Here is what everyone was confronted with last year: the General Data Protection Regulation, or simply GDPR. It is the law the European Union (EU) imposes to protect the privacy of people in the EU. Many websites are still not (fully) compliant with it, and if that is the case with your website, it is something that needs to be taken care of.
Just before we get started: I am in no way a lawyer, and nothing in this article should be considered legal advice. I just want to raise awareness of GDPR compliance, explain in plain English what it is all about, and point out helpful tools that have appeared and can help you with GDPR.
In addition, reading articles like this one will help you become knowledgeable about GDPR.
The WordPress developers have taken care of several of the requirements in core (a privacy policy page and tools to export and erase personal data), and installing plugins that focus on GDPR goes a long way towards making your website compliant with the law. Neither makes a site compliant by itself, though: compliance depends on what data you collect and how you handle it.
Fines imposed by the new regulation can be significant: depending on the violation, up to €10 million or 2% of global annual turnover, or up to €20 million or 4%, whichever is higher. But before you panic: a fine is only one of several corrective powers a supervisory authority has. It can also issue a warning or a reprimand, order you to bring processing into compliance, or suspend the processing of data altogether. Authorities often start with the milder measures, but nothing obliges them to, so do not count on a warning before a fine.
You will see that once you understand the GDPR rules, the new law makes pretty good sense. And although it may seem to go quite far in the responsibilities and accountability it places on a controller, it can all be managed without too much hassle.
The practical implications of these changes include, but are not limited to, online businesses (especially those in advertising), social media, technical networks and the analytics sector.
Even though this is a European law, it applies to any website in the world that collects personal data from people who are in the European Union, for example because it offers goods or services to them or tracks their behaviour.
What is GDPR all about
So, what is this law all about? GDPR stands for General Data Protection Regulation, and it was created to stop companies from processing the personal data that visitors leave on their website unlawfully or irresponsibly. This data is considered personal and is therefore labelled personally identifiable information (PII). Reckless handling of this data can breach the privacy of people like you and me.
That is what this law is designed to do: protect the user's personal data. Any business to which GDPR applies is held to a higher standard when it comes to data collection. For instance, where consent is the basis for processing, it must be given before the personal information is collected, and for sensitive data (such as health information) explicit consent is required.
Consent is an important part of GDPR. Wherever you rely on consent to collect data, include an unchecked checkbox that users must tick to give it. Consent must be "freely" given: silence, inactivity or pre-ticked boxes do not count as consent, and processing on that basis is a breach of the law. Note that consent is only one of the lawful bases GDPR recognises; data you need to fulfil a contract, for instance, does not require a consent checkbox, but you still have to tell users what you collect and why.
Types of personal data
There are two main aspects to GDPR: personal data and the processing of personal data.
Personal data is any information that can be used to identify a natural person, such as a name, email address, physical address, IP address, health information or income. Much more data than that can identify a natural person, so each situation needs to be examined individually to make sure the law is complied with.
The processing of personal data is any action taken on this data, such as collecting, storing (a user's IP address, for instance), using, sharing, erasing or deleting it.
Key areas of GDPR
As a website owner, there are three main elements you need to know and control: the right of access, the right to be forgotten and data portability.
- The right of access gives users the right to know whether you hold personal data about them and to obtain a copy of it.
- The right to be forgotten enables users to have their personal data erased and to stop further collection and processing. When a user exercises this right, it also withdraws the consent for their personal data to be used.
- The data portability clause states that users have the right to take possession of their personal information, through a download for instance, and transfer it to a different controller.
There are many ways your website can collect data, some of which you were probably not aware of. Here are a few examples:
- user registrations,
- users placing comments,
- users submitting the contact page,
- analytics and traffic log solutions,
- security tools and plugins.
A breach is when personal data is disclosed, or could be disclosed, to unauthorised people, whether accidentally or intentionally. After a breach, the likelihood and severity of the risk to people's rights and freedoms must be established.
You must make sure you have enough resources, procedures and policies in place to detect a breach. That improves your ability to decide when it is necessary to report it.
When reporting is necessary, the breach must be reported to the relevant supervisory authority within 72 hours of becoming aware of it. When the breach is considered high risk, the affected users must be notified as well, without undue delay.
When a breach is considered harmless and poses no risk to the individuals, reporting is not required, but you should still document it and why you decided not to report.
Data breaches can include:
- Unauthorised third-party access to personal data;
- Deliberate or accidental action (or inaction) by a controller or processor;
- Sending personal data to an incorrect recipient;
- Loss or theft of devices containing personal data;
- Changing or updating personal data without permission; and
- Loss of availability of personal data.
GDPR for your website
Now that we have that covered, let's talk about how you can make your website GDPR compliant.
First of all, you should be able to provide users with a copy of their information. That means putting mechanisms in place that give users the ability to control their data.
Also, any additional plugins you have installed on your website should be GDPR compliant. That means going through your plugins one by one to check what personal data each one stores and whether it supports the WordPress export and erase tools.
Exporting and erasing personal data
By default, WordPress is able to export or erase personal data at a user's request. If you scroll down to Tools in the admin menu, you will see the options "Export Personal Data" and "Erase Personal Data". Clicking either one takes you to a page where you can enter a user's username or email address.
After you click "Send Request", the user appears in a table on the same page with the status "pending". WordPress sends the user an automatic email containing a link they have to click to confirm their identity. This confirmation is what stops somebody from obtaining, or deleting, another person's data just by typing in their email address, so do not skip it.
Once confirmed, the status in the table changes from pending to complete. Now you can hover over the entry and click the "Download Personal Data" link. This downloads a file with all the information WordPress core and participating plugins hold about the user, which you can then send to them.
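The export and erase tools only cover data that registers itself with them: core covers users, comments and media, and a plugin that keeps its own table has to add an exporter and an eraser, otherwise that data is silently missed. The following is an added example, not code from the original post or from WordPress: it registers both for a hypothetical plugin table `wp_newsletter_signups` (columns `id`, `email`, `signed_up_at`, `ip_address` are assumed) using the core `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters.

```php
<?php
// Added example (not from the original post or WordPress core): make a plugin's own
// table visible to Tools > Export Personal Data / Erase Personal Data.
// The table name and its columns are assumptions for the sake of the example.

add_filter( 'wp_privacy_personal_data_exporters', 'nl_register_exporter' );
function nl_register_exporter( $exporters ) {
    $exporters['newsletter-signups'] = array(
        'exporter_friendly_name' => 'Newsletter signups',
        'callback'               => 'nl_export_personal_data',
    );
    return $exporters;
}

// Core calls this with the e-mail address the user confirmed via the emailed link,
// one page at a time, until the callback reports 'done' => true.
function nl_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'newsletter_signups';

    // Parameterised query: the e-mail address comes from user input.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, signed_up_at, ip_address FROM {$table} WHERE email = %s LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'newsletter-signups',
            'group_label' => 'Newsletter signups',
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => 'E-mail address', 'value' => $row->email ),
                array( 'name' => 'Signed up at',   'value' => $row->signed_up_at ),
                array( 'name' => 'IP address',     'value' => $row->ip_address ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // false tells core to ask for the next page
    );
}

add_filter( 'wp_privacy_personal_data_erasers', 'nl_register_eraser' );
function nl_register_eraser( $erasers ) {
    $erasers['newsletter-signups'] = array(
        'eraser_friendly_name' => 'Newsletter signups',
        'callback'             => 'nl_erase_personal_data',
    );
    return $erasers;
}

function nl_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'newsletter_signups';
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,    // set to true, with a message, only if a legal duty forces you to keep something
        'messages'       => array(),
        'done'           => true,
    );
}
```

Both callbacks receive the address only after the user has confirmed the request from their inbox, so the authorisation step the article describes is reused rather than re-implemented. If a record must be kept (an invoice, for example), report it through `items_retained` and `messages` instead of quietly leaving it in place; the erase report shown to the administrator should be honest about what is still stored.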
GDPR Data Request Form Plugin
I recommend you install a plugin for this called “GDPR Data Request Form”. This plugin inserts a small form on your site, that enables users to submit a request. You can place this form in your privacy statement.
Once submitted, the request appears in the same table as mentioned above. The user gets a confirmation saying:
Your inquiry has been submitted. Check your email to validate your data request.
Once the user has confirmed, the request shows up in the backend, where you download the information you hold about this user as a zipped HTML file and send it to them. That's it! This plugin makes the process very easy and smooth.
WP GDPR compliance plugin
With regard to consent, users must be able to give their approval (through an unchecked checkbox) whenever they leave personal data on your website. By ticking the box they opt in and declare that they approve.
Places on your site where this applies are the contact page, or the form where visitors leave a comment on your blog. Since the WordPress 4.9.6 privacy update, the comment form includes by default an opt-in checkbox for storing the commenter's name, email and website in a cookie. If you are using a theme that overrides the comment form, you should add it back through a plugin. For this, you can install WP GDPR Compliance.
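If you would rather not depend on a plugin, or want to understand what such a plugin does, the following added example (not code from the original post or from the WP GDPR Compliance plugin) adds a consent checkbox to the WordPress comment form and enforces it on submission. The field name `gdpr_consent` and the comment-meta key are assumptions. It shows the three things a plugin has to get right: the box is rendered unchecked, a comment without the tick is rejected server-side (a browser can simply omit the field), and the moment of consent is recorded alongside the comment.

```php
<?php
// Added example (not from the original post): consent checkbox on the comment form.
// Field name `gdpr_consent` and the meta key below are assumptions for the example.

// 1. Render the checkbox for anonymous commenters. It is deliberately NOT pre-ticked:
//    a pre-checked box is not valid consent under GDPR.
add_filter( 'comment_form_default_fields', 'cf_add_consent_field' );
function cf_add_consent_field( $fields ) {
    $fields['gdpr_consent'] =
        '<p class="comment-form-gdpr-consent">' .
        '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="yes" /> ' .
        '<label for="gdpr_consent">' .
        esc_html__( 'I agree that my name, e-mail address and comment are stored on this site.' ) .
        '</label></p>';
    return $fields;
}

// 2. Enforce it on the server. The filter runs before the comment is written to the
//    database, so a request that omits the field never gets stored.
add_filter( 'preprocess_comment', 'cf_require_consent' );
function cf_require_consent( $commentdata ) {
    // Pingbacks and trackbacks have no form; only ordinary comments carry the checkbox.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( '' !== $type && 'comment' !== $type ) {
        return $commentdata;
    }
    // Logged-in users consented when they registered and never see the default fields.
    if ( is_user_logged_in() ) {
        return $commentdata;
    }
    if ( ! isset( $_POST['gdpr_consent'] ) || 'yes' !== $_POST['gdpr_consent'] ) {
        wp_die(
            esc_html__( 'You must agree to the storage of your data to post a comment.' ),
            400
        );
    }
    return $commentdata;
}

// 3. Keep a record of when consent was given, next to the comment it covers, so you
//    can later show that it was obtained (and it is erased together with the comment).
add_action( 'comment_post', 'cf_store_consent', 10, 2 );
function cf_store_consent( $comment_id, $comment_approved ) {
    if ( isset( $_POST['gdpr_consent'] ) && 'yes' === $_POST['gdpr_consent'] ) {
        add_comment_meta( $comment_id, 'gdpr_consent_given_at', current_time( 'mysql', true ), true );
    }
}
```

Drop this into a small plugin or your theme's functions.php. Note that `comment_form_default_fields` is only used when the visitor is not logged in, which is why the check in step 2 skips logged-in users rather than rejecting them; if your theme prints its own markup instead of calling `comment_form()`, the checkbox has to be added to that markup, but the server-side check in step 2 still applies.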
Don’t Collect Unnecessary Data
I also recommend that you do not store unnecessary data. For instance, when someone contacts you through the contact page, have the message delivered to your email inbox instead of storing it in the website database. That removes one place where personal data can leak from and one more thing you have to worry about. Keep in mind, though, that the message now lives in your mailbox, which is still processing of personal data: delete old enquiries there too, and make sure the mailbox itself is properly secured.
Staying current and knowing what is going on around you on this hot topic keeps you educated about GDPR. That doesn't mean you need to dig into GDPR every day, but you should do some research now and then, or at least look into it. I hope this article helps you make your website compliant with the law.