It is legislation, developed by EU, to strengthen the rights of individuals as regards to the collection, use, and storage of the personal data. It is known as the General Data Protection Regulation (GDPR) – the biggest change in the data privacy regulation law.
So far, the General Data Protection Regulation – GDPR is the biggest change in the field of consumer data privacy regulation law. It has already come into effect on May 25, 2018. Combining the existing European data privacy laws into this one regulation, the newly developed law offers European Union citizens a relatively stronger and lot better control in terms of the way their personal data is tracked.
If you are into tech websites or like reading the technical news, you must know that GDPR is all the rage. But if you have no idea about GDPR and how it is related to WooCommerce stores or WordPress websites then read on!
In this post, we will not only understand the GDPR in detail but we will also discuss the best practices and considerations that you must take into account, before making your WordPress site GDPR compliant.
So let’s drill down into the important details of this EU’s new regulation and most importantly how you can make your WordPress website GDPR compliant by following best practices.
Table of Contents
Understanding GDPR and its Purpose
Consumer data privacy is one of the biggest concerns of today’s modern world of internet. There is always a need to increase the data security and incorporate more controls to keep proper track of the consumer data. This is exactly why GDPR is the regulation that must be followed by the WordPress site owners.
It is the new law which has already been implemented for quite some time now. It was first passed in the year 2016 and after completing the two years’ transition, it came into force in this year.
The regulation has replaced the predecessor from 1995 and outlines more updated guidelines. It protects and governs the privacy of all the individuals belonging to the European Union.
As per Codeable expert and WordPress developer – Robin Scott;
GDPR is the new regulation and not the directive. Without getting into details; it is not an advice but in fact a law. It is something highly imperative to the Union and you must pay attention to it.
This new set of regulations is designed with an elaborative purpose. But majorly it focuses on providing EU citizens much more control over the personal data that they share with sites.
Of course, this will resolve into a quite distinctive approach from organizations and companies worldwide, with regards to data management, privacy, security, data collection, profiling and security of the users.
As per the idea set down by the GDPR, every person, as opposed to organizations or companies, should have the absolute right to have their private data protected. When we say that it’s a ‘right’ it must be clear how strongly EU businesses need to actually interpret this regulation.
The Right of Individuals under GDPR
There are several laws or regulations that belong to the new GDPR. The new regulation outlines 9 major rights for users which allow them to get more control over the usage and collection of their private data. These nine individual rights include;
Right to access: Each user must have the right to download and access their private data, just like any other electronic copy, that must be provided by the site owner, absolutely free of charge.
Right to be informed: Every individual has got the complete right to be fully informed about how their private data is collected and being used.
Right to rectification: As per the new regulation of the GDPR, users have the power to easily rectify any wrong or inaccurate private data or simply complete it if it is incomplete.
Right to restrict processing:As per this right, each user will get the ability to suppress or restrict the processing of their private data at anytime.
Right to erasure:This is also called right to be forgotten. It is the right that enables individuals to leave the website and asked for any of their personal data to be erased at anytime.
Right to object: Each individual can restrict or prohibit utilization of any specific data for the purpose of direct marketing including any other purpose at anytime.
Right to data portability: As per the new regulation of GDPR, it empowers individuals to reuse and download their private data for their own purposes.
Right with regards to Automated Decision Making: The regulations of GDPR prevent individuals from being subject to an already made decision and without being actively involved in it.
Right to remain informed about data breaches: Considering the data breach incidence, the siteowner has to notify the individuals within next 72 hours of knowing about that breach.
All of these are the rights given to the users of websites so that complete and absolute protection can be ensured in terms of private or personal data of users.
And that is why many WordPress site owners are now making their websites GDPR compliant. The new regulation is applicable to any sort of information that may help in recognizing the identity of the user, directly or indirectly.
Information Affected by GDPR New Regulations?
The new GDPR regulation redefines the basic scope of private information to strengthen individuals’ rights with regards to storage, collection, and use of their data online. For the same reason; the regulation now even counts details like IP address as the personal data.
Other details which fall under the category of personal data include;
- Photo
- Name
- Email address
- Mobile Number
- IP address
- Physical address
- Location data
- Online behavior (Cookies)
- Sales, profiling and analytics data
- Social security number
Moreover, the law is also applicable to sensitive personal data. This is the data that demands careful handling and has the potential to link back to the identity of the user. Some of the details of sensitive personal data include:
- Sexual orientation
- Health status
- Religious beliefs
- Political views
- Biometric data
- Financial data
- Behavioral data
- Genetic data
All of this is just part of the details that are outlined in the GDPR new regulations. After all, GDPR is developed with the idea of making organizations responsible for good data governance and to make it their top priority.
So without further ado, let’s dive into the best practices to make your WordPress site fully compliant with the GDPR and to ensure better protection of consumer data while providing users’ with their basic rights.
Best Practices to Make Your WordPress Site GDPR Compliant
Since now you have the basic idea about GDPR and its main objective. It’s time for your site to embrace the spirit of data privacy and protection to maintain the users’ trust. Start with the comprehensive review of the data governance and then follow the best practices to prepare your site for GDPR. These measures will help your site to match the stance of your organization on data privacy by design.
Practice #1 – Identify All the Personal Data Your Site Holds
The foremost step is to;
- Recognize the personal data you hold and know where this data resides
- Ascertain who has the right to access this personal information and if there are any risks to the users’ data.
