GDPR – How to Make Your WordPress Site Safe
GDPR has arrived and the sky hasn’t fallen in for your business just yet, but the implications of non-compliance with the General Data Protection Regulation (GDPR) are significant. It may turn out to be the biggest change so far in the field of data privacy regulation and information security. 25 May 2018 will be remembered for this.
By combining all the European data privacy laws into one regulation, the new law provides European Union citizens more robust control measures over the way their personal data is being tracked, collected, shared, used and stored online.
And although GDPR applies primarily to online businesses in the EU, it will also affect website owners and developers outside the EU who are tracking, collecting and storing any kind of personal data from any European Union citizen.
WordPress currently has over 60% of the CMS market, including many of the world’s websites. This increases the chances of a huge number of websites (including yours) being impacted by the new GDPR laws. If you run a WordPress powered website that collects, monitors or shares any kind of personal data from citizens of the European Union, it’s time to get GDPR compliant, because small and medium sized businesses cannot afford the shock of immediate fines and penalties the way a large multinational corporation can absorb shocks of a similar nature.
Here are the new Data Subject Rights given to users under the new GDPR laws!
(If you are a business website owner you may need to sit down!)
An individual’s rights under GDPR
Apart from being extraterritorial, the new GDPR regulation brings 9 new rights to users, allowing them to have more control over the collection and usage of their personal data. These rights are:
- Right to be Informed. An individual has the full right to be informed about how their personal data is being collected and used.
- Right to Access. Every user has the right to access and download their personal data in the form of an electronic copy provided by the website owner free of cost.
- Right to Rectification. The new GDPR regulation gives users the power to rectify any inaccurate personal data, or complete it if it is incomplete.
- Right to Erasure. Also known as the right to be forgotten, this right allows individuals to leave a website and have any personal data erased at any time.
- Right to Restrict Processing. According to this right, every user has the ability to restrict or suppress the processing of their personal data at any time.
- Right to Data Portability. The new GDPR regulation empowers users to download and reuse their personal data for their own purposes.
- Right to Object. An individual can prohibit the use of any particular data for direct marketing or any other purpose at any time.
- Right to be Informed about Data Breaches. In case of a data breach, the website owner must notify users within 72 hours of knowing about the breach.
- Rights related to Automated Decision Making. The GDPR regulation prevents users from being subject to a decision made without the active involvement of a human.
What Information Applies To GDPR?
The GDPR legislation applies to any information that can be used to recognize the identity of a living person, directly or indirectly. Furthermore, the new regulation redefines the scope of personal information to strengthen users’ rights related to the collection, storage, sharing and usage of their personal data online. As a result, it now counts even small details like an IP address as personal data.
Other data considered to be personal include:
- Social security / PPS numbers
- Profiling, sales and analytics data
- Online behaviour (cookies)
Furthermore, the GDPR law also applies to sensitive personal data, a special category of personal data (such as healthcare data) which requires more careful handling and can potentially link back to the identity of a living person. Health insurers, for example, face a significant operational challenge to ensure they remain on the right side of the GDPR laws.
Sensitive Personal Data includes, but is not limited to, several factors, such as:
TL;DR: In short, both personal and sensitive personal data are included in its scope.
But what now? How can a small or medium sized business without a large legal and regulatory department resource and manage the change, and ensure data privacy laws are adhered to properly?
How to make a WordPress Site GDPR Safe
GDPR impacts a WordPress site in the following 3 ways:
How you track and collect users’ data through your WordPress website plays a key role in determining the compliance of your website with GDPR.
While collecting any kind of data through your WordPress site, you must clearly tell users:
- Who you are
- What personal data you collect
- Why you collect the data
- Where the collected data is being stored
- How long the data is stored for
- For what purpose you are using the data
- How the data is secured
Transparency is key.
Regardless of the type of personal data you’re collecting, and via whatever kind of medium, explicit, clear consent from users is now legally imperative in order to monitor and collect personal data. The penalties are potentially severe.
Themes and plug-ins
GDPR doesn’t just apply to the front end of your WordPress site; the code of your website must also be fully in compliance with the new GDPR EU law. As a WordPress site owner and/or webmaster or administrator, you’re ultimately responsible for how a WordPress theme, plugin or third party software collects personal data through your website. If it’s your business website, the onus is on you to find out whether your themes, plugins and software are GDPR compliant. This is an area which will likely cause significant stress and confusion among the business community, as they may think they have dealt with GDPR effectively in another capacity in the business, only to find out that they inadvertently facilitated a breach of the GDPR laws. Ignorance in this case will not be a valid defence.
The EU is committed to basic data privacy for private citizens, which ideally should have been in place beforehand, but it is a worthwhile act as it will herald a new dawn of permission based marketing, a term first coined by Seth Godin, who has advocated the benefits of this strategic approach so that businesses can focus their resources on those interested in their products and ready and willing to buy, now and in the future.
All the best themes and plug-ins, like Jetpack and Avada, had already started working on getting into compliance with the GDPR in anticipation of the 25 May 2018 deadline.
SME Marketing Labs recommends you audit all themes and plug-ins you’re using in your own business websites ASAP if you haven’t already done so.
Check out the useful WP GDPR Compliance plug-in, which helps you identify and resolve key GDPR related issues.
If you use opt-out options or pre-checked consent boxes on your WordPress site to collect any kind of personal data, this is now considered a breach under GDPR.
As previously mentioned, to meet the new GDPR standard, users must be actively involved in providing consent for the collection of personal data through your WordPress site.
Some approved examples of legal consent requests are:
- Clicking an opt in button or link
- Selecting from yes or no options
- Responding manually to a consent email
So now that you understand how GDPR can affect a WordPress site and have a rough idea of how to deal with GDPR law, here are some practical steps.
Practical Ways You Can Get Your WordPress Website GDPR Compliant
Audit the personal data information you collect
Complete a full audit of the users’ personal data collected through your WordPress sites. This tells you which data is actually required to run the website, and also helps you purge any unwanted data that has little or no value. Delete any personal data sets that you no longer use and you’ll have taken the first step toward making your WordPress site GDPR compliant under the law.
Document your new policies and procedures according to the new GDPR legislation. This gives you a clear idea of what you’ll do in case a personal data breach occurs or a user requests to access their personal data. In your new business policies, describe clearly what personal data your business collects, why you collect it and what you do to keep it safe and secure.
Request explicit consent
Explicit consent from the user is required to collect personal data. This means any consent checkbox on your WordPress site must be empty (unchecked) by default, so that website users can voluntarily tick it to allow the website owner to collect their personal data. Basically, you must remove all automatic opt-in style boxes from your WordPress site.
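The pre-ticked pattern beside a corrected one, as an added example that is not from the article or from any plugin it mentions. It is a minimal WordPress-style form handler; the `smeml_` function names, the `gdpr_consent` field name and the `newsletter-v1` consent-text label are assumptions, and the consent record is kept in the options table only to keep the example short.

```php
<?php
// Added example (not the article's code): consent checkbox for a WordPress form.

// WEAK: the box is pre-ticked, so a user who says nothing is treated as agreeing.
// The article states this pattern is now a breach under GDPR.
$weak_markup = '<input type="checkbox" name="gdpr_consent" value="1" checked> I agree';

// CORRECTED: the box starts empty; the user must actively tick it.
function smeml_consent_field() {
    wp_nonce_field( 'smeml_consent', 'smeml_consent_nonce' );
    echo '<label><input type="checkbox" name="gdpr_consent" value="1"> ';
    echo esc_html__( 'I agree to my email being stored for the newsletter.', 'smeml' );
    echo '</label>';
}

// Server side: never trust the markup alone. Reject the submission unless the
// consent value was actually sent, and record when (and to which wording) the
// user agreed, so a Right to Access request can be answered later.
function smeml_handle_submission( array $post ) {
    if ( empty( $post['smeml_consent_nonce'] )
        || ! wp_verify_nonce( $post['smeml_consent_nonce'], 'smeml_consent' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $email = isset( $post['email'] ) ? sanitize_email( $post['email'] ) : '';
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'A valid email address is required.' );
    }
    // An unticked checkbox is simply absent from the request, so an empty
    // value means no consent was given: store nothing at all.
    if ( empty( $post['gdpr_consent'] ) || '1' !== $post['gdpr_consent'] ) {
        return new WP_Error( 'no_consent', 'Consent was not given; nothing stored.' );
    }
    // Data minimisation: keep only the email plus the consent evidence.
    $record = array(
        'email'            => $email,
        'consent_given_at' => current_time( 'mysql', true ), // UTC timestamp
        'consent_text_ver' => 'newsletter-v1',              // assumed wording label
    );
    // Stored via the options table for brevity (assumption); autoload disabled.
    update_option( 'smeml_consent_' . md5( strtolower( $email ) ), $record, 'no' );
    return true;
}
```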
Maintain privacy by design
The privacy by design principle encourages you to ask users only for the personal data that is absolutely necessary to run your WordPress website. For example, if you’re adding a new contact form to your WordPress site to collect users’ personal data, don’t treat privacy and data protection as an afterthought: build them into the design of the form from the very beginning. This gives a superior user experience (UX) along with an improved user interface (UI).
Consider A DPO
Lastly, if your website monitors or processes personal data on a large scale, you need to consider hiring a Data Protection Officer (DPO). A DPO is an individual who monitors all privacy and data protection related activities of your WordPress site and ensures it’s compliant with the GDPR regulation. Depending on your requirements, you may appoint a DPO from within your organization or hire one externally. Get in touch with SME Marketing Labs for more on this or any website, digital marketing or SEO related issues. We love solving real world business problems with our digital skills!
Hopefully this article prompts you to take action and get one step closer to better results online. If you are reading this article you are probably thinking about how you can create or improve the strategic planning and digital marketing of your small or medium sized business. Get in touch!
SEO and search engine marketing keep promoting your business and website online while you get on with managing your business and focusing on keeping your customers happy.
Investing in your small or medium sized business with an SME Marketing Labs SEO Package has significant benefits for your business and for your own clients’ customer experience. Get in touch today and we’ll take care of the rest! See our contacts area or simply click the contact button to pick a time to chat.