Before we guide you through every step, a little disclaimer is in order. We are not lawyers, so all the details in this WordPress GDPR guide are our personal opinion and understanding of the matter. It is not legal advice, and you are in no way obliged to implement or consider it if you do not agree with it. We are simply stating the facts as we understand them and explaining how GDPR works and how it affects the online environment.
Starting on May 25, 2018, the storage and processing of user data will be more strictly regulated within the EU. But what does that mean for bloggers, freelancers and small business owners? What does it mean for those of us who use WordPress and are not in the EU?
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a regulation adopted by the European Parliament and the Council of the European Union on the protection of natural persons with regard to the processing of their personal data. It holds any organization or person that processes such data accountable for protecting it. And regardless of where you are based, if your site offers goods or services to people in the EU or monitors their behaviour (analytics and advertising pixels count as monitoring), the Regulation applies to you too.
The penalties for breaching the Regulation can reach €20 million or 4% of the company's worldwide annual turnover, whichever is higher. GDPR was adopted in April 2016, but its application was postponed for two years so that the entities it covers could get ready in due time. So it's now official: GDPR becomes enforceable on May 25, 2018.
- Defines measures data holders must take to protect data
- Emphasizes enforcement expectations
- Enables large fines to be levied
- Imposes broad disclosure requirements for data security breaches
GDPR main players
There are three main roles involved in the GDPR process.
As defined in Chapter 1, Article 4 of the GDPR, the Controller is:
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The same article defines the Processor as:
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Protection Officer (DPO)
The Data Protection Officer is a leadership role responsible for overseeing an organization's data protection strategy and its implementation, to ensure compliance with GDPR. Not every organization has to appoint one: Article 37 requires a DPO for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. As stated in Chapter 4, Article 39, the Data Protection Officer has at least the following five tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
What does it mean in practice?
Well, it's not that easy to answer, simply because the Regulation uses a very wide definition of personal data. Any information that relates to an identified or identifiable individual, such as a name, a phone number, an e-mail address, an online identifier like an IP address or a cookie ID, or any other form of identity, counts as personal data. As such, you can't play with it the way you used to. And when we say you, we mean marketers and data analysts: the people who collect and analyze big data to deliver targeted ads, offers and the like. But let us explain with some relevant examples.
Let's say you run an e-commerce business from the USA. GDPR applies to every EU visitor who comes to your site, because you're processing their personal information: the payment procedure, cookies (remember that mess in the beginning?), commenting (yes, that too), contact and signup forms, Google Analytics and all the other Google tools. Why? Because this regulation is cleaning up the mess we made with all those tools we use to track our users so we can market to them better. So if you use any of these tools, GDPR applies to you too. The Regulation simply sets tighter guidelines and measures, so we'll need to:
- create better, straightforward privacy policies
- add tools that inform visitors of all data tracking, and of how we collect and store their data
- use tools that respect user privacy
- add opt-ins to obtain visitors' consent
In simple terms, if you store visitors' information in any way, you are obliged to tell them, and where consent is the lawful basis you rely on (analytics, marketing cookies, newsletters) you need an explicit opt-in. Pre-ticked boxes and silence do not count as consent.
GDPR guide to main privacy principles
GDPR has six main privacy principles organizations must follow when collecting, managing and processing personal information data.
Lawfulness, fairness and transparency
Personal data must be collected and processed lawfully, fairly and in a transparent manner towards the individual.
Purpose limitation
Personal data may be collected only for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes.
Data minimisation
Data collection is limited to what is adequate, relevant and necessary for the stated purpose.
Accuracy
Data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.
Storage limitation
Data may be kept in a form that identifies individuals only for as long as necessary for its purpose; longer storage is permitted only in certain cases, such as archiving in the public interest or statistical purposes.
Integrity and confidentiality
Data must be processed in a way that ensures appropriate security, protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Does GDPR affect WordPress and in what way?
It's much bigger than just WordPress. GDPR affects every aspect of the online environment. For the end user, the visitor, it is a good thing: people already want to know who is tracking them and why. So this regulation will, hopefully, put an end to non-consensual tracking and to data collection that is not relevant to the service you, or anyone else, provides.
WordPress GDPR guide
However, if you're not sure whether you collect any user data, here are some standard ways a WordPress site gathers information:
- Analytics (Google Analytics, Facebook Pixel,…)
- Forms (contact forms, subscriptions, signup forms)
- Comments (WordPress stores the commenter's name, e-mail address and IP address)
- Logging/security tools and plugins (which usually record visitor IP addresses)
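As an added example (not code from the original article or from any of the plugins it mentions), the following JavaScript shows one way to implement the opt-in requirement described earlier for the analytics and pixel scripts listed above: tracking scripts ship inert in the page and are activated only for purposes the visitor has explicitly granted, and anything missing, stale or unlabeled fails closed. The storage key, the policy version, the purpose names and the six-month re-consent window are assumptions made for this example.

```javascript
// Added example, not code from the original article: a small consent gate for
// tracking scripts (analytics, pixels) on a WordPress site. Nothing tracks
// until the visitor has explicitly opted in. The storage key, the policy
// version and the six-month re-consent window are assumptions for this example.

const CONSENT_KEY = "site_consent";                   // localStorage key (assumed)
const CONSENT_VERSION = 2;                            // bump when the privacy policy changes
const CONSENT_MAX_AGE_MS = 182 * 24 * 60 * 60 * 1000; // re-ask after roughly six months
const PURPOSES = ["analytics", "marketing"];          // purposes the banner offers (assumed)

// Parse a stored consent record. Anything missing, malformed, recorded under an
// older policy version, or too old is treated as "no consent" (fail closed).
function parseConsent(raw, now = Date.now()) {
  if (typeof raw !== "string") return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || typeof rec !== "object") return null;
  if (rec.version !== CONSENT_VERSION) return null;
  if (typeof rec.ts !== "number" || rec.ts > now || now - rec.ts > CONSENT_MAX_AGE_MS) return null;
  if (!rec.purposes || typeof rec.purposes !== "object") return null;
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = rec.purposes[p] === true; // only a literal true counts
  return { version: rec.version, ts: rec.ts, purposes };
}

// Build the record to store when the visitor submits the banner. Purposes that
// were not ticked are stored as false, so a refusal is recorded as well, and
// the timestamp lets you show when consent was given.
function buildConsent(grantedPurposes, now = Date.now()) {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = grantedPurposes.includes(p);
  return JSON.stringify({ version: CONSENT_VERSION, ts: now, purposes });
}

// True only for an explicit, current opt-in to this purpose.
function hasConsent(consent, purpose) {
  return consent !== null && consent.purposes[purpose] === true;
}

// Pick the gated scripts that may run. A script with no declared purpose is
// never loaded, so an unlabeled tracker fails closed rather than open.
function selectScriptsToLoad(scripts, consent) {
  return scripts.filter(s => typeof s.purpose === "string" && hasConsent(consent, s.purpose));
}

// Browser glue. Trackers are shipped inert in the theme, for example
//   <script type="text/plain" data-consent="analytics" data-src="https://tracker.example/analytics.js"></script>
// and only those whose purpose was granted are swapped for a real <script>.
// Returns the number of scripts that stayed blocked.
function activateGatedScripts(doc, storage) {
  const consent = parseConsent(storage.getItem(CONSENT_KEY));
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const gated = nodes.map(n => ({ purpose: n.dataset.consent, src: n.dataset.src, node: n }));
  const allowed = selectScriptsToLoad(gated, consent);
  for (const s of allowed) {
    const live = doc.createElement("script");
    live.src = s.src;
    live.async = true;
    s.node.replaceWith(live);
  }
  return gated.length - allowed.length;
}

// Banner handler: store what the visitor ticked, then re-run the gate.
function onBannerSubmit(doc, storage, grantedPurposes) {
  storage.setItem(CONSENT_KEY, buildConsent(grantedPurposes));
  return activateGatedScripts(doc, storage);
}
```

The point of the design is that the default is "no": a missing record, a record written under an older privacy policy, an expired one, or a tracker tag that does not declare its purpose all leave the script blocked. Call `activateGatedScripts(document, window.localStorage)` on page load and `onBannerSubmit(document, window.localStorage, ["analytics"])` from the banner's button; the theme or plugin must also emit the trackers with `type="text/plain"` so the browser does not run them before consent.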
Use the materials and tools to learn everything about it and to implement it in the best possible way, for you and your visitors. Provide useful information with details such as why you collect data, how you use it and whether you store it, and if so why and how. That said, there are already a few GDPR-related plugins you can use to align your blog or site with GDPR.
WordPress GDPR plugins
This plugin helps you comply with EU privacy regulations and is regularly updated as new GDPR-related requirements come up. It supports Contact Form 7, Gravity Forms, WooCommerce and WordPress Comments.
A freemium plugin that helps you handle personal data on your blog or website. It has a handy feature: it provides a GDPR page where visitors can access their data. Furthermore, they can request that their data be deleted if they want to.
A great plugin that helps you keep an eye on what is happening on your site and ensures that your website meets regulatory compliance requirements.
Do not try to avoid GDPR in any way. Although it's less likely that the authorities will go after small blogs and websites, you shouldn't put your small business at risk. Hopefully, this article helps you understand the whole GDPR mess a little better. For more details and progress on WordPress and GDPR, you can always visit WordPress.org and its useful resources: