You might have heard of the term “GDPR” being discussed around the web. It’s a pretty hot topic right now, especially with all that is going on with data breaches and security in the news. To put it simply, GDPR is a privacy law designed to give citizens back control of their personal data. Hands down, GDPR is impacting how the entire internet deals with data. The scary part is that the deadline was May 25th, 2018 and many questions regarding GDPR are still plaguing people.
Many have a tendency to put off what they don’t understand. Taxes are a good example. For a lot of us, GDPR has simply been lower priority on our checklists. But GDPR is here and you really should take a few moments and determine whether or not you need to make changes to the way your business and or website operates. If you don’t there could be hefty fines involved.
Don’t worry, we’ll try and explain everything you need to know about GDPR below, as well what you can do to prepare. But we aren’t lawyers, so we’ll try not to bore you with all the legal details.
Please note that this post is for informational purposes only, and should not be considered legal advice.
GDPR stands for the General Data Protection Regulation. It’s a privacy law that was approved on April 14, 2016, by the European Commission to protect the rights of all EU citizens (28 member states) and their personal data. It replaces the 95/46/EC Directive on Data Protection of 24 October 1995 and is much more extensive than the Cookie Law of 2011 (soon to be replaced by the new EU ePrivacy regulation, which goes hand in hand with GDPR). The rollout plan for the regulation was set for two years, with a deadline of May 25th, 2018.
“The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years…” (Source: EU GDPR)
If you want to read the extensive official PDFs of the regulation (11 chapters, 99 articles) we recommend checking out gdpr-info.eu, as they have everything in a neatly arranged website.
There are a few key terms to get a handle on:
If personal data is accessed, stored or used in any way, that is considered processing. The GDPR’s full definition lists all of the following operations on personal data as processing: collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transmission, disclosure, dissemination, combination, alignment, restriction, erasure, or destruction.
There are seven basic principles that apply to the controller under GDPR:
Individuals with protection under GDPR (EU citizens) have seven rights under GDPR that the processor must be prepared to uphold:
Unfortunately, not everything is always black or white when it comes to things like this, so here are a few additional things to keep in mind:
Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, social security number, location data, an online identifier (IP address or email address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The regulation also controls what can be done with that personal information (Art. 4).
While the new GDPR regulations were designed to protect the rights of EU citizens, it essentially impacts everyone on the web. That’s right, everyone! This is regardless of where a business is established or where its online activities take place. If your website is processing or collecting data from EU citizens, then you must abide by the GDPR regulations.
Here are just a couple examples of websites located outside of the EU that would still be impacted:
You can probably see where we are going with this. Unless you’re explicitly blocking all EU traffic, which most of you probably aren’t, then your site will fall under GDPR regulations.
If your business doesn’t comply with GDPR you can be sanctioned up to 4% of your annual worldwide turnover or fined up to €20 million (whichever is higher), per infringement. There is also a tiered approach to fines. For example, a company can be fined 2% for not having its records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. (Art. 83)
If you’re a small ecommerce shop or WordPress developer these fines could be devastating!
Now for the reason you’re probably all reading this blog post, and that is how to make your WordPress site GDPR compliant. Unfortunately, unlike our normal tutorials, we can’t give you a simple step by step tutorial as becoming compliant will vary per site. But here are suggestions to get on the right track, as well as additional things to be aware of.
If you have any concerns about GDPR compliance (which most of you probably will) we always recommend hiring a lawyer, even if it’s just temporarily. This is one of those areas we strongly urge you to not try and tackle on your own. A lawyer can provide you with legal advice specifically tailored to your situation. If you get this wrong, it could result in hefty fines.
We recommend going through your entire WordPress site and determining where data collection and processing occurs, as well as where that information is stored, and for how long. This includes things such as:
After you pinpoint all of these you need to confirm that you’re asking for the visitor’s permission, as well as disclosing how the data collected is used.
Dejlig Lama & Peter Suhm originally started working on a project called GDPR for WordPress. This was going to provide plugin developers with a simple solution to GDPR validate their plugin and offer website administrators the overview and tools to handle the administrative tasks involved with being GDPR compliant. However, the great news is that this is now becoming part of WordPress core.
You can now follow the GDPR Trac tickets as well as the roadmap for GDPR compliance. They are hoping to have everything finished by the May 25th, 2018 deadline. This is just as important for WordPress users as it is for developers, as GDPR compliance is going to be a two-way street. WordPress users will need new features built into plugins they are already using such as checkboxes, prompts, etc. to make sure they are compliant when collecting data.
With Gutenberg and now these GDPR changes, there is a lot coming down the pipeline for WordPress 5.0.
With GDPR it’s now time to update your terms and conditions pages, privacy pages, affiliate terms, as well as any other legal documents or agreements you might have. You can no longer have forms without checkboxes, unless they fall under lawfulness of processing. In other words, there must be a way for the user to specifically consent. Gone are the days of just throwing terms in a link at the bottom and assuming the user will read them.
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. (Source: EU GDPR)
Again, this is an area we recommend roping in a lawyer. If you’re just running a simple blog, at least use a tool like iubenda or something similar to generate stronger privacy policies.
A new privacy page feature was added in WordPress 4.9.6. You can now designate a privacy page on your site and it will show on your login and registration pages. We also recommend putting it in your footer.
According to Art. 20, any business that collects data must also offer the ability for the user to download it and take/transfer the data elsewhere.
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Make sure you have a system in place to provide a user with a downloadable file of their data if requested (.csv, .xml, etc). If you can’t currently offer this, you might want to hire a WordPress developer.
New features regarding data handling were added in WordPress 4.9.6. Site owners can now export a ZIP file containing a user’s personal data as well as erase a user’s personal data. There is also a new email-based method that they can use to confirm personal data requests.
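The 4.9.6 export and erase tools only cover data that WordPress core knows about. A plugin that keeps personal data in its own table has to register an exporter and an eraser with core so that the same request handles its records too. The following is an added example (not Kinsta’s code and not WordPress core code) for a hypothetical newsletter plugin; the table name `newsletter_signups`, its columns and the `example_` function names are assumptions for the illustration.

```php
<?php
/**
 * Added example (not from the post, not WordPress core code): hook a plugin's
 * own records into the Tools > Export / Erase Personal Data screens that
 * WordPress 4.9.6 introduced.
 *
 * Assumed (not from the post): a table {$wpdb->prefix}newsletter_signups with
 * the columns id, email, ip_address, signed_up_at, consent_text.
 */

// Expose the plugin's records to the core exporter (data portability, Art. 20).
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_exporter' );
function example_register_exporter( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => __( 'Example Newsletter Signups', 'example' ),
        'callback'               => 'example_export_signups',
    );
    return $exporters;
}

/**
 * Core calls this once per page until 'done' is true; every returned item
 * becomes a labelled group in the ZIP that the site owner sends to the user.
 */
function example_export_signups( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'newsletter_signups';

    // The e-mail comes from an admin form, so always use a prepared statement.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, ip_address, signed_up_at, consent_text
               FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address, $per_page, $offset
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => __( 'Newsletter Signups', 'example' ),
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email', 'example' ),        'value' => $row->email ),
                array( 'name' => __( 'IP address', 'example' ),   'value' => $row->ip_address ),
                array( 'name' => __( 'Signed up at', 'example' ), 'value' => $row->signed_up_at ),
                array( 'name' => __( 'Consent text', 'example' ), 'value' => $row->consent_text ),
            ),
        );
    }

    // 'done' tells core whether it should ask for another page.
    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page,
    );
}

// Let the core eraser remove the same records when a user asks for erasure.
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_eraser' );
function example_register_eraser( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => __( 'Example Newsletter Signups', 'example' ),
        'callback'             => 'example_erase_signups',
    );
    return $erasers;
}

function example_erase_signups( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'newsletter_signups';
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,   // set true if some data must legally be kept
        'messages'       => array(), // tell the admin why anything was retained
        'done'           => true,
    );
}
```

Drop this into the plugin’s main file and the site owner will see “Example Newsletter Signups” listed when running an export or erasure for a confirmed e-mail address. Keeping the consent wording in the table, and exporting it, lets you show later exactly what the subscriber agreed to.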
Because many websites collect data from all over the globe and restrictions on personal data are now tighter, many companies are certifying under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. These were designed by the U.S. Department of Commerce together with the European Commission and the Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
Read more about the benefits of self-certifying under the Privacy Shield.
In terms of encryption, there are different parts to this: encryption of your web traffic (HTTPS) and encryption where your data is stored. We always recommend you encrypt your web traffic, regardless of GDPR. The benefits of moving to HTTPS far outweigh the cons and that is where the web is headed.
The term encryption itself is actually only mentioned a few times in the GDPR and is not necessarily mandatory.
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption (Recital 83).
So while it appears encryption is not legally required to comply with GDPR, it’s highly recommended, as you are responsible for the data. If you’re using a WordPress host like Kinsta, we are powered by Google Cloud Platform which means all data is encrypted at rest. Read more about GDPR encryption.
Any WordPress plugins or theme-specific features you have installed that collect or store personal data must be updated for your site to be fully GDPR compliant. If you’re a WordPress developer, you should hopefully already have a plan in place for implementing GDPR changes for users. We’ll include some popular plugins and configurations below, along with direct links to how they’re handling GDPR.
One of the easiest ways to comply with GDPR is to simply add a required checkbox to your contact form that allows the user to consent that their submitted data is being collected and stored. However, the important part here is “easiest.” Not all contact forms necessarily need consent. This can fall under what is called lawfulness of processing.
Check out additional WordPress contact form plugins.
Even comment plugins are collecting personal information. So just like with contact forms, one of the easiest ways to make sure you are compliant is to add a consent checkbox. But again, this can fall under what is called lawfulness of processing.
A consent checkbox was recently added to native comments in the latest WordPress 4.9.6 Privacy and Maintenance Release (as seen below).
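A checkbox on its own is only half of it: the submission has to be rejected on the server when the box is unticked (the browser’s “required” attribute is trivially bypassed), and you want a record of when consent was given and what wording the visitor saw. The snippet below is an added example (not from the post and not WordPress core’s cookie-consent checkbox) that does this for the native comment form; the field name, meta key and consent text are assumptions for the illustration, and the same pattern applies to a contact form.

```php
<?php
/**
 * Added example (not from the post, not WordPress core code): a required
 * processing-consent checkbox on the native comment form, enforced server-side
 * and recorded against the comment so consent can be demonstrated later.
 * Field name, meta key and wording are assumptions for this illustration.
 */

const EXAMPLE_CONSENT_FIELD   = 'example_gdpr_consent';
const EXAMPLE_CONSENT_VERSION = 'comment-consent-v1'; // bump whenever the wording changes

// Print the checkbox for both logged-out and logged-in commenters.
function example_consent_checkbox() {
    // get_privacy_policy_url() exists since WordPress 4.9.6.
    $privacy_url = function_exists( 'get_privacy_policy_url' ) ? get_privacy_policy_url() : '';
    ?>
    <p class="comment-form-consent">
        <input id="<?php echo esc_attr( EXAMPLE_CONSENT_FIELD ); ?>"
               name="<?php echo esc_attr( EXAMPLE_CONSENT_FIELD ); ?>"
               type="checkbox" value="yes" required />
        <label for="<?php echo esc_attr( EXAMPLE_CONSENT_FIELD ); ?>">
            <?php esc_html_e( 'I agree that my name, email and comment are stored and processed to publish this comment.', 'example' ); ?>
            <?php if ( $privacy_url ) : ?>
                <a href="<?php echo esc_url( $privacy_url ); ?>"><?php esc_html_e( 'Privacy policy', 'example' ); ?></a>
            <?php endif; ?>
        </label>
    </p>
    <?php
}
add_action( 'comment_form_after_fields', 'example_consent_checkbox' );
add_action( 'comment_form_logged_in_after', 'example_consent_checkbox' );

// The HTML "required" attribute is not enforcement: reject submissions without consent.
function example_require_consent( $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    // Pingbacks and trackbacks never see the form, so only regular comments are checked.
    if ( '' !== $type && 'comment' !== $type ) {
        return $commentdata;
    }
    if ( empty( $_POST[ EXAMPLE_CONSENT_FIELD ] ) || 'yes' !== $_POST[ EXAMPLE_CONSENT_FIELD ] ) {
        wp_die(
            esc_html__( 'Please consent to the processing of your data before commenting.', 'example' ),
            esc_html__( 'Consent required', 'example' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'example_require_consent' );

// Record when consent was given and which version of the wording was shown.
function example_record_consent( $comment_id ) {
    if ( empty( $_POST[ EXAMPLE_CONSENT_FIELD ] ) ) {
        return;
    }
    add_comment_meta( $comment_id, EXAMPLE_CONSENT_FIELD, array(
        'version'  => EXAMPLE_CONSENT_VERSION,
        'given_at' => current_time( 'mysql', true ), // UTC timestamp
    ), true );
}
add_action( 'comment_post', 'example_record_consent' );
```

Because the record lives in comment meta, it is deleted together with the comment when the user exercises their right to erasure, and it can be included in a personal data export the same way as any other comment data.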
Everything from newsletters plugins, survey plugins, quiz plugins, push notification plugins, and your email marketing software will be impacted by GDPR.
The same applies to any third-party service or plugin that collects data. This includes things such as Google Analytics, A/B testing plugins, heat map services, remarketing platforms, etc. For Google Analytics itself, you may want to anonymize the visitor’s IP address.
As of April, Google launched new data retention settings for Google Analytics. These controls give you the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from Analytics’ servers. You can access these settings under Admin → Property → Tracking Info → Data Retention.
Do you need a cookie prompt if you’re only using Google Analytics reporting and not display advertising? It depends. Check out this great post from Jeff on GDPR Compliance with Google Analytics – Do You Need Cookie Consent?
Any type of WordPress eCommerce solution is of course heavily impacted by GDPR as these collect sales data, personal information, user account data, and have integrations with third-party payment processors.
Beyond the documentation above, we also highly recommend checking out this great blog post on 12 ways to make your WooCommerce website GDPR compliant.
Community plugins, forum plugins, and membership plugins a lot of times store additional personal information aside from the integrated WordPress signup process.
Even third-party APIs collect data. A good example of this is Google Fonts. Most of you are probably using Google Fonts, whether it’s baked into your WordPress theme or you manually added it. You really have to look into each API and find out what data the provider is collecting. In some cases, data collection is allowed on a lawful basis without consent (Recital 49).
This can be a lot of work and downright confusing, as some companies, even Google, might not provide simple yes or no answers. Check out this conversation between developers on whether or not Google Fonts are GDPR compliant. You could always host the fonts yourself on your own server or CDN, which resolves the issue because visitors’ browsers no longer make requests to Google.
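Both of the points above (anonymizing the IP address sent to Google Analytics, and serving fonts from your own server instead of Google’s) can be handled from a small theme or plugin snippet. The following is an added example, not Kinsta’s code and not part of WordPress or any plugin named in this post: it dequeues any stylesheet the theme loads from fonts.googleapis.com, enqueues a locally hosted replacement, and loads analytics.js with `anonymizeIp` switched on. The local font path, the `example-` handle names and the `UA-XXXXXXXX-X` property ID are placeholders you would substitute.

```php
<?php
/**
 * Added example (not from the post, not Kinsta's or WordPress core's code):
 * reduce what third-party services receive from your visitors.
 * Assumed: the theme ships its font files and an @font-face stylesheet at
 * /fonts/fonts.css; UA-XXXXXXXX-X is a placeholder property ID.
 */

// Priority 20 runs after the theme's own enqueues at the default priority 10.
add_action( 'wp_enqueue_scripts', 'example_reduce_third_party_data', 20 );
function example_reduce_third_party_data() {
    // 1. Google Fonts: a fonts.googleapis.com stylesheet sends every visitor's
    //    IP address to Google. Find such handles and swap in a local copy.
    global $wp_styles;
    foreach ( (array) $wp_styles->queue as $handle ) {
        $src = isset( $wp_styles->registered[ $handle ] ) ? $wp_styles->registered[ $handle ]->src : '';
        if ( false !== strpos( (string) $src, 'fonts.googleapis.com' ) ) {
            wp_dequeue_style( $handle );
            wp_deregister_style( $handle );
        }
    }
    wp_enqueue_style(
        'example-local-fonts',
        get_stylesheet_directory_uri() . '/fonts/fonts.css', // assumed location
        array(),
        '1.0'
    );

    // 2. Google Analytics: load analytics.js in the footer and ask it to drop
    //    the last octet of the IP before the hit is stored.
    wp_enqueue_script( 'example-ga', 'https://www.google-analytics.com/analytics.js', array(), null, true );
    $snippet = "window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;"
             . "ga('create','UA-XXXXXXXX-X','auto');"
             . "ga('set','anonymizeIp',true);" // without this line the full IP is sent
             . "ga('send','pageview');";
    wp_add_inline_script( 'example-ga', $snippet, 'before' );
}
```

After activating this, check the page source: there should be no `<link>` to fonts.googleapis.com, and the inline script printed just before analytics.js should contain the `anonymizeIp` call. If the theme loads fonts through `@import` inside its own CSS rather than through `wp_enqueue_style`, the dequeue loop will not catch it and you have to edit that stylesheet directly.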
We’ll keep this post updated as some WordPress plugin developers are currently working on adding GDPR compliance features. Or even more scary, many haven’t even started yet. If you have concerns regarding a plugin you have running, check with the developer directly to see how they plan to handle GDPR.
While simply asking for consent as shown above is the easiest way to comply with GDPR, it’s not the only way. In fact, in some cases, data processing is permitted without consent due to the term known as lawfulness of processing. Here are just a few examples:
Data processing is permitted if it’s necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 (1) b)
Data processing is permitted when it’s necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (Art. 6 (1) f)
Note: This does not apply to processing carried out by public authorities in the performance of their tasks.
For further examples, we recommend checking out the post on Lawful Basis for Processing by White & Case LLP.
Below are a few helpful plugins we also recommend checking out that can help:
Beyond confused? 😦 Don’t worry, GDPR can be a lot to wrap your head around and it’s a massive change in regards to personal data collection. If you’re concerned about your own WordPress site, it might be wise to invest in a GDPR audit by an expert, preferably one that works solely with WordPress. We recommend checking out the GDPR Audit from Angled Crown.
Because Kinsta is based in Europe, we’ve had tighter restrictions on our data from the very beginning. But, as every company should, we have revisited each of our policies with our legal team regarding data processing, collection, and storage, as well as our WordPress site and blog, to ensure we were fully compliant by the deadline. Kinsta utilizes Google Cloud Platform, which is fully committed to GDPR, and we have reviewed all of our third-party vendors and integrations to arrange for similar GDPR-ready data processing agreements.
A few changes we’ve implemented include:
As a Kinsta client, you are referred to as a data controller. This means you are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR.
As you have probably grasped by now, GDPR is a really big deal! It’s impacting almost every WordPress site on the web. The deadline has come and gone, therefore we encourage everyone to take the time, do your research, and ensure your site is fully compliant. If you don’t, you could be looking at some pretty hefty fines!
Got any questions about GDPR and WordPress? Drop them below in the comments. Or if you know of another popular WordPress plugin that is already GDPR compliant let us know and we’ll add it above!