Preparing Your WordPress Site for GDPR Compliance

To Whom Does GDPR Apply?

Everyone. This regulation is not one that applies only to organizations in the European Union as EU privacy regulations have applied in the past. If you have a website that an EU resident can visit, you're impacted! You need to know what's going on. This applies to businesses, non-profits, government agencies, and other organizations. It applies to organizations in the EU, organizations that offer goods and services to EU residents, and any organization that collects data on EU residents. In other words, everyone. No matter what the purpose of your website, it has a global audience. Check your Google analytics from time to time and see how many visitors you receive from EU countries. The numbers may surprise you.

As a reminder, the European Union countries are:

What Does GDPR Mean for Your WordPress Site?

Not too long ago, we published a comprehensive article about the European Union's General Data Protection Regulation. It's effective date is May 25, 2018. Here's a great infographic explaining its many far reaching components. As a website owner, there are three basic responsibilities that you are liable for fulfilling: Right to Access, Right to Be Forgotten, and Data Portability.

Please answer these questions:

1. Do you have a contact form, or any other form that collects personal information like name, email address, or phone#?
2. Can visitors post a comment anywhere on your website?
3. Can people purchase products through your website or eCommerce shop?
4. Do you provide a forum or message board?
5. Do you have a method where visitors can chat with your company directly?

If you answered 'No' to ALL of these questions, your site is probably in good shape and you may not have to do anything to mitigate the compliance risk. If you don't have the information, you don't have to protect it.

General Preparedness

If you answered 'Yes' to any of these question, please read on. Here are some general steps you need to consider:

1. Update your privacy policy
   • Include a GDPR compliance line
   • Specify what information you collect and store from website visitors. ( e.g. ip addresses, device information, access information, cookies, visit duration and tracking, mouse and swipe actions, email, phone, name, address and billing addresses )
   • Specify who has access to this personal data. (e.g. you, MailChimp, Google, Salesforce, etc.)
   • Specify the contact details of the assigned Data Protection Officer in your organization. For small businesses, this is probably you. Larger businesses and enterprises should have a dedicated senior-level person who carries indemnity insurance to cover the liability of this role. This person should receive data protection training and a certification.
   • Provide instructions on how to submit a data access request.
   • Specify how long you store personal information.
2. Remove all automatic opt-ins on your site. All checkboxes must be empty in online forms. An empty box cannot imply acceptance.
    
3. Collect only information you require to run your business.
   • Delete personal information that you no longer use that may be stored on servers, in excel spread sheets, etc.. This includes emails with file attachments that may contain personal information.
   • Keep only one version of personal information. You may keep copies for backup and restore purposes only. Up to 4 backups is acceptable. If you keep more, you have to justify it. The location of the backups needs to be captured in your data/security audit.
   • Collecting extra information in case you may use it in the future is unlawful. Information you have about individuals for which you have no use must be deleted.
4. All data breaches need to be recorded and actioned with preventive measures. Examples of data breaches include:
   • Personal information being passed or coming into the possession of an unauthorized data processor or subcontractor.
   • Passing of personal data into a non-GDPR compliant country.
   • Passing of personal data to a third party without the knowledge of the data subject.
   • Personal information leaked as a result of a website hack.
5. Have a security data breach response plan and process in place. Here's a link to a helpful toolkit that can help you get started developing a plan if you don't already have one: Security Breach Response Plan Toolkit
    
6. Have a process to comply with someone asking for a copy of their data.
   • Verify their identity
   • Make sure you have the data before processing the request, if you don't have the data, respond and say, “I don't have the data”.
   • Do not create more personal data while performing the request
   • Process the request
   • Record it in your data audit log
   • Do it within 20 days.
7. Update your contracts, NDA’s, and Privacy policies on your website.
   • All staff need to have signed NDA’s and data protection awareness training. A good rule of thumb is to include all staff even if they do not have direct access to personal information in the normal course of their duties.
   • All customer contracts have to be updated with a GDPR clause.

What You Can No Longer Do

1. You cannot send unsolicited emails to anyone. No more purchased lists or merging lists from different companies into other lists.
2. You cannot auto email from abandoned shopping carts offering discounts unless the shopper has opted in for email at the top of the checkout.
3. You cannot refuse to give customers their personal details on request.
4. You cannot send unsolicited text messages via mobile phone numbers.

Wow! That's a lot, isn't it? You may even be thinking, this must apply only to big businesses. They'll never audit a small business. This thinking is dead wrong! Even if you collect information from a single EU resident, you may be subject to a GDPR audit. They may not audit you right now, but they may at anytime in the future, even if you are not based in the EU. Why take the risk of being cited for non-compliance?

WordPress Specifics

Online Forms¹

Make sure you add a checkbox specifically asking the form user if they consent to you storing and using their personal information to communicate with them. The checkbox must be unchecked by default. Also mention if you will send or share the data with any 3rd-parties and why. The consent statement must include a link to your privacy policy.

Visitor Comments

Make sure you add a checkbox specifically asking commenters if they consent to storing their message attached to the e-mail address they've used to comment. The checkbox must be unchecked by default. Also mention if you will send or share the data with any 3rd-parties and why. The consent statement must include a link to your privacy policy.

Web Store Order Forms

Make sure you add a checkbox specifically asking the customer if they consent to you storing and using their personal information to ship the order. This cannot be the same checkbox as the Privacy Policy checkbox you should already have in place. The checkbox must be unchecked by default. Also mention if you will send or share the data with any 3rd-parties and why.

Forums and Message Boards

Make sure you add a checkbox specifically asking forum / board users if they consent to you storing and using their personal information and messages. The checkbox must be unchecked by default. Also mention if you will send or share the data with any 3rd-parties and why. The consent statement must include a link to your privacy policy.

Chat Bots

Make sure you add a checkbox specifically asking chat users if they consent to you storing and using their personal information and messages. The checkbox must be unchecked by default. It's also mentioning how long you will store chat messages or delete them all within 24 hours. Also mention if you will send or share the data with any 3rd-parties and why. The consent statement must include a link to your privacy policy.

Useful Plugins

Delete Me—This plugin is helpful in addressing the Right to be Forgotten. It provides a method for data erasure of a user's profile, comments, etc.. It's available to WordPress admins, but goes a step further if you are comfortable allowing users to delete their own data without having to create a request for it.

Security Audit Log—helps you perform a security audit on your website.

WordFence (Pro version)—Satisfies the GDPR legal requirement to assess and monitor the security of your website to ensure data breaches do not occur. If a breach does occur, you will receive a real time notification from the plugin.

Additional Advantage: Privacy Shield Framework

As an additional advantage, you can self-certify your site through the U.S. Department of Commerce’s Privacy Shield framework that they’ve designed with the European Commission and Swiss Administration to help protect US businesses from GDPR compliance issues. The cost for self-certification is scaled based on annual revenue.