their activity (Internet services, web resources, commercial and non-profit companies, organisations).
The full text of the GDPR is publicly available if you want to read the regulation itself.
Accordingly, GDPR protects any information that identifies a person in some respect, whether gender, age, place of residence, or physical, mental, cultural, economic or social identity.
New terms: Data Controller & Data Processor
Before moving on, let's clarify two key terms the GDPR relies on: data controller and data processor.
A data controller is the company or organisation that decides why and how personal data is collected and processed. A data processor is a company that processes the data on behalf of a controller (a hosting provider or an email marketing service, for example). Controllers carry the most responsibility and must have written agreements with their processors on how the GDPR rules are observed when processing the data the controller hands over.
Whom Does GDPR Concern?
GDPR has extraterritorial scope. The rules apply to everyone who processes the data of people in the EU, whether or not you have branches in Europe, wherever the company is registered, and wherever it processes user data.
If you offer goods or services to people in the EU, or monitor their behaviour, your company has no choice but to comply with the GDPR. The regulation currently covers the 28 member states and still includes the United Kingdom until Brexit takes full effect.
The unified business data regulations should:
- improve data management and information security;
- lead to a better brand image and reputation;
- increase customer confidence;
- create an identical legal basis in all EU countries;
- reduce the cost of organising customer data across databases.
GDPR Principles & Requirements
GDPR builds on the 8 principles set out in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data back in 1980. In the GDPR (Article 5), they are restated as 7 principles.
So, personal data shall be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes;
- adequate, relevant and limited to what is necessary (data minimisation);
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security, including protection against unauthorised access, loss or damage;
- and, finally, the controller is responsible for, and must be able to demonstrate, compliance with the above whenever asked (accountability).
Besides, the controller must explain the purpose of collecting personal data to users in a simple and accessible manner. Users should have easy access to information about the data already collected about them. That information must be accurate, protected and stored for a limited time only. Finally, the controller shall not collect extra information about the user, just what is needed to provide the service.
What Are the User Rights?
Under GDPR, people in the EU have the right to agree to or refuse data collection, to have their data deleted, and to control which of their personal data the websites they visit process.
Overall, these rules give users more freedom and control over the information they share with companies.
Let’s go over these rights one more time:
- the right to be informed about who processes their personal data and why;
- the right of access to their personal data;
- the right to rectification (correction) of their personal data;
- the right to erasure, or the "right to be forgotten";
- the right to restrict processing;
- the right to data portability (moving personal data from one service to another);
- the right to object to the data processing;
- rights in relation to automated decision-making and profiling.
Why Do I Have to Know It?
If you keep ignoring GDPR, it may have bad consequences. Even the smallest American company working for a local market but owning a website can't be 100% sure that none of its visitors are EU residents.
It makes sense, then, to check your customer base again and decide on further actions.
For example, six months after the guidelines were published, PwC surveyed 200 executives of large US companies to find out the real impact of GDPR on their business. The results made it clear that most firms took the GDPR very seriously and even made data protection their top priority.
76% of respondents planned to spend at least $1 million on GDPR in the following year, and 54% planned to de-identify European personal data to reduce their GDPR risk exposure.
How Will GDPR Regulations Affect the Company’s Work?
The biggest change to happen in your company after the implementation of GDPR won’t be about getting used to the new rules and policies. It’s rather about a revision of the company’s attitude to personal data and its protection.
- Companies will feel higher responsibility for collecting, processing and storing data;
- Holding a large amount of data will no longer be seen as something positive in itself. More likely, it signals an inability to use data effectively;
- Before releasing any new product or service, companies will need to think through and assess the impact and risks for customers' data (a data protection impact assessment);
- Employees who have access to someone's personal information will know the rules and therefore take conscious care of the data, observing the basic protection rules.
What If I Neglect the Rules?
Ignoring the GDPR principles can lead to fines of up to €10 million or 2% of the company's annual worldwide turnover for lesser infringements, and up to €20 million or 4% for the most serious ones, whichever amount is higher in each case.
7 Steps to Make Your Website GDPR Compliant
1. Let Users Know You Want to Use Their Personal Data
As a company that works with someone's personal data, you have to be 100% transparent with every visitor to your website. People want to know which information (even if it's only cookies) you are about to collect and why.
Providing this information is easy: use a pop-up message or a banner at the top or bottom of the page to inform users from the first second they visit your website.
2. Give a Clear Description
A clear, easy-to-read explanation is the key to obtaining valid consent to your website's terms.
For instance, expand your consent form and make it more detailed. When a person is about to tick the "I agree to the Terms & Conditions" checkbox, make sure they know which personal data will be processed on the basis of that consent.
For better comprehension, you may even use separate consent forms (as pop-up messages) for different types of personal information: one for email, address and phone; another for location, etc.
3. Follow the GDPR Requirements
GDPR sets requirements for the forms through which a website obtains a user's consent to (or refusal of) data processing.
Such forms must meet common standards. Pre-ticked checkboxes, for example, no longer count as consent, since consent must be given by a clear affirmative action. In addition, each user must have easy access to instructions on how to withdraw consent for data processing, and withdrawing it must be as easy as giving it.
4. Use Double Opt-In
Although the regulation says nothing about double opt-in (subscription confirmation), I highly recommend you use it. The confirmation also gives you a timestamped record that the owner of the address actually consented, which helps when you have to demonstrate that consent was given.
You have probably received emails asking you to confirm your address after leaving it on someone's site. To confirm your consent to receive messages from that resource, you had to follow a link in the email that is only valid for a limited time.
The double opt-in technique also improves the quality of your mailing list, which helps avoid spam complaints and a high bounce rate.
Double opt-in matters most for new subscribers. If you collect additional data about existing customers, you don't need to repeat the confirmation every time.
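Here is one way to implement the temporarily active confirmation link from step 4. This is an added example, not code from the original article: the server signs the address and an expiry time with HMAC-SHA256, puts the result in the link, and on click accepts it only if the signature verifies and the expiry has not passed, so nobody can subscribe an address they don't control or replay an old link. The secret key, the 24-hour lifetime, the example.com URL and the in-memory subscriber store are assumptions for illustration.

```php
<?php
// Added example, not code from the original article. A stateless,
// time-limited confirmation token for a double opt-in link. The secret,
// the 24-hour lifetime and the in-memory subscriber store are assumptions.

const CONFIRM_TTL_SECONDS = 24 * 60 * 60;

function base64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64url_decode(string $text)
{
    // strict mode: returns false on any character outside the alphabet
    return base64_decode(strtr($text, '-_', '+/'), true);
}

// Token placed in the confirmation URL: base64url("email|expiry|hmac").
function make_confirm_token(string $email, string $secret, int $now): string
{
    $email   = strtolower(trim($email));
    $expires = $now + CONFIRM_TTL_SECONDS;
    $payload = $email . '|' . $expires;
    $mac     = hash_hmac('sha256', $payload, $secret); // hex, 64 chars
    return base64url_encode($payload . '|' . $mac);
}

// Returns the confirmed address, or null if the token is malformed,
// tampered with or expired. The caller learns only that it failed.
function verify_confirm_token(string $token, string $secret, int $now): ?string
{
    $raw = base64url_decode($token);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 3) {
        return null;
    }
    [$email, $expires, $mac] = $parts;
    // Check the signature first, in constant time, then the expiry.
    $expected = hash_hmac('sha256', $email . '|' . $expires, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null; // the link is no longer active
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

// 1. Sign-up form submitted: record the address as pending and return the
//    link that goes into the confirmation e-mail.
function subscribe(array &$store, string $email, string $secret, int $now): string
{
    $store[strtolower(trim($email))] = ['status' => 'pending', 'consented_at' => null];
    return 'https://example.com/confirm?t=' . make_confirm_token($email, $secret, $now);
}

// 2. Link clicked: only a valid, unexpired token marks the record confirmed
//    and stores when consent was given.
function confirm(array &$store, string $token, string $secret, int $now): bool
{
    $email = verify_confirm_token($token, $secret, $now);
    if ($email === null || !isset($store[$email])) {
        return false;
    }
    $store[$email] = ['status' => 'confirmed', 'consented_at' => $now];
    return true;
}

// Demo with a constructed secret and store (assumptions, not real data).
$secret = 'replace-with-a-long-random-secret-from-your-config';
$store  = [];
$now    = time();

$link = subscribe($store, 'Alice@Example.org', $secret, $now);
$tok  = substr($link, strlen('https://example.com/confirm?t='));

var_dump(confirm($store, $tok, $secret, $now + 3600));       // within the 24-hour window
var_dump(confirm($store, $tok, $secret, $now + 2 * 86400));  // two days later: link has expired
var_dump(confirm($store, $tok . 'x', $secret, $now + 3600)); // altered token
var_dump($store);
```

Because the token is self-contained, nothing has to be stored server-side before the click beyond the pending record, and the consent timestamp is written only when the link is actually followed, which is the record you can later point to when asked to show that consent was given.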
5. Delete Personal Data On Demand
6. Inform If Data is Lost
Once you hold user data, you are 100% responsible for its safety.
If data is stolen in an attack, leaked, or lost in some other way, you must report the breach to your supervisory authority within 72 hours of becoming aware of it, and inform the affected users without undue delay if the breach is likely to put their rights and freedoms at high risk.
7. Remember About “Old” Users
If you already have a substantial client base (some old clients might not even visit your website any more), a good idea is to share the new data rules via email and ask them to renew their consent under the GDPR.
WordPress Website and GDPR: Key Aspects
Whew, it was a long way down to finally get to our main question =)
If your company runs its business on a WordPress site, you have probably wondered how to make it GDPR compliant.
First things first, let’s figure out what a standard WP website may use to collect user data:
- user registrations,
- contact form entries,
- analytics and traffic log solutions,
- any other logging tools and plugins,
- security tools and plugins.
Here are the 3 main aspects of WordPress GDPR compliance you should know about:
1. Breach Notification
Under GDPR, if your website suffers a personal data breach, the people affected must be informed. A breach may involve any loss, alteration, unauthorised disclosure of or access to personal data, and may consequently put individual rights and freedoms at risk.
This means you must act as soon as possible. The GDPR requires the controller to notify the supervisory authority within 72 hours of becoming aware of the breach, and to inform the affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms. Data processors, for their part, must notify the controller as soon as they become aware of a breach.
When it comes to a WordPress website, you may wonder which of your visitors count as "users". It can mean registered users, commenters, or anyone who once filled in a contact form: anyone whose personal data you hold is affected.
2. Data Collection, Processing & Storage
These three activities map to three user rights: the Right of Access, the Right to Be Forgotten and Data Portability.
- The Right of Access ensures users receive complete information about their personal data: what kind of data is collected, why it's collected, where it's stored, etc.
- The Right to Be Forgotten lets users have their data deleted from your database and stop its further collection and processing.
- Data Portability, as set out in the GDPR full text, gives users the right to receive the data they consented to provide in a structured, machine-readable format and move it to a different controller.
For WP website owners, this means a little more work than before. In the 7 steps above, I advised publishing your data policy down to the tiniest detail.
After you complete and publish the policy, make sure you are ready to provide users with a copy of their data, as some of them may request it now or later. This can be a daunting task and one of the most difficult procedures to accomplish, but it's a rule you can't ignore.
It's also highly recommended to have a system in place to export (and erase) a given person's data from your database. WordPress itself has shipped Export Personal Data and Erase Personal Data tools under the Tools menu since version 4.9.6; they cover core data such as comments and profiles, while data stored by plugins is only included if the plugin hooks into them.
Finally, it's a good idea to separate storage by kind of data rather than keeping everything in one place, so that a breach of one store does not expose everything at once.
3. Use of Plugins
Since most current WordPress plugins work with user data as well, they must also comply with the GDPR in their own way. As a WP website owner, you can spend a lot of time figuring out which of your installed plugins are GDPR compliant and which are not.
So, under the regulation, each plugin that handles personal data must make clear what data it collects from the site and how it processes it.
Most likely, the majority of popular and well-known WordPress plugins have already updated their data policies, so you can use them without fear of violating GDPR. Still, check each plugin's privacy documentation and what it actually logs (IP addresses in security plugins are a common case) rather than taking this for granted.
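To make the access, portability and erasure requests from the previous section manageable, a plugin that stores personal data should plug into the privacy tools WordPress ships (Tools > Export Personal Data and Tools > Erase Personal Data, available since WordPress 4.9.6), so the site owner can answer a request from one place instead of hunting through every table. The following is an added example, not code from the original article or from any existing plugin; it uses the core `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters, while the table `wp_newsletter_signups`, its columns and the `example_newsletter_*` names are assumptions for illustration.

```php
<?php
/**
 * Added example, not code from the article or any plugin. Registers a
 * personal-data exporter and eraser with the WordPress privacy tools
 * (Tools > Export Personal Data / Erase Personal Data, WordPress 4.9.6+).
 * The table wp_newsletter_signups and its columns are assumptions.
 */

// Register the exporter: core calls it for the e-mail address in the request.
add_filter('wp_privacy_personal_data_exporters', function (array $exporters): array {
    $exporters['example-newsletter'] = [
        'exporter_friendly_name' => 'Newsletter signups (example)',
        'callback'               => 'example_newsletter_exporter',
    ];
    return $exporters;
});

// Register the eraser: core calls it when the owner approves an erasure request.
add_filter('wp_privacy_personal_data_erasers', function (array $erasers): array {
    $erasers['example-newsletter'] = [
        'eraser_friendly_name' => 'Newsletter signups (example)',
        'callback'             => 'example_newsletter_eraser',
    ];
    return $erasers;
});

/**
 * Exporter callback (right of access, data portability). Core calls it page
 * by page until 'done' is true and bundles every group into the ZIP the user
 * downloads. Only rows matching the requester's own address are read.
 */
function example_newsletter_exporter(string $email_address, int $page = 1): array
{
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_signups'; // assumed table

    $rows = $wpdb->get_results($wpdb->prepare(
        "SELECT id, email, signup_ip, consented_at FROM {$table} WHERE email = %s",
        $email_address
    ));

    $export_items = [];
    foreach ($rows as $row) {
        $export_items[] = [
            'group_id'    => 'newsletter-signups',
            'group_label' => 'Newsletter signups',
            'item_id'     => 'newsletter-signup-' . $row->id,
            'data'        => [
                ['name' => 'Email address', 'value' => $row->email],
                ['name' => 'Signup IP',     'value' => $row->signup_ip],
                ['name' => 'Consented at',  'value' => $row->consented_at],
            ],
        ];
    }

    // All matching rows fit in one page, so report the export as complete.
    return ['data' => $export_items, 'done' => true];
}

/**
 * Eraser callback (right to be forgotten). Deletes the rows for the address
 * and reports back to core. 'items_retained' plus a message is how you would
 * explain data you are legally required to keep for a while, such as invoices.
 */
function example_newsletter_eraser(string $email_address, int $page = 1): array
{
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_signups'; // assumed table

    $deleted = $wpdb->delete($table, ['email' => $email_address], ['%s']);

    if ($deleted === false) {
        return [
            'items_removed'  => false,
            'items_retained' => true,
            'messages'       => ['Newsletter signups could not be deleted; please retry.'],
            'done'           => true,
        ];
    }

    return [
        'items_removed'  => $deleted > 0,
        'items_retained' => false,
        'messages'       => [],
        'done'           => true,
    ];
}
```

Drop this into a plugin file and the newsletter rows appear in the export archive and disappear on an approved erasure alongside the core data, which is the practical test of whether a plugin "establishes a data flow" with your site: if a plugin stores personal data and registers neither hook, you will be answering those requests by hand.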
Ionut Neagu, CEO of ThemeIsle, gives a short comment on this matter:
GDPR looks like a really big change that we should all treat very seriously and look for solutions. If there’s one thing we learned from VAT, it’s that the EU is quite serious about those things. They keep introducing more and more regulations and then put new mechanisms in place to enforce them. Those 4% fines aren’t looking good.
It's not only WP plugins that will have to change their data policies. Many digital marketing tools that you integrate with your WordPress website will need to adjust as well, for instance email marketing tools that send automated emails to everyone on a list.
Whichever way you run your email marketing campaigns, one thing is clear: the owners of the addresses on your list must have consented to receiving them.
Moreover, you should not buy a mailing list from a third party, because sending emails to addresses whose owners have not consented is unlawful.
To summarize this long chunk of text in several key statements:
- GDPR (General Data Protection Regulation) governs the relationship between those who provide their personal data and those who collect, process, and utilize this data in their activity;
- The GDPR regulations came into effect in May 2018;
- The rules apply to every website that processes the personal data of people in the EU;
- It gives users more control over their shared personal information;
- Non-compliance can lead to large fines: up to €20 million or 4% of the company's annual turnover, whichever is higher.
These 7 steps will help your website remain GDPR compliant:
- Let users know you want to use their personal data;
- Give a clear description of the terms;
- Follow the GDPR requirements;
- Use double opt-in technique;
- Delete personal data on demand;
- Inform users if data is lost;
- Remember about “old” users.
I truly hope you have completed all of the above steps by May 2018.
Otherwise, you can be in real trouble =(
Wish you to stay out of trouble and always abide by the law!
Jessica spends 12 hours a day on the internet managing security for web assets and loves her matcha tea