GDPR Compliance, WordPress and What it Means for Webmasters

If you are an active website owner, you must have heard about GDRP Compliance. If you haven’t, you should.

GDPR or General Data Protection Regulation is a consumer data privacy regulation created by the EU which comes into effect on the 25th of May 2018. Complying with GDPR is critical, even if you don’t do business directly in the EU.

GDPR is a huge change for businesses worldwide, and its impact will also be huge. But, there are a lot of misconceptions about it. We created this post to answer all the questions about GDPR and make a resource that website owners can use as a reference.

Before proceeding, we must clarify we are neither lawyers nor regulation experts. Please do not treat the information in this post as legal advice. This post is created to increase awareness and explain GDPR compliance in general.

What is GDPR

GDPR stands for General Data Protection Regulation, which is a regulation created by the EU for data protection and privacy for all individuals within the European Union. GDPR will replace an older privacy law known as Directive 95/46/EC (the “Directive”), which was the privacy law since 1995.

GDPR’s primary aim is to give people more control over their personal data. It applies to businesses in the EU, and businesses outside the EU if they collect or process data of individuals residing in the EU.

GDPR was passed in 2016, and the deadline to be compliant is 25th May 2018. There is no grace period, so your business must be compliant before that.

GDPR affects all businesses that collect personal data (details on that later), and the definition of personal data is very wide.

GDPR is also retroactive. That means it applies to all customer data you’re storing or using, even if it was collected before May 25th, 2018.

Why Should You Care About GDPR?

If you operate a website and have any website visitors from EU, then you are affected by the GDPR. It does not matter if you don’t have an email list, don’t sell any products, or even don’t advertise, you still need to be compliant.

This is because GDPR affects any business that collects the personal data of people living in the EU. According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

As a website owner, the last part is important to remember. Even recording an IP address brings you under GDPR. Since most CMSs, including WordPress, collect IP addresses by default, that means website owners have to be compliant with GDPR.

Here are a few more examples of websites that will be affected by GDPR.

• A forum that has a user profile
• An eCommerce store that sells any product (physical or digital) and records user data (purchase or otherwise)
• An affiliate website that uses various tags for retargeting
• Any WordPress blog that allows users to comment
• Any WordPress blog that lets users sign up for email lists
• Any WordPress website that has analytics set up

In the simplest terms, if you operate any website, and are not blocking all EU traffic, then you will be affected by GDPR.

Penalties for Non-Compliance with GDPR

If your business is found non-compliant with GDPR, then you can be penalized for €20 million or 4% of your worldwide annual revenue, whichever is higher. The high costs have been put in place to encourage compliance proactively. Therefore, it is important to be compliant.

GDPR – The Rules in Detail

Under GDPR, your readers/users/customers have 8 rights related to their data. If you receive any request related to those rights, then you have to respond to the request within 30 days.

1. The right to be informed

Users have the right to know what data you collect and how is it used. That means you need to provide clear and concise information about why their personal data is being collected, how it will be saved, how long will it be saved, and who else will get access to it.

2. The right of access

Users have the right to access the data that has been recorded by the data controller upon request. The data controller is the entity that holds their data.

3. The right to rectification

Users have the right to have their inaccurate or incomplete data updated or rectified. If the data controller receives a request for rectification, they need to take the necessary steps to verify the accuracy of the data and update it if required.

4. The right to erasure (or to be forgotten)

Users have the right to have their personal data completely erased, and also prevent further collection of their data. If the data controller receives this request, the user is effectively withdrawing their consent for their data being recorded.

5. The right to restrict

Under certain circumstances, users can request to restrict or suppress the use and processing of their data. In this case, the data of the user may be recorded but not used for any purpose.

6. The right to portability

Users have the right to request their data in machine readable and human readable formats. They may use this data in any way they see fit and even transfer it to another data controller.

7. The right to object

Users have the right to object the use of personal data that includes personal interests. They may also object the use of the data in a specific way, and the data controller has to make sure that users are made aware of how their data will be processed.

8. The right not to be subject to automated decision-making

Users have the right to opt out of automated decision making when it can produce an adverse legal impact or anything similar.

A Webmaster’s Responsibilities Under GDPR

In layman terms, your responsibilities as website owner under GDPR are:

• Inform users about your identity, the data you collect, why you collect it, how long do you store it, and who do you share it with
• Get clear and explicit consent from the user when collecting any data
• Let the users access and download the data you have collected about them
• Allow the users to delete their data if they wish to do so
• Inform the users within **72 hours of any data breach **

Understanding each of these rules is important, so let’s discuss them one by one.

