How to make your WordPress website GDPR compliant
It’s fair to say that the biggest change to the field of data privacy happened when the General Data Protection Regulation (GDPR) was introduced back in May of 2018.
Bringing all of the European data privacy laws into one piece of regulation, GDPR means that citizens in the EU have much stronger control over how their personal data is handled by companies worldwide.
While this law is mainly relevant to online companies in the EU, it also impacts developers and website owners outside of the EU. If you are collecting or tracking any sort of data from individuals within the EU, you need to adhere to the rules in place.
When you consider that WordPress powers more than 30 percent of global websites and 60 percent of the CMS market, it is clear that many of these websites will need to concern themselves with GDPR.
With that being said, in this blog post, we are going to take a look at GDPR in further detail, revealing the steps that you need to follow to make sure that your website is GDPR compliant.
Understanding an individual’s rights as per GDPR
Before we can take a look at the different steps you need to take to make sure that your website is GDPR compliant, we first need to understand what new rights users have due to this legislation. After all, you are not going to be able to provide compliance if you do not understand the ins and outs of this law.
There are nine different rights that users have been granted as a consequence of GDPR:
– The right to be informed (a person has the right to be informed about how you collect and use their personal data)
– The right to access (a user has the right to access the personal data you hold about them as an electronic copy, free of charge)
– The right to rectification (a user is able to rectify any personal data you have about them that is not accurate)
– The right to erasure (a user can leave a site and have their personal data erased at any moment)
– The right to restrict processing (a user can suppress or restrict their personal data being processed at any moment)
– The right to data portability (a user can download and reuse their personal data for their own purposes)
– The right to object (a user can prevent the use of any particular data for any purpose at any moment)
– The right to be told about data breaches (a user must be informed within 72 hours of a data breach affecting your website)
– Rights relating to automated decision making (under GDPR, users may not be made subject to automated decisions without being actively informed about them)
As you can see, there are nine rules that you need to adhere to when it comes to handling user data.
It is important to realize that these rules are not negotiable. Even if you only have a few website visitors from the EU and most of your other visitors are from the United States or Asia, you still need to make sure you adhere to GDPR.
The good thing is that these are great principles to follow and adhere to in terms of making sure all of your users are protected. Plus, it will help you to comply with other data and security laws in place around the world.
How can you make your WordPress website GDPR compliant?
There are a number of different steps you can take to make sure that your WordPress website adheres to GDPR.
Reassess the way you collect, process, and store data
There is only one place to begin, and this is with how you handle data on your WordPress website. It is imperative to manage consent on your website effectively. Therefore, not only do you need to think about how you use and store data but also how you are going to keep your customers informed and give them options in terms of the data you collect.
The manner in which you collect and track user data via your WordPress website plays a critical role in determining how compliant your site is with GDPR. According to this law, if you are collecting any sort of data about a person on your website, you need to clearly tell them the following:
– Who you are
– What personal data you are collecting
– Why you are collecting the data
– How you will ensure the data is secured
– For what reason you are collecting the data
– How long you are going to be storing the data
– Where it is going to be stored
These are the key areas you need to cover when informing users about your data collection efforts. It is imperative to be transparent. Irrespective of the personal data you are collating and what medium you are using, explicit consent is now imperative when monitoring and collecting personal data, so you cannot afford to cut corners here.
Make sure that your approach to consent is legal
In the previous section, we mentioned how important it is to manage consent effectively. It is important to realize that under GDPR some of the approaches to consent that were previously used would now be considered a breach.
If you use pre-checked boxes or opt-out options, for example, this is no longer acceptable, so you need to change your approach to consent immediately to ensure your business does not receive a hefty fine.
As per GDPR, some examples of legal consent requests that are approved include:
– Responding manually to a consent email
– Selecting from ‘yes’ or ‘no’ options
– Clicking an opt-in link or button
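The opt-in pattern above, applied to the WordPress comment form, as an added example (not code from the original post): the consent checkbox is never pre-checked, the server rejects any submission that did not tick it, and the moment of consent is stored with the comment so it can be documented later. It assumes a classic theme that renders `comment_form()`; the text domain and the policy version string are placeholders.

```php
<?php
// Added example, not part of the original post. Drop into a small
// site-specific plugin. Assumes a classic theme that calls comment_form().

// 1. Render an UNCHECKED opt-in box. No 'checked' attribute is ever emitted,
//    because a pre-checked box does not count as consent under GDPR.
function example_render_consent_box() {
    echo '<p class="comment-form-privacy-consent">'
       . '<input id="privacy_consent" name="privacy_consent" type="checkbox" value="yes" required> '
       . '<label for="privacy_consent">'
       . esc_html__( 'I agree that my name, e-mail address and comment are stored by this site.', 'example-textdomain' )
       . '</label></p>';
}
// Logged-out visitors and logged-in users use different form branches.
add_action( 'comment_form_after_fields', 'example_render_consent_box' );
add_action( 'comment_form_logged_in_after', 'example_render_consent_box' );

// 2. Enforce on the server. The browser's "required" attribute is a
//    convenience only; a crafted POST can omit the field entirely.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $consent = isset( $_POST['privacy_consent'] )
        ? sanitize_text_field( wp_unslash( $_POST['privacy_consent'] ) )
        : '';
    if ( 'yes' !== $consent ) {
        wp_die(
            esc_html__( 'Your comment was not saved: explicit consent to store your data is required.', 'example-textdomain' ),
            '',
            array( 'response' => 400, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// 3. Record when consent was given and which wording the user saw, so the
//    consent can be produced on an access request or during an audit.
add_action( 'comment_post', function ( $comment_id ) {
    add_comment_meta( $comment_id, 'privacy_consent_given_utc', current_time( 'mysql', true ), true );
    add_comment_meta( $comment_id, 'privacy_consent_text_version', 'v1-placeholder', true ); // hypothetical version label
}, 10, 1 );
```

If you later change the consent wording, bump the version label so each stored comment still maps to the exact text the user agreed to.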
Audit all of the personal information you gather
It is imperative to take stock of where you are currently at in terms of data collection and processing. This is why we recommend taking a complete audit of users’ personal data collected via your WordPress website.
This will not only help you discover what data is essential to running your website, but also let you get rid of any data that has no real value or use.
Delete any personal data that you no longer use; this is one of the easiest yet most effective steps you will take on your mission to becoming GDPR compliant.
Audit plug-ins and themes
GDPR applies not only to your WordPress website’s front end but also to the code behind it. As a site owner, you are ultimately responsible for any third-party software, plug-in, or theme you use. The manner in which they collect data affects whether or not you are GDPR compliant, because you are running their software on your WordPress site.
While the majority of the well-known themes and plug-ins have adapted well and have had stringent data collection methods in place since the introduction of GDPR, you should not simply assume that this is the case. Instead, you need to make sure that you audit all of the plug-ins and themes you use.
Whenever you add a new piece of software to your website, do your due diligence and make sure that it has stringent data collection methods in place. The last thing you want to do is fall foul of GDPR through something that was not even your own doing.
One of the best things to do is use one of the available GDPR compliance plug-ins, such as the WP GDPR Compliance tool, which can help you determine whether there are any GDPR issues on your website so that you can take the required action.
Document everything
If you have followed our previous recommendation regarding getting rid of any data that you do not need, you now need to write down all of your procedures and policies in accordance with GDPR.
This will enable you to have a clear understanding of what you need to do if there is a personal data breach or if one of your users makes a request to have access to the personal data you have collected about them.
Make sure your business adheres to GDPR
So there you have it: everything you need to know about GDPR and how to make sure your business is compliant. We hope that the information and advice that we have provided you with above will help you to get a better understanding of the steps you need to take to make sure your WordPress site is compliant.
This is something that site owners simply cannot ignore. You need to do everything in your power to make sure that your site adheres to the GDPR rules and regulations. Otherwise, you could find yourself in deep waters, with heavy fines to pay.