“...User confidence is crucial for the digital economy. Customer as a product and unsafe privacy are not sustainable business models. Digital is sophisticated enough to combine Security, Convenience and Personal Privacy.”
Does GDPR Apply To You?
If you are established in the EU, or your website offers goods or services to, or monitors the behaviour of, people in the EU, then yes (GDPR Article 3). Mere visibility of a site from the EU is not, by itself, the legal test (Recital 23), but as set out below it is safer to assume the regulation applies than to try to prove it doesn't.
It applies to businesses, non-profits, government agencies and anyone doing anything online or offline that collects data.
The safest thing to do is assume it applies to you and then carry out steps you need to do to comply. The less you interact with people, the less you have to do.
The European Union countries are:
- Republic of Cyprus
- Czech Republic
- United Kingdom
It doesn't matter where your website is hosted: if people in these countries can use it, GDPR can apply to you. Even if you don't intend to do business with anyone in the EU, your Google Analytics will probably show a few EU visitors you never targeted, and that analytics tracking (IP addresses, cookie identifiers) is itself processing of personal data.
Frankly, by the time you've gone through the machinations of seeing how many EU visitors you have and implementing steps to restrict visibility or action on your site, for most website owners, it's just easier to go through the GDPR compliance motions.
What Does GDPR Mean for Your WordPress Site?
Its effective date is May 25, 2018. As a website owner, the data-subject rights you will most often have to fulfil are the Right of Access, the Right to Be Forgotten (erasure), and Data Portability: the person the data is about must be able to see it, obtain a copy of it, and have it removed. These are not the only rights GDPR grants (rectification, restriction and objection also apply), but they are the ones a typical site will be asked to honour.
If you answer YES to any one of the following questions, then GDPR applies to you.
- Do you have a contact form, or any other form that collects personal information like name, email address, or phone number?
- Can visitors post a comment anywhere on your website?
- Can people purchase products through your website or eCommerce shop?
- Do you provide a forum or message board?
- Do you have a method where visitors can chat with your company directly?
If you answered 'No' to all of these questions, your site is probably in good shape and you may have little to do to mitigate the compliance risk. Information you don't hold is information you don't have to protect. Do check what you hold passively, though: web-server logs and analytics record IP addresses and cookie identifiers, and those count as personal data.
I've Answered Yes - Now What?
If you answered 'Yes' to any of these questions, please read on. Here are some general steps you need to consider:
- Document the information you collect and store from your website visitors. This could include their IP address, name, email, phone number and other data you use directly in your sales and marketing to contact them, as well as cookies, visit duration and tracking, and mouse and swipe actions.
- Specify who has access to this personal data and whether you make it available to any third party (you, MailChimp, Google, your CRM, etc.).
- Name a person who is responsible for data monitoring and management in your business. For small businesses, this is probably you.
- Tell people how they can ask you to access their data.
- Tell people how long you keep their information for.
- Remove all automatic opt-ins on your site. All checkboxes must be empty in online forms. An empty box cannot imply acceptance.
- Delete personal information that you no longer use that may be stored on servers, in spreadsheets, or other documentation. This includes emails with file attachments that may contain personal information.
- Keep only one working copy of the personal information. Further copies should exist only for backup and restore purposes. GDPR sets no numeric limit on backups, but the storage-limitation principle means you must be able to justify how many you keep and for how long, and the location of every backup needs to be captured in your data/security audit.
- You cannot keep information you aren't using right away just in case you may need it in the future.
All data breaches need to be recorded and actioned with preventive measures. A breach that is likely to put people at risk must also be reported to your supervisory authority within 72 hours of your becoming aware of it (Article 33), and to the affected people themselves where the risk to them is high (Article 34). Examples of data breaches include:
- Personal information being passed or coming into the possession of an unauthorised data processor or subcontractor.
- Transferring personal data to a country outside the EU that has no adequacy decision, without other approved safeguards in place (Articles 44 to 46).
- Passing of personal data to a third party without the knowledge of the data subject.
- Personal information leaked as a result of a website hack.
- Have a security data breach response plan and process in place before you need it, so that the 72-hour clock above does not start with you working out who to call.
Have a process to comply with someone asking for a copy of their data (a subject access request).
- Verify their identity
- Make sure you have the data before processing the request, if you don't have the data, respond and say, “I don't have the data”.
- Do not create more personal data while performing the request
- Process the request
- Record it in your data audit log
- Do it without undue delay and in any case within one month of receiving the request (Article 12). This can be extended by up to two further months for complex or numerous requests, but you must tell the person about the extension within the first month.
Update your contracts, NDAs, and the privacy policy on your website.
- All staff need to have signed NDAs and completed data protection awareness training. A good rule of thumb is to include all staff, even if they do not have direct access to personal information in the normal course of their duties.
- Contracts with anyone who processes personal data on your behalf (hosting, email marketing, CRM, payment providers) have to include the data-processing terms GDPR requires (Article 28); customer contracts should be updated to describe how you handle their data.
What You Can No Longer Do
- You cannot send unsolicited emails or contact people from purchased lists, and you cannot take a mailing list gathered by one company or for one particular purpose and send the contacts on it information they didn't agree to.
- You cannot automatically email discounts for abandoned shopping carts unless the shopper opted in to marketing email at the start of the checkout.
- You cannot send unsolicited text messages via mobile phone numbers.
Web Store Order Forms
Forums and Message Boards
Delete Me—This plugin is helpful in addressing the Right to be Forgotten. It provides a method for data erasure of a user's profile, comments, etc.. It's available to WordPress admins, but goes a step further if you are comfortable allowing users to delete their own data without having to create a request for it.
Security Audit Log—helps you perform a security audit on your website.
Wordfence (Pro version)—Helps with the GDPR requirement (Article 32) to implement and monitor appropriate security measures so that data breaches are prevented; no plugin can satisfy that obligation on its own. Its scanning and alerting give you real-time notice of many of the events, such as file changes and suspicious logins, that precede or accompany a breach.
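The subject access steps above and the erasure the Delete Me plugin offers can also be handled by WordPress core's own privacy tools (Tools > Export Personal Data and Tools > Erase Personal Data, available since WordPress 4.9.6). Core covers the user profile and comments out of the box and lets you register exporters and erasers for data your own forms store. The following is an added example, not code from this article or from any of the plugins named above. It uses the real `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters; the user-meta key `example_marketing_phone` and the `example_` function names are hypothetical stand-ins for a field your contact form might save.

```php
<?php
/**
 * Added example (not from the original article): hooks a site's own personal
 * data into WordPress core's Export Personal Data / Erase Personal Data tools.
 * 'example_marketing_phone' is a hypothetical user-meta field; replace it with
 * whatever your forms actually store.
 */

const EXAMPLE_META_KEY = 'example_marketing_phone'; // hypothetical field

// Exporter: core calls this with the email address of a requester who has
// already confirmed the request via the emailed link (identity verification).
function example_personal_data_exporter( $email_address, $page = 1 ) {
    $export_items = array();
    $user         = get_user_by( 'email', $email_address );

    // No user, or no data for this user: return nothing. Core then simply
    // omits this group from the export archive ("I don't have the data").
    if ( $user instanceof WP_User ) {
        $phone = get_user_meta( $user->ID, EXAMPLE_META_KEY, true );
        if ( '' !== $phone ) {
            $export_items[] = array(
                'group_id'    => 'example-marketing',
                'group_label' => 'Marketing contact details',
                'item_id'     => 'example-marketing-' . $user->ID,
                'data'        => array(
                    array( 'name' => 'Phone number', 'value' => $phone ),
                ),
            );
        }
    }

    // Read-only: the exporter never writes new personal data while running.
    // 'done' => true tells core everything fits in one page.
    return array( 'data' => $export_items, 'done' => true );
}

function example_register_exporter( $exporters ) {
    $exporters['example-marketing'] = array(
        'exporter_friendly_name' => 'Marketing contact details',
        'callback'               => 'example_personal_data_exporter',
    );
    return $exporters;
}
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_exporter' );

// Eraser: same lookup, but removes the data and reports exactly what happened
// so the admin's request log is an honest record of the outcome.
function example_personal_data_eraser( $email_address, $page = 1 ) {
    $items_removed  = false;
    $items_retained = false;
    $messages       = array();

    $user = get_user_by( 'email', $email_address );
    if ( $user instanceof WP_User && '' !== get_user_meta( $user->ID, EXAMPLE_META_KEY, true ) ) {
        if ( delete_user_meta( $user->ID, EXAMPLE_META_KEY ) ) {
            $items_removed = true;
        } else {
            // Report rather than fail silently: core shows this message in the
            // Erase Personal Data screen next to the request.
            $items_retained = true;
            $messages[]     = 'Could not delete the marketing phone number; remove it manually.';
        }
    }

    return array(
        'items_removed'  => $items_removed,
        'items_retained' => $items_retained,
        'messages'       => $messages,
        'done'           => true,
    );
}

function example_register_eraser( $erasers ) {
    $erasers['example-marketing'] = array(
        'eraser_friendly_name' => 'Marketing contact details',
        'callback'             => 'example_personal_data_eraser',
    );
    return $erasers;
}
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_eraser' );
```

Drop this into a small plugin or an `mu-plugins` file. Core takes care of several of the process steps listed earlier: it emails the requester a confirmation link before an admin can act on the request (verify their identity), it lists every request with its status in the Tools screens (record it in your audit log), and the exporter above only reads, never writes (do not create more personal data while performing the request). The one-month deadline is still yours to track.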
I'm Still Not Sure, Now What?
There is no escaping that for some website owners there is going to be a considerably more complex process involved, and if that applies to you then you need to think about using a GDPR and legal specialist to make sure you're complying.
If you're based in the UK the best starting place for that more in depth approach and to find specialist consultants is probably the IT Governance Hub