GDPR is probably a term that has come across your radar recently in the form of a slew of emails from companies that you contacted in the distant and more recent past. It stands for General Data Protection Regulation and is a European Union law that requires organizations that collect personal data to be transparent about what they collect, why, and how it will be used.
Although many of you run businesses and own websites in the US and other locations outside of Europe, the law is not limited to European companies. If you offer goods or services to people in the EU, or monitor their behaviour (analytics and advertising trackers count), GDPR applies to you wherever you are located, and you can be fined if you neglect to address it on your website.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) law that took effect on May 25, 2018. The goal of GDPR is to give people in the EU control over their personal data and to change the data privacy practices of organizations across the world. You have probably received multiple emails from organizations and individuals who seek to comply with the new rules. The reason is the stiff fines that can be imposed on those who are non-compliant.
The GDPR applies to any controller or processor established in the EU, regardless of whether the processing itself takes place in the EU. It also applies to organizations outside the EU when their processing relates to offering goods or services to people in the EU, or to monitoring their behaviour. Penalties can be applied to organizations inside and outside of the EU.
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). A lower tier, 2% or €10 million, applies to less serious infringements such as failing to keep records or to notify a breach.
Does GDPR apply to my website?
YES! If people in the European Union can use your site and you collect any personal data from them (a contact form, comments, user accounts, analytics, a newsletter), GDPR applies to you.
Fines are not the only tool, and usually not the first one. Supervisory authorities have a graduated set of corrective powers: a warning, a reprimand, an order to bring processing into compliance, a temporary or permanent ban on processing, and finally a fine. The large maximum fines are intended to get the attention of large companies and ensure that they do not simply treat the consequences as a cost of doing business.
What is required under GDPR?
The detailed version can be read here.
- Tell the user who you are, why you collect the data, how long you keep it and who receives it.
- Have a lawful basis before collecting any data. For most small websites that means clear, opt-in consent: a checkbox that is unticked by default, with a plain statement of what the user is agreeing to.
- Let users access their data and take it with them (the rights of access and data portability).
- Let users delete their data (the right to erasure).
- Let users know if data breaches occur. Breaches must be reported to the supervisory authority within 72 hours, and to the affected users when the breach is likely to put them at high risk.
- Appoint a data protection officer if you are a public body, or if your core activities involve large-scale monitoring of people or large-scale processing of sensitive data. Most small sites will not need one.
Is WordPress GDPR Compliant?
As of WordPress 4.9.6, the core of self-hosted WordPress sites ships with tools built for GDPR. That does not make a site compliant on its own: compliance is a property of how the site is run, and because websites are built from themes, plugins and third-party services, additional steps need to be taken by each site owner.
GDPR tools on WordPress
- Comment consent box: Users who comment on blog posts must actively elect (via a checkbox, unticked by default) to have their name, email and website saved as cookies in their browser. The cookies pre-fill the comment form the next time they want to comment on the blog; they are not a login.
- Exporting and Erasing Personal Data: WordPress now has two additional screens on the Tools menu, Export Personal Data and Erase Personal Data. Each takes an email address, sends the person a confirmation link, and then collects or removes the data that core and any cooperating plugins hold for that address. A new Settings > Privacy screen also lets you designate a privacy policy page and offers suggested text.
- Additional areas that require GDPR compliance not included in core: Contact forms, analytics, email marketing, ecommerce, membership sites, etc. If you ask users for information, ask for the bare minimum, and explain how you will use that information, who will receive it and how long you will store it. You can add a compulsory checkbox to your forms, but keep the data consent separate from acceptance of your Terms and Conditions and leave it unticked by default; a pre-ticked box is not valid consent. At a minimum, put a clause under the form that says something like “Data submitted by this form will be used by Acme International and no one else”.
The developers of plugins and themes used on WordPress websites are used to adapting their code to new PHP versions, security issues and other changes to the WordPress platform, and many have already added GDPR support to their tools. You can check on the WordPress plugin directory whether a plugin is still maintained and up to date. That alone will not tell you whether it handles personal data correctly; look for a privacy statement in the plugin's description, check whether it contributes to the suggested privacy policy text in Settings > Privacy, and run the export and erase tools against a test address to see whether its data shows up.
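The hooks a plugin uses to cooperate with the export and erase tools are part of WordPress core since 4.9.6. As an added example (not code from the original post, and not from any real plugin), the following plugin file registers an exporter, an eraser and suggested privacy policy text for a hypothetical newsletter sign-up plugin. The plugin name, the `wp_example_signups` table and its columns are assumptions for illustration; the filter and function names (`wp_privacy_personal_data_exporters`, `wp_privacy_personal_data_erasers`, `wp_add_privacy_policy_content`) are the real core APIs.

```php
<?php
/**
 * Plugin Name: Example GDPR Hooks
 * Description: Registers a personal data exporter and eraser for a hypothetical sign-up table.
 */

// Assumption: sign-ups live in a custom table {prefix}example_signups with
// columns id, email, name, consented_at (timestamp of the opt-in checkbox).
// Only the bare minimum is stored: no IP address, no user agent.
function example_signups_table() {
	global $wpdb;
	return $wpdb->prefix . 'example_signups';
}

// 1. Tell Tools > Export Personal Data about our data.
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_exporter' );
function example_register_exporter( $exporters ) {
	$exporters['example-signups'] = array(
		'exporter_friendly_name' => __( 'Example newsletter sign-ups', 'example' ),
		'callback'               => 'example_export_signups',
	);
	return $exporters;
}

// Core calls this with the confirmed email address. Each item becomes one
// section in the ZIP the user receives. 'done' => true means no more pages.
function example_export_signups( $email_address, $page = 1 ) {
	global $wpdb;
	$rows = $wpdb->get_results(
		$wpdb->prepare(
			'SELECT id, email, name, consented_at FROM ' . example_signups_table() . ' WHERE email = %s',
			$email_address
		),
		ARRAY_A
	);

	$export_items = array();
	foreach ( (array) $rows as $row ) {
		$export_items[] = array(
			'group_id'    => 'example-signups',
			'group_label' => __( 'Newsletter sign-ups', 'example' ),
			'item_id'     => 'example-signup-' . $row['id'],
			'data'        => array(
				array( 'name' => __( 'Email', 'example' ),       'value' => $row['email'] ),
				array( 'name' => __( 'Name', 'example' ),        'value' => $row['name'] ),
				array( 'name' => __( 'Consented at', 'example' ), 'value' => $row['consented_at'] ),
			),
		);
	}
	return array( 'data' => $export_items, 'done' => true );
}

// 2. Tell Tools > Erase Personal Data how to remove it.
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_eraser' );
function example_register_eraser( $erasers ) {
	$erasers['example-signups'] = array(
		'eraser_friendly_name' => __( 'Example newsletter sign-ups', 'example' ),
		'callback'             => 'example_erase_signups',
	);
	return $erasers;
}

// Delete every row for the address. If you had a legal reason to keep some
// records (e.g. accounting), set items_retained => true and explain in messages.
function example_erase_signups( $email_address, $page = 1 ) {
	global $wpdb;
	$deleted = $wpdb->delete( example_signups_table(), array( 'email' => $email_address ), array( '%s' ) );
	return array(
		'items_removed'  => false !== $deleted && $deleted > 0,
		'items_retained' => false,
		'messages'       => array(),
		'done'           => true,
	);
}

// 3. Contribute a paragraph to the suggested text on Settings > Privacy.
add_action( 'admin_init', 'example_privacy_policy_text' );
function example_privacy_policy_text() {
	if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
		return; // WordPress older than 4.9.6.
	}
	$text = '<p>' . __( 'When you sign up for our newsletter we store your name, email address and the time you gave consent. We keep this until you unsubscribe or ask us to delete it. It is not shared with anyone else.', 'example' ) . '</p>';
	wp_add_privacy_policy_content( __( 'Example newsletter', 'example' ), wp_kses_post( $text ) );
}
```

Once activated, the exporter and eraser show up automatically when an administrator runs a request from the Tools screens, and the policy paragraph appears as a suggestion in the privacy policy guide. The 'page' argument lets core call the callbacks repeatedly for very large data sets; returning 'done' => true on the first call, as here, is correct when a single query covers everything.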
Sounds like a lot?
It is. Remember that GDPR was created to protect people like us. It demands transparency when collecting personal information, so that people know what you will use it for, and it asks you to let people opt in before sharing information with you rather than opting them in by default.
Fortunately, using WordPress as a Content Management System affords us several tools to make that process a lot easier for our community.
Let me know if I can help you with making your website GDPR compliant.
I am not a lawyer and I am not in a position to offer legal advice. If you are concerned regarding GDPR compliance, please consult an internet lawyer.
- Data protection infographic by European Commission
- Principles of the GDPR by European Commission
- The discussion on Google Fonts and GDPR compliance