If you are an active website owner, you must have heard about GDPR compliance. If you haven’t, you should.
GDPR or General Data Protection Regulation is a consumer data privacy regulation created by the EU which comes into effect on the 25th of May 2018. Complying with GDPR is critical, even if you don’t do business directly in the EU.
GDPR is a huge change for businesses worldwide, and its impact will be felt far beyond the EU. But there are a lot of misconceptions about it. We created this post to answer the common questions about GDPR and to make a resource that website owners can use as a reference.
Before proceeding, we must clarify we are neither lawyers nor regulation experts. Please do not treat the information in this post as legal advice. This post is created to increase awareness and explain GDPR compliance in general.
GDPR stands for General Data Protection Regulation, a regulation created by the EU for the data protection and privacy of all individuals within the European Union. GDPR will replace an older privacy law known as Directive 95/46/EC (the “Directive”), which had been the governing privacy law since 1995.
GDPR’s primary aim is to give people more control over their personal data. It applies to businesses in the EU, and businesses outside the EU if they collect or process data of individuals residing in the EU.
GDPR was passed in 2016, and the deadline to be compliant is 25th May 2018. There is no grace period, so your business must be compliant before that.
GDPR affects all businesses that collect personal data (details on that later), and the definition of personal data is very wide.
GDPR is also retroactive. That means it applies to all customer data you’re storing or using, even if it was collected before May 25th, 2018.
If you operate a website and have any website visitors from the EU, then you are affected by the GDPR. It does not matter if you don’t have an email list, don’t sell any products, or don’t even advertise; you still need to be compliant.
This is because GDPR affects any business that collects the personal data of people living in the EU. According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
As a website owner, the last part is important to remember. Even recording an IP address brings you under GDPR. Since most CMSs, including WordPress, collect IP addresses by default, that means website owners have to be compliant with GDPR.
Here are a few more examples of websites that will be affected by GDPR.
- A forum that has a user profile
- An eCommerce store that sells any product (physical or digital) and records user data (purchase or otherwise)
- An affiliate website that uses various tags for retargeting
- Any WordPress blog that allows users to comment
- Any WordPress blog that lets users sign up for email lists
- Any WordPress website that has analytics set up
In the simplest terms, if you operate any website, and are not blocking all EU traffic, then you will be affected by GDPR.
Penalties for Non-Compliance with GDPR
If your business is found non-compliant with GDPR, then you can be penalized for €20 million or 4% of your worldwide annual revenue, whichever is higher. The high costs have been put in place to encourage compliance proactively. Therefore, it is important to be compliant.
Under GDPR, your readers/users/customers have 8 rights related to their data. If you receive any request related to those rights, then you have to respond to the request within 30 days.
1. The right to be informed
Users have the right to know what data you collect and how it is used. That means you need to provide clear and concise information about why their personal data is being collected, how it will be saved, how long it will be saved, and who else will get access to it.
2. The right of access
Users have the right to access the data that has been recorded by the data controller upon request. The data controller is the entity that holds their data.
3. The right to rectification
Users have the right to have their inaccurate or incomplete data updated or rectified. If the data controller receives a request for rectification, they need to take the necessary steps to verify the accuracy of the data and update it if required.
4. The right to erasure (or to be forgotten)
Users have the right to have their personal data completely erased, and also prevent further collection of their data. If the data controller receives this request, the user is effectively withdrawing their consent for their data being recorded.
5. The right to restrict
Under certain circumstances, users can request to restrict or suppress the use and processing of their data. In this case, the data of the user may be recorded but not used for any purpose.
6. The right to portability
Users have the right to request their data in machine-readable and human-readable formats. They may use this data in any way they see fit and even transfer it to another data controller.
7. The right to object
Users have the right to object to the use of personal data that involves personal interests. They may also object to the use of the data in a specific way, and the data controller has to make sure that users are made aware of how their data will be processed.
8. The right not to be subject to automated decision-making
Users have the right to opt out of automated decision-making when it can produce an adverse legal impact or anything similar.
In layman’s terms, your responsibilities as a website owner under GDPR are:
- Inform users about your identity, the data you collect, why you collect it, how long you store it, and who you share it with
- Get clear and explicit consent from the user when collecting any data
- Let the users access and download the data you have collected about them
- Allow the users to delete their data if they wish to do so
- Inform the users within 72 hours of any data breach
Understanding each of these rules is important, so let’s discuss them one by one.
Inform users about your identity, the data you collect, why you collect it, how long you store it, and who you share it with
This rule aims to inform users who is storing their data and how it is being used. Under GDPR, you have to be specific about the data you collect and gain explicit consent (discussed in point 2) whenever you collect data.
To understand this rule, let’s take an example. Suppose that you run an eCommerce store. Here are the basics that you need to cover to comply with this rule.
- Explain to users what data you are collecting and on what pages
- If you collect email addresses, mention why you collect them and gain consent
- If you email users with abandoned cart emails, mention that, and gain consent
- If you collect their addresses for shipping, mention that and gain consent
- If you allow customer reviews, mention how and where the review can be shared and gain consent
- If users can share their product pictures, mention how they can be used and gain consent
- If you share their personal information with 3rd parties (e.g. a shipping company), mention that and gain consent
- If you store their information for any period (accounting, intelligence, retargeting, etc.), mention that and gain consent
The important thing to remember is that visitors need to be informed about every way that their data can be used. They also need to be informed of every 3rd party that gets access to their data.
Get clear and explicit consent from the user when collecting any data
The ‘clear’ aspect means that you have to use everyday language to make the visitor understand the data being collected. The specifics have to be clear and cannot be buried in legal terminology like the Terms and Conditions.
The ‘explicit consent’ means that every time you collect data, the visitor has to confirm it. Usually, it can be through a checkbox, but it is important that the checkbox is not checked by default.
Let the users access and download the data you have collected about them
On a user request, you have to give them access to all the data that you have collected about them. This should include data collected by plugins and themes. The latest version of WordPress already includes a solution, and more details are discussed in a section below.
Under this rule, you have to provide your readers access to the data they created. For example, if they read a few posts on your website, you have to share that data. But if you used some analytics to predict the type of content they would like to read, then you can skip that information.
Allow the users to delete their data if they wish to do so
This rule is similar to the rule above, but instead of just viewing their data, visitors can also request deletion of their data. The latest version of WordPress has this feature built in, and we’ve discussed it in detail in a section below.
There are a few exceptions to this rule. If there is a legal reason for you to keep the data (like invoice data), then you can refuse to delete the data.
Inform the users within 72 hours of any data breach
If the data of your visitors is leaked in any way (hacked website, stolen computers, accidental password sharing), then your visitors, readers, or customers have to be informed of the leak within 72 hours. You also have to inform your local GDPR authorities about the leak, but the guidance on that is ambiguous.
It’s obvious that all WordPress websites will be affected by GDPR. To transition into a fully compliant website, you have to start thinking about your website from a customer data perspective.
Start by making a list of all the places where data is captured and think about the guidelines mentioned above. Think along these lines.
- Am I informing users that data is being collected?
- Am I clear in mentioning what the data will be used for?
- Is there a way for my readers to provide explicit consent for this?
- Is there a way for my readers to withdraw consent for this?
- Can I make this data available to them upon request?
- Can I delete this data upon request?
- Can I anonymize this data upon request?
You have to ask yourself these questions for all the places that you collect user information from. Apart from this, you also need to know what kind of data your theme and plugins capture. Every theme and plugin you use has to be GDPR compliant as well.
WordPress websites usually collect data through the following methods.
- Registered Users
- Contact forms
- Traffic and analytics
- Email subscriptions
- Ad solutions
- Security plugins
You have to comply with GDPR in all these places. We will discuss the steps you need to take in the next section.
No matter what kind of website you operate, it is important that you become compliant with GDPR as soon as possible. Here are the steps that you need to take to make your WordPress website compliant.
Based on the basic guidelines highlighted above, you need to make changes in the following areas:
- Your Terms & Conditions page
- Your Comments
- Your opt-in forms (newsletter, lead magnets, subscription form, contact forms)
- Your analytics
- Any other page where you collect user information
Step 1: Terms and Conditions
Specifically, you have to include the following information:
- Who you are – Include your name or organization name, address, contact information, etc.
- What data is collected – Mention that you record the IP address, name, email and other information that you collect. This information will differ from website to website.
- Why you collect the data – Mention specifically why you collect the data that you do.
- How long is the data retained – Mention how long you will retain the data.
- How is the data shared – Who else do you share the data with? If you send email newsletters, then you share your data with your email service provider. Mention all the services that you share data with.
- How do customers download their data – Describe how customers can access their information. The latest version of WordPress will help you achieve this, and we discuss it in the last section.
- How to delete their data – Describe how customers can delete their data or ask for it to be deleted. The latest version of WordPress has this feature as well, which we discuss in the last section.
- Contact Information of your Data Protection Officer – In most cases, this will be your email address
Step 3: Your Comments
Since comments will be stored on your website and qualify as personal data, you must have the explicit consent of the user before capturing their information. The latest version of WordPress has this feature as well.
Step 4: Contact Forms
Any contact form and other venues from which a user can submit their information have to be made compliant by adding information about what data is being captured and how it will be used. You will also need to add a checkbox for users to provide consent to the use of this data.
Step 5: Analytics
Step 6: All pages that capture information
Review all the pages which might capture user information (via content upgrades, etc.) and follow GDPR guidelines on those pages as well.
Step 7: All plugins, themes, and 3rd party services
Review your themes, plugins, and other 3rd party services (email service, etc.) and make sure that all of them are GDPR compliant. Failure of a theme or plugin to be compliant implies that you are also non-compliant with GDPR.
Since WordPress is such an important and huge part of the web, the WordPress team has made many changes in the latest version (4.9.6) to comply with GDPR regulation. Let us walk you through the important changes and how you can configure WordPress to be compliant.
The process works this way.
- A user requests to view or delete their data (via comments, contact form, or other means)
- The site admin goes to the export or erase personal data tool, enters the reader’s email address, and clicks ‘send request’
- The reader receives an email with a confirmation link to confirm their request
- If the user clicks the link, their request is confirmed, and the site admin can send them an email with their personal data with the click of a button
- The user can download the file and view their personal data. The file is deleted after 72 hours for security purposes
- If the request is for deletion, then the site admin can delete the data after the reader has confirmed their request
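Themes and plugins attach their own stored records to that flow through two filters added in WordPress 4.9.6, so the report and the deletion cover more than core data. The following is an added example, not code from the page, from WordPress core or from MyThemeShop: a hypothetical plugin registering an exporter and an eraser for a form-entries table (the table and column names are assumptions).

```php
<?php
// Added example (not WordPress core or MyThemeShop code): hooks a hypothetical
// plugin's records into the 4.9.6 Export/Erase Personal Data tools.
// The table name and column names are assumptions.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['my-plugin'] = array(
        'exporter_friendly_name' => __( 'My Plugin form entries' ),
        'callback'               => 'my_plugin_export_personal_data',
    );
    return $exporters;
} );
// Runs with the email the admin entered, after the reader confirms the request.
function my_plugin_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'my_plugin_entries'; // hypothetical table
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, ip_address, message, created_at FROM {$table} WHERE email = %s",
        $email_address
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        // Each item becomes one section of the report the user downloads.
        $items[] = array(
            'group_id'    => 'my-plugin-entries',
            'group_label' => __( 'Form entries' ),
            'item_id'     => 'entry-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'IP address' ), 'value' => $row->ip_address ),
                array( 'name' => __( 'Message' ),    'value' => $row->message ),
                array( 'name' => __( 'Submitted' ),  'value' => $row->created_at ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // no further pages to fetch
}
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['my-plugin'] = array(
        'eraser_friendly_name' => __( 'My Plugin form entries' ),
        'callback'             => 'my_plugin_erase_personal_data',
    );
    return $erasers;
} );
// Deletes the same records; data kept for a legal reason (e.g. invoices) would
// instead set items_retained to true and explain why in messages.
function my_plugin_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'my_plugin_entries', array( 'email' => $email_address ) );
    return array( 'items_removed' => (bool) $deleted, 'items_retained' => false,
                  'messages' => array(), 'done' => true );
}
```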
WordPress has also made changes to the comment system. Since a website will save the IP Address and the email of the commenter, it is important to take explicit consent from the commenter.
In the new version, when a visitor comments, they will have to check a checkbox for WordPress to save a cookie on their computer.
We are happy to announce that all MyThemeShop products are GDPR compliant. If you use only MyThemeShop products, then your website is already on the path to compliance.
Here are the steps we’ve taken to make MyThemeShop products compliant with GDPR.
- For viewing and removal of data, MyThemeShop uses WordPress core features that we described in the section above. When a user requests their data, all data recorded by MyThemeShop products is also included in the report. If a user requests removal of their data, all the data recorded by MyThemeShop products will also be deleted.
- Do I need to hire a data protection officer?
Not necessarily. Hiring a Data Protection Officer (DPO) is only mandatory if you are a data controller with more than 250 employees.
- I run a personal blog on WordPress. Do I need to be compliant as well?
Also, use the upcoming WordPress features to become compliant easily. Since the cost of non-compliance is so high, it’s better to be safe than sorry.
- What is meant by explicit consent?
Explicit consent means that every request for data capture must be specifically agreed to. Since most consent on websites is given through checkboxes, explicit consent means that checkboxes must be unchecked by default.