You might have heard about GDPR unless you are living under a rock with no internet connection.
GDPR, the General Data Protection Regulation, is a European Union (EU) law that went into effect on May 25, 2018.
In this article, we will explain what GDPR is and how to make your WordPress site GDPR compliant.
You can also read the official PDF, which has detailed information (11 chapters, 99 articles) about all the policies, at gdpr-info.eu.
- What is GDPR?
- What does GDPR state?
- Is WordPress GDPR compliant?
- Areas you need to Address
- WordPress plugins for GDPR
#1 What is GDPR?
GDPR is a replacement of the 1995 Data Protection Directive, which until now provided a minimum standard for the processing of data. The main aim of this law is to give individuals control over their personal data.
GDPR applies not only to businesses in the EU but to everyone who collects and processes data of individuals residing in the EU.
GDPR was passed in 2016 with a compliance deadline of 25 May 2018.
Penalties for Non-Compliance
If a business is non-compliant with GDPR, it can face a fine of up to 4% of the company’s global annual revenue or €20 Million, whichever is higher. Such big amounts of the fine are enough to cause panic and distress among businesses.
GDPR is not the bad guy here, though: the high fines exist to make businesses take the protection of consumers' data seriously.
#2 What does GDPR state?
We have compiled the most important points you need to know:
2.1 Processing of personal data
Personal data shall be processed only if:
- The data is collected lawfully, fairly and in a transparent manner
- The data is collected for specified, explicit and legitimate reasons and not further processed for any other reason (data limitation)
- The data is adequate, relevant and limited to what is necessary for the purpose it was collected for (data minimization)
- The data is processed in a manner that provides complete security to the data subject
2.2 Clear and explicit Consent
Here, clear means using simple language so that the user understands what you are asking. For explicit consent, you need a positive opt-in with clear wording, kept separate from other terms and conditions.
2.3 The Rights of Data Subject
According to GDPR, the data subject has the following rights:
a) The right of Access
The data subject has the right to obtain information about:
- The purpose of processing of data
- To whom the personal data will be disclosed
- The period for which personal data will be stored
- The rectification and erasure of personal data
b) Right to rectification
The data subject has the right to rectification of inaccurate personal data.
The data subject can have incomplete personal data completed, taking into account the purpose of processing.
c) Right to erasure
The data subject has the right to ask for the erasure of personal data on the following grounds:
- The information is no longer required for the reason it was collected
- The personal data was processed unlawfully
- Data needs to be deleted due to some legal obligations
- If he/she wants to withdraw the consent
d) Right to restriction
The data subject has the right to the restriction of the processing of personal data.
This can be done if the accuracy of personal data is contested, the processing is unlawful or the data is no longer required for the purpose of processing.
Once processing of the personal data is restricted, the data may only be stored; any further processing requires the proper consent of the data subject.
e) Right to data portability
The data subject has the right to get personal data regarding him or her, in a structured manner. Further, that data can be transmitted to another controller without any obstacles.
Personal data can also be transmitted from one controller to another directly.
f) Right to object
The data subject has the right to object, at any point in the processing of personal data.
The controller can no longer process the personal data unless they provide a compelling reason which overrides the interest and right of the data subject.
2.4 Data Protection Officer
GDPR now requires you to appoint a data protection officer (DPO). This is required only if you are a big company and process a large amount of data. The Data Protection Officer is responsible for the following tasks:
- Informing and advising the data processor of their obligations under the data protection provisions
- Assigning responsibilities, raising awareness, and training the staff involved in data processing and audits
- Cooperating with the supervising authority
Note: In case you are confused about whether you need to hire a DPO or not, do consult a lawyer.
2.5 Data Breach
In case of a data breach, the controller needs to inform the supervising authority within 72 hours. And if the data breach is likely to result in a high risk, the controller needs to communicate this to the data subject.
The communication of data breach to the data subject is not required if:
- The data controller has taken appropriate measures, and those measures were applied to the data affected by the breach
- It would involve disproportionate efforts.
- The controller has taken measures to ensure that there is no longer any high risk associated with the data breach
#3 Is WordPress GDPR compliant?
No single platform can offer 100% GDPR compliance. But with its recent update WordPress 4.9.6, WordPress has tried its best by adding several core features to make WordPress GDPR compliant.
- 3.1 Data Portability
- 3.2 Comments
- 3.3 Privacy Policy
3.1 Data Portability
In WordPress 4.9.6 new features have been added regarding data handling. Site owners now have easy access to export a ZIP file containing the user’s personal data.
Go to Tools > Export Personal Data in the sidebar located on your WordPress dashboard. You will also get the option to erase personal data without any hassle.
3.2 Comments
Earlier WordPress used to store the name and email address of anyone who comments as a cookie on the user’s browser.
Now a consent checkbox has been added, in the latest WordPress version. This checkbox asks users for explicit consent.
Note: In case your theme is not showing the checkbox, make sure you have updated your WordPress and your theme.
3.3 Privacy Policy
GDPR requires companies to be transparent about how they collect and use personal data. It requires an updated privacy policy.
Site owners can now design their own privacy policy page and link it from the login and registration pages.
If you have a footer menu, include your privacy policy there as well.
Make sure your privacy policy is clear and simple to understand, and that it mentions every way in which you collect and store the personal data of data subjects.
#4 Areas you need to Address
It doesn’t matter what kind of WordPress site you operate, you need to be compliant with GDPR. Here are some areas you need to work on to make your WordPress GDPR compliant:
- 4.1 Analytics
- 4.2 Contact Forms
- 4.3 E-commerce
4.1 Analytics
If you are using Google Analytics then Google is your Data Processor.
Google Analytics collects and tracks personal data such as IP addresses, user IDs, cookies, and many other behavioral profiles. According to Google's privacy policy, they are working hard to be GDPR compliant.
To be GDPR compliant, you need to give notice and ask for users' consent before tracking their data and storing user IDs. This is not possible if you simply copy and paste the Google Analytics code manually into your site.
It is recommended to manage your tracking through a tag manager.
A tag manager lets you set the User ID only when the user has given consent to be identified.
Also, the tracking code that was considered standard until now needs one additional line to anonymize IP addresses.
Add `ga('set', 'anonymizeIp', true);` if you are using the Universal Analytics code, or `gtag('config', '<GA_TRACKING_ID>', { 'anonymize_ip': true });` if you are using the gtag.js code.
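The two points above (anonymize the IP on every hit, and set the User ID only after the visitor has opted in) can be enforced in a small bootstrap script instead of relying on a pasted snippet. The following is an added example and not code from the article; it assumes a consent cookie named `analytics_consent` (a name chosen for this example) and uses a placeholder tracking ID. The real gtag.js tag works by pushing argument lists onto `window.dataLayer`, so the example binds `gtag()` to a plain array, which also lets the logic run outside a browser.

```javascript
// Added example (not from the article): consent-gated Google Analytics bootstrap.
// Always sends anonymize_ip: true; sets user_id only when consent is on record.
const GA_TRACKING_ID = 'GA_TRACKING_ID_PLACEHOLDER'; // placeholder, not a real property ID
const CONSENT_COOKIE = 'analytics_consent';          // cookie name assumed for this example

// gtag.js itself just pushes its arguments onto window.dataLayer; binding to an
// explicit array reproduces that contract and keeps the logic testable offline.
function makeGtag(dataLayer) {
  return function gtag() {
    dataLayer.push(Array.from(arguments));
  };
}

// Parse a document.cookie-style string and report whether analytics consent was
// explicitly granted. A missing cookie, "denied", or any other value counts as
// no consent: GDPR consent must be a positive opt-in, so the default is "no".
function readConsent(cookieString) {
  const pairs = (cookieString || '').split(';');
  for (const pair of pairs) {
    const idx = pair.indexOf('=');
    if (idx === -1) continue;
    const name = pair.slice(0, idx).trim();
    const value = decodeURIComponent(pair.slice(idx + 1).trim());
    if (name === CONSENT_COOKIE) return value === 'granted';
  }
  return false;
}

// Configure the tracker. Returns the params passed to gtag('config', ...), or
// null when no consent exists and therefore no tracking call was issued at all.
function bootstrapAnalytics(gtag, cookieString, userId) {
  if (!readConsent(cookieString)) {
    return null; // notice given but no opt-in yet: do not start tracking
  }
  const params = { anonymize_ip: true }; // the article's recommended gtag setting
  if (userId) {
    params.user_id = String(userId);     // identification only after consent
  }
  gtag('config', GA_TRACKING_ID, params);
  return params;
}

// Called from the consent banner's "accept" handler: write the cookie, then
// bootstrap using the freshly written value. cookieJar is an object with a
// `value` property so the same code works with document.cookie or a test stub.
function grantConsentAndStart(gtag, cookieJar, userId) {
  cookieJar.value = CONSENT_COOKIE + '=granted; path=/; SameSite=Lax';
  return bootstrapAnalytics(gtag, cookieJar.value, userId);
}

// Browser entry point: in a page, run against the real dataLayer and cookies.
// Outside a browser (e.g. Node) this guard keeps the module side-effect free.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  bootstrapAnalytics(makeGtag(window.dataLayer), document.cookie, null);
}
```

The important property is that the no-consent path returns before any `config` call is pushed, so nothing is tracked until the visitor opts in; the tag manager approach in the article achieves the same effect with a consent trigger instead of code.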
4.2 Contact Forms
If you are using a contact form on your website and storing the entries, you will have to provide an extra level of transparency.
Below is a list of what a contact form needs in order to be GDPR compliant:
- Get explicit consent to store and process users' information
- If you are going to use the data for marketing purposes, you need a separate consent
- Disable cookies and IP tracking
- Be able to comply with data access and deletion requests on demand
4.3 E-commerce
E-commerce companies are heavily impacted by GDPR as they need to collect personal information ranging from physical address to credit card information.
If you run an eCommerce store, make sure you undertake the steps mentioned below:
- If you have a big store, appoint a DPO
- Update your privacy policy
- Use secure and encrypted channels
- Get explicit consent if you are using data for marketing purposes
- Provide users the right to access and delete their personal data
#5 WordPress Plugins for GDPR
No plugin can offer 100% GDPR compliance, but many plugins can help you automate some aspects.
We have compiled a list of plugins that help you make WordPress GDPR compliant:
5.1 WP GDPR Compliance
WP GDPR Compliance Plugin is designed to work flawlessly with WordPress.
It easily integrates with major WordPress add-ons like Contact Form 7, WooCommerce, and WordPress comments.
It also:
- Allows the users to delete their data from the website
- Provides notification regarding any possible data breach
- Allows you to add a "contact the DPO" form
- Provides a cookie consent popup, newsletter unsubscribe, and data archive requests
5.3 WP Security Audit Log
This plugin records and monitors everything that happens on your WordPress site. It is a comprehensive and complete WordPress activity log solution.
WP Security Audit Log keeps a record of:
- Post and page changes
- Tag and category changes
- Widget and menu changes
- User changes
- User profile changes
- Multisite network changes
- Plugin and theme changes
5.4 Complianz GDPR
This plugin helps you provide conditional cookie warnings and customized cookie policies. It also blocks all third-party cookies.
Features:
- Integrates with the WordPress privacy feature and Google Analytics
- Generates a legally validated cookie policy
- Scans your site for cookies and social media services
- Blocks third-party cookies
- Shows YouTube videos without placing cookies
5.5 Delete Me
One of the biggest rights offered by GDPR is the ‘Right to be forgotten’. This plugin basically helps you delete users’ personal data upon their request.
You can, of course, do it manually or let your user do it themselves.
Features:
- Enable or disable the delete link on the profile page
- Delete the user from the entire multisite network or the current site only
- Delete comments
- Send an email notification when users delete themselves
Conclusion
Given the recent data breaches at big companies, we do need some strict guidelines. GDPR is the right step in ensuring transparency in data processing.
Follow the above-mentioned steps and make your WordPress GDPR compliant.
Do you have any other questions regarding GDPR compliance?
Let us know in the comment section below.
Disclaimer: None of the information in this article should be considered as legal advice. In case you want complete legal information/advice regarding GDPR, contact a lawyer.
1 thought on “WordPress GDPR Compliance: Everything You Need to Know”
Dear Pooja,
This is a wonderful article, thank you!
May I know if I should download all the plug-ins under point 5 so that it is closer to GDPR compliance?
Awaiting your reply