WordPress has developed to become one of the most popular content management system (CMS) online. As of April 2018, according to w3techs.com, WordPress was used by 30.6% of the leading 10 million websites. Citing the need for their citizens need to have control over their personal data as well as change the approach of organizations all over the world on data privacy, The European Union came up with the GDPR.
What is GDPR?
GDPR in full stands for General Data Protection Regulation and is a new data protection regulation in the EU, though it’s going to affect websites all over the world as any business wishing to conduct to business in the EU must be fully compliant. The regulation came into effect on May 25th, 2018 and requires WordPress users to comply or face the consequences. The regulation is stricter and more restrictive when compared to the EU Cookie Law.
Having a look at the publications of the regulation in the EU’s Official Journal could somehow throw you off balance as the terms used can be complicated to understand, especially if you’re not a lawyer. This is why we feel it is crucial for us to break down what is vital for you to know on the understanding that this will not in any manner constitute as legal advice because we are not lawyers.
What You Need to Know in General
So how does this pertain to running a WordPress site?
- Personal data constitutes any information relating to an identified or identifiable natural person. For instance, email, name, address or even IP address. It is safer to think that any piece of data can be considered as personal data.
- Processing of personal data refers to dispensation or any set of operations performed on collecting personal data. For example, the simple act of storing an IP address on your web server logs involves processing a user’s personal data.
Is This Serious?
One of the questions you may be asking yourself is whether you should take the regulation seriously. The answer is YES! Webmasters had until May 2018 to comply or else face a hefty fine. The penalty for non-compliance can be up to € 20 million or in case of an undertaking, 4% of the organization’s total annual worldwide revenue, whichever is higher.
Despite the hefty fine, there are slabs of other penalties depending on the seriousness of the breach. Check out their description in the FAQ section of the GDPR portal.
Supervisory Authorities (SA) are expected to be put up in different countries to help monitor GDPR compliance.
However, don’t be intimidated by the hefty fines. SAs will first notify you with a warning that you’re in breach of a GDPR regulation and give you time to remedy yours in compliance. If not, the next level will be to receive a reprimand that you violate a GDPR regulation and liable to a fine. In case you do nothing, then your data processing will be suspended and a hefty fine subjected upon you.
Requirements of GDPR
As discussed above, the objective of GDPR is to protect user’s personal information and to hold to account businesses collecting and using the user’s personal data.
- Explicit Consent – Using clear wording, separate from other terms and conditions, you must seek explicit consent from a user in the EU to collect their personal data.
- Rights to data – You must inform users where, why and how their personal data is going to be used and stored. They can also have access to download the data and eventually ask for their data to be deleted.
- Breach Notification – If the breach is considered harmless and constitutes a risk to personal data, it should be reported to the relevant authorities within 72 hours of the breach.
- Data Protection Officers – If you process large amounts of personal data, let’s say a public company, then you are required to appoint a data protection officer.
These are simple regulations to abide by but how do you ensure your WordPress site is GDPR compliant?
WordPress GDPR Compliance
The WordPress core (4.9.6) team has added enhancements to ensure that the self-hosted WordPress.org is GDPR compliant. However, you have to understand that due to the dynamic nature of websites, no single plugin, platform or solution can offer total GDPR compliance. The compliance process will vary with the type of website, data you collect and store and how you process the same data.
By default, WordPress 4.9.6 comes with the following GDPR enhancement tools:
Typically, WordPress stores the commenters’ personal data such as email, name, and website as a cookie on the user’s browser. To comply with GDPR, WordPress has added a checkbox to ask for consent to use personal data. If the user does not check the box, then they are required to enter their details manually every time they wish to leave a comment.
If your theme is not showing the comment privacy checkbox be sure to update WordPress to the 4.9.6 version.
Data Export and Erase Feature
Site owners can now honor users’ request for downloading their data and permanently deleting their data in line with GDPR data handling requirements. This feature can is found under the Tools menu inside WordPress admin
Despite the areas discussed there are additional parts on your website that are impacted by GDPR. These include analytics, contact forms, online stores, membership sites and email marketing among others. WordPress has enabled its users to add compliance features such as checkboxes to seek consent from their site users.
Go through your site and add on consent features that will render your site GDPR compliant. Being on the right side of the law is essential.