You have been hearing about it, or you would not be here. Yes, the GDPR is being talked about a lot right now; it came into effect on May 25, 2018. That means all websites within the scope of the law should be GDPR compliant by now, but we know that is not the case. Many website owners still do not know what the GDPR is, whether it applies to them, or what it means for their WordPress websites and their businesses. Put simply, the law was implemented to give internet users control over how their personal data is used. As a result, it affects how the entire internet deals with data and privacy.
Getting down to business, we will look into:
What is GDPR?
GDPR is short for General Data Protection Regulation. It is a privacy law that was approved on 14 April 2016, after 4 years of debate and preparation. The GDPR was created to replace the Data Protection Directive and focuses on these 3 core goals:
- Harmonize data privacy laws across Europe
- Protect and empower all EU citizens’ data privacy
- Reshape the way organizations across the region approach data privacy.
The regulation was implemented by European Union lawmakers and applies to all businesses operating within the EU. If you are not part of the EU, you are probably thinking “My business is in the US (or wherever you are), what does this have to do with me?”. The GDPR does not only apply to businesses established in the EU, but also to businesses that provide goods or services to customers in the EU. Therefore, as long as your website “potentially” allows people in the EU to enter their data, to be stored or used in any way, you need to comply with the law and follow all the GDPR policies on how you process that data. Processing basically refers to how the data is used, stored and transferred, and what it is used for. If you wish to learn more about the GDPR, we recommend the official source; it will help you answer any other questions you may have.
How Does GDPR Affect Your Website?
As stated earlier the GDPR is meant to give internet users control over their personal data, so what is considered personal data?
- Name
- Address
- Location data
- Online identifiers (IP address, cookie data)
- Health information
- Income
- Cultural profile
- and more.
Therefore, if there is even the possibility that your website collects any data considered personal from visitors in the EU, then you are affected, in the sense that you now need to ensure that your website is GDPR compliant. The law focuses on ensuring that visitors are informed about how you use (“process”) the data they enter into your website; it is through this transparency that the law aims to give internet users control over their data. That way they can make an informed decision when they choose whether or not to submit their personal information to your business.
In a nutshell, you need consent from the visitor to store and process their data, and there should be a system in place for them to make requests regarding their personal data. To obtain valid consent, you need to describe the extent and purpose of your data processing in plain language to the visitor, prior to processing any personal data, and all consent must be logged.
Consequences Surrounding GDPR?
For a law that covers such a broad scope, I am sure you are thinking about the consequences. So, what will happen if you choose to ignore the GDPR?
Compared to the DPD (Data Protection Directive), the GDPR gives authorities a lot more enforcement and investigative power, which in turn attracts much larger fines for non-compliance. The fines are calculated based on a number of factors, such as how many people were affected, prior infringements, etc. You can read more about this in Article 58 of the GDPR. It is important to note that in all cases the higher amount will be imposed. Below are two possible scenarios in case of non-compliance, to give some clarity as to the aggressive approach the lawmakers have taken in enforcing this law.
Case 1: If it can be determined that non-compliance was related to technical measures, such as certifications, then the fine could amount to more than €10 million or 2% of global annual revenue.
Case 2: In case of non-compliance with key provisions of the GDPR, authorities can charge a fine up to, or greater than, €20 million or 4% of global annual revenue.
Huge fines! Imagine what this would do to you if you run a small or medium-sized business. So, if you are not yet GDPR compliant, it's time to set things right while you still can; you surely do not want a €10 million fine to think about. The larger fines will be issued to entities that violated the fundamental rights of internet users. I recommend you scope these out here. So, as a WordPress website owner, how do you avoid these consequences?
How to Make Your WordPress Website GDPR Compliant?
Firstly, you want to determine whether your current workflow is sufficient, i.e. how you store and process visitors' data. To do this, visit every point of your website that allows a user to enter data and ascertain whether you allow the visitor to give proper consent and whether you disclose exactly how their data will be used. If you run an online store, for example, you may want to check your checkout pages, contact forms, discount popups, commenting/review sections, Google Analytics, and any ad service or analytics tool you are running. In short, you need to ensure that all the software you use is GDPR compliant, including external systems that have access to visitors' data through your website.
To make sure you review your workflow properly, you probably should consult a lawyer, especially if your business is part of the EU or targets EU customers directly. A lawyer will be able to offer professional advice that is specific to your website and your business.
WordPress has included some GDPR compliance features as of WordPress 4.9.6. These allow you to set up a privacy page that is shown on the registration and login pages. So, updating your WordPress version (if you have not already, which you should have) is a great idea for GDPR compliance. If you run an online store that uses WooCommerce, then you do not need to worry: as of WooCommerce 3.4 a lot of GDPR-specific improvements have been made. The checkout page is now more customizable when it comes to requesting consent, and a setup is now available that allows users to request their personal data or its removal.
Summary
The GDPR was a big move by the EU lawmakers and is definitely a big deal for internet users and WordPress websites. The policies have already been in force since May 25, 2018, so if you operate within the scope of the GDPR and you are not yet compliant, you need to make some changes. If you need to do some more research, here are a few good sources:
- GDPR Official Site
- Who the GDPR applies to
- Making WordPress GDPR compliant
If you liked our article or have any questions, drop a comment below. We will update this article as we learn more about the GDPR, so if you have any points that you think we should mention, we would love to hear them. Thank you!