How to Make your WordPress Website GDPR Compliant

What’s GDPR?

The GDPR, short for General Data Protection Regulation, is a European Union law that aims to give EU citizens control over their data. It took effect on 25th May 2018 and gives EU citizens much better control over the way their personal data is collected, stored, or used online.

Does GDPR affect my WordPress website?

You might be wondering: am I subject to the GDPR if my business is not in the European Union? The answer is yes, you can be affected.

Although the GDPR targets businesses in the European Union, it also applies to website owners or developers outside the EU who track, collect, store, or use any personal data of a European Union citizen.

What happens if I don’t comply?

After 25th May 2018, businesses that have not complied with the GDPR requirements face a fine of up to 4% of their annual company revenue. Enforcement starts with a warning, then a reprimand, then the suspension of data processing, and only if you continue violating the regulation are the fines imposed. While this is mainly targeted at huge businesses such as Facebook and Amazon, it is always safer to obey the rules.

GDPR requirements

The main aim of the GDPR is to protect users’ personally identifiable information, such as name, email, phone number, IP address, physical address, photo, health status, online behavior, etc., and to hold businesses accountable for the way they track, store, or use this data. To achieve this, businesses are required to meet the following requirements:

1. Explicit consent

As a business, if you intend to collect data from a European Union citizen, you must obtain permission to do so in a clear and transparent manner.

This requires that you seek a positive opt-in: for example, explaining clearly what you are going to use the data for, not pre-ticking checkboxes, and keeping the consent separate from other terms and conditions. The following picture shows an instance where the explicit consent of the user is sought.

[Image: Explicit consent in GDPR]

Also, you cannot just send emails to people simply because they submitted their data in your contact form; remember that they did not opt into your newsletter by just signing up.

2. Rights over their data

To collect personal data from users, you must explain to them why you need the data and how and where it will be stored and used. The user also has the right to download their data, opt out at any time, and have their data deleted.

3. Data protection officer

An organization processing large amounts of personal data is required to appoint a data protection officer, whose responsibility is to advise the company on GDPR compliance. However, this is not a requirement for small businesses. Consult your attorney if you are in doubt.

4. Data breach notification

In case of a data breach, the organization is required to notify the relevant authorities within 72 hours, unless the breach does not pose any risk to personal data. If it does pose a risk, the organization should also notify the affected individuals. This is meant to prevent cover-ups.

5. Regular training and awareness

Organizations should train employees on the GDPR requirements, their responsibility towards the protection of personal data, and how to identify any cases of data breaches.

6. Personal data transfers

If the personal data is processed by a third party, the data controller remains responsible for protecting the data and ensuring the GDPR requirements are observed.

7. Limitation of collection, storage, and usage of data

Organizations are required to limit the collection, storage, and processing of personal data. They should only collect the data that is necessary, use it for the intended purpose, and not keep it once the processing is complete. This ensures that no personal data beyond what is necessary is requested, that it is used for a legitimate purpose, and that it is deleted once that purpose has been fulfilled.

8. Assessment of new actions on personal data

A data protection impact assessment should be conducted whenever there is a change in an organization, for example a new project, product, or process, or a change in the way personal data is processed. This is meant to weigh the effect of the change on the personal data.

Users’ rights under GDPR

Under the GDPR, users (or any individual, even before signing up) have a number of rights, which include:

Right to information

The owner of personal data has the right to be informed on why the data is being collected and how it is being collected and used.

Right to access their data

The individual has the right to access and download their data from the website free of charge.

Right to data rectification

The individual has the right to have their personal data corrected if they feel it is inaccurate, or completed if it is incomplete.

Right to be forgotten

The user has the right to opt out and have their data erased.

Right to processing restriction

An individual has the power to suppress the processing of their personal data anytime.

Right to data breach notification

In case of a data breach, an individual has the right to be informed by the website owner within 72 hours from the time it occurred.

Right to object

An individual has the power to forbid the use of their personal data for marketing or any other purpose.

Rights related to automated decision making

The user cannot be subject to a decision made without human involvement.

How to make your WordPress website GDPR-compliant?

Having seen why the GDPR is crucial, it is now time to dive into the practical steps. To make your website GDPR compliant, you need to consider the following:

1. Transparency in the collection, processing, and usage of personal data

If you are collecting any personal data (email, country, city, phone number, gender, etc.) from your website, you need to tell your users the following:

  • Who you are
  • What personal data you collect
  • Why you are collecting the data
  • Where and how long the personal data will be stored
  • How you are going to use their data
  • How the personal data will be made secure

2. Themes and plugins

As a website owner, you are responsible for how a theme, plugin, or any other third-party software collects personal data from your website. While many well-known themes and plugins are GDPR compliant, you should still audit the theme and plugins you are using to make sure they comply with the GDPR requirements.

These are some of the plugins you might be using that need to be addressed:

Google Analytics

Like most website owners, you might be using the Google Analytics plugin (or a manual install of the Analytics tracking code) to collect website statistics. This collects various personal data, e.g. IP address, cookies, browsing behavior, etc. For your website to be GDPR compliant, you are required to:

  • Anonymize personal data before processing or storage
  • Give users a cookie notice before any form of tracking is done

These can be a bit challenging to implement if you are just pasting the code from Google Analytics into your website. But if you are using the MonsterInsights plugin, it is easier, as they have released an EU Compliance add-on that automates the process.
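For anyone who pastes the tracking code by hand, the following is an added example (not the article’s code) of a small site-specific WordPress plugin that prints the Analytics tag only after the visitor has opted in and with IP anonymisation switched on. The cookie name "ga_consent", its value "granted", and the GA_MEASUREMENT_ID placeholder are all assumptions; your cookie notice would set that cookie when the visitor accepts.

```php
<?php
// Added example (not the article's code): load the Google Analytics tag only
// after the visitor has opted in, and with IP anonymisation turned on.
// Assumptions (all hypothetical): your cookie notice sets a cookie named
// "ga_consent" to "granted" when analytics is accepted, and GA_MEASUREMENT_ID
// is replaced with your own property ID. Put it in a site-specific plugin.

const GA_MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder, use your own ID

function example_analytics_consent_granted(): bool {
    if ( ! isset( $_COOKIE['ga_consent'] ) ) {
        return false; // no cookie at all means no consent, never a default "yes"
    }
    return sanitize_text_field( wp_unslash( $_COOKIE['ga_consent'] ) ) === 'granted';
}

function example_print_consent_gated_analytics(): void {
    if ( ! example_analytics_consent_granted() ) {
        return; // nothing is printed, so no GA script runs and no cookie is set
    }
    ?>
    <script async src="https://www.googletagmanager.com/gtag/js?id=<?php echo esc_attr( GA_MEASUREMENT_ID ); ?>"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag() { dataLayer.push(arguments); }
      gtag('js', new Date());
      // anonymize_ip truncates the IP before storage on Universal Analytics
      // properties; GA4 properties anonymise IPs by default and ignore it.
      gtag('config', '<?php echo esc_js( GA_MEASUREMENT_ID ); ?>', { 'anonymize_ip': true });
    </script>
    <?php
}
add_action( 'wp_head', 'example_print_consent_gated_analytics' );
```

One caveat: a full-page caching plugin serves the same HTML to every visitor, so a server-side cookie check like this one is bypassed; on cached sites the gating has to happen in the browser instead.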

Contact forms

For your website forms to be GDPR compliant, you should implement the following measures:

  • Seek explicit consent from users to collect and store their personal data
  • Seek explicit consent from users if you use their data for marketing purposes, e.g. in an email newsletter
  • Comply with data deletion requests from users
  • Disable cookie, IP, and user-agent tracking for forms

Some WordPress plugins, e.g. WPForms, Contact Form 7, and Ninja Forms, do not store form data on their own servers and so do not require you to have a data processing agreement. They store the form data in your WordPress database instead. You just need to add a required consent checkbox to your form and explain what it is for.

You can try using the WPForms contact form plugin as it has added various GDPR improvements that make it easy to add a GDPR consent field and disable user IP and cookie collection.

Email marketing forms

If you collect user data from email marketing forms, just like the contact forms, you need to seek explicit consent from the user through the following:

  • A required consent checkbox that the user must tick before opting in
  • A double opt-in: when a user signs up for an email marketing list, an email is sent to the user with a link they must click to confirm the subscription

[Image: Opting in for a newsletter - GDPR compliance]

WooCommerce

This is probably the most popular eCommerce plugin for WordPress. In case you are using it, please go through this GDPR compliance guide from the WooCommerce team.

Useful GDPR plugins

Though no plugin can assure 100% compliance, the following plugins can help you with the automation of the GDPR compliance process.

MonsterInsights – With the EU compliance add-on, it is easy to automate the process without much struggle.

WPForms – It has various GDPR improvements that make it easier for you to add a GDPR consent field, disable user cookie and IP collection, and disable entries.

Delete Me – It allows users to delete their profiles on your site.

Cookie Notice for GDPR & CCPA – This plugin enables you to easily add the EU cookie notice on your website.

3. Request the user’s explicit consent

The GDPR standards require that the users be actively involved in the collection of personal data on your website. This means that the use of pre-checked consent checkboxes is not allowed and will be taken as a breach.

[Image: Requesting explicit consent for GDPR]
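Since a pre-checked box (or a browser that was tampered with) can never count as consent, the check belongs on the server. The following is an added example, not the article’s code or any plugin’s, of a form handler for a custom WordPress contact form that covers the contact-form measures above: it rejects submissions without an affirmative tick, records when and to which policy version consent was given, and stores no IP address, user agent, or cookie. The field names, the "example_contact" action, and the "example_contact_entry" post type are hypothetical; the post type is assumed to be registered elsewhere.

```php
<?php
// Added example (not the article's or any plugin's code): server-side handler
// for a custom contact form. The checkbox must be rendered unchecked in the
// HTML; this code only accepts the exact value "yes" submitted by the visitor.
// Field names, the action name and the post type are hypothetical.

const EXAMPLE_PRIVACY_POLICY_VERSION = '2018-05-25'; // bump when the policy text changes

function example_handle_contact_submission(): void {
    // Nonce check defends the endpoint against cross-site request forgery.
    $nonce = isset( $_POST['example_contact_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['example_contact_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_contact' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // Explicit consent: an absent or unticked box is a refusal, never a default.
    $consent = isset( $_POST['gdpr_consent'] ) && $_POST['gdpr_consent'] === 'yes';
    if ( ! $consent ) {
        wp_die( 'We cannot process your message without your consent.', '', array( 'response' => 400 ) );
    }

    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( ! is_email( $email ) || $message === '' ) {
        wp_die( 'Please provide a valid e-mail address and a message.', '', array( 'response' => 400 ) );
    }

    // Store only what the purpose needs: no IP address, no user agent, no cookies.
    // The consent record (what was agreed to, and when) is what you can show on request.
    wp_insert_post( array(
        'post_type'    => 'example_contact_entry', // hypothetical custom post type
        'post_status'  => 'private',
        'post_title'   => $email,
        'post_content' => $message,
        'meta_input'   => array(
            'consent_given'   => 1,
            'consent_time'    => current_time( 'mysql', true ), // UTC timestamp
            'consent_version' => EXAMPLE_PRIVACY_POLICY_VERSION,
        ),
    ) );

    wp_safe_redirect( add_query_arg( 'sent', '1', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
}
// admin-post.php routes the form's "action=example_contact" field to this handler
// for both logged-out (nopriv) and logged-in visitors.
add_action( 'admin_post_nopriv_example_contact', 'example_handle_contact_submission' );
add_action( 'admin_post_example_contact', 'example_handle_contact_submission' );
```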

4. Visitors’ rights over data access and erasure

As a website owner, you are required to tell your users what personal data you collect and to delete their data after the intended purpose is completed. Also, the users should have the power to opt-out anytime e.g. by unsubscribing.

5. Cookie tracking notice

You should let your website visitors know that your website uses cookies and trackers that process personal data, and allow them to decide whether they want their personal data processed or not. Example below.

[Image: Cookie tracking notification]

If you are not sure how to display cookie notices on your website, you can use a plugin such as the GDPR Cookie Consent Plugin to implement this. The plugin is an excellent all-in-one and easy-to-use solution for anyone looking to display a cookie notice on their website. The best part is you can set it up in under 2 minutes and

6. Data sharing permission

The data you collect from your website is mostly used to offer a better experience on the website, not to share with any third parties. If you need to use users’ personal data for any other purpose, such as email campaigns, make sure to seek their permission first.

7. Acquire an SSL certificate

This ensures encryption of user data between their browser and your server, protecting sensitive personal information such as credit card numbers. SSL certificates have never been easier to get: if you have cPanel hosting, it is most probably integrated with Let’s Encrypt or CloudFlare, so you can get your site secured in a matter of seconds. Just make sure to redirect all traffic from HTTP to HTTPS.

8. Firewall installation

A firewall protects your website against cyber-attacks and hence keeps the users’ data secure. To achieve this, you can use firewall plugins like Wordfence Security, All In One WP Security & Firewall, or any other plugin for that purpose.

9. Robust login system

To avoid cyber-attacks and theft of personal data, you need to consider having a strong and secure login system.

This can be achieved through two-factor authentication, which is more secure than just a username and password. You can use a two-factor authentication plugin to achieve this.

10. Hosting provider compliance

Ensure that your hosting provider has adequate security measures in place and offers a data processing agreement that explains how the data stored on their systems is handled.

11. Privacy policy page

You should have a privacy policy page to inform the users about the following:

  • The type of data you collect
  • Why you collect the data
  • How you store and use the data
  • How they can obtain a copy of their personal information you store
  • How they can have their data erased in case they need to

A privacy policy setting has been added in recent WordPress versions to let you easily create and display the privacy policy page.

[Image: Privacy settings in WP]

12. Remote backups

You need remote backups to restore your website in case the server goes down. Also make sure the backup itself is secure.

13. Use of a GDPR compliance plugin

You can install a GDPR plugin, e.g. GDPR or WP GDPR Compliance, which helps you meet most of the GDPR requirements, for example:

  • Management of cookies
  • Getting a user’s explicit consent to the privacy policy when they register on your website
  • Handling of data erasure requests
  • Data breach notifications
  • Record keeping of all personal data sent from plugins to third-party sites
  • Seeking renewed privacy policy consent when you make changes to your privacy policy
  • Handling your users’ requests to access or transfer their data
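Erasure and access requests (items 4 and 13) do not need a third-party plugin for data your own code stores: WordPress has shipped privacy tools since 4.9.6 (Tools > Export Personal Data / Erase Personal Data), and any plugin can hook its records into them. The following is an added example, not the article’s or any plugin’s code, that registers an exporter and an eraser for contact entries stored as a hypothetical custom post type "example_contact_entry" whose title is the submitter’s e-mail and which carries a "consent_time" meta value.

```php
<?php
// Added example (not the article's or any plugin's code): register an exporter
// and an eraser with WordPress's built-in privacy tools so that access and
// erasure requests also cover this plugin's own records. The post type,
// its title convention and the "consent_time" meta key are hypothetical.
const EXAMPLE_PRIVACY_PAGE_SIZE = 50;

function example_entry_ids_for_email( string $email, int $page ): array {
    return get_posts( array(
        'post_type' => 'example_contact_entry', 'post_status' => array( 'publish', 'private' ),
        'title' => $email, 'fields' => 'ids', 'posts_per_page' => EXAMPLE_PRIVACY_PAGE_SIZE, 'paged' => $page,
    ) );
}

function example_export_contact_entries( string $email, int $page = 1 ): array {
    $items = array();
    $ids   = example_entry_ids_for_email( $email, $page );
    foreach ( $ids as $id ) {
        $items[] = array(
            'group_id'    => 'example-contact-entries',
            'group_label' => 'Contact form messages',
            'item_id'     => 'example-contact-entry-' . $id,
            'data'        => array(
                array( 'name' => 'Message', 'value' => get_post_field( 'post_content', $id ) ),
                array( 'name' => 'Consent given at', 'value' => get_post_meta( $id, 'consent_time', true ) ),
            ),
        );
    }
    // WordPress keeps calling with page + 1 until 'done' is true.
    return array( 'data' => $items, 'done' => count( $ids ) < EXAMPLE_PRIVACY_PAGE_SIZE );
}

function example_erase_contact_entries( string $email, int $page = 1 ): array {
    // Always fetch page 1: deleting shifts later pages, so paging would skip rows.
    $ids = example_entry_ids_for_email( $email, 1 );
    foreach ( $ids as $id ) {
        wp_delete_post( $id, true ); // true = skip the trash, delete for good
    }
    return array( 'items_removed' => ! empty( $ids ), 'items_retained' => false,
                  'messages' => array(), 'done' => count( $ids ) < EXAMPLE_PRIVACY_PAGE_SIZE );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( array $exporters ): array {
    $exporters['example-contact'] = array( 'exporter_friendly_name' => 'Contact form entries', 'callback' => 'example_export_contact_entries' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( array $erasers ): array {
    $erasers['example-contact'] = array( 'eraser_friendly_name' => 'Contact form entries', 'callback' => 'example_erase_contact_entries' );
    return $erasers;
} );
```

Once a request is confirmed from the admin screen, WordPress calls every registered exporter or eraser with the requester’s e-mail, so the contact entries end up in the same export archive and erasure report as the core user data.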

Conclusion

GDPR compliance is not there to punish you but to secure the users’ data and offer a safer and better online experience.

With data breaches being so common nowadays, these standards really come in handy. It is necessary that you comply with them to safeguard yourself and your users, and we hope that this article gave you enough information to understand what GDPR compliance is and to make your WordPress website GDPR compliant.

Please note that this blog post is not a replacement for legal advice; you should always consult your lawyer or the law firm you work with to ensure that everything you do on your WordPress site is GDPR compliant.
