If you run a WordPress website you should be aware of the General Data Protection Regulation (GDPR) and how it impacts you. If you don’t know about GDPR, you should take the time to become familiar with it soon. Failure to comply by the effective date could result in hefty fines and devastating consequences.
What Is GDPR?
The General Data Protection Regulation is a consumer protection measure passed by the EU and planned to go into effect on May 25, 2018. While the regulation is aimed at countries in the EU, it actually has a worldwide impact.
Consider how many visitors your website gets from countries other than your own. Chances are, if you are like most websites, you get visitors from the EU daily. The GDPR applies to any business collecting personal data from a citizen of the EU, even if you are based in the United States. This is why your website, no matter how small or big, must be compliant with GDPR, or you can face heavy fines and other penalties.
What Data Is Covered by GDPR?
GDPR covers a lot of different personal data. The official data points covered are:
- Health and genetic information
- Biometric data
- Racial, political, and sexual data
- Political information
- Basic personal information such as name and address
- Typical Web data, including location, IP address, and cookies
Most of the data points on the list probably don’t affect a typical website, at least at first. But pay close attention to the last two. Suddenly you may have a problem if you run a typical blog and/or website.
Is My Website Affected?
Do you have a contact form or chat box on your website? If so, Data Point 5 puts you in the middle of GDPR compliance. You will need to take action.
Now consider Point 6. Do you have a cookie warning popup on your website now? You may not set cookies directly yourself, but ads on your site probably do. Or do you use Google Analytics? If so, you are using cookies and tracking user interaction, country information, pages viewed, etc.
What Do I Need to Change on My Website?
As you might expect, the typical website will need to change or add several items to become compliant, and if you use WooCommerce or another eCommerce system you have additional changes that must be made. These include, but are not limited to:
- Terms and Conditions: You should also include a separate terms and conditions page.
- Current Forms: Any data collection, newsletter signup, or contact forms cannot have any prefilled data, including text fields and checkboxes.
- Comment Forms: Sadly these will also need a consent checkbox. The WordPress team is working now to incorporate some GDPR requirements into core – so stay tuned!
- eCommerce: You must add a checkbox specifically asking the customer if they consent to you storing and using their personal information to ship their order. The checkbox must be unchecked by default. You must state whether you will send or share the data with any third parties, which data specifically, and why (for example, shipping/postage companies and order packers need the customer’s name and address).
- Limit Collected Data: You will want to capture only the bare information needed to operate your website. Do not capture extra data for future use, as this is illegal. If you have any databases or spreadsheets with collected data, consider destroying them if they are not crucial to business operations. Collected data may be backed up, but the location must be recorded in a security audit log.
- Have a Security Breach Plan: Your data breach plan must be complete and include actionable items.
- Document Any Breaches: All data breaches will need to be recorded, including a list of preventive measures that were taken.
- Have a Clearly Defined Process for Personal Data Requests: You will need a process for users to request their personal data. This process should include some form of user verification. Be careful not to store additional personal data as part of this process. The request must be recorded in a data security log and must be responded to within 20 days.
- Pass the NDAs Around: Anyone that has access to your blog data will need to sign an NDA (non-disclosure agreement) to protect the information collected.
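As an added example (not code from the original post), the eCommerce item above implemented for WooCommerce: a consent checkbox that is unchecked by default, enforced on the server rather than only in the browser, and recorded on the order so consent can be shown later. The hook and function names are real WooCommerce/WordPress APIs; the field name gdpr_consent and the meta key are our own choices.

```php
<?php
// Added example: GDPR consent checkbox for WooCommerce checkout.
// The field name 'gdpr_consent' and the meta key '_gdpr_consent_given'
// are assumptions chosen for this example, not WooCommerce defaults.

// 1. Render the checkbox just above the "Place order" button.
add_action( 'woocommerce_review_order_before_submit', function () {
    woocommerce_form_field( 'gdpr_consent', array(
        'type'     => 'checkbox',
        'class'    => array( 'form-row' ),
        'label'    => 'I consent to my name and address being stored and shared with our shipping carrier so that my order can be delivered.',
        'required' => true,
    ), false ); // false = unchecked by default, as the checklist requires
} );

// 2. Reject the order server-side if the box was not ticked.
//    The browser-side "required" attribute alone can be bypassed.
add_action( 'woocommerce_checkout_process', function () {
    if ( empty( $_POST['gdpr_consent'] ) ) {
        wc_add_notice( 'You must consent to our processing your details before placing the order.', 'error' );
    }
} );

// 3. Record when consent was given on the order itself, as evidence for a
//    data audit or a later personal-data request.
add_action( 'woocommerce_checkout_create_order', function ( $order, $data ) {
    if ( ! empty( $_POST['gdpr_consent'] ) ) {
        // UTC timestamp; the order is saved by WooCommerce after this hook.
        $order->update_meta_data( '_gdpr_consent_given', current_time( 'mysql', true ) );
    }
}, 10, 2 );
```

Place this in a small site plugin or the theme’s functions.php; the stored meta value is what you would show if a customer later asks what you hold about them and why.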
What Else Changes?
GDPR compliance affects both the website and actions taken with the information collected. There are a few things you will need to stop doing as of the compliance date. These include:
- You cannot send unsolicited emails ever again.
- You cannot send emails from abandoned shopping carts or deal sites unless the user has specifically opted in for the service.
- You cannot send unsolicited text messages.
You must strive for complete data transparency as well. To that end, if a user asks for their data that you may have collected, you have to gather it and give it to them. This could be difficult when it comes to web data.
Some websites may require more work to become compliant. This is especially true for those that have forums, order forms, or chat popups.
As you can see, complying with the GDPR measures can involve a complicated series of tasks. It is impossible to cover everything in one blog post or to address each site’s individual needs. If you find it daunting, contact your webmaster or contact us to see how we can help your website become GDPR compliant.