First, a disclaimer: We aren’t lawyers and this post should not be considered legal advice.
GDPR, or the General Data Protection Regulation, is a set of regulations governing the collection and processing of personal data. It applies both to website operators in the European Union (EU) and to operators with no physical presence in the EU that engage with EU residents in some sort of business-related activity. Non-compliance after GDPR takes effect on May 25, 2018 can result in significant fines.
The highlights of GDPR as it applies to an affected website are:
- Consent – before collecting any personal data, it must be made clear to the user what is being collected, why it’s needed, and how it will be used
- User Access and Control of Data – users must be able to modify their data collection preferences, download their existing personal data, or revoke their consent completely and have their data deleted
- Breach Alerts – operators must report data breaches within 72 hours
Simply put, if your company is based in the EU or your website collects personal data from residents in the EU then GDPR probably applies to your website.
Personal data is information that can be used to identify someone. Examples include:
- User ID
- Social Security Number
In addition to companies located in the EU, GDPR also applies to organizations outside of the EU that satisfy any of the following:
- Offer goods or services to EU data subjects. Example: offering your site in a language spoken in the EU
- Collect data on the behavior of EU data subjects. Example: Google Analytics
- Store or process personal data of EU data subjects. Example: storing name and shipping details for an online shop
Here’s a simple flowchart to help determine if your website is affected:
Consent and Control
Secondly, you must get the user’s consent to use their personal data. This usually takes the form of a pop-up when the user first visits your website. In addition, you must provide a mechanism for that user to withdraw consent, download their data, or have their personal data completely removed. There are several plugins that can assist with this, and WordPress is also actively developing core features to address this. If a user chooses not to provide consent, to analytics for example, then that functionality of the site must be disabled for that user.
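To make the last point concrete, here is an added example (not code from the original post, a WordPress plugin, or any vendor) of a small consent gate that a site could run in the browser: optional functionality such as analytics stays off by default, is switched on only after the visitor opts in, is switched off again when they withdraw, and the recorded decision can be exported or erased on request. The storage key name, the `makeService` stand-in for a real analytics snippet, and the injected `storage`/`now` parameters are assumptions made so the logic runs in Node as well as in a browser (where you would pass `window.localStorage`).

```javascript
// Added example: consent gate for optional site features (e.g. analytics).
// Storage and clock are injected so the same logic runs in Node and in the browser.

const CONSENT_KEY = "gdpr_consent_v1"; // assumed storage key name

// Minimal in-memory stand-in for window.localStorage.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

// Stand-in for a real integration. On a live site, enable() would inject the
// vendor's script tag and disable() would stop it and remove its cookies.
function makeService(name) {
  return {
    name,
    enabled: false,
    enable() { this.enabled = true; },
    disable() { this.enabled = false; },
  };
}

function createConsentManager(storage, services, now = () => new Date().toISOString()) {
  // Read the stored decision; a missing or corrupt record means "ask again".
  const read = () => {
    const raw = storage.getItem(CONSENT_KEY);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch (_) { return null; }
  };
  const write = (state) => storage.setItem(CONSENT_KEY, JSON.stringify(state));

  // Default-deny: a service runs only when the record explicitly allows its purpose.
  const apply = (state) => {
    for (const [purpose, svc] of Object.entries(services)) {
      if (state !== null && state.purposes[purpose] === true) svc.enable();
      else svc.disable();
    }
  };

  apply(read()); // on page load, nothing optional runs until the visitor has opted in

  return {
    // true when the consent pop-up should be shown
    needsPrompt: () => read() === null,
    isAllowed: (purpose) => {
      const state = read();
      return state !== null && state.purposes[purpose] === true;
    },
    // Record the visitor's choices with a timestamp so consent can be demonstrated later.
    grant(purposes) {
      const state = { purposes: { ...purposes }, recordedAt: now() };
      write(state);
      apply(state);
      return state;
    },
    // Withdrawal is itself a recorded decision, so the visitor is not prompted again.
    withdraw() {
      const state = { purposes: {}, recordedAt: now() };
      write(state);
      apply(state);
      return state;
    },
    // Data access: hand the visitor the record as stored.
    exportRecord: () => read(),
    // Data deletion: remove the record and stop every optional service.
    erase() {
      storage.removeItem(CONSENT_KEY);
      apply(null);
    },
  };
}
```

The important design choice is that `apply()` is called once at construction with whatever is stored, so a page that loads with no record, or with a corrupt one, starts with every optional service disabled rather than enabled; the pop-up then drives `grant()` or `withdraw()`, and the download and delete controls map to `exportRecord()` and `erase()`.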
Thirdly, develop a plan of action in the event of a data breach. In some scenarios, this may mean filing a report with the relevant supervisory authority. In other scenarios where there is high risk to the rights and freedoms of affected data subjects, personal notifications must also be sent.