How GDPR Affects on WordPress?
In this article, we will see how GDPR affects on WordPress site owner and developer.
GDPR or General Data Protection Regulation will be officially applied from May 25, 2018. This will be a turning point for all over the digital world in general and for WordPress site owner and developer too.
How GDPR Affects on WordPress Site?
For the website owner, GDPR will have effects in many different ways:
- How we collect data via forms (contact forms, newsletter signups etc.)
- How we collect analytics data
- What we do with that data
- Where the data is stored
- How we communicate with customers and contacts
- The code we use – plugins and themes.
In a WordPress site, data can be collected via various ways including contact form entries, user registrations, comments, newsletter signups, analytics. This will play a vital role in determining whether or not WordPress site is GDPR compliant.
Under GDPR, if we’re collecting data through WordPress site, we have to clearly tell users who we are, what data we’re collecting, why we’re collecting it, how long we’re going to store it, who will be able to access it and for what purpose. Explicit consent of users is now mandatory to collect and process personal data.
Themes and Plugins:
Being a WordPress site owner, we’re responsible for all data collection and storage methods by a theme, plug-in or third-party software on our site. Therefore, it’s essential to audit all third-party plug-ins and themes to meet the regulation.
To check the theme and plug-ins on our website to see if they are in compliance with the GDPR rules, we can use WP GDPR Compliance plug-in. By this way, we can identify key issues related to GDPR compliance.
If our website is an online store or marketplace with WooCommerce or any kind of eCommerce platform, you need to pay attention to this point!
Under GDPR, the using of opt-out options and pre-ticked consent boxes to collect any personal data will now be considered as a violation. It means that active involvement of the users on your WordPress site, including all marketing materials like newsletters, is now imperative to meet the new regulations.
According to the new regulation, some perfect examples of lawful consent requests are clicking an opt-in button or link online, selecting from an equivalent yes or no option and responding clearly to an email requesting consent.
What Can Be Done to Make a WordPress Site GDPR Compliant?
The main point of making a WordPress site GDPR compliance ready is to protect the right of people giving you their data. Let’s look twice at the checklist to make your WordPress site GDPR compliant:
Audit Personal Data:
The first and foremost thing we need to do is carry out a full GDPR compliance audit of our WordPress site. This will help us determine factors like:
- Who we hold data on?
- What personal data do we collect?
- Where is the collected data being stored?
- What we use the data for?
- Do any third parties handle the data?
- How long is the data stored for?
- Is it secured in every way?
Once getting all the above factors, it will become pretty easy for us to find out what data is absolutely necessary for proper functioning of the WordPress site. If there is any information not necessary, just simply remove or delete it along with its processing points. As the result, the haft of the work is done!
Now, we need to have a clear plan on how we handle the data. Let’s write down your policies and procedures about how you do it on your site. This is inevitable to demonstrate our compliance with the new GDPR regulation.
- Subject Access Requests: Mention how you will verify the identity and fulfill the user’s request to access, update or delete their personal data.
- Data Security: Describe what efforts you’re putting into keeping users’ personal data safe and secure. This may involve techniques like access control, data anonymization, and encryption.
- Data Breaches: Any personal data breaches which you think may significantly harm individuals must be brought to the attention of relevant supervisory authority within 72 hours of you become aware of the breach. If the breach is serious enough, you must have to notify the concerned individuals too.
Inform the Audience:
Maintain Privacy by Design:
Privacy by Design means instead of treating data protection as an afterthought or addendum, it should be incorporated into the design of a system from the onset. To be more specific, the designer should implement appropriate technical and organizational measures at the very core of any system.
Privacy by design encourages website owners to ask users only for the absolutely necessary data.
Enhance Online Payments:
If you’re running an eCommerce WordPress site, then you are likely to be collecting personal details before redirecting the customer to the payment gateway. If this is the case, you need to modify your web processes to automatically delete any sensitive personal data after a certain period of time, for example, 60 days.
Since the GDPR regulation doesn’t specify the exact number of days, it is your own decision as to after how many days the sensitive data must be deleted.
Request Explicit Consent:
This is an important point. Anyone whose data you collect must give explicit consent for you to use their personal data. Consent must be explicit, given freely and separately for each processing purpose, and can be withdrawn at any time. Here the word ‘explicit’ means all opt-in boxes must be empty/unchecked by default and the user must manually and voluntarily tick the box to give his consent to collect his/her personal data. In other words, there must be no automatic opt-ins existed on your WordPress site.
Consider Appointing a DPO:
Finally, if your WordPress site has to deal with the monitoring or processing large amounts of personal data, consider employing a Data Protection Officer (DPO) who is not only responsible for all data protection related activities but also ensures the compliance of your WordPress site with the GDPR regulations. A DPO can be any person within your organization or externally hired.
How GDPR Affects on Web Developers
GDPR doesn’t just apply to website owners who are processing data. The developers also have a responsibility to ensure that their code is compliant.
This will apply to developers building site for clients and to developers writing code in the form of plugins and themes for wider distribution. The main ways in which GDPR will affect developers are:
- In the use of third-party themes and plugins when creating sites for clients.
- When creating plugins or themes which include a form where users will input personal data.
- When linking to third-party APIs to access or process data.
- When coding analytics functionality or anything which can identify a user via their IP address, location or other means.
Using Third-Party Themes and Plugins
When using third party themes or plugins on our site, we need to ensure that the themes and/or plugins are GDPR-compliant, and or whether we can configure them in a way that is compliant. In addition, we should ensure that the client is aware of the legislation and tell them if their site includes functionality that is affected.
You can pay attention to the checklist as below:
- Follow the guidelines for website owners above when installing and configuring plugins or third party themes.
- Tell your client if their site includes functionality affected by the legislation and point them in the direction of relevant information.
- If in the course of development and testing you collect personal data, delete all of it at the end of this period.
- When you hand the site over to the client, ensure that any data collected is going to the client and not to you (it can be easy to forget to edit an email address in a contact form’s settings).
Developing Themes and Plugins
It’s no matter if you’re developing a theme or a plugin for a specific client project or for wider distribution, the regulations will apply if your code includes the facility to collect personal data.
Once coding, we need to ensure that it possible for client or users can comply with the legislation. This will include any data capture, either overt via forms or e-commerce, or covert via cookies or APIs.
The point we should know:
- If your code includes any kind of input for personal data, make sure that this includes the option for the site owner to add information on how the data will be used and that where relevant you include a double opt-in.
- If your code tracks data via cookies, ensure that this can’t be used to directly identify individuals.
- If your code links with a third party API, ensure that API is GDPR-compliant.
- If your code sends data to a third party API, include the option for website users to opt out.
- If your code is affected by the regulations, add details of this to your documentation. Include guidance on how website owners can use your theme or plugin in a way that is GDPR-compliant.
- For more information on work being done on WordPress and GDPR, follow the WordPress GDPR team.
- If in doubt and the gathering of a specific piece of data isn’t absolutely necessary for your code to work, don’t gather the data.
WPThemeGo WordPress Themes & Plugin Development
Currently, our developer has been studying and will update in our themes and plugins to make sure that all of them will meet the requirement of GDPR.
For more detail information, you can follow the links as below:
2. GDPR for WordPress