Is Your Website GDPR Compliant? Big Fines Likely If No!

The General Data Protection Regulation

The European Union’s General Data Protection Regulation is a new data protection law that goes into effect on May 25, 2018. The aim of the GDPR is to give EU citizens control over their personal data. It changes the approach businesses world-wide must apply to data privacy. It is the biggest change to data protection in the EU since the 1995 Data Protection Directive.

The GDPR prescripts some significant changes that have the potential to impose a profound impact on many websites that collect and use information about individuals, even if the organization has no physical presence in the EU but collects and uses personal data of EU based individuals.

By now you may be thinking to yourself, “I don’t do business with anyone in the EU. This has no bearing on me.” That may be true, but even if you have no physical presence in the EU or intend to do business with anyone living in the EU, you have a website that invites a global audience. All websites invite a global audience, so it does have a bearing on you. When was the last time your Google Analytics showed a period where your site had no visitors from an EU country?

There are two primary aspects of the GDPR: “personal data” and “processing of personal data.” Here’s how it relates to running a WordPress powered site:

• personal data means “any information relating to an identified or identifiable natural person”—like name, email, address, or even an IP address,
• processing of personal data means “any operation or set of operations which is performed on personal data”. Just storing an IP address in your web server logs is processing of a user’s personal data. All webservers store IP addresses of your site visitors.

There is also a classification called “_sensitive personal data_”, which means any information concerning an individual’s

The importance of preparing for and ensuring compliance with the new law cannot be overstated because of the huge fines of 4% of worldwide turnover up to €20m that could be levied for breaches. At exchange rates current as of the time of this writing, €20m is over $24.5m USD!

To demonstrate just how important compliance is to major businesses, six months after the guidelines were released in 2016, PwC surveyed 200 CxOs of large US firms to assess the GDPR impact. The results reveal that a majority of the firms have designated the GDPR guidelines as their top data protection priority, with 76% of them prepared to spend in excess of $1 million on GDPR. Even Forbes muses if the GDPR is the “next Y2K”.

WordPress GDPR compliance

What does all of this mean to you? How do you make your website compliant so you won’t experience any WordPress GDPR problems?

Let’s consider some of the usual ways in which a WordPress site might collect user data:

The first step in bringing your site into compliance is to conduct a security audit. In general, a security audit reveals how data is being processed and stored on your servers. From there, we can determine the steps that are required to comply with the GDPR.

Some key aspects of WordPress GDPR compliance that you need to implement, regardless of security audit results, include:

Breach notification

If your website is experiencing a data breach of any kind, that breach needs to be communicated to your users within 72 hours of its discovery. A data breach may result in a risk for the rights and freedoms of individuals, due to which, notifying users in a timely manner is a necessity. In WordPress, the term “user” may mean regular website users, contact form entries, eCommerce customers, commenters, and possibly others.

How often do you monitor your website for signs of a security breach? Under the GDPR, you now have a legal requirement to assess and monitor the security of your website. The ideal way is to monitor web traffic and web server logs. At the very least, this clause encourages you to use the best security practices available to ensure data breaches do not occur. We can provide the kind of monitoring you need and inform you in real-time of suspected breaches through our Manage or Master Website Care Plans¹.

Data Collection, Processing, and Storage

Under the GDPR, all users have the Right to Access, Right to Be Forgotten, and the right to Data Portability.

• Right to Access—provides users with complete transparency in data processing and storage. User have the right, to know what data points are being collected, where are these data points being processed and stored, and the reason behind the collection, processing and storage of the data. EU users must also be provided with a copy of their data free of charge within 40 days of you collecting it.
• Right to Be Forgotten—gives users an option to erase personal data, and stop the further collection and processing of the data. This involves the user withdrawing consent for their personal data from being used.
• Data Portability—this clause grants users the right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller. It’s encouraged to enforce data policies that enable the processing and storage for only that data that is absolutely necessary. Site owners and controllers should adopt potentially safer policies for data, by limiting the number of data points they collect.

As a WordPress site owner, you have to publish a detailed policy on the personal data points you’re using and how they are being processed and stored.

Next, you need to provide users with a copy of their data. This is the most difficult part of compliance. However, when the time comes, we can only hope that most plugin or tool developers—for those you use on your site—have provided updates with their own solutions to this. Still, it’s advised to have a system in place to extract the required data out of your database. This will very likely require a custom solution.

Truthfully, it may be the wisest move to avoid data storage altogether if you can in certain cases. For example, contact forms could be configured to send all communication directly to your email address instead of storing their details on the server.

WordPress Plugins

Plugins that you use on your site need to comply with the GDPR rules. There may be plugins on your site that haven’t been updated in a long time or seemingly abandoned by their developers. While the “how” of plugin development is beyond your control, as the site owner, it remains your responsibility to ensure that every plugin can export, provide, and erase any user data it collects.

This can be problematic for some of the most popular plugins out there. For example, tools like Gravity Forms or Jetpack have tons of modules whose job is to collect user data. How will these tools comply with the GDPR exactly? What does this mean to you?

Under the rules, plugins need to approach data compliance from the perspective of the site owner…You! If the nature of the plugin includes anything related to personal data collection, it needs to establish a data flow and inform about the processing of personal data.

If you are the developer of a plugin, provide your users with an addendum that they can add to their website’s privacy policy in order to make them GDPR compliant. Using Gravity Forms as the example again, its developers need to let users know how personal data being entered in a contact form is going to be published, and provide an option to remove it themselves, if desired.

As for the other example plugin, Jetpack, Automattic has confirmed on Twitter that they are preparing Jetpack for the GDPR, and further updates would appear in their new privacy related features.

Another popular form tool, Formidable Forms, has published a couple of blog posts so far about building GDPR compliant forms. While this is a good start, their approach may not go far enough. See https://formidableforms.com/gdpr-compliant-formidable-forms/ and https://formidableforms.com/v2-05-forms-gdpr-compliance-view-compatibility/.

You need to make sure you check with the developers of your most important plugins to see how they plan to handle GDPR compliance. If they have no plans, consider finding a replacement tool.

External Tools

There are tools that you may be using on your site to collect names and email addresses that are external to your WordPress installation. Think about an email marketing tool like MailChimp, for example. It’s very common to integrate these types of tools with your WordPress website. You might use the collected email addresses to send promotional emails, newsletters, or white papers. Depending on how you’ve collected those addresses, they may not have been obtained by getting explicit consent from the users.

For instance, a checkbox that’s selected by default counts as a violation. Under the GDPR, everything relative to your online presence where personal information is collected needs to explicitly request consent and have a privacy policy in place. There are other inferences, too. If you buy a mailing list for some kind of bulk marketing campaign, it would be illegal for you to send emails to the recipients, because no one explicitly granted you their permission to receive emails from you.

Closing Thoughts

The final responsibility for GDPR compliance lies with you, the site owner. There is nothing to suggest that WordPress itself plans any changes to its structure to ensure GDPR compliance. The only assigned change in their planning logs is the addition of a privacy policy for WordPress.

There are many benefits for any business that uses this opportunity to adopt a fresh approach to data privacy and protection. Consider adapting a Privacy by Design approach and its 7 Foundational Principles as a strategy. Compliance with the GDPR is not just an additional burden—it is also a way to build and strengthen trust with customers and employees, enhance business reputation, grow the value of data assets, and enhance risk mitigation.

We don’t know how the GDPR can be enforced if you have no physical presence in the EU, but why risk the chance. The investment you make into developing a GDPR compliance strategy, compliant website, and on-going monitoring is a lot less than facing a protracted legal battle and possible fines.