You might have heard about GDPR, unless you are living under a rock with no internet connection. GDPR, or the General Data Protection Regulation, is a European Union (EU) law that went into effect on May 25, 2018. In this article we explain what GDPR is and how to make your WordPress site GDPR compliant.

You can also read the official PDF, which has detailed (11 chapters, 99 articles) information about all the policies, at gdpr-info.eu.

Table of Content

1. What is GDPR?

2. What does GDPR state?

3. Is WordPress GDPR compliant?

4. Areas you need to Address

5. WordPress plugins for GDPR

1. What is GDPR?

GDPR replaces the 1995 Data Protection Directive, which until now provided a minimum standard for the processing of data. The main aim of the law is to give individuals control over their personal data. GDPR applies not only to businesses in the EU but to everyone who collects and processes the data of individuals residing in the EU.

GDPR was passed in 2016, with a compliance deadline of 25 May 2018.

Penalties for Non-Compliance

If a business is not compliant with GDPR, it can face a fine of up to 4% of the company’s global annual revenue or €20 million, whichever is higher. Fines of that size are enough to cause panic and distress among businesses.

GDPR is not the bad guy here, though: the high fines are there to protect consumers from data breaches.

2. What does GDPR state?

We have compiled the most important points you need to know:

2.1 Processing of personal data

Personal data shall be processed only if:

  • The data is collected lawfully, fairly and in a transparent manner
  • It is collected for specified, explicit and legitimate purposes and not further processed for any other purpose (data limitation)
  • The data is adequate, relevant and limited to what is necessary for the purpose it was collected for (data minimization)
  • The data is processed in a manner that ensures its security and so protects the data subject

2.2 Clear and explicit Consent

Here, clear means using simple language so that the user understands what you are asking. For explicit consent, you need a positive opt-in with clear wording, kept separate from other terms and conditions.

2.3 The Rights of Data Subject

According to GDPR, the data subject has the following rights:

a) The right of Access

The data subject has the right to obtain information about:

  • The purpose of the processing
  • To whom the personal data will be disclosed
  • The period for which the personal data will be stored
  • The right to request rectification or erasure of the personal data

b) Right to rectification

The data subject has the right to rectification of inaccurate personal data. The data subject can have incomplete personal data completed, taking into account the purpose of processing.

c) Right to erasure

The data subject has the right to ask for the erasure of personal data on the following grounds:

  • The information is no longer required for the purpose it was collected for
  • The personal data was processed unlawfully
  • The data must be deleted to comply with a legal obligation
  • The data subject withdraws their consent

d) Right to restriction

The data subject has the right to restrict the processing of their personal data. This applies if the accuracy of the personal data is contested, the processing is unlawful, or the data is no longer required for the purpose of the processing.

Once processing is restricted, the data may still be stored, but it may otherwise only be processed with the proper consent of the data subject.

e) Right to data portability

The data subject has the right to receive the personal data concerning them in a structured format, and to transmit that data to another controller without obstacles.

The personal data can also be transmitted directly from one controller to another.

f) Right to object

The data subject has the right to object, at any point, to the processing of their personal data. The controller may then no longer process the personal data unless they can show a compelling reason that overrides the interests and rights of the data subject.

2.4 Data Protection Officer

GDPR also requires you to appoint a data protection officer (DPO), but only if you are a large company that processes a large amount of data. The Data Protection Officer is responsible for the following tasks:

  • Informing and advising the data processor of their obligations under the data protection provisions
  • Assigning responsibilities, raising awareness, and training the staff involved in data processing and audits
  • Cooperating with the supervisory authority

Note: In case you are confused about whether you need to hire a DPO or not, do consult a lawyer.

2.5 Data Breach

In the case of a data breach, the controller must notify the supervisory authority within 72 hours, and if the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects.

Communication of a data breach to the data subject is not required if:

  • The controller has applied appropriate protection measures to the data affected by the breach (for example, encryption that renders the data unintelligible to anyone not authorised to access it)
  • It would involve disproportionate effort
  • The controller has since taken measures that ensure the high risk is no longer likely to materialise

3. Is WordPress GDPR compliant?

No single platform can offer 100% GDPR compliance, but with its recent 4.9.6 update WordPress has done its part by adding several core features that help make a WordPress site GDPR compliant.

3.1 Data Portability

3.2 Comments

3.3 Privacy Policy

3.1 Data Portability

WordPress 4.9.6 adds new features for data handling. Site owners can now easily export a ZIP file containing a user’s personal data: go to Tools > Export Personal Data in the sidebar of your WordPress dashboard. You also get the option to erase personal data without any hassle.

3.2 Comments

WordPress used to store the name and email address of anyone who commented in a cookie in the user’s browser. The latest WordPress version adds a consent checkbox to the comment form that asks users for explicit consent before that cookie is set.

Note: In case your theme is not showing the checkbox, make sure you have updated your WordPress and your theme.

3.3 Privacy Policy

GDPR requires companies to be transparent about how they collect and use personal data, which means an updated privacy policy. Site owners can now design their own privacy policy page and link it from the login and registration pages. If you have a footer menu, include your privacy policy there too.

Make sure your privacy policy is clear and simple to understand, and that it mentions every way in which you collect and store the personal data of data subjects.

4. Areas you need to Address

It doesn’t matter what kind of WordPress site you operate, you need to be compliant with GDPR. Here are some areas you need to work on to make your WordPress site GDPR compliant:

4.1 Analytics

4.2 Contact Forms

4.3 E-commerce

4.1 Analytics

If you use Google Analytics, Google is your data processor. Google Analytics collects and tracks personal data such as IP addresses, user IDs, cookies and other behavioural profiles. According to Google’s privacy policy, Google is working hard to be GDPR compliant.

To be GDPR compliant, you need to give notice and ask for the user’s consent before tracking their data and storing a user ID. This is not possible if you simply copy and paste the Google Analytics code onto your site; it is recommended to manage your tracking with a tag manager.

A tag manager lets you set the User ID only once the user has consented to identification.

The tracking code that was considered standard until now also needs an additional snippet to anonymize IP addresses. If you use the Universal Analytics (analytics.js) code, add the following after ga('create', ...) and before the first ga('send', ...):

ga('set', 'anonymizeIp', true);

If you use the gtag.js code, pass the option in the config call:

gtag('config', '<GA_TRACKING_ID>', { 'anonymize_ip': true });
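The consent-gated setup those two snippets imply, as an added example that is not code from this article or from Google: a small helper that never queues a tracking command without analytics consent, always sets IP anonymization, and attaches a user ID only with separate identification consent. The dataLayer array and gtag function stand in for the real gtag.js queue, and GA_TRACKING_ID is a placeholder.

```javascript
// Added example (not code from the article or from Google): a consent gate
// that never queues a tracking command without analytics consent, always
// anonymizes IPs, and sends a user ID only with separate identification consent.
const GA_TRACKING_ID = 'UA-XXXXXXXX-X'; // placeholder, not a real property id

// Stand-in for the gtag.js command queue (window.dataLayer in a browser),
// so the example runs offline; the real snippet pushes `arguments` here.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Consent record as a cookie banner would store it; both flags default to
// "not given", so an absent or malformed record never enables tracking.
function normalizeConsent(raw) {
  const c = raw && typeof raw === 'object' ? raw : {};
  return { analytics: c.analytics === true, identification: c.identification === true };
}

// Options for gtag('config', ...): anonymize_ip is unconditional, while
// user_id is present only when identification consent was given.
function buildGaConfig(consent, userId) {
  const config = { anonymize_ip: true };
  if (consent.identification && userId) {
    config.user_id = String(userId);
  }
  return config;
}

// Returns true when tracking was configured. Without analytics consent no
// command reaches the queue, so the property is never initialised at all.
function configureAnalytics(rawConsent, userId) {
  const consent = normalizeConsent(rawConsent);
  if (!consent.analytics) return false;
  gtag('js', new Date());
  gtag('config', GA_TRACKING_ID, buildGaConfig(consent, userId));
  return true;
}

// Same policy as a command list for the older analytics.js (ga) snippet:
// 'set anonymizeIp' sits after 'create' and before the first 'send'.
function universalAnalyticsCommands(rawConsent, userId) {
  const consent = normalizeConsent(rawConsent);
  if (!consent.analytics) return [];
  const cmds = [['create', GA_TRACKING_ID, 'auto'], ['set', 'anonymizeIp', true]];
  if (consent.identification && userId) {
    cmds.push(['set', 'userId', String(userId)]);
  }
  cmds.push(['send', 'pageview']);
  return cmds;
}
```

In a real page the consent record would be read from the banner's cookie or local storage, and configureAnalytics would run only after that record shows analytics consent.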

4.2 Contact Forms

If you use a contact form on your website and store the entries, you have to provide an extra level of transparency.

Below is the list of things a contact form needs in order to be GDPR compliant:

  • Get explicit consent to store and process the user’s information
  • If you are going to use the data for marketing purposes, obtain a separate consent
  • Disable cookies and IP tracking
  • Be able to comply with data access and deletion requests on demand

4.3 E-commerce

E-commerce companies are heavily impacted by GDPR, as they collect personal information ranging from physical addresses to credit card details.

If you run an e-commerce store, make sure you take the steps below:

  • If you have a big store, appoint a DPO
  • Update your privacy policy
  • Use secure, encrypted channels
  • Get explicit consent if you use the data for marketing purposes
  • Give users the right to access and delete their personal data

5. WordPress Plugins for GDPR

No plugin can offer 100% GDPR compliance, but many plugins can help you automate some aspects. We have compiled a list of plugins that help you make WordPress GDPR compliant:

5.1 WP GDPR Compliance

5.2 WP GDPR

5.3 WP Security Audit Log

5.4 Complianz GDPR

5.5 Delete Me

5.1 WP GDPR Compliance

The WP GDPR Compliance plugin is designed to work flawlessly with WordPress. It integrates easily with major WordPress add-ons such as Contact Form 7, WooCommerce and WordPress comments.

It also:

  • Allows users to delete their data from the website
  • Provides notification of any possible data breach
  • Allows you to add a "contact the DPO" form
  • Provides a cookie consent popup, newsletter unsubscribe and data archive requests

5.2 WP GDPR

This plugin lets the DPO and data controller fulfil their GDPR obligations easily. It integrates with WooCommerce, MailChimp, Gravity Forms, and Contact Form DB7.

Other features include:

  • Allows users to delete their personal data
  • Consent management
  • Allows you to configure the privacy policy page easily
  • Users can access their data via the admin dashboard
  • Provides data breach notification

5.3 WP Security Audit Log

This plugin records and monitors everything that happens on your WordPress site; it is a comprehensive WordPress activity log solution. WP Security Audit Log keeps a record of:

  • Post and page changes
  • Tag and category changes
  • Widget and menu changes
  • User changes
  • User profile changes
  • Multisite network changes
  • Plugin and theme changes

5.4 Complianz GDPR

This plugin provides a conditional cookie warning and a customized cookie policy. It also blocks all third-party cookies.

Features:

  • Integrates with the WordPress privacy features and Google Analytics
  • Generates a legally validated cookie policy
  • Scans your site for cookies and social media services
  • Blocks third-party cookies
  • Shows YouTube videos without placing cookies

5.5 Delete Me

One of the most important rights offered by GDPR is the "right to be forgotten". This plugin helps you delete users’ personal data on request. You can, of course, do it manually or let users do it themselves.

Features:

  • Enable or disable the delete link on the profile page
  • Delete a user from the entire multisite network or from the current site only
  • Delete the user’s comments
  • Email notification when a user deletes their own account

Conclusion

Recent data breaches at big companies show that we do need strict guidelines. GDPR is the right step towards ensuring transparency in data processing. Follow the steps above to make your WordPress site GDPR compliant.

Do you have any other questions regarding GDPR compliance?

Let us know in the comment section below.

Disclaimer

None of the information in this article should be considered legal advice. If you want complete legal information or advice regarding GDPR, contact a lawyer.