- Identify the following fundamental key points;
- What sort of data is being processed and in which category doesthis data fall into?
- What is the format of data storage like a digital database, hard copy, etc?
- What ways are used to collect data and how this data is shared both internally and externally?
- What locations are associated with data flow like 3rd parties, cloud etc?
- Who has got the access and who is actually responsible for the data?
Practice #2 – Delete Unnecessary Data
You don’t need to store as much data as possible, anymore, especially after the GDPR regulation. This is also crucial to keep yourself away from being held responsible for any kind of data breach.
So your best bet is to minimize the amount of personal data to the most relevant ones. Also, collect personal information only when you need it and have a clear purpose for doing so.
The best practice to become GDPR compliant is to review the collected personal information and delete or remove excess or unnecessary personal data. Also, make sure that all the data is properly secured and is used for predefined purposes only.
To remove the unnecessary user data you can take the help of various WordPress plugins like Inactive User Deleter or Delete Me.
Practice #3 – Have an SSL Certificate on Your Site
Even though an SSL certificate is rather a small bit of code present on your site’s server but it creates a more encrypted connection between the site and its users’ web browser. When you have SSL on your site, you seal the message in an envelope so that the recipient can open and read it anytime.
The best part about having an SSL certificate is that it signals to the users that the organization equally values the personal information security as they share with you. Some other benefits of having this security certificate, installed on the site, help in carrying out different activities such as collecting payment information by complying with the safety standards established by PCI – Payment Card Industry. Not to mention, Firefox and Chrome are the two most popular browsers that now clearly warn about the insecure site access.
Practice #4 – Keep Data Accessible and Organized
With the new GDPR, you must remain ready to answer users’ requests in terms of deleting or accessing their personal data. For this, establish a process to comfortably and instantly locate or even delete the personal data and provide users, a copy of their personal data, in just 30 days from accepting the request. If you wish to provide it free or charge a small fee, that’s totally your call.
For this, the plugin WP GPDR can be used as it helps users to request access to the personal data. It is a free plugin that also gives owner an overview of the requests.
Practice #5- Update the Site’s Privacy Policy Statement and Inform Users
The GDPR also requires the organizations processing personal data to provide accessible and clear information about how the personal data of users is being utilized. This can be done by updating or providing a Privacy Policy Statement on the website.
Once you have reviewed the held data and removed the unnecessary one, you must start developing or updating your Privacy Policy statement.
The ICO (UK’s Information Commissioner’s Officer) comprehensive guide about GDPR offers a privacy notice checklist and what must be included in the checklist that you can use to update your statement and terms of use. At a minimum, the Privacy Policy of your site must include the followings;
- Why and how your site collects and processes private data?
- How you gain and record individuals’ consent?
- What sort of personal data is shared with other 3rd parties?
As the best practice, you should also incorporate the following points in your Privacy Policy statement;
- Consequences in case personal information are not provided by the user
- The steps were taken by your organization to ensure personal information security
- Ways users can manage as well as update the private information
- Information, with regards to data subject rights and what you cannot do with their personal data.
These terms of use or Privacy Policy statement are separate from the consent of users. After updating the policy you should notify users via notices. Always makes sure that your users actively confirm the acceptance of the updated policy. You cannot just assume their consent in terms of any of the above-listed and other included matters.
Practice #6 – Build a Consent Form
Once your site Privacy Policy is updated, you should build a consent form. The terms of use are to inform users about the use of personal information whereas a consent form is to obtain agreement on processing and collecting their information. A GDPR compliant consent form includes the followings recommendations of the ICO guideline;
- It must be separate from other terms and conditions or unbundled.
- There must not be any imbalance in the controller and individual relationship
- The user must know that they may withdraw their consent and it should be easy to perform
- All the information of the consent must be properly documented
- The consent form must mention the name of your organization and every other 3rd party that may rely on that data
- Pre-ticked opt-in boxes must be invalid
- It must offer different consent options with regards to different types of data processing.
To help yourself with consent forms you can use the plugins like GDPR Consent. This plugin makes sure to obtain users’ permission before collecting their personal data.
Practice #7 – Make a Plan for Data Breach and Establish a Data Privacy Culture
You must have a plan to deal with an uncertain data breach. The plan must elaborate the processes you will keep in place to successfully detect the breach, stop it, and prevent other breaches. Also, the plan must outline the measures that will be taken to inform the affected users’ within 72 hours of knowledge of a breach. For this, you can use the Wordfence plugin.
Since GDPR is not at all a single person game, you need to establish a complete data privacy culture. Everyone associated with your site and organization must be aware and hold a good understanding of these requirements. So encourage your entire team to take personal data just like a valuable asset and integrate transparency of data into their BAUs.
Conclusively, we hope the article and the discussed practices will help you easily transit your WordPress site into a GDPR compliant platform. By following these practices you can effortlessly make your WordPress site GDPR ready. But make sure to go through the regulations in detail so that you don’t miss out any basic requirement that might get you in some legal trouble.
If your site is GDPR compliant or if you have any important information about GDPR regulation; feel free to share with us in the comment section below.
Alex is fascinated with “understanding” people. It’s actually what drives everything he does. He believes in a thoughtful exploration of how you shape your thoughts, experience of the world.