WordPress GDPR Compliance 🔐 A Complete Solution Guide
There must be many questions going around in your mind right now, like:
🔹 Is WordPress GDPR compliant?
🔹 How do you make a WordPress website GDPR compliant?
🔹 Which are the best GDPR compliance tools in WordPress?
🔹 How will it impact website owners?
and many more. Let’s dive into the basics and learn about GDPR and WordPress compliance.
🛡️What is GDPR?
These days the topic of concern is GDPR. You have probably heard the term discussed everywhere around the web. Put simply, it is a law built for data protection. The GDPR, or General Data Protection Regulation, is a new data privacy law effective from May 25th, 2018. It gives citizens control over their personal data and changes the data privacy approach of companies all across the globe. GDPR is a positive step for both individuals and brands.
There are two main concepts in the GDPR:
- Personal data
- Processing of personal data
For a better understanding, let’s discuss them in detail:
- Personal data: Any piece of data that relates to a person is considered personal data – like a name, place, income, health information, date of birth, email, address, or even an IP address.
- Processing of personal data: Any operation performed on personal data. So simply storing an IP address on your web server or in any database counts as processing personal data.
Familiarize yourself with the articles below; this will make your transition to the GDPR less difficult.
- Art. 5: Principles relating to the processing of personal data.
- Art. 6: Lawful bases of personal data processing.
- Art. 12 – 22: Data subject rights (access, data portability, right to be forgotten, etc.)
- Art. 25 & 32: Companies should implement the necessary protection measures to protect the personal data of the data subject.
🛡️GDPR Compliance Checklist – Infographic
👉 We recommend that you check out The GDPR Checklist.
🛡️What does GDPR mean for your business or organization?
On 25th May 2018, the General Data Protection Regulation (GDPR) comes into effect across all EU member states. The GDPR provides a single framework data protection law, representing a significant harmonization of data protection requirements and standards. Having just one horizontal framework law to deal with will benefit business, promote responsibility when dealing with personal data, and help ensure that the same data protection standards apply across the globe.
National law also sets the digital age of consent and the circumstances in which an individual’s data protection rights can be restricted. Accordingly, it is important for all businesses and organizations to be aware that they will be required to comply with the data protection standards and obligations set out in both the GDPR and the Irish Data Protection Act 2018 (due to be published by the Government in early 2018).
The checklist has been designed to assist in particular the small and medium enterprise sector, which may not have access to extensive planning and legal resources. Using this guide, along with our twelve-step GDPR and You guide, will help those businesses in particular to prepare for a business future that is data-protection compliant.
If you process personal data as part of your business, the GDPR applies to you. It is important to remember that:
- Customer AND employee data is personal data
- Simply storing personal data electronically or in hardcopy constitutes ‘processing’ personal data.
🛡️How does GDPR relate to a WordPress website?
The personal data involved is “any information relating to an identified or identifiable natural person”:
- names, addresses, email addresses, or even an IP address, and so on.
For example, the simple operation of storing an IP address in your web server logs means you are processing a user’s personal data.
How does a WordPress site collect users’ data?
It is basically done through any of these:
- user registrations,
- contact form entries,
- analytics and traffic log solutions,
- any other logging tools and plugins,
- security tools and plugins.
🛡️Is WordPress GDPR Compliant?
The WordPress core team has added several GDPR enhancements to help make WordPress GDPR compliant. At the same time, due to the dynamic nature of websites, no single plugin, platform or solution can offer 100% GDPR compliance. The compliance process depends on the type of website, the data you store, and how you process data on your site.
So yes, as of WordPress 4.9.6 the WordPress core software itself is GDPR compliant.
By default, WordPress stores the commenter’s name, email and website in a cookie in the user’s browser. This lets users leave comments on their favorite blogs more easily because those fields are pre-populated.
Due to the GDPR consent requirement, WordPress has added a comment consent checkbox. A user can still leave a comment without checking this box, but then they have to manually enter their name, email, and website every time they leave a comment.
Update: If your theme is not showing the comment privacy checkbox, make sure that you have updated to WordPress 4.9.6 and are using the latest version of your theme. Also ensure that you are logged out when testing whether the checkbox appears.
Data Export and Erase Feature
WordPress lets site owners honor users’ requests to export their personal data as well as to erase it. These data handling features can be found under the Tools menu in the WordPress admin.
🛡️Who will GDPR Impact?
Without a doubt, GDPR will impact everyone with a web presence. While the new GDPR regulations were designed to protect the rights of EU citizens, you will all be affected, regardless of where the online activity takes place and where your business is established. If your website is processing or collecting data from users, then you must follow the GDPR guidelines.
To quote a few examples:
- WordPress community site that gathers all the personal information for each user profile.
- WordPress theme shop that has accounts signup to purchase themes or plugins.
- A WordPress blog that has a newsletter subscription widget or accepts visitor comments.
- E-commerce store that sells products online.
- WordPress site that uses analytics software.
You can probably see where this is going.
🛡️WordPress GDPR Compliance – Must be taken seriously
Webmasters have until May 2018 to comply with the regulations set by the GDPR. The penalty for non-compliance can be up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
There are various slabs of penalties according to the seriousness of the breach, which have been described in the FAQ section of the GDPR portal.
🛡️Key Aspects of WordPress GDPR that will affect site owners
Unless you have cut yourself off from the web entirely, there is a good chance that you have heard of GDPR compliance, the new law passed for individuals and businesses.
There are six main ways in which this will affect website owners:
- How you collect your users’ data via forms (contact forms, newsletter signups etc.)
- How you collect analytics data
- What you do with the data
- Where the data is stored
- How you communicate with your customers and contacts
- The plugins and themes you use
Let’s discuss the various GDPR compliance tools in WordPress in detail.
Contact forms, comment forms, newsletter signups etc.: There should be transparency in collecting information from users. The personal data you collect from them via a form will already be covered by data protection legislation, but GDPR makes sure that you have to put a few extra safeguards in place. The personal data covered by the legislation includes not only the names and addresses of individuals but also photos, such as avatars and photos they upload.
When collecting data via any form on your site, you must provide details of how you will use this data. This can be a pop-up, a redirect to another page on your site, or an email with the information. You should also tell your users how to contact you to get access to their information or to have it deleted.
- Always explain why you are collecting this data and how you will use it.
- Offer a double opt-in to ensure you have informed consent.
- Provide an unsubscribe or ‘forget me’ option when sending out emails.
- If you share data, inform the users and ask for their consent.
- Use plugins and themes that are GDPR compliant.
- Tell your users how they can access or delete their data.
Sales data: If you sell something via your website, you are obviously gathering personal information from your users. For this you need not only their names and email addresses but also their credit or debit card details. So, if you gather email addresses when making a sale on your website and add them to a mailing list, tell your users about this. Gain their specific consent for holding their data and using it in that way.
- Follow all the points in the checklist above for contact forms.
- If you use data obtained in the sales process for other purposes, such as emails or special offers, state this when collecting the data and give your users the option to opt out.
- Always use a third-party service to take payments and avoid collecting financial data yourself.
- Add an easily accessible ‘My Account’ page on your website where people can access and delete their data.
- Tell users about any data breach that happens and give them the option to delete their data.
- Use an e-commerce plugin that is GDPR compliant.
Analytics data: If you do SEO and conversion optimization, you will collect analytics data to measure overall performance. GDPR covers this data, although most analytics software will not attempt to track individuals. If you plan to track sales in your analytics software, be careful not to track at the level of individual customers.
- Keep your reporting and analytics at the level of anonymous group data. Don’t use analytics software to track individual data.
- Avoid analytics software that tracks IP addresses.
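One concrete way to follow the last two points, and the earlier remark that an IP address in a web server log is already personal data, is to anonymize client addresses before they reach analytics or long-term logs. This is an added example, not code from the original post; the log lines are constructed, and the kept prefix sizes (/24 for IPv4, /48 for IPv6) are an assumed choice rather than anything the post prescribes.

```javascript
// Added example (not from the original post). Anonymize IP addresses so that
// server logs and analytics no longer hold a directly identifying address.
// IPv4: zero the last octet (keeps a /24). IPv6: zero the last 80 bits (keeps a /48).
// ASSUMPTION: these prefix sizes; pick what your own risk assessment supports.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function anonymizeIPv4(ip) {
  const m = IPV4.exec(ip);
  if (!m || m.slice(1).some(o => Number(o) > 255)) return null;
  return `${m[1]}.${m[2]}.${m[3]}.0`;
}

// Expand "::" into the missing zero groups, keep the first three groups,
// and emit the remaining five as "::" (all zero).
function anonymizeIPv6(ip) {
  if (!/^[0-9a-f:.]+$/i.test(ip)) return null;
  const parts = ip.split('::');
  if (parts.length > 2) return null;                 // more than one "::" is invalid
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts[1] ? parts[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (parts.length === 1 && missing !== 0)) return null;
  const groups = head.concat(Array(missing).fill('0'), tail);
  const kept = groups.slice(0, 3).map(g => parseInt(g, 16));
  if (kept.some(Number.isNaN)) return null;
  return kept.map(n => n.toString(16)).join(':') + '::';
}

function anonymizeIP(ip) {
  return ip.includes(':') ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Rewrite the leading client address of an Apache/Nginx combined-format line;
// lines whose first field is not an IP address are left untouched.
function anonymizeLogLine(line) {
  return line.replace(/^(\S+)(\s)/, (whole, host, ws) => {
    const anon = anonymizeIP(host);
    return anon === null ? whole : anon + ws;
  });
}

function anonymizeLog(lines) {
  return lines.map(anonymizeLogLine);
}

// Constructed sample lines (documentation address ranges, not real traffic).
const SAMPLE_LOG = [
  '203.0.113.42 - - [25/May/2018:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
  '2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
  '- - - [25/May/2018:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 64',
];

anonymizeLog(SAMPLE_LOG).forEach(l => console.log(l));
```

Run it at log-rotation time or in the pipeline that feeds your analytics, so the identifying address never lands in the retained copy.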
Instructions for website owners:
A website owner should follow these instructions in order to secure their users’ data:
- Get the user’s consent before collecting any information.
- Inform your users about any breach that occurs.
- Build a transparent relationship with your users and inform them about everything: who you are, why you collect data and for how long you are going to keep it.
- Give your users complete control to access and take their data.
- Give users the right to delete their data.
🛡️How to make WordPress site GDPR compliant?
The main aim of making a WordPress site GDPR compliant is to protect users’ data. Whatever reason brought you to this blog post, each site will need somewhat different steps. We can give you suggestions to get on the right track, as well as additional things to be aware of.
- Audit personal data: The most important thing to do is carry out a complete GDPR compliance audit of your WordPress website. Remove any information or data that is not necessary, since holding it only adds risk to your website. With that, half of your work is done. Carry on with the further steps.
- Request consent: The Right to Access states that before any data collection takes place – before the user submits the form – they must be aware that the form is collecting their personal data with the intent to store it, and must give explicit consent to this.
- Hire a lawyer: There may be many concerns regarding GDPR, so it is always recommended to hire a lawyer. A lawyer can definitely help you with legal advice for your situation. If you do not abide by the GDPR guidelines you may have to pay hefty fines.
- Privacy by design: This encourages controllers to enforce data policies that allow the processing and storage of only the data that is necessary. It can lead site owners and controllers to adopt safer data policies by limiting access to a smaller number of data points.
- Keep users’ data organized and accessible: The Right to Be Forgotten gives users the option to have their personal data deleted and to stop further collection and processing of it. The Data Portability clause of the GDPR gives users the right to download the personal data they have previously consented to provide, and to transmit that data to a different controller. You must be able to provide a user with a copy of all the personal data you hold, free of charge, within 40 days. If you always collect an email address whenever you collect personal data of any type, submissions can easily be searched by it and the user contacted through that means.
- Breach notification: If at any time your website experiences a data breach, it must be communicated to your users, as a breach could put their rights and freedoms at risk. The most practical way to stay informed is to monitor your web server logs and web traffic.
- Check your WordPress plugins, themes, APIs and services: If any plugins, themes, APIs or services on your WordPress website collect or store personal data, make sure you use popular ones that are GDPR compliant.
- Appoint a DPO: If your website processes a large amount of personal data, appointing a Data Protection Officer (DPO) is definitely a good decision. The DPO is responsible for data protection activities and also ensures that the website follows the GDPR regulations.
🛡️Best WordPress GDPR Plugins:
Several plugins can help automate some aspects of GDPR compliance for you. However, no plugin can offer 100% compliance, due to the dynamic nature of different websites. These plugins simply assist website owners in complying with European privacy regulations (GDPR).
Stay informed and be wary of any WordPress plugin that claims to offer 100% GDPR compliance. Its authors do not know what they are talking about, and it is best to avoid such plugins completely.
Below is our list of recommended WordPress GDPR plugins:
This plugin will help you become GDPR compliant. It shows a notice with Accept and Reject options. The consent cookie value is initially set to ‘null’. If a user clicks ‘Accept’ the value becomes ‘yes’, and if they click ‘Reject’ it is set to ‘no’. Developers check this value before setting their own cookies. The admin can add cookie details from the backend.
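As an added example (not code from the original post or from the plugin described), here is how site or theme code can honour that tri-state consent value: only an explicit ‘yes’ allows a non-essential cookie to be set, and a withdrawn consent clears the ones already present. The cookie name cookie_consent is an assumption; substitute the name the plugin actually writes.

```javascript
// Added example (not from the original post or any named plugin). Gate
// non-essential cookies on a consent cookie whose value is null / "yes" / "no",
// as the consent plugin described above sets it.
// ASSUMPTION: the consent cookie is called "cookie_consent"; use the real name.
const CONSENT_COOKIE = 'cookie_consent';

// Parse a document.cookie-style string ("a=1; b=2") into a prototype-less map.
function parseCookies(cookieHeader) {
  const jar = Object.create(null);
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// Only an explicit "yes" counts as consent; "no", "null", an empty value
// or a missing cookie all mean the user has not consented.
function hasConsent(cookieHeader) {
  const value = parseCookies(cookieHeader)[CONSENT_COOKIE];
  return typeof value === 'string' && value.toLowerCase() === 'yes';
}

// Return the Set-Cookie string for a non-essential cookie, or null when there
// is no consent so that the caller sets nothing at all.
function nonEssentialCookie(cookieHeader, name, value, maxAgeSeconds) {
  if (!hasConsent(cookieHeader)) return null;
  return `${encodeURIComponent(name)}=${encodeURIComponent(value)}` +
    `; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// When consent is absent or withdrawn, list the expiry strings for any
// non-essential cookies that are still present, so they can be cleared.
function expireUnconsented(cookieHeader, nonEssentialNames) {
  if (hasConsent(cookieHeader)) return [];
  const jar = parseCookies(cookieHeader);
  return nonEssentialNames.filter(n => n in jar).map(n => `${n}=; Max-Age=0; Path=/`);
}

// Browser usage (essential cookies such as the session cookie bypass this gate):
//   const c = nonEssentialCookie(document.cookie, 'analytics_id', 'abc123', 86400);
//   if (c !== null) document.cookie = c;
//   expireUnconsented(document.cookie, ['analytics_id']).forEach(s => { document.cookie = s; });
```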
This plugin assists website owners in complying with the GDPR regulations. WP GDPR Compliance currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9) and WooCommerce (>= 2.5.0).
This plugin lets you automatically add share buttons to pages, posts, the blog page and product pages. You can also use the plugin as a widget. The share button automatically sends data to the users; they don’t need to click on the share button.
This plugin is designed to help you prepare your website for the GDPR regulations related to cookies, but there is no assurance that it will make your site 100% GDPR compliant. It is just a template and needs to be set up by your developer.
This plugin offers a customizable consent banner to handle user consent and lets users opt in to and out of categories. This is an easy way to let users withdraw or change their consent.
One of the best tools to make your website GDPR compliant. It lets users track, manage and withdraw consent. It is also developer-friendly: everything can be extended, and every feature and template can be overridden.
This plugin uses WordPress core tools for GDPR compliance and offers a few tools to handle user privacy requests. It lets website administrators display data request forms on the frontend and can be easily integrated.
This addon creates an additional section in the Easy Forms for MailChimp form builder. All MailChimp forms will have a checkbox above the submit button, accompanied by text you can customize, to confirm that the user consents to their data being submitted.
A plugin that offers the easiest way to make your Gravity Forms GDPR compliant. It adds new privacy features to Gravity Forms so that your users can download, submit or delete their form submissions themselves, without needing the site admin to do it for them.
A plugin that lets users enable or disable services that store or track their data. It also lets users remove their emails from MailChimp and their personal data from the WordPress site, and lets the admin delete particular data.
Reloaded version of the original Limit Login Attempts plugin for Login Protection by a team
assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.
WP GDPR –
Make your website GDPR compliant and automate the process of handling personal data while integrating.
📂GDPR Infographic (PDF)
By now you must be aware that GDPR is a big deal that is going to impact your entire WordPress website and any business with an online presence. If your website is not compliant, don’t panic. Keep your work going, work towards compliance and get it done asap! In general, not meeting the GDPR compliance guidelines can cost you heavily.
*Note: We are not lawyers. Nothing on this website should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance. When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.