
Why is GDPR Vital for Your WordPress Website? 7 Important Steps to Take Right Now


On May 25, 2018, almost a year ago, the GDPR came into force. It regulates how the personal data of EU citizens may be processed.

GDPR stands for General Data Protection Regulation. The new regulation is meant to raise the level of data protection and give citizens of the European Union more control over their data.

If your company website collects information about visitors and users, knowing and complying with the new GDPR requirements is a must. Ignorance and non-compliance lead to large fines, up to €20 million, which you most likely would not want to pay…

What are the main principles of GDPR, and why is the new regulation so vital for website owners? How do you make sure your WordPress website is GDPR compliant? And most importantly, what happens if you keep ignoring it?

In this article, we will interpret the GDPR regulation from the angle that is most useful to website owners, and not only those working directly with EU citizens. Finally, we will give you practical advice on how to make your WordPress site GDPR compliant.



What is GDPR and What Does It Protect?

Personal data means any information that helps to identify a specific individual. Under the GDPR definition, personal data covers both information a user provides to a particular web resource (first and last name, gender, email or phone) and information that is collected automatically. The latter kind includes the user’s location, device (including IP address), operating system, etc.

In addition, there is one more kind of personal data collected by Internet resources: how many pages a particular user has viewed, what queries they searched for, which posts on social media they liked or commented on, etc. Such information helps to determine the user’s interests, as well as their social status, religious beliefs, or political views.

Payment information can be classified as a special group of personal data. It, along with all the information above, is from now on protected by GDPR.

GDPR (General Data Protection Regulation) consists of 99 articles that govern the relationship between those who provide their personal data (EU citizens) and those who collect, process, and use this data in their activity (Internet services, web resources, commercial and non-profit companies, organizations).

The full text of the GDPR regulation is publicly available if you want to read it.

Accordingly, GDPR protects any information about a person that identifies them in some respect, whether gender, age, place of residence, or mental, cultural, economic, and social identity.

New terms: Data Controller & Data Processor

Before moving further, let's clarify the new terms introduced by the GDPR regulation: data controller and data processor.

Data controllers are companies or organizations that collect user data. Data processors are companies that process that data on behalf of controllers. Controllers carry the most responsibility and make agreements with processors on observing the GDPR rules when processing the data that controllers transmit to them.


Whom Does GDPR Concern?

GDPR has an extraterritorial effect. The new rules apply to everyone who works with the data of EU residents. It does not matter whether you have branches in Europe, where the company was registered, or where it processes user data.

If at least one of your customers is an EU citizen, your company has no choice but to comply with the GDPR regulation. The document currently covers 28 countries and still includes Great Britain until Brexit is complete.

The unified business data regulations should:


GDPR Principles & Requirements

GDPR is based on the 8 main principles documented in the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data back in 1980. In GDPR, they have been rephrased into 7 main points.

So, personal data shall be:
  1. Processed legally, fairly and in a transparent manner;
  2. Collected for specified, explicit and legitimate purposes - and not for further processing;
  3. Adequate, relevant and limited to what is necessary;
  4. Precise, accurate, and relevant;
  5. Kept for no longer than is necessary for the purposes for which the personal data are processed;
  6. Kept confidential and processed in a manner that ensures appropriate security of the personal data;
  7. Finally, the data controller should be ready to demonstrate its compliance at any time it is requested.

Besides, the controller is obliged to state the purpose of collecting personal data to users in a simple and accessible manner. In addition, users should have easy access to information about the data already collected about them. The information must be accurate, protected, and stored for a limited time only. Finally, the controller shall not collect extra information about the user, only what it needs to provide its service better.




What Are the User Rights?

Under GDPR, EU citizens have the right to agree to data collection or to reject it, to have their data deleted, and to control which of their personal data is processed by the websites they visit.

In general, these regulations give users more freedom and control over the information they share with companies.

Let’s go over these rights one more time:

Why Do I Have to Know It?

If everyone keeps ignoring GDPR, it may have bad consequences. Even the smallest American company that serves a local market but owns a website can’t be 100% sure none of its visitors is an EU citizen.

After all, it makes sense to check your customer base again and then decide on further actions.

For example, 6 months after the release of the guidelines, PwC surveyed 200 CEOs of large US companies to find out the real impact of GDPR on their business. The results made it clear that most firms took the GDPR regulation very seriously and even made data protection their top priority.

76% of respondents even planned to spend at least $1 million on GDPR the following year. Meanwhile, 54% of respondents planned to de-identify European personal data to reduce their GDPR risk exposure.


How Will GDPR Regulations Affect the Company’s Work?

The biggest change to happen in your company after the implementation of GDPR won’t be about getting used to the new rules and policies. It’s rather about a revision of the company’s attitude to personal data and its protection.


What If I Neglect the Rules?

Ignoring the GDPR principles leads to large fines of €10-20 million or 2 to 4% of the company's annual turnover.


7 Steps to Make Your Website GDPR Compliant

1. Let Users Know You Want to Use Their Personal Data

As a company that works with someone’s personal data, you have to be 100% transparent with all users coming to your website. People want to know which information (even if it’s only cookies) you are about to collect and why you actually do it.

Providing this information is easy. Just use pop-up messages or banners at the top or bottom of your page to inform users from the first second they visit your website.

2. Give Clear Description

A clear, easy-to-read explanation is the key to getting your customers to consent to your website terms.

For instance, you can expand your consent form and make it more detailed. Before a person clicks the “I agree to the Terms & Conditions” checkbox, make sure they know which personal data will be processed based on their consent.

For better user comprehension, you may even use separate consent pop-ups for different types of personal information (one for email, address, and phone; another for location, etc.).

3. Follow the GDPR Requirements

GDPR sets new requirements for the pop-up forms through which users give (or refuse) consent to the processing of their data.

From now on, these forms must comply with common standards. For example, pre-ticked checkboxes are no longer allowed. In addition, each user must have easy access to instructions on how to withdraw consent for data processing.

4. Use Double Opt-In

Although the new regulation says nothing about double opt-in (a subscription confirmation), I highly recommend you use it.
You have probably received emails asking you to confirm your address after you left it on someone’s site. To confirm your consent to receive messages from that resource, you had to follow a link in the email that was only active for a limited time.

In fact, the double opt-in technique improves the quality of your client base, and that helps to avoid spam complaints or a high bounce rate.

Double opt-in is mostly useful for new users. So if you want to collect additional data about existing customers, you don’t need to repeat this step every time.
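An added example (not code from the original post or from any WordPress plugin) in Python showing the double opt-in flow from step 4 together with the consent withdrawal path from step 3: the confirmation link carries a signed, time-limited token, and a ledger records pending, confirmed and withdrawn consent per purpose with timestamps, so you can demonstrate who consented to what and when. The signing key, addresses and timestamps are constructed for the example.

```python
import base64, binascii, hashlib, hmac

SECRET = b"example-signing-key-change-me"  # constructed for this example; load from config in practice
TOKEN_TTL = 24 * 60 * 60  # a confirmation link stays valid for 24 hours


def make_token(email: str, purpose: str, now: float, secret: bytes = SECRET) -> str:
    """Signed, time-limited token to embed in the confirmation link sent by email."""
    payload = f"{email}|{purpose}|{int(now) + TOKEN_TTL}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{sig}".encode()).decode()


def verify_token(token: str, now: float, secret: bytes = SECRET):
    """Return (email, purpose) for an authentic, unexpired token; None for anything else."""
    try:
        email, purpose, exp, sig = base64.urlsafe_b64decode(token).decode().rsplit("|", 3)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None  # malformed or truncated token
    expected = hmac.new(secret, f"{email}|{purpose}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or now > int(exp):
        return None  # tampered signature or expired link
    return email, purpose


class ConsentLedger:
    """Who consented to what, when, and through which step; nothing is sent before confirmation."""
    def __init__(self):
        self.records = {}  # (email, purpose) -> status record with timestamps

    def request(self, email, purpose, now):
        """Step 1: signup form submitted. Store a pending record; the returned token goes in the email."""
        self.records[(email, purpose)] = {"status": "pending", "requested_at": int(now)}
        return make_token(email, purpose, now)

    def confirm(self, token, now):
        """Step 2: link followed. Only an authentic, unexpired token upgrades the record."""
        ident = verify_token(token, now)
        if ident is None or ident not in self.records:
            return False
        self.records[ident].update(status="confirmed", confirmed_at=int(now))
        return True

    def withdraw(self, email, purpose, now):
        rec = self.records.get((email, purpose))
        if rec is None:
            return False
        rec.update(status="withdrawn", withdrawn_at=int(now))
        return True

    def may_email(self, email, purpose):
        return self.records.get((email, purpose), {}).get("status") == "confirmed"
```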

5. Delete Personal Data On Demand

6. Inform If Data is Lost

Once you have the user data, you are 100% responsible for its safety.
If data is stolen as a result of a hacker attack, leaked, or lost in some other way, you must inform users of the matter within 5 days!

7. Remember About “Old” Users

If you already have a substantial client base (some of the old clients might not even visit your website anymore), it is a good idea to share the new data regulations via email. This way, you can easily ask them to give their consent under the new GDPR rules.


WordPress Website and GDPR: Key Aspects

Whew, guess it was a long way down to finally get to our major question =)

If your company runs its business on a WordPress site, you have probably wondered how to make it GDPR compliant.

First things first, let’s figure out what a standard WP website may use to collect user data:

These are 3 main aspects of the WordPress GDPR you should know about:

1. Breach Notification

According to the GDPR rules, if your website experiences some kind of data breach, users must be informed about it. Data breaches can result in any sort of data loss, which may in turn violate individual rights and freedoms.

This means you must notify users as soon as possible. The GDPR says the notification must be sent to users within 72 hours of the breach being discovered. Apart from users, data processors should notify data controllers as soon as they become aware of a data breach.

When it comes to a WordPress website, you may wonder which of your website visitors actually count as “users”. After all, this can mean registered users, commenters, or those who once filled in a contact form.


2. Data Collection, Processing & Storage

The three terms correspond to the following three elements: Right to Access, Right to Be Forgotten and Data Portability.

For WP website owners, this means you will have to do a little more work than before. In the 7 steps above, I advised you to publish your data policy down to the tiniest detail.

After you complete and publish the policy, make sure you are ready to provide users with a copy of their data, as some of them may request it now or later. This can be daunting and is one of the most difficult procedures to accomplish. Still, it is a rule you cannot ignore.

It is also highly recommended to have a system in place to extract a given user’s data from your database.

Finally, it is a good idea to separate data storage by data type rather than keeping everything in one place.


3. Use of Plugins

Since most of the current WordPress plugins work with user data as well, they also must comply with the GDPR rules in a certain way. As a WP website owner, you can spend a lot of time figuring out which of your installed plugins are GDPR compliant and which are not.

According to the regulation, each plugin must establish a clear data flow with the WP website and always disclose how it processes data.

Most likely, the majority of popular and well-known WordPress plugins have already updated their data policies, so you can use them without fear of violating GDPR.

Ionut Neagu, CEO of ThemeIsle, gives a short comment on this matter:

GDPR looks like a really big change that we should all treat very seriously and look for solutions. If there’s one thing we learned from VAT, it’s that the EU is quite serious about those things. They keep introducing more and more regulations and then put new mechanisms in place to enforce them. Those 4% fines aren’t looking good.

WP plugins are not the only ones that will have to change their data policy, though. Many digital marketing tools that you can integrate with your WordPress website will need to adjust, for instance email marketing tools that send automated emails to every recipient on a list.

No matter how you run your email marketing campaigns, one thing is clear: the owners of the email addresses on your list must give their consent under the new GDPR data regulations.

Moreover, you are not allowed to buy a mailing list from a third party, because sending emails to addresses whose owners have not given their consent is considered illegal.



Bottom Line

So let’s summarize this entire chunk of text in several key statements. These 7 steps will help your website remain GDPR compliant:
  1. Let users know you want to use their personal data;
  2. Give a clear description of the terms;
  3. Follow the GDPR requirements;
  4. Use double opt-in technique;
  5. Delete personal data on demand;
  6. Inform users if data is lost;
  7. Remember about “old” users.
I truly hope you have completed all of the above steps by May 2018.

Otherwise, you can be in real trouble =(

Wish you to stay out of trouble and always abide by the law!


