DISCLAIMER: At PinkSEO we have no legal training. We assist our clients, but they have their legal requirements confirmed by a legal professional. We strongly recommend you do the same: we would never want your websites to be any less than compliant because of something you read on this page or on any other.
Edit, May 17th: less than one week before GDPR comes into force. This article of mine has been receiving a large volume of search traffic since December 2017, when it was written. As an SEO specialist this makes me happy, as it shows once more that getting a page to rank extremely well is possible regardless of the popularity or competitiveness of the subject.
Yet my goal is always to assist and provide useful information to the users of my site (welcome, by the way!).
Since January much more has become known about GDPR. Although there are still many grey areas, we are now overwhelmed daily with emails asking us to re-subscribe to mailing lists (by the way, if you’d like to receive SEO tips in your inbox, please click here) and every trade body is offering compliance tips and workshops.
If you have ANY doubt about the law, please take some time reading the Information Commissioner’s Office Website.
What I’d like to do in this article, beyond sharing general information about GDPR (most of us know by now what it is), is to share a bit of my own experience, what I did to make PinkSEO compliant, but mainly to open a discussion with you: what are YOU doing, why and how? One of the aims of my site is to share information and grow together, and in this period of intense work and change we are all living through because of GDPR, we should be doing so even more than usual, don’t you think?

Many of the clients we assist with SEO and digital marketing are asking for information about GDPR, the next big change coming their way, so we decided to try to provide information that is as clear as possible about what it is and how it will affect the business of anyone who runs a website. In this article in particular we’d like to clarify how to make a WordPress website compliant with GDPR.

What is it

The General Data Protection Regulation is the new data protection law in the EU and the most significant change to data privacy regulation in 20 years. It was approved by the EU Parliament on 14 April 2016.

Why is it happening?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to harmonise data privacy law across Europe, to give people in the EU control over their personal data, and to reshape the way organisations across the world approach data privacy.

Who is affected by it?

The GDPR applies to the processing of personal data of people who are in the EU, wherever in the world the organisation doing the processing is based (Article 3). Strictly, an organisation outside the EU is caught when it offers goods or services to people in the EU or monitors their behaviour, and tracking visitors with analytics cookies counts as monitoring. In practice this means that a website with any EU visitors or customers must comply, which is to say virtually all websites and businesses.

Enforcement date:

25 May 2018.

Do I already have to start worrying about it?

In its recent report “Privacy and the EU GDPR”, TrustArc found that 64% of UK businesses had not yet started their GDPR implementation.

Don’t let the six months’ lead time relax you too much. It looks like a long time, but it may be nowhere near enough if you have no idea what GDPR covers and how it will affect your business.

There’s already a fair bit of anxiety out there about GDPR, and after the Christmas holidays companies will start worrying about it more seriously. For the moment, the usual mix of misinformation and misunderstanding that accompanies any new regulation on this scale applies.

Will it affect the UK despite Brexit?

Yes. The UK still has to implement the GDPR regardless of whether the country is in or out of the EU. The Government has stressed that it wants to maintain the unhindered flow of data between the UK and the EU after Brexit. In an August 2017 position paper, the Government said that it “wanted to explore a UK-EU model for exchanging and protecting personal data that could build on the existing adequacy model”.

What are the possible fines?

There are two tiers of administrative fines, depending on which obligations have been breached (Article 83): up to €10 million or 2% of annual worldwide turnover for the lower tier, and up to €20 million or 4% of annual worldwide turnover for the higher tier, in each case whichever is greater. Note that the turnover figure is not a cap at €20 million: for a large company the percentage is the larger number. Penalties this high were chosen deliberately to drive compliance.

Should I take it seriously?

GDPR is a big change that we should all take seriously and plan for. If there’s one thing we have learned so far, it’s that the EU is serious about these things, and a fine of up to 4% of turnover is not something to shrug at.

How and by whom will GDPR be enforced?

Each member state designates one or more independent Supervisory Authorities (SAs), depending on its constitutional, administrative and organisational structure; in the UK the SA is the ICO. SAs have considerable power to enforce the GDPR, with both investigative and corrective powers to check compliance with the law and require changes, including:

  • carrying out audits, including of websites,
  • issuing warnings and reprimands for non-compliance,
  • ordering corrective measures to be completed by a deadline,
  • imposing the administrative fines described above.

Now that the official information has been laid out, let’s check how to make sure that your WordPress website is compliant and that this new regulation won’t end up causing you damage.

First, an important disclaimer: we’re not lawyers and what follows isn’t legal advice. We want to help you understand the implications of GDPR for WordPress websites, but if you need concrete legal counsel, talk to a lawyer.

How does GDPR relate to a WordPress site?

Personal data means “any information relating to an identified or identifiable natural person” (Article 4(1)), for example:

  • name,
  • email,
  • address,
  • phone number,
  • even an IP address, and so on.

Processing means “any operation or set of operations which is performed on personal data” (Article 4(2)). Even something as simple as your web server writing a visitor’s IP address to its access log means you are processing that user’s personal data.
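Because an IP address is personal data, the less of it you keep the less you have to protect, export or erase. The following is an added example, not code from the article or from WordPress itself: it truncates the visitor’s IP before WordPress saves it with a comment, using the real core filter `pre_comment_user_ip`. The function name `example_anonymize_ip` is ours, and it assumes you can drop a file into `wp-content/mu-plugins/`. Web server access logs live outside WordPress and need the same treatment in the server’s own configuration.

```php
<?php
// Added example, not from the article. Install as wp-content/mu-plugins/example-ip.php.
// Truncates a visitor's IP before WordPress stores it with a comment, so the saved
// value no longer points at a single host. "example_anonymize_ip" is our own name;
// "pre_comment_user_ip" is a WordPress core filter run on every comment insert.

/**
 * Zero the host part of an IP address: keep a /24 for IPv4 and a /48 for IPv6.
 * Anything that does not parse becomes '' so that garbage is never stored.
 */
function example_anonymize_ip( $ip ) {
    $bin = @inet_pton( trim( (string) $ip ) );
    if ( false === $bin ) {
        return '';
    }
    // IPv4-mapped IPv6 (::ffff:a.b.c.d), as some proxies report: treat as IPv4.
    $v4_mapped = 16 === strlen( $bin ) && str_repeat( "\0", 10 ) . "\xff\xff" === substr( $bin, 0, 12 );
    if ( 4 === strlen( $bin ) || $v4_mapped ) {
        // Drop the last octet (the last byte of the packed form).
        $bin = substr( $bin, 0, -1 ) . "\0";
    } else {
        // Plain IPv6: keep the first 48 bits, zero the remaining 80.
        $bin = substr( $bin, 0, 6 ) . str_repeat( "\0", 10 );
    }
    return inet_ntop( $bin );
}

add_filter( 'pre_comment_user_ip', 'example_anonymize_ip' );
```

A /24 for IPv4 and a /48 for IPv6 is the same granularity Google Analytics uses for its IP anonymisation option; if you need the full address briefly for spam filtering, do that before the comment is stored rather than keeping it afterwards.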

How might a standard WordPress site generally collect user data?

Through:

  • user registrations,
  • comments,
  • contact form entries,
  • analytics and traffic log solutions,
  • any other logging tools and plugins,
  • security tools and plugins.

How do you make a WordPress website compliant with GDPR?

  1. Request explicit consent. Where consent is your lawful basis for processing (Article 6), it must be obtained before data collection takes place, that is, before the user submits the form: the user must be told that the form collects personal data that will be stored, and must actively opt in (Article 7). A pre-ticked box, silence or inactivity does not count as consent.
  2. Inform the user. Tell them which of their data will be stored and used, how, where and for what purpose. To keep the form itself simple, write a privacy policy that fully discloses your data collection and storage practices, and link to it from the form at the point where you ask for consent.
  3. Privacy by design and by default (Article 25) requires controllers to collect and store only the data that is actually necessary for the stated purpose, and to limit who can access it. For a site owner that means removing form fields you don’t need, not logging what you don’t use, and restricting access to what you do keep.
  4. Keep user data organised and accessible. The right to erasure (the “right to be forgotten”, Article 17) lets users have their personal data erased and further collection and processing stopped. The right to data portability (Article 20) lets users obtain the personal data they provided to you, in a structured, commonly used and machine-readable format, and transmit it to a different controller. More generally (Article 15) you must be able to give a user a copy of all the personal data you hold on them, free of charge and without undue delay, at the latest within one month (extendable by two further months for complex requests, Article 12), and to delete it on request. If you always collect an email address whenever you collect personal data of any type, submissions can be found by searching for it and the user can be contacted through it.
  5. Have an open channel for user requests. A simple form on your privacy policy page (which every form that collects personal data links to) for withdrawing consent and/or requesting access, with an email notification each time it is submitted, gives users an easy and clear way to contact you, and gives you a dated record of each request, which matters because the one-month clock starts when the request arrives.
  6. Breach notification. If your website ever suffers a personal data breach, you must notify the supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people’s rights and freedoms (Article 33). Where the breach is likely to result in a high risk to the people concerned, you must also tell the affected users themselves without undue delay (Article 34). You cannot notify what you cannot detect, so monitor your web traffic and web server logs; a practical option on WordPress is the Wordfence plugin with notifications turned on. In general this obligation pushes you towards the best available security practices so that breaches do not happen in the first place.

The complication is what counts as an affected “user”: registered users, but also people who filled in a contact form and even commenters, since all of them have personal data on your site. This clause therefore creates a legal requirement to assess and monitor the security of your website.

Are there any tools that will help me with it?

Some already exist, such as the WP Security Audit Log plugin, which keeps an activity log of what happens on your site (logins, content and settings changes), useful for spotting and reconstructing a breach. We can also assume that by the time GDPR applies, most developers of the plugins and tools you have on your site will have come forward with their own solutions. In some cases it may be wiser to avoid storing the data at all.

Do the plugins we use on our WordPress site also have to comply with the GDPR rules?

Yes, all of them. As the site owner you are the controller, and it is your responsibility to make sure that every plugin can export, provide and erase the user data it collects, in line with the GDPR rules. This may still mean tough times for some of the most popular plugins out there. Each plugin needs to document its data flow and explain how it processes personal data. Plugins will probably provide their users with an addendum to add to the website’s privacy policy or terms in order to make them GDPR compliant.

We hope this overview of how to make a WordPress website compliant with GDPR has been useful; in the next articles we will cover the implications of GDPR for email marketing and e-commerce websites, which our clients have also asked us about.

Do you need to register with the ICO?

I spent 5 minutes taking the self-assessment quiz here and I suggest you all do it to decide whether you – as an individual or on behalf of your business or organisation – need to register with the ICO. Personally, I need to register and I can do it here. The fee for my registration is £35 for this year; you can pay it by direct debit, auto-renewing year after year.

This compliance checklist is very useful, too.

A Free GDPR WordPress Plugin worth checking

The ICO mentioned above itself uses the free Cookie Control v8 plugin, which is built for GDPR:

Cookie Control is a JavaScript module that can help make a website compliant with EU cookie legislation and, specifically in version 8, with the General Data Protection Regulation’s (GDPR) guidelines on the use of cookies.

What changes have you made, and which plugins do you use on your WordPress sites to make them compliant?

Are there any tips you would like to share with us? Answer in the comments and let’s pool our knowledge on these complicated topics!