First, a disclaimer: We aren’t lawyers and this post should not be considered legal advice.

Topics

  1. What is GDPR?
  2. Is my website affected by GDPR?
  3. What do I need to do to be in compliance with GDPR?

What is GDPR?

GDPR, or the General Data Protection Regulation, is a set of rules governing the collection and processing of personal data. It applies both to website operators in the European Union (EU) and to operators with no physical presence in the EU that engage with EU residents in some business-related activity. Non-compliance after GDPR takes effect on May 25, 2018 can result in significant fines.

Highlights

The highlights of GDPR as it applies to an affected website are:

  • Consent – before collecting any personal data, it must be made clear to the user what is being collected, why it is needed, and how it will be used; where consent is the basis for processing, it must be obtained before the processing starts
  • User Access and Control of Data – users must be able to change their data collection preferences, download the personal data held about them, or withdraw their consent completely and have their data deleted
  • Breach Alerts – operators must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk

Is My Website Affected by GDPR?

Simply put, if your company is based in the EU or your website collects personal data from residents in the EU, then GDPR probably applies to your website.

Personal data is any information relating to an identified or identifiable person, whether it identifies them on its own or only in combination with other data. Examples include:

  • Name
  • Email
  • User ID
  • Social Security Number
  • Location

In addition to companies located in the EU, GDPR also applies to organizations outside of the EU that satisfy any of the following:

  • Offer goods or services to EU data subjects. Example: offering your site in a language used in an EU member state, particularly alongside prices in euros or shipping to EU addresses
  • Collect data on the behavior of EU data subjects. Example: Google Analytics
  • Store or process personal data of EU data subjects. Example: storing name and shipping details for an online shop

Here’s a simple flowchart to help determine if your website is affected:

What do I need to do for my WordPress site to be in compliance with GDPR?

First, a site operator should understand what user data their website collects and for what purpose. This includes data collected by themes, plugins and embedded third-party services, not just by WordPress core. This information should be stated clearly on the site's Privacy Policy page.

Inform

Thankfully, WordPress has recently added privacy tooling to its core (starting with version 4.9.6), including a feature that lets plugin and theme developers contribute suggested text to a site's Privacy Policy page. As more developers adopt it, this will make it easier to understand whether and why a plugin collects personal data, and to keep your Privacy Policy page up to date. The suggested text still has to be reviewed and published by the site operator; it is not inserted into the live policy automatically.

Consent and Control

Secondly, where you rely on consent to process personal data, you must obtain it before that processing begins. This usually takes the form of a banner or popup shown on the user's first visit; the consent must be an affirmative action, so a pre-ticked box or "by continuing you agree" notice does not count. In addition, you must provide a mechanism for the user to withdraw consent, download their data, or have their personal data completely removed. Several plugins can assist with this, and WordPress core now includes personal data export and erasure tools under the Tools menu, which plugins can hook into. If a user declines consent for some purpose, analytics for example, then that functionality must stay disabled for that user, and it must not be loaded before they have answered.
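The following is an added example, not code from the original post or from WordPress itself, showing how a plugin can use the core hooks described in the Inform and Consent and Control sections above: contributing suggested Privacy Policy text, registering a personal data exporter and eraser so the Tools menu can serve download and deletion requests, and loading an analytics script only after the visitor has opted in. The plugin name, the `example_shipping_address` user meta key, the `example_analytics_consent` cookie, and the `analytics.js` file are all assumptions made for illustration; the WordPress functions and filters themselves are real core APIs.

```php
<?php
/**
 * Plugin Name: Example GDPR Helpers
 *
 * Added example, not part of the original post. It assumes a hypothetical
 * plugin that stores a user's shipping address in user meta under the key
 * 'example_shipping_address' and that a consent banner (not shown here) sets
 * a cookie named 'example_analytics_consent' to 'yes' when the visitor opts in.
 */

// 1. Inform: offer suggested text for the site's Privacy Policy page
//    (Settings > Privacy). The site operator reviews and publishes it;
//    nothing is inserted into the live policy without their action.
add_action( 'admin_init', function () {
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return; // WordPress older than 4.9.6: the API is not available.
    }
    $text = '<p>' . __( 'This plugin stores the shipping address you enter at checkout so your order can be delivered. It is kept until you request its removal.', 'example-gdpr' ) . '</p>';
    wp_add_privacy_policy_content( 'Example GDPR Helpers', $text );
} );

// 2. Control: make the stored data available through Tools > Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-gdpr-shipping'] = array(
        'exporter_friendly_name' => 'Example shipping address',
        'callback'               => 'example_gdpr_export_shipping',
    );
    return $exporters;
} );

function example_gdpr_export_shipping( $email_address, $page = 1 ) {
    $user = get_user_by( 'email', $email_address );
    $data = array();
    if ( $user ) {
        $address = get_user_meta( $user->ID, 'example_shipping_address', true );
        if ( $address ) {
            $data[] = array(
                'group_id'    => 'example_shipping',
                'group_label' => 'Shipping address',
                'item_id'     => 'shipping-' . $user->ID,
                'data'        => array(
                    array( 'name' => 'Address', 'value' => $address ),
                ),
            );
        }
    }
    // 'done' => true tells core there is no further page of results to fetch.
    return array( 'data' => $data, 'done' => true );
}

// 3. Control: remove the stored data through Tools > Erase Personal Data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-gdpr-shipping'] = array(
        'eraser_friendly_name' => 'Example shipping address',
        'callback'             => 'example_gdpr_erase_shipping',
    );
    return $erasers;
} );

function example_gdpr_erase_shipping( $email_address, $page = 1 ) {
    $user    = get_user_by( 'email', $email_address );
    $removed = false;
    if ( $user && get_user_meta( $user->ID, 'example_shipping_address', true ) ) {
        $removed = delete_user_meta( $user->ID, 'example_shipping_address' );
    }
    return array(
        'items_removed'  => (bool) $removed,
        'items_retained' => false, // set true, with a message, if a legal duty requires keeping it
        'messages'       => array(),
        'done'           => true,
    );
}

// 4. Consent: enqueue the analytics script only once the visitor has opted in.
//    No cookie, or any value other than 'yes', means analytics stays off for
//    that visitor, so nothing is sent to the analytics provider before consent.
add_action( 'wp_enqueue_scripts', function () {
    $consent = isset( $_COOKIE['example_analytics_consent'] ) ? $_COOKIE['example_analytics_consent'] : '';
    if ( 'yes' !== $consent ) {
        return;
    }
    wp_enqueue_script( 'example-analytics', plugins_url( 'analytics.js', __FILE__ ), array(), '1.0', true );
} );
```

The exporter and eraser callbacks are invoked by core when an administrator confirms a request from the Tools menu, after the requester has verified their email address; the consent check in step 4 runs server-side on every page load, so it also covers cached or non-JavaScript visitors as long as the page cache varies on the consent cookie.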

Breach Notifications

Thirdly, develop a plan of action in the event of a data breach, before one happens. In many cases this means filing a report with the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to the rights and freedoms of affected data subjects, those individuals must also be notified directly without undue delay. Keep an internal record of every breach, including those you judged not to need reporting, along with the reasoning behind that decision.