There’s a new law that goes into effect in the European Union on May 25, 2018…  The GDPR (General Data Protection Regulation). That’s a fancy way to say the privacy rights of any individual in the EU accessing a website is protected.  GDPR has been creating some confusion and panic as people scramble to become GDPR compliant. And rightly so. Who can correctly decipher over 5000 pages?! WordPress has come to our rescue by building some functionality in their latest release to help.

Even if you or your business is not based in the EU, you’re more than likely going to reap the benefits of improved data security and personal data protection rights. Chances are the American government and other countries will be writing laws similar to the GDPR before long. As a website owner, you may have your work cut out for you, but it’ll be worth it in the end.

Wait. My business isn’t in the EU. You’re saying the GDPR affects me?

In short, yes. 🙃

If there’s a chance that someone in the EU will access your site and buy products, utilize your services, engage in the comments section of your blog, or even fill out a contact form… GDPR applies to you. A Privacy Policy that outlines how you gather and use personal data is required on your website. If you already have a Privacy Policy, