On May 25, 2018, a year ago from today, the GDPR came into force, regulating the processing of EU citizens' personal data.
GDPR stands for General Data Protection Regulation. The new regulations should increase the level of data protection and provide citizens of the European Union more control over their data.
If your company website collects information about visitors and users, knowing and complying with the new GDPR requirements is a must. Ignorance and non-compliance lead to large fines, up to €20 million, which you most likely would not want to pay…
What are the main principles of GDPR, and why are the new regulations so vital for website owners? How do you make sure your WordPress website is GDPR compliant? And most importantly, what happens if you keep ignoring them?
In this article, we will interpret the GDPR regulations from the angle most useful to website owners, and not only those working directly with EU citizens. Finally, we will give you practical advice on how to make your WordPress site GDPR compliant.
Personal data stands for any information that helps to identify a specific individual. In the GDPR definition, personal data is information provided both for a particular web resource (first and last name, gender, email or phone), or automatically collected one. The latter kind of information may be the user’s location, device (including IP address), operating system, etc.
In addition, there is one more kind of personal data collected by Internet resources: how many pages a particular user has viewed, what queries they searched for, which posts on social media they liked or commented on, etc. Such information helps to determine the user's interests, as well as their social status, religious beliefs, or political views.
Payment information can be classified as a special group of personal data. All of the above is now protected by GDPR.
GDPR (General Data Protection Regulation) consists of 99 articles aimed to govern the relationship between those who provide their personal data (EU citizens) and those who collect, process, and utilize this data in their activity (Internet services, web resources, commercial and non-profit companies, organizations).
Accordingly, GDPR protects any information about a person that identifies one in some aspect, either gender, age, place of residence, or mental, cultural, economic, and social identity.
Before moving further, let's clarify the two new terms introduced by the GDPR: data controllers and data processors.
Data controllers are the companies or organizations that collect user data. Data processors are companies that process it on behalf of controllers. Controllers carry the most responsibility and make agreements with the processors on the observance of the GDPR rules when processing the data that controllers transmit to them.
GDPR has extraterritorial reach. The new rules apply to everyone who works with data of EU residents. It does not matter whether you have branches in Europe, where the company was registered, or where it processes user data.
If at least one of your customers has EU citizenship, your company has no choice but to comply with the GDPR regulations. The document currently covers 28 countries and still includes Great Britain until their full Brexit.
The unified business data regulations should:
GDPR is based on 8 main principles documented in the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data back in 1980. In GDPR, they've been rephrased into 7 main points. So, personal data shall be:
Besides, the controller is obliged to state the purpose of collecting personal data to users in a simple and accessible manner. In addition, users should have easy access to information about the data already collected about them. The information must be accurate, protected, and stored for a limited time only. Finally, the controller shall not collect extra information about the user, only what is needed to provide a better service.
In accordance with GDPR, the EU citizens have the right to either agree with the data collection, or reject, delete, and control which of their personal data is processed by their visited websites.
In general, these regulations give users more freedom and control over the information they share with companies. Let's go over these rights one more time:
Ignoring GDPR may have bad consequences. Even the smallest American company that works for a local market but owns a website can't be 100% sure none of its visitors will be an EU citizen.
After all, it makes sense to check your customer base again, and then decide on further actions.
For example, 6 months after the release of the guidelines, PwC surveyed 200 CEOs of large US companies to find out the real impact of GDPR on their business. The results made it clear that most firms took the GDPR regulations very seriously and even made data protection their top priority.
76% of respondents even had a plan to spend at least $1 million on GDPR the following year. Meanwhile, 54% of respondents plan to de-identify European personal data to reduce GDPR risk exposure.
The biggest change to happen in your company after the implementation of GDPR won’t be about getting used to the new rules and policies. It’s rather about a revision of the company’s attitude to personal data and its protection.
Ignorance of the GDPR principles leads to large fines of €10-20 million or 2 to 4% of the company's annual turnover.
1. Let Users Know You Want to Use Their Personal Data
As a company that works with someone's personal data, you have to be 100% transparent with all users coming to your website. People want to know which information (even if it's only cookies) you are about to collect and why you actually collect it.
Providing this information is easy. Just use pop-up messages or banners at the top or bottom of your page to inform users from the first second they visit your website.
2. Give Clear Description
A clear, easy-to-read explanation is the key to getting your customers to consent to your website terms.
For instance, you can expand your consent form and make it more detailed. Before a person clicks the "I agree to the Terms & Conditions" checkbox, make sure they know which personal data will be processed based on their consent.
For better comprehension, you may even use separate consent forms as pop-up messages for various types of personal information (one for email, address, and phone; another for location, etc.).
3. Follow the GDPR Requirements
GDPR sets new requirements for the pop-up forms through which users give (or refuse) consent to their data processing.
From now on, this form must comply with common standards. For example, pre-ticked checkboxes are no longer allowed. In addition, each user must have easy access to instructions on how to withdraw consent for data processing.
4. Use Double Opt-In
Although the new regulations say nothing about double opt-in (a subscription confirmation), I highly recommend you use it.
You have probably received emails asking you to confirm your address after you left it on someone's site. To confirm your consent to receive messages from a resource, you had to follow a temporarily active link from the email.
In fact, the double opt-in technique improves the quality of your client base, which helps to avoid spam complaints or a high bounce rate.
Double opt-in is mainly useful for new users. So if you want to collect additional data about existing customers, you won't need to repeat this step multiple times.
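The "temporarily active link" described above needs a confirmation token that cannot be forged, expires, and works only once. Here is an added example of such a flow (not code from the original post); the secret, TTL and in-memory `Subscriptions` store are assumptions for the demo.

```python
import hmac, hashlib, time, secrets, base64, json

# Constructed demo secret; in production load it from configuration, never from source.
SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL = 24 * 3600  # confirmation link stays valid for 24 hours

def _sign(payload: str) -> str:
    """HMAC-SHA256 over the encoded payload so the link cannot be forged or altered."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def make_confirmation_token(email: str, now=None) -> str:
    """Build an expiring token (payload.signature) to embed in the confirmation link."""
    now = time.time() if now is None else now
    body = json.dumps({"email": email, "exp": int(now + TOKEN_TTL),
                       "nonce": secrets.token_hex(8)}, separators=(",", ":"))
    payload = base64.urlsafe_b64encode(body.encode()).decode().rstrip("=")
    return f"{payload}.{_sign(payload)}"

class Subscriptions:
    """Hypothetical store: an address is only 'confirmed' after the link is followed."""
    def __init__(self):
        self.pending = {}    # email -> outstanding token (one at a time)
        self.confirmed = {}  # email -> confirmation metadata

    def request(self, email: str, now=None) -> str:
        token = make_confirmation_token(email, now)
        self.pending[email] = token
        return token  # this is what goes into the email link

    def confirm(self, token: str, now=None):
        """Validate the link: well-formed, authentic, unexpired, and still pending (single use)."""
        now = time.time() if now is None else now
        try:
            payload, sig = token.split(".")
        except ValueError:
            return False, "malformed"
        if not hmac.compare_digest(_sign(payload), sig):  # constant-time compare
            return False, "bad signature"
        data = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
        if now > data["exp"]:
            return False, "expired"
        email = data["email"]
        if self.pending.get(email) != token:  # already used, superseded, or never issued
            return False, "no pending request"
        del self.pending[email]
        self.confirmed[email] = {"confirmed_at": int(now)}
        return True, "confirmed"
```

Only addresses in `confirmed` should ever receive marketing mail; a reused or tampered link is rejected before any state changes.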
5. Delete Personal Data On Demand
6. Inform If Data is Lost
Once you have the user data, you’re 100% responsible for its safety.
If data is stolen as a result of hacker attacks, the info is leaked, or you lose it in some other way, you must inform users of the matter within 5 days!
7. Remember About “Old” Users
If you already have a substantial client base (some of the old clients might not even visit your website anymore), it's a good idea to share the new data regulations via email. This way, you can easily request their consent to the new GDPR rules.
Whew, guess it was a long way down to finally get to our major question =)
If your company runs its business on a WordPress site, you have probably wondered how to make it GDPR compliant. First things first, let's figure out what a standard WP website may use to collect user data:
1. Breach Notification
According to GDPR rules, if your website experiences some kind of data breach, users must be informed about it. Data breaches can result in any sort of data loss, which may consequently violate individual rights and freedoms.
This means you must notify users as soon as possible. The GDPR says the notification must be sent to users within 72 hours after the breach is discovered. Apart from users, data processors should notify data controllers as soon as they are aware of the data breach.
When it comes to a WordPress website, you may wonder which of your website visitors are actually considered "users". After all, it can mean registered users, commenters, or those who once filled in a contact form.
2. Data Collection, Processing & Storage
The three terms correspond to the following three elements: Right to Access, Right to Be Forgotten and Data Portability.
For WP website owners, this means you'll have to do a little more work than before. In the 7 steps above, I advised you to publish your data policy down to the tiniest detail.
After you complete and publish the policy, make sure you are ready to provide users with a copy of their data, as some of them may request it now or later. This can be a daunting and one of the most difficult procedures to accomplish, but it's a rule you can't ignore.
It's also highly recommended to have a system in place to extract a user's data from your database.
Finally, it's a good idea to split data storage by kind rather than keeping everything in one place.
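To make the Right to Access, Data Portability and Right to Be Forgotten steps concrete, here is an added example (not code from the original post) of a small subject-request handler over stores that are already split by kind, as recommended above. The sample records, store names and email-based matching (so commenters and contact-form senders without an account are covered too) are constructed assumptions.

```python
import json

# Constructed sample stores, one per kind of data. Commenters and form senders
# have no account row, so every store is matched on the email address.
ACCOUNTS = [{"email": "jane@example.com", "name": "Jane Doe", "role": "subscriber"}]
COMMENTS = [{"email": "jane@example.com", "post": "gdpr-guide", "text": "Great article"},
            {"email": "bob@example.com", "post": "gdpr-guide", "text": "Thanks"}]
FORM_SUBMISSIONS = [{"email": "bob@example.com", "form": "contact", "phone": "+1-555-0100"}]
STORES = {"account": ACCOUNTS, "comments": COMMENTS, "form_submissions": FORM_SUBMISSIONS}

def _matches(record: dict, email: str) -> bool:
    """Case-insensitive match on the email field; a missing field never matches."""
    return record.get("email", "").lower() == email.lower()

def export_user_data(email: str) -> dict:
    """Right to Access / Data Portability: gather every record tied to the
    address, grouped by store, so the user gets one complete copy."""
    bundle = {"subject": email.lower()}
    for kind, store in STORES.items():
        hits = [dict(r) for r in store if _matches(r, email)]
        if hits:
            bundle[kind] = hits
    return bundle

def export_user_data_json(email: str) -> str:
    """Machine-readable form of the export, suitable to hand to the user."""
    return json.dumps(export_user_data(email), indent=2, sort_keys=True)

def erase_user_data(email: str) -> dict:
    """Right to Be Forgotten: delete matching records in place in every store
    and return a per-store count so the erasure can be logged and verified."""
    report = {}
    for kind, store in STORES.items():
        keep = [r for r in store if not _matches(r, email)]
        removed = len(store) - len(keep)
        if removed:
            store[:] = keep  # mutate in place so STORES keeps pointing at the same list
            report[kind] = removed
    return report
```

A second call to `erase_user_data` for the same address returns an empty report, which is the check that nothing was left behind.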
3. Use of Plugins
Since most of the current WordPress plugins work with user data as well, they also must comply with the GDPR rules in a certain way. As a WP website owner, you can spend a lot of time figuring out which of your installed plugins are GDPR compliant and which are not.
According to the regulations, each plugin must establish a clear data flow with the WP website and always inform about its data processing.
Most likely, the majority of popular and well-known WordPress plugins have already updated their data policies, so you can use them without fear of violating GDPR.
Ionut Neagu, CEO of ThemeIsle, gives a short comment on this matter:
GDPR looks like a really big change that we should all treat very seriously and look for solutions. If there’s one thing we learned from VAT, it’s that the EU is quite serious about those things. They keep introducing more and more regulations and then put new mechanisms in place to enforce them. Those 4% fines aren’t looking good.
It's not only WP plugins that will have to change their data policy, though. A lot of digital marketing tools that you can integrate with your WordPress website will need to adjust, for instance, email marketing tools that send automated emails to all the recipients on a list.
No matter how you run your email marketing campaigns, one thing is clear: the owners of the email addresses on your list must give their consent under the new GDPR data regulations.
Moreover, you are not allowed to buy a mailing list from a third party, because sending emails to addresses without their owners' consent is considered illegal.
Otherwise, you can be in real trouble =(
Wish you to stay out of trouble and always abide by the law!