Last year, the European Union implemented a new set of regulations that were meant to protect personal information in the digital age. Known as the General Data Protection Regulation (GDPR), it was put into effect on May 25, 2018, and has major implications for how website owners collect and use personal information.
What is this new law about, and how does meeting and remaining in compliance affect WordPress website owners? Since WordPress is by far the most popular CMS in use, powering more than 30% of all sites, the intersection of GDPR and WordPress is worth discussing.
GDPR Compliance: What is it? And What Does it Mean?
Data privacy concerns are nothing new, but the need for further regulation regarding how personal information is collected and used has reached critical mass in light of recent high-profile cases of breaches and shady third-party marketing schemes that put data integrity at risk.
The GDPR was structured to enhance and strengthen EU policies regarding consumer data, practices like using cookies, and how digital marketing agencies and social media giants are allowed to collect and use our personal information.
It’s meant to regulate data collection and strengthen individual control over how our information is used once it is collected, by following these seven key privacy principles (Article 5 of the regulation):
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
A brief overview of the law breaks down like this:
- WordPress websites must create and display clear-cut privacy policies detailing what information will be collected and how it will be stored and used.
- Users must confirm that they know this information and agree to the terms.
- Users must be given the right to deny or withdraw consent.
- Website owners must delete information when such consent is denied.
- Data breaches or leaks must be reported within 72 hours.
The concept is termed “Privacy by Design,” but what exactly is “personal data” under this law?
According to the official EUGDPR website, personal data is any information that makes an individual identifiable either directly or indirectly. These include:
- Name, address, and phone number
- Identification numbers like social security or state tax ID numbers
- Location information
- Online identifiers
A deeper dive into some of the vague terminology shows how much territory the regulation could cover, yet some privacy advocates feel it doesn’t go far enough. Others think it potentially and needlessly penalizes small business owners and bloggers by using the specter of hacking and corporate greed to control eCommerce.
Is There a Deeper Purpose for Creating the GDPR?
One take on the stiff penalties for those found in violation of GDPR is that it’s not intended to punish smaller WordPress site operators but rather to send a message to social media giants like Facebook over their cavalier treatment of customer data. But there is no quarter given in the wording of the regulations, so ALL website owners should make plans to comply.
The law will be enforced through what are called Supervisory Authorities (SA). Each EU member state chooses its own SA and may have more than one. Compliance will be assessed through:
- Audits of websites
- Publication of warnings
- Corrective measures with deadlines to reach full compliance
These regulations cover websites originating or based in the EU as well as those with customers or reach inside Union member states; that covers pretty much everyone with a WordPress blog, social media platform, or eCommerce website. It seems straightforward, but there’s a lot of concern about what will happen to existing databases and content, as well as about the stiff penalties for non-compliance.
These will be implemented in steps:
- First offense: Written warning
- Second offense: Official censure with deadlines to reach compliance
- Fines and other penalties for non-compliance: These amount to up to 4% of annual revenue or 20 million euros
As of version 4.9.6, WordPress is fully GDPR compliant. Those who have an older version of WP core software should update their website immediately. These regulations shouldn’t affect overall WP site design, except those elements that pertain to data collection and storage. Any websites that aren’t currently compliant had until May 25, 2019, to bring their WP site into full compliance.
Guide to GDPR Compliance for WordPress Website Owners
The amount of upheaval your website will experience depends on the type of website you own and how much you rely on collecting or using personal data from your visitors through:
- User registration forms, opt-ins, and subscriptions
- Comment sections
- Contact forms
- Analytics, reporting, and traffic logs
- Logging tools and plugins
- Security tools and plugins
As long as you operate your website with integrity and treat your visitors the same way, meeting compliance follows these steps:
- Fully read and understand the GDPR regulation
- Perform a full audit of your website through practices like data mapping, using these new regulations as a guideline
- Update your privacy and data collection policies and clearly inform visitors of these updates and their rights regarding their information
- Standardize your data collection and use policies using three components of data collection and storage: data access, the right to be forgotten, and data portability.
- Train employees and inform vendors following Article 13 of the regulation regarding the right to be informed.
- Design and implement a procedure for handling/reporting data breaches.
- Learn what steps your vendors and other associates are taking to ensure compliance on their end.
- Verify that any data transfer outside of the EU remains in compliance.
- Adjust your website to ensure compliance, transparency, and disclosures about data collection, use, and storage.
- Perform periodic reviews/audits to ensure continued compliance.
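To show what the three components named above (data access, the right to be forgotten, and data portability) look like in WordPress terms, here is an added example that is not part of the original article. It plugs a hypothetical newsletter plugin into the privacy tools that WordPress core added in 4.9.6. The `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters and the return shapes of their callbacks are core WordPress APIs; the plugin name, the `newsletter_signups` table and its `id`, `email`, `ip`, `created_at` columns are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Example Newsletter Privacy Hooks (hypothetical)
 *
 * Added example: registers a personal-data exporter and eraser for a
 * hypothetical newsletter plugin that stores signups in the custom table
 * {$wpdb->prefix}newsletter_signups (columns id, email, ip, created_at).
 * The filters and return shapes are WordPress core (4.9.6+); the table is assumed.
 */

// Data access / portability: return every record stored for this email address.
// WordPress calls this repeatedly with an increasing $page until 'done' is true.
function example_newsletter_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'newsletter_signups'; // assumed table
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, ip, created_at FROM {$table} WHERE email = %s LIMIT %d OFFSET %d",
            $email_address,
            $per_page,
            $offset
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'newsletter_signups',
            'group_label' => __( 'Newsletter Signups', 'example-newsletter' ),
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email', 'example-newsletter' ),      'value' => $row->email ),
                // IP addresses are online identifiers and therefore personal data.
                array( 'name' => __( 'IP address', 'example-newsletter' ), 'value' => $row->ip ),
                array( 'name' => __( 'Signed up', 'example-newsletter' ),  'value' => $row->created_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page,
    );
}

// Right to be forgotten: delete the rows outright and report what happened.
function example_newsletter_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'newsletter_signups'; // assumed table
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => __( 'Newsletter Signups', 'example-newsletter' ),
        'callback'               => 'example_newsletter_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => __( 'Newsletter Signups', 'example-newsletter' ),
        'callback'             => 'example_newsletter_eraser',
    );
    return $erasers;
} );
```

With this active, the requests an administrator creates under Tools > Export Personal Data and Tools > Erase Personal Data (which WordPress confirms with the requester by email) will include the plugin’s records in the export ZIP and remove them on erasure. Every plugin that keeps its own copy of visitor data needs a pair of hooks like this; otherwise the built-in tools only cover core data such as comments and user profiles, and the audit in the steps above is where you find those gaps.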
Avoiding GDPR-Related Fines: Common Mistakes
What does a wrong technical choice have to do with the GDPR stance on data handling? Perhaps a lot. Many small business owners and bloggers are looking to save money by seeking ostensibly free or low-cost web hosting services, which are a mixed bag of quality. The problem is that many of these companies have razor-thin margins, and do not handle customer data in a GDPR-approved manner.
To put it simply, a rock bottom price on your hosting plan could leave you to pay in other ways, often in having your own or customer personal data harvested and sold without permission to advertisers (bad) or maybe even put up for sale on the Dark Web (worse). Those few dollars a month you save by going with the cheapest host could end up costing you much more in privacy invasion.
Plus, if you suffer the misfortune to have your chosen cheapskate host hit with a sizable GDPR fine, the company might decide to close for good and slip away into the night, never to be heard from again and taking your WordPress site files with them.
Can you say complete rebuild?
The Bottom Line
The goal of this article is not to give you legal advice; that’s for lawyers to worry about. Our focus is to provide the most current information we have about the regulation and the steps you can take to help ensure your WordPress site gets and stays in compliance.
Gary Stevens, Plain Guide to Making a WordPress Website GDPR Compliant, July 3, 2019