The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It is the biggest change in data privacy and regulation law in years. Any website that serves EU citizens must be GDPR compliant; if it is not, the site is operating against the law and faces a heavy penalty.
Knowing this, you surely don’t want to go up against the law, do you? That’s why making your WordPress site GDPR compliant is necessary. If you don’t know the process, this article covers it for you.
Here, we explain what WordPress GDPR compliance is, what you need to do under GDPR, and how to make your WordPress website GDPR compliant.
Now, let’s get into it!
Table of Contents
- What is GDPR?
- Why is GDPR Necessary?
- What is Under the GDPR Regulation?
- Basic Principles of GDPR
- Users’ Rights Under GDPR
- Fines for Not Complying with the GDPR Law
- Different Ways to Make WordPress Website GDPR Compliant
- Lawfulness of Processing
- Useful GDPR WordPress Plugins
- Other Ways to Make WordPress Website GDPR Compliant
- GDPR Audit
- Frequently Asked Questions (FAQs)
What is GDPR?
The GDPR is a European Union (EU) law that gives EU citizens better and stronger control over how their data is being tracked, collected, stored, and used online. The main goal of GDPR is to change the data privacy approach of organizations (online businesses and website owners/developers) in and outside the EU.
The European Commission approved the GDPR on April 14, 2016, marking an important change in data privacy regulation. The GDPR replaces the Data Protection Directive of October 24, 1995, and is also more extensive than the 2011 Cookie Law. However, organizations were given two years to roll it out, with a deadline of May 25, 2018.
Here are a few key terms to help you get the hang of GDPR:
- Controller: A controller determines the means and purpose of processing personal data.
- Processor: A processor is responsible for all the personal data processing on behalf of the controller.
- Personal Data: Personal Data is any information that leads to identifying an individual, even when indirectly linked with other information.
Why is GDPR Necessary?
The EU is not some evil government trying to enforce something out of nowhere. They have imposed the GDPR rule with the goal of protecting consumers’ data from being illegally recorded, tracked, or used. This protects from reckless data handling and breaches.
The hefty penalty is to get the attention of larger companies such as Google, Amazon, and Facebook who keep personal records of a large number of people. Furthermore, this encourages organizations to give more emphasis on protecting people’s rights.
So, though you may view GDPR as a villain, you will realize that it’s not crazy once you know the spirit of the law.
What is Under the GDPR Regulation?
We have mentioned that GDPR is here to protect users’ personal information and to hold organizations to a certain standard when it comes to collecting, storing, and using that information.
Personal information can include name, IP address, physical address, emails, bank details and transaction codes, health information, income, and more.
GDPR regulation is 200 pages long (11 chapters, 99 articles) and going through each page will take time. So, we will highlight the most important pillars that you must know:
1. Explicit Consent
If your website collects personal data from EU citizens, you must obtain explicit consent from them. You cannot just send unsolicited emails to those who filled in your contact form or gave you their business card. Unless they sign up for your marketing newsletter, the emails you send them count as SPAM.
For a form to count as explicit consent, it must follow these rules:
- It must have a positive opt-in (meaning, no pre-ticked checkboxes)
- It must contain clear wording, i.e., no legalese.
- It must be separate from your other terms and conditions.
2. Rights to Data
You must inform users how, why, and where their data is stored, processed, and used by your website. Users have the right to download their personal data. They also reserve the right to have their data deleted.
Thus, if users unsubscribe or ask your company to delete their profile, you need to do that.
3. Breach Notifications
Organizations and websites must report certain data breaches to the relevant authorities within 72 hours. The company must also notify individuals who are impacted by the breach right away. However, if the breach is harmless and poses no risk to users’ data, reporting is not necessary.
4. Data Protection Officers
If you are a public company or store/process large amounts of personal information, you must appoint a data protection officer. You can consult with an attorney if you are in any doubt.
To sum it all up:
- You can’t go on sending people emails if they didn’t ask for them.
- You can’t sell users’ data without taking their explicit consent.
- You need to delete and unsubscribe them from your email list if they ask for it.
- You need to report the data breaches to the concerned authority.
Basic Principles of GDPR
There are seven basic principles of GDPR that a controller needs to follow:
- Processing the data should be lawful, fair, and transparent.
- Personal data is to be collected for an explicit, legitimate, and specific purpose and should be used only for that purpose.
- Personal data should be limited, relevant, and adequate to only what is necessary.
- Personal data must be accurate and should be kept up to date.
- Personal data should be kept for the shortest period possible in an identifiable form.
- Personal data should be processed by ensuring data security.
- The controller is fully responsible for demonstrating compliance with all these principles.
Users’ Rights Under GDPR
Here are the major user rights under GDPR:
- Right to be informed: Users have the right to know how their personal data is being collected, tracked, and used.
- Right to access: Users have the right to access their personal information and download an electronic copy of it from the website free of cost.
- Right to rectification: Users can have incorrect personal data corrected and incomplete personal data completed.
- Right to erasure: Users have the right to leave a website and have all their information and personal data erased at any time. It is also known as the right to be forgotten.
- Right to restrict processing: Users have the right to restrict the processing of their personal data at any time.
- Right to data portability: Users can download and reuse their personal data for their own purposes.
- Right to object: Users can prohibit the use of their data for marketing or any other purpose at any time.
- Right to be informed about data breaches: Users have the right to be notified by owners within 72 hours of a data breach becoming known.
- Rights related to automated decision making: Users reserve the right to contest any decision made without their active involvement.
Fines for Not Complying with the GDPR Law
The EU has set a penalty margin for those who don’t comply with the GDPR rules. Businesses can face up to 4% of their annual global revenue or €20 million, which is more than $23.5 million.
Different Ways to Make WordPress Website GDPR Compliant
We hope you now know the basics of WordPress GDPR compliance and the consequences of not playing by the rules. That brings us to our main topic – how to make a WordPress website GDPR compliant.
Well, there is no specific way to do that. However, we will explain various options to help you get on track.
1. Hiring a Lawyer
We understand you’ve not broken any law, but hiring a lawyer doesn’t always come only after committing a felony. Sometimes, a lawyer consultation can be helpful before an event. We recommend hiring a lawyer (even if temporarily) who knows about the GDPR rule and can help you get answers to your concerns about GDPR.
Plus, you get legal advice that is specifically tailored to your situation. This way, you can avoid the hefty penalty we talked about above.
2. Reviewing The Flow of Data Collection and Processing
The way your website collects and uses users’ data plays a key role in determining whether it complies with GDPR. According to the new rule, WordPress sites must clearly tell users the following when collecting data from them:
- Who you are
- What kind of personal data you collect
- Why you collect that data
- Where you store that data
- For how long you store that data
- For what purpose(s) you use that data
- What your data security measures are
There must be transparency about the personal data you collect, no matter the medium. Explicit consent is crucial for collecting and monitoring personal data.
We recommend going through your WordPress website and determining where data collection and its processing takes place. You can also figure out where that information is stored. The common things to check are:
- Ecommerce checkout page or the registration page.
- Cookie identifiers, IP addresses, and GPS locations.
- Google Analytics, Hotjar, and other analytical services.
After you’ve pinpointed all the areas of data collection, storage, and usage, make sure that you are asking for users’ permission and also disclosing how you are using that data. Now, you can get rid of any data that you don’t need or that has no value. After auditing the data you collect, you are a step closer to achieving WordPress GDPR compliance.
3. Updating All the Documents
With the GDPR in action, it’s time for you to update your privacy pages, terms and conditions pages, affiliate terms, and other legal agreements or documents pertaining to users. The rule disallows forms without a consent checkbox unless the processing is covered by another lawful basis (see the Lawfulness of Processing section). In simple words, you must offer a way for users to specifically consent.
The GDPR has strengthened the conditions for consent. Companies must now provide an intelligible and readily accessible consent form that also states the purpose of the data processing. Consent must be clear and distinguishable, using clear and plain language. It must also be as easy to withdraw consent as it is to give it.
You can consult with your lawyer. If you run a simple blog, you could use tools such as iubenda or something similar to generate privacy policies that comply with GDPR. Besides, WordPress 4.9.6 and above have a new privacy page feature. This lets you designate a privacy page on your website that shows up on the login and registration pages. You can also put it in your site’s footer.
You can find the option under Settings > Privacy on your WordPress dashboard.
4. Offering Data Portability
Article 20 of the GDPR rule states:
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”
This means businesses that collect data must also offer the ability to the users to download and transfer the data elsewhere.
Make sure that you have the system in place to provide your users with the downloadable file of their data upon their request. If you don’t offer such a service currently, hire a WordPress developer to help you out.
Luckily, WordPress 4.9.6 and above allow you to export a ZIP file that contains the user’s personal data. You can also erase the user data from here.
To do so, go to your WordPress dashboard and open Tools, where you will find the personal data export and erase options.
The requests are confirmed with the user by email before they are carried out.
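The built-in export and erase tools only know about the data WordPress core stores. A plugin that keeps its own personal data must register an exporter and an eraser with core so the same request covers it. The following is an added example, not code from the original article or from any real plugin: a hypothetical newsletter plugin that records consent in user meta. The plugin slug, meta keys and function names are assumptions.

```php
<?php
// Hypothetical plugin that stores newsletter consent in user meta. It registers a
// personal data exporter and eraser so the core Tools > Export Personal Data and
// Tools > Erase Personal Data screens include its data (WordPress 4.9.6+ API).

// Constructed meta keys for this example.
const EX_NL_OPTED_IN  = 'ex_newsletter_opted_in';
const EX_NL_CONSENTED = 'ex_newsletter_consent_timestamp';

// Exporter: core passes the requester's email and a page number (for pagination).
function ex_nl_personal_data_exporter( $email_address, $page = 1 ) {
    $export_items = array();
    $user         = get_user_by( 'email', $email_address );

    if ( $user && '' !== get_user_meta( $user->ID, EX_NL_OPTED_IN, true ) ) {
        $export_items[] = array(
            'group_id'    => 'ex_newsletter',
            'group_label' => 'Newsletter subscription',
            'item_id'     => 'ex_newsletter-' . $user->ID,
            'data'        => array(
                array(
                    'name'  => 'Opted in',
                    'value' => get_user_meta( $user->ID, EX_NL_OPTED_IN, true ) ? 'yes' : 'no',
                ),
                array(
                    'name'  => 'Consent recorded at',
                    'value' => get_user_meta( $user->ID, EX_NL_CONSENTED, true ),
                ),
            ),
        );
    }

    // All data fits in one page, so tell core the export is complete.
    return array( 'data' => $export_items, 'done' => true );
}

function ex_nl_register_exporter( $exporters ) {
    $exporters['ex-newsletter'] = array(
        'exporter_friendly_name' => 'Example Newsletter',
        'callback'               => 'ex_nl_personal_data_exporter',
    );
    return $exporters;
}
add_filter( 'wp_privacy_personal_data_exporters', 'ex_nl_register_exporter' );

// Eraser: deletes the stored consent and reports whether anything was removed.
function ex_nl_personal_data_eraser( $email_address, $page = 1 ) {
    $items_removed = false;
    $user          = get_user_by( 'email', $email_address );

    if ( $user ) {
        // delete_user_meta() returns false when no such meta existed.
        $removed_a     = delete_user_meta( $user->ID, EX_NL_OPTED_IN );
        $removed_b     = delete_user_meta( $user->ID, EX_NL_CONSENTED );
        $items_removed = $removed_a || $removed_b;
    }

    return array(
        'items_removed'  => $items_removed,
        'items_retained' => false,   // nothing kept back for legal reasons
        'messages'       => array(), // explanations shown to the admin, if any
        'done'           => true,
    );
}

function ex_nl_register_eraser( $erasers ) {
    $erasers['ex-newsletter'] = array(
        'eraser_friendly_name' => 'Example Newsletter',
        'callback'             => 'ex_nl_personal_data_eraser',
    );
    return $erasers;
}
add_filter( 'wp_privacy_personal_data_erasers', 'ex_nl_register_eraser' );
```

Once the plugin is active, the newsletter group appears in the exported ZIP and is removed by the erase request, and a plugin that must retain some data for legal reasons would set `items_retained` to true and explain why in `messages`.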
5. Self-Certify Under Privacy Shield Framework
As many websites collect data from all over the world, many companies now certify under the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks. These frameworks were designed by the European Commission, the US Department of Commerce, and the Swiss Administration to offer companies a mechanism for aligning with the data protection requirements.
Learn more about the Privacy Shield program.
6. Encrypting your Data / HTTPS
Recital 83 of the GDPR states:
“In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”
Encryption covers several measures, such as encrypting web traffic (HTTPS) and encrypting the data you store. We recommend encrypting your web traffic regardless of your concerns about WordPress GDPR compliance.
You can check out how to move from HTTP to HTTPS.
The term “encryption” is only mentioned a few times in the GDPR and is not strictly mandatory. However, moving to HTTPS benefits your website in many other ways.
Here are some common sources of cookies:
- Google Analytics and other tracking services
- Cloudflare and CDN services
- Google Adwords, Bing and other ad networks
- Push notifications
- Options or pop-ups
- Video players
- Shopping carts
Here are some popular plugins that handle GDPR very well:
Contact Form Plugins
One of the easiest ways to achieve WordPress GDPR compliance is by adding a checkbox to your contact form to gain users’ consent for data collection and storage. Lucky for you, most of the popular contact form plugins already have this feature to make sure your WordPress is GDPR compliant.
Here are some contact form plugins that are GDPR-ready out of the box:
- Contact Form 7
- WP Forms
- Gravity Forms GDPR
- NinjaForms GDPR
Even the comment plugins that you use on your WordPress site collect personal information. So, you need to make sure you are compliant with the GDPR by adding a consent checkbox before users can submit their comments. However, some scenarios can fall under the lawfulness of processing that we discuss later in this writeup.
Here are some comment plugins that are GDPR-ready out of the box:
WordPress has added consent to the native comments by default. This applies to WordPress 4.9.6 and above versions.
Marketing Services and Plugins
Similar to the contact forms, you also need to take user consent for marketing services and plugins. Everything, including newsletter plugins, quiz plugins, survey plugins, email marketing software and push notification plugins, is impacted by GDPR. Thus, you need user consent.
You can collect consent either with a checkbox that users have to tick before completing their sign-up or by using double opt-in for your mailing list.
Some marketing plugins that comply with GDPR are:
Analytics, Tracking, Remarketing
Any third-party plugin or service that collects data must comply with GDPR. Those services/plugins include Google Analytics, heat map services, A/B testing plugins, remarketing platforms, and others.
eCommerce Solutions and Payment Data
If your website is an online store, you are within the GDPR’s boundary, as you collect personal information, sales data, and user account data and integrate with third-party payment methods. Thus, you need to disclose how you collect, retain, and use the data.
WooCommerce has built-in privacy features. To enable them:
- Go to WooCommerce > Settings > Accounts and Privacy.
Other popular eCommerce solutions that comply with GDPR are:
Community plugins, membership plugins, and forum plugins store a lot of personal information aside from the ones used in the WordPress sign-up. Thus, make sure those plugins are GDPR compliant.
Some GDPR-compliant community plugins are:
Even third-party APIs store data. A good example is Google Fonts. Most of you are probably using Google Fonts to style your website, whether as an in-built theme feature or after manually adding it to your site. Whatever the scenario, look into each API on your site and find out what data the provider is collecting.
Lawfulness of Processing
Asking for users’ consent using the ways shown above is an easy way to assure WordPress GDPR compliance. However, it is not the only way. In fact, there are some cases where the rule permits data processing without needing consent from the users. This is called the “lawfulness of the processing.” Here are a few examples:
The GDPR Article 6 (1) b allows data processing when it is a necessity. It states, “Data processing is permitted if it’s necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.”
The GDPR Article 6 (1) f states, “Data processing is permitted when it’s necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Note: This legitimate-interest basis does not apply to processing carried out by public authorities in the performance of their tasks.
Useful GDPR WordPress Plugins
Here are some of the GDPR WordPress plugins that can be helpful to make your WordPress site GDPR compliant.
The WP Security Audit Log plugin makes it easy to see what’s going on in your WordPress site. We recommend using this plugin for security reasons anyway. It is also an excellent tool for seeing what data your website is collecting, such as user registrations, contact form entries, comments, and more.
WP GDPR Compliance plugin is a popular tool that helps your WordPress website comply with GDPR rules. It assists by providing common tips to comply. Plus, it offers integration with other popular plugins such as Contact Form 7, Gravity Forms, WooCommerce, and WordPress native comments.
GDPR is another effective plugin that assists you in making your WordPress site GDPR compliant. Some of its notable features are:
- Right to deletion of data, with a confirmation email
- Publishing of contact information along with the data processor settings
- Right to access data from the dashboard, with export
- Cookie preference management, and more
GDPR Cookie Compliance plugin allows users to give their consent for specific cookie purposes along with the ability to enable and disable cookie settings at a granular level.
GDPR Cookie Consent plugin allows you to display a cookie consent notification on your site. It only lets the cookies be installed on users’ browsers when they give explicit consent for it. The users can reverse their consent at any time they like. The plugin offers several other customization options to style your consent bar to match your website’s theme.
Other Ways to Make WordPress Website GDPR Compliant
Besides the ones we have mentioned, here are some additional ways to assure WordPress GDPR compliance:
1. Adding a Cookie Notice
Your website might be setting cookies through features such as push notifications, heatmaps, shopping carts, pop-ups, and others. While the point of these cookies is usually to improve the website experience, it is still data being collected. Thus, you need to add a cookie disclosure and acceptance notice on the first page a visitor sees.
There are tons of plugins that will help you with it. Here, we have mentioned the two most popular ones:
You also get the option to add a cookie expiration, define script placement on the header or footer, and add style with different colors, buttons styles, animation, and position.
The plugin is also compatible with multisite and is responsive on all screen sizes.
2. Making it Easy for the Users to Request/Delete Their Information
As mentioned earlier, WordPress 4.9.6 offers built-in options for user data management. So, if a user wants a copy of their information or wants the information they provided you deleted, you can fulfil the request from the dashboard. However, to allow users to make such requests, you need to create a contact form for them to get in touch with you.
Depending on the type of your site, you may need to install a contact form plugin to streamline those contact submissions. This is an efficient option if your site has tons of users, such as a membership website or an online forum.
3. Sending Notifications for any Policy Updates or Data Breach
This is the last part of WordPress GDPR compliance, and it is an important one. Your website is obliged to notify users of any policy updates or data breaches if they were to happen. This applies especially to websites that offer user accounts, collect customer information, or maintain a newsletter.
If you are using an email platform for communication, you can send out a quick privacy update or data breach notice to your users. However, if you are using a GDPR compliance plugin, you already have a built-in notification system to contact your website users.
Some of the GDPR plugins even let you automate the notification regarding the policy update or data breach. This saves you a substantial amount of time.
WordPress GDPR compliance can be a lot to take in and can get confusing. It is a massive requirement regarding personal data collection and protection. If you are not sure about your WordPress website, it would be wise to consult an expert for a GDPR audit, preferably one who works solely with WordPress.
Frequently Asked Questions (FAQs)
Does GDPR apply to my WordPress Website?
Yes, GDPR does apply to your website. In fact, every website and business that serves EU citizens must comply with GDPR. Failing to comply can lead to a penalty of up to 4% of your total annual revenue or $23.5 million+. But don’t worry yet.
While the penalty amount can make anyone sit up, fines don’t escalate to that level quickly. First, you get warnings, followed by a reprimand and suspension of data processing. If you still continue to go against the law, you are in for the penalty mentioned above.
Is WordPress GDPR compliant?
Yes, WordPress is GDPR compliant from version 4.9.6 onwards. The WordPress core team has made several GDPR enhancements to ensure compliance. It’s important to note that we mean the self-hosted WordPress from WordPress.org.
Check out the difference between WordPress.com and WordPress.org.
However, it is crucial to know that no single platform, theme, or plugin can offer 100% GDPR compliance. The requirements vary depending on the type of your site, the data it stores, and how you process that data.
Who does GDPR impact?
GDPR rules were designed to protect the data privacy of EU citizens. However, the rule impacts everyone on the web, regardless of where your business is established or where it conducts its online activities. If your business collects or processes data from EU citizens, GDPR applies to you.
Here are a few examples of websites that are impacted by the GDPR even though they are located outside the EU:
• A WordPress website that collects personal information from users.
• A shop that asks users to sign up for accounts for purchasing themes or plugins.
• A blog that has a newsletter subscription or visitors’ comments.
• An eCommerce website that sells products online.
• A website that uses analytics software.
So, the gist is: if you take data from an EU citizen, you must abide by the GDPR. Blocking EU citizens would be one way out of the GDPR fuss. But you likely can’t afford to do that, nor can you afford to disobey the law.
We recommend making your website GDPR compliant to get a win-win situation for both parties.
What information does GDPR apply to?
The GDPR applies to any information which, alone or combined with other information, can identify a person. In fact, the new law redefines the scope of information when it comes to collecting, storing, and using data online. Thus, GDPR accounts for every little detail, such as:
• Mobile number
• Email address
• Physical address
• Location-related data
• IP address
• Profiling, sales, and analytical data
• Social security number
• Online behavior (Cookies)
Further, the law also applies to other sensitive personal data that require more careful handling. They are:
• Health status
• Genetic data
• Sexual orientation
• Religious beliefs
• Political views
• Behavioral data
• Financial data
• Biometric data
Overall, the GDPR rule applies to both personal and sensitive personal data.
GDPR is a big concern when it comes to running a website. It impacts every WordPress website on the internet. If your website receives visitors from the EU, you are bound to comply with the GDPR.
In this guide, we provided a brief introduction to GDPR and why you should comply with it. Also, we highlighted various ways to make your WordPress website comply with the GDPR rule. We recommend you follow these instructions and do further research to ensure your WordPress is fully GDPR compliant.
Finally, we also highly recommend contacting a GDPR consultant, preferably the one who deals with WordPress GDPR compliance. They can provide you with various tips to assure full GDPR compliance.
Don’t delay making your WordPress site GDPR compliant, or you could face the alarming fines we talked about earlier. For any further concerns and questions, leave a comment below.