Inform users about your identity, the data you collect, why you collect it, how long do you store it, and who do you share it with

This rule aims to inform users who is storing their data and how is it being used. Under GDPR, you have to be specific about the data you collect and gain explicit consent (discussed in #point 2) whenever you collect data.

To understand this rule, let’s take an example. Suppose that you run an eCommerce store. Here are the basics that you need to cover to comply with this rule.

• Mention your business details and contact information in your privacy policy
• Explain to users what data you are collecting and on what pages
• If you collect email addresses, mention why you collect it and gain consent
• If you email users with abandoned cart emails, mention that, and gain consent
• If you collect their addresses for shipping, mention that and gain consent
• If you allow customers reviews, mention how and where the review can be shared and gain consent
• If users can share their product pictures, mention how they can be used and gain consent
• If you share their personal information with 3rd parties (e.g. a shipping company), mention that and gain consent
• If you store their information for any period (accounting, intelligence, retargeting, etc.), mention that and gain consent

The important thing to remember is that visitors need to be informed about every way that their data can be used. They also need to be informed of every 3rd party that gets access to their data.

Get clear and explicit consent from the user when collecting any data

The ‘clear’ aspect means that you have to use everyday language to make the visitor understand the data being collected. The specifics have to be clear and cannot be buried in legal terminology like the Terms and Conditions.

The ‘explicit consent’ means that every time you collect data, the visitor has to confirm it. Usually, it can be through a checkbox, but it is important that the checkbox is not checked by default.

Let the users access and download the data you have collected about them

On a user request, you have to give them access to all the data that you have collected about them. This should include data collected by plugins and themes. The latest version of WordPress has already presented a solution, and more details are discussed in a section below.

Under this rule, you have to provide your readers with access to the data they created. For example, if they read a few posts on your website, you have to share that data. But if you used some analytics to predict the type of content they would like to read, then you can skip that information.

Allow the users to delete their data if they wish to do so

This rule is similar to the rule above, but instead of just viewing their data, visitors can also request deletion of their data. The latest version of WordPress has this feature built in and we’ve discussed this in detail in a section below.

There are a few exceptions to this rule. If there is a legal reason for you to keep the data (like invoice data), then you can refuse to delete the data.

Inform the users within 72 hours if any data breach

If the data of your visitor is leaked in any way (hacked website, stolen computers, accidental password sharing), then your visitors, readers, or customer have to be informed of the leak within 72 hours. You also have to inform your local GDPR authorities about the leak, but that information is ambiguous.

How Will Your WordPress Website be Affected?

It’s obvious that all WordPress websites will be affected by GDPR. To transition into a fully compliant website, you have to start thinking about your website from a customer data perspective.

Start by making a list of all the places where data is captured and think about the guidelines mentioned above. Think along these lines.

• Am I informing users that data is being collected
• Am I clear in mentioning what the data will be used for?
• Is there a way for my readers to provide explicit consent for this?
• Is there a way for my readers to withdraw consent for this?
• Can I make this data available to them upon request?
• Can I delete this data upon request?
• Can I anonymize this data upon request?
• Does my privacy policy mention all the required details about data use?

You have to ask yourself these questions for all the places that you collect user information from. Apart from this, you also need to know what kind of data your theme and plugins capture. Every theme and plugin you use has to be GDPR compliant as well.

WordPress websites usually collect data through the following methods.

• Registered Users
• Comments
• Contact forms
• Traffic and analytics
• Email subscriptions
• Ad solutions
• Security plugins

You have to comply with GDPR is all these places. We will discuss the steps you need to take in the next section.

Steps You Need to Take to Become Compliant

No matter what kind of website you operate, it is important that you become compliant with GDPR as soon as possible. Here are the steps that you need to take to make your WordPress website compliant.

Based on the basic guidelines highlighted above, you need to make changes in the following areas:

• Your Terms & Conditions page
• Your Privacy Policy
• Your Comments
• Your opt-in forms (newsletter, lead magnets, subscription form, contact forms)
• Your analytics
• Any other page where you collect user information

Step 1: Terms and Conditions

The terms and conditions are the basic rules that bind your visitors to your website, while the privacy policy deals with the data you gather. Include relevant information about GDPR compliance and also the process of how users can place requests regarding their data.

Step 2: Privacy Policy

Since GDPR deals primarily with consumer data, the most important changes that you will need to make will be in your privacy policy.

