How the GDPR Affects Your WordPress Website

How the GDPR Affects Your WordPress Website

After many years of planning, the General Data Protection Regulation (GDPR) finally went into effect on May 25th. Even though it’s been a long time coming, almost half of all companies were not compliant when the GDPR became enforceable. If your site is one of them, or if you haven’t already researched how the GDPR concerns you, there’s no time to waste as you may be faced with a significant fine otherwise.

The GDPR is very important, even if your site is not located within the EU. However, while it’s a big deal, it doesn’t have to be a headache to comply with. The regulation basically requires you to be transparent with the data your site collects, how it’s used, and gives your users the ability to remove it at any time.

In this article, we’ll go into more detail on the GDPR and what you need to be aware of. We’ll also look at the steps you need to take in order to make your site compliant, such as updating your privacy policies. Let’s go!

What the General Data Protection Regulation (GDPR) Is (And Why You Can’t Ignore It)

The home page for the GDPR portal.

The GDPR is a new piece of EU legislation that became enforceable on May 25th 2018. Its purpose is to increase the rights of EU citizens when it comes to their privacy and personal data online.

In the simplest terms, this will require sites and businesses to be transparent about using their user’s data. This involves requesting explicit consent, providing clear information on how the data is handled, and being up-front with the amount of time they intend to store it. Users also have the right to request copies of their data, or have it deleted at any time. The goal is to create a safer online environment for users, while holding sites accountable for how they store data.

How the GDPR Affects Your WordPress Site

While the GDPR is created and enforced by the European Union, it will apply to all websites that collect personal data from citizens of the EU countries, which means it will apply to almost all websites, regardless of geographic location.

Failure to comply can have devastating effects on your business. Two levels of fines are currently in place, with the lower level up to €10 million or 2% of the company’s global annual turnover, whichever is the higher. The second level doubles these figures, with €20 million or 4% of the company’s global annual turnover.

So, what do you need to do to avoid these consequences? Fortunately, WordPress has worked hard to make this process easier for site owners, and we here at WPWebHost have also collected information about what we’re doing for GDPR. We’re going to take a look at some of the most pressing steps you need to take to make your site compliant right now.

3 Steps Towards Making Your Site Compliant

The following three steps represent the most important changes you need to make to ensure your site is GDPR-compliant. However, this is not a comprehensive list, but rather a primer you can use as a jumping-off point.

As such, we recommend you refer to additional documentation to make sure your site matches the legislation’s requirements. GDPR Associates and the Information Commissioner’s Office are both great resources for simple but extensive information on how to become compliant.

Step 1. Document All of the Data You Collect

The GDPR has provided a list of eight rights for individuals to which all compliant sites must adhere. These effectively outline what your users have the right to know and request, which you must be able to comply with. For example, this involves the right to access and delete their data at any time. It also includes the right to move their data, as well as the right to decline and remove consent to store their data.

For this reason, you need to be aware of all personal data you currently store. You also need to know how you’ve collected it, as well as how you’re currently handling and protecting it. This applied to all data you have on users, but also extends to subscribers, members, customer, and employees, amongst others.

It’s also important that you’re aware of (and transparent about) how you use this data. This includes whether or not you share it with any other parties. The key is to be knowledgable and transparent. You need to know and so do your users.

Step 2. Update Your Privacy Policies

Speaking of transparency, an important part of the GDPR is providing clear information for users about how their private data is handled. This means you’ll need to update your existing privacy policy and privacy noticed to include information that matches the requirements outlined by the GDPR.

Along with being open about what data you’re storing, how, and for what length of time, you also need to make your users aware of the lawful basis you have to process their data in the first place. This information needs to be immediately visible when browsing to your website, so visitors can give their explicit permission to keep their data immediately.

If you do not currently have a privacy policy in place, or are unsure as to how to update it, there is plenty of help available. This guide from Econsultancy includes both information and examples of how to create a GDPR-compliant policy. We also recommend checking out popular privacy policy services, such as iubenda. They also offer a comprehensive GDPR guide that contains practical instructions on how to create compliant policies.

Step 3. Prepare to Deal with Data Breaches Immediately

As you’ve probably noticed, transparency is a pillar of the GDPR. This also extends to when your site is compromised, such as in the event of a data breach. A data breach is any situation where private and confidential information is leaked, either intentionally or unintentionally.

If your site suffers a data breach, you must report this to your users within 72 hours. However, if the breach is likely to negatively impact individual’s rights, you need to inform them of this immediately.

This step consists of two important aspects. The first of which is making sure your site can boast some robust security to prevent malicious attacks from causing a breach. You should also make sure that data is unlikely to be leaked accidentally. The second aspect is that you need to have a system in place to report breaches as soon as they occur.

To achieve this, you need to create a strategy. This involves considering your security systems and how they could be strengthened, but it also concerns how you deal with a breach when it happens. Consider how you contact your users, the information you are required to give them, and how to inform the media in the event of a breach. This article from the NCC Group contains a wealth of information about how to create a strategy, so study it well and make sure you’re prepared if the worst happens.

Conclusion

Many sites still find themselves struggling to become GDPR compliant, even after the May 25th deadline. If yours is one of them, you need to take action right away. Otherwise, you’ll find yourself liable to pay a hefty fine, and could see a loss of trust from your visitors. By understanding how the GDPR affects your site, and what the regulation requires from you, making your site compliant shouldn’t be a headache.

In this article, we’ve discussed some of the most important steps towards making your site GDPR compliant. These include:

  1. Document all data you collect.
  2. Update your privacy policies.
  3. Prepare to deal with data breaches immediately.

Do you have any questions about the GDPR? Let us know in the comments section below!

Image credit: Pixabay.

About the Author
Andy Andy
Product Manager of WPWebHost, building WordPress from scratch.