Does GDPR Apply To My Website?

“...User confidence is crucial for digital economy. Customer as a product and unsafe privacy are not sustainable business models. Digital is sophisticated enough to combine Security, Convenience and Personal Privacy.”

Stephane Nappo

Does GDPR Apply To You?

If you work in the EU, or have a website that is visible to, sells to, or interacts in any way with a resident or business in the EU, then yes.

It applies to businesses, non-profits, government agencies and anyone doing anything online or offline that collects data.

The safest thing to do is assume it applies to you and then carry out the steps needed to comply. The less you interact with people, the less you have to do.

The European Union countries are:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom

It doesn't matter where your website is hosted, if it's still visible in any of these countries, then GDPR applies to you.  Even if you don't intend to do business with anyone in the EU, if you check your Google Analytics you will probably find you are getting a few visitors from the EU, even if you didn't target them.

Frankly, by the time you've gone through the machinations of seeing how many EU visitors you have and implementing steps to restrict visibility or action on your site, for most website owners, it's just easier to go through the GDPR compliance motions.

What Does GDPR Mean for Your WordPress Site?

Its effective date is May 25, 2018. As a website owner, there are three basic responsibilities that you are liable for fulfilling: Right to Access, Right to Be Forgotten, and Data Portability; basically, the owner of the data being able to remove it.

If you answer YES to any ONE of these following questions then GDPR applies to you.

  1. Do you have a contact form, or any other form that collects personal information like name, email address, or phone number?
  2. Can visitors post a comment anywhere on your website?
  3. Can people purchase products through your website or eCommerce shop?
  4. Do you provide a forum or message board?
  5. Do you have a method where visitors can chat with your company directly?

If you answered 'No' to ALL of these questions, your site is probably in good shape and you may not have to do anything to mitigate the compliance risk. If you don't have any information, you don't have to protect it.

I've Answered Yes - Now What?

If you answered 'Yes' to any of these questions, please read on. Here are some general steps you need to consider:

Update your privacy policy to include a GDPR compliance statement. Then state the following:

  • The information you collect and store from your website visitors. This could include their IP address, name, email, phone number and other data you use directly in your sales and marketing to contact them, as well as cookies, visit duration and tracking, mouse and swipe actions.
  • Specify who has access to this personal data and if you make it available to any other third party (e.g. you, MailChimp, Google, CRM, etc.)
  • Name a person who is responsible for data monitoring and management in your business. For small businesses, this is probably you.
  • Tell people how they can ask you to access their data.
  • Tell people how long you keep their information for.
  • Remove all automatic opt-ins on your site. All checkboxes must be empty in online forms. An empty box cannot imply acceptance.

Collect only the information you require to run your business.

  • Delete personal information that you no longer use that may be stored on servers, in spreadsheets, or other documentation.  This includes emails with file attachments that may contain personal information.
  • Keep only one version of the personal information. You may keep copies for backup and restore purposes only. Up to 4 backups are acceptable. If you keep more, you have to justify it. The location of the backups needs to be captured in your data/security audit.
  • You cannot keep information you aren't using straight away just in case you may need it in the future.

All data breaches need to be recorded and actioned with preventive measures. Examples of data breaches include:

  • Personal information being passed or coming into the possession of an unauthorised data processor or subcontractor.
  • Passing of personal data into a non-GDPR compliant country.
  • Passing of personal data to a third party without the knowledge of the data subject.
  • Personal information leaked as a result of a website hack.

Have a security data breach response plan and process in place. Here's a link to a helpful toolkit that can help you get started developing a plan if you don't already have one:


Have a process to comply with someone asking for a copy of their data.

  • Verify their identity
  • Make sure you have the data before processing the request; if you don't have the data, respond and say, “I don't have the data”.
  • Do not create more personal data while performing the request
  • Process the request
  • Record it in your data audit log
  • Do it within 20 days.

Update your contracts, NDAs, and privacy policies on your website.

  • All staff need to have signed NDAs and completed data protection awareness training. A good rule of thumb is to include all staff, even those who do not have direct access to personal information in the normal course of their duties.
  • All customer contracts have to be updated with a GDPR clause.

What You Can No Longer Do

  1. You cannot send unsolicited emails or contact people from purchased lists, or take a mailing list gathered by one company or for one particular purpose and send the contacts on it information they didn't agree to receive.
  2. You cannot auto email from abandoned shopping carts offering discounts unless the shopper has opted in for email at the top of the checkout.
  3. You cannot send unsolicited text messages via mobile phone numbers.

WordPress Specifics

Online Forms

Make sure you add a checkbox specifically asking the form user if they consent to you storing and using their personal information to communicate with them. The checkbox must be unchecked by default. Also, mention if you will send or share the data with any 3rd-parties and why. The consent statement must include a link to your privacy policy.

Visitor Comments

Make sure you add a checkbox specifically asking commenters if they consent to storing their message attached to the e-mail address they've used to comment. The checkbox must be unchecked by default. Also, mention if you will send or share the data with any 3rd-parties and why. The consent statement must include a link to your privacy policy.

Web Store Order Forms

Make sure you add a checkbox specifically asking the customer if they consent to you storing and using their personal information to ship the order. This cannot be the same checkbox as the Privacy Policy checkbox you should already have in place. The checkbox must be unchecked by default. Also mention if you will send or share the data with any 3rd-parties and why.

Forums and Message Boards

Make sure you add a checkbox specifically asking forum / board users if they consent to you storing and using their personal information and messages. The checkbox must be unchecked by default. Also mention if you will send or share the data with any 3rd-parties and why. The consent statement must include a link to your privacy policy.

Chat Bots

Make sure you add a checkbox specifically asking chat users if they consent to you storing and using their personal information and messages. The checkbox must be unchecked by default. Also mention how long you will store chat messages, or delete them all within 24 hours. Also mention if you will send or share the data with any 3rd-parties and why. The consent statement must include a link to your privacy policy.
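The five sections above (online forms, visitor comments, web store order forms, forums and chat bots) all describe the same pattern: a consent checkbox that starts unchecked, names any third parties, and links to the privacy policy. The following is an added example, not code from the original article or from any plugin it mentions, showing that pattern for the WordPress comment form; the field name `gdpr_consent` and the text domain `example` are assumed identifiers, and the example also enforces the consent on the server so that an empty box can never be treated as acceptance.

```php
<?php
/**
 * Added example (not from the original article): a consent checkbox for the
 * WordPress comment form, unchecked by default, linked to the privacy policy
 * and enforced server-side. Put it in a small plugin or functions.php.
 * "gdpr_consent" and the text domain "example" are assumed identifiers.
 */

// 1. Render the checkbox. Deliberately no "checked" attribute: the box must
//    start empty. The label links to the page set under Settings > Privacy.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $policy_link = '<a href="' . esc_url( get_privacy_policy_url() ) . '">'
        . esc_html__( 'privacy policy', 'example' ) . '</a>';
    $label = sprintf(
        /* translators: %s: link to the privacy policy */
        __( 'I consent to my comment being stored together with the e-mail address I entered, and to it being shared with the third parties listed in the %s.', 'example' ),
        $policy_link
    );
    $fields['gdpr_consent'] = '<p class="comment-form-gdpr-consent">'
        . '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="yes" /> '
        . '<label for="gdpr_consent">' . wp_kses_post( $label ) . '</label></p>';
    return $fields;
} );

// 2. Reject the submission if the box was not ticked. An HTML "required"
//    attribute can be bypassed, so the check must live on the server. These
//    fields are only shown to logged-out visitors, so only they are checked;
//    registered users are assumed (for this example) to have consented at sign-up.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( ! is_user_logged_in() && empty( $_POST['gdpr_consent'] ) ) {
        wp_die(
            esc_html__( 'Please tick the consent box so that we may store your comment.', 'example' ),
            esc_html__( 'Consent required', 'example' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// 3. Record when consent was given, alongside the comment, so a later access
//    request or data audit can show it. Only the UTC timestamp is stored,
//    in keeping with collecting only what the business needs.
add_action( 'comment_post', function ( $comment_id ) {
    if ( ! empty( $_POST['gdpr_consent'] ) ) {
        add_comment_meta( $comment_id, 'gdpr_consent_given_utc', current_time( 'mysql', true ), true );
    }
}, 10, 1 );
```

The same three parts (an unchecked box with a policy link, a server-side check, and a consent record) carry over to contact, order, forum and chat forms built with other plugins, using whichever hooks those plugins expose.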

Useful Plugins

Delete Me—This plugin is helpful in addressing the Right to be Forgotten. It provides a method for data erasure of a user's profile, comments, etc. It's available to WordPress admins, but goes a step further if you are comfortable allowing users to delete their own data without having to create a request for it.

Security Audit Log—helps you perform a security audit on your website.

WordFence (Pro version)—Satisfies the GDPR legal requirement to assess and monitor the security of your website to ensure data breaches do not occur. If a breach does occur, you will receive a real time notification from the plugin.

As the website owner, you must also ensure that plugins you use on your site comply with data privacy regulations, even though you are not the plugin developer and have nothing to do with the plugin's internal mechanisms.

Keep Calm

This may seem like a lot, but unless you've been very naughty, your doorbell is not going to ring on 25th May. The first stage of enforcement is likely to be asking you to comply.

It is also a very good idea to check how any tools you are using are complying with GDPR. Many service providers, such as Google, Hubspot and Mailchimp, have already published information.

Dealing with plugins on your website may be a little trickier, although many of them, such as WooCommerce, have already sent out information about what you need to do.

I'm Still Not Sure, Now What?

There is no escaping that for some website owners there is going to be a considerably more complex process involved, and if that applies to you then you need to think about using a GDPR and legal specialist to make sure you're complying.

If you're based in the UK, the best starting place for that more in-depth approach, and to find specialist consultants, is probably the IT Governance Hub.

Enjoy!