Specifically, you have to include the following information:

• Who you are – Include your name or organization name, address, contact information, etc
• What data is collected – Mention that you record the IP Address, name, email and other information that you collect. This information will differ from website to website
• Why you collect the data – Mention specifically why you collect the data that you do.
• How long is the data retained – Mention how long will you retain the data
• How is the data shared – Who else do you share the data with? If you send email newsletters, then you share your data with your email service provider. Mention all the services that you share data with.
• How do customers download their data – Describe the process of how customers can access their information. The latest version of WordPress will help you achieve this, and we discuss it in the last section.
• How to delete their data – Describe how customers can delete or ask their data to be deleted. The latest version of WordPress has this feature as well, which we discuss in the last section
• Contact Information of your Data Protection Officer – In most cases, this will be your email address

An important thing to know is that WordPress 4.9.6 (released May 17th) has many features which will let you do many of the tasks discussed above. It also has a privacy policy generator which guides you on what information needs to be included in your privacy policy. We have discussed the details in the last section.

Step 3: Your Comments

Since comments will be stored on your website and qualify as personal data, that means that you have to have the explicit consent of the user before capturing their information. The latest version of WordPress has this feature as well.

Step 4: Contact Forms

Any contact form and other venues from where a user can submit their information have to be made compliant by adding information about what data is being captured and how will it be used. You will also need to add a checkbox for users to provide consent to use this data.

Step 5: Analytics

You need to review all analytic solutions that you use on your website and mention the data being captured in your privacy policy.

Step 6: All pages that capture information

Review all the pages which might capture user information (via content upgrades, etc.) and follow GDPR guidelines on those pages as well.

Step 7: All plugins, themes, and 3rd party services

Review your themes, plugins, and other 3rd party services (email service, etc.) and make sure that all of them are GDPR compliant. Failure of a theme or plugin to be compliant implies that you are also non-compliant with GDPR.

Upcoming WordPress Compliance

Since WordPress is such an important and huge part of the web, the WordPress team has made many changes in the latest version (4.9.6) to comply with GDPR regulation. Let us walk you through the important changes and how you can configure WordPress to be compliant.

When you install or update to the 4.9.6 version, the first thing you will see is a notification about setting up a privacy policy and the addition of new tools to WordPress.

You can navigate to Settings -> Privacy to create a privacy policy.

You will reach the following page. Here you will select an existing page where you want to place your privacy policy. If you don’t have a dedicated one, you can always create one. For this example, we created a new page.

WordPress will create a page and share the basic information that you should have on your privacy policy. Do not publish it outright. The text shared by WordPress is a sample privacy policy. Take the time to review the content in the policy, add or remove data, and only then publish the policy.

Apart from the privacy policy, WordPress has also added tools for users to view their data, and even request deletion of their data. Currently, the process is manual, but we’re sure that more tools will come along later that will help automate the process.

The process works this way.

• A user requests to view or delete their data (via comments, contact form, or other means)
• The site admin goes to the export or erase personal data setting and enters the readers’ email ID, and clicks ‘send request’
• The reader receives an email with a confirmation link to confirm their request
• If the user clicks the link, their request is confirmed, and the site admin can send them an email with their personal data with the click of a button
• The user can download the file and view their personal data. The file is deleted after 72 hours for security purposes
• If the request is for deletion, then the site admin can delete the data after the reader has confirmed their request

WordPress has also made changes to the comment system. Since a website will save the IP Address and the email of the commenter, it is important to take explicit consent from the commenter.

In the new version, when a visitor comments, they will have to check a checkbox for WordPress to save a cookie on their computer.

How Has MyThemeShop Prepared for GDPR?

We are happy to announce that all MyThemeShop products are GDPR compliant. If you use only MyThemeShop products, then your website is already on the path to compliance.

Here are the steps we’ve taken to make MyThemeShop products compliant with GDPR.

• All MyThemeShop products will describe the data they record, and for what purpose. Site admins will have to provide explicit consent about the use of the data. Once they give consent, they can then update their privacy policy describing the use of the data.
• For viewing and removal of data, MyThemeShop uses WordPress core features that we described in the section above. When a user requests their data, all data recorded by MyThemeShop products is also included in the report. If a user requests the removal of their data, all the data recorded by MyThemeShop products will also be deleted.

FAQ’s About GDPR

• Do I need to hire a data protection officer?

Not necessarily. Hiring a Data Protection Officer (DPO) is only mandatory if you run have a data controller with more than 250 employees.

• I run a personal blog on WordPress. Do I need to be compliant as well?

GDPR is a regulation only for corporate entities. If you monetize your business in any way, then you will be considered a business. Even if you don’t monetize your website, but use any service that collects user data in any way, make sure they are compliant with GDPR and update your privacy policy accordingly.

Also, use the upcoming WordPress features to become compliant easily. Since the cost of non-compliance is so high, it is better to be safe than sorry.

• What is meant by explicit consent?

Explicit consent means that every request for data capture must be specifically agreed. Since most consent on websites is through checkboxes, explicit consent means that check boxes must be unchecked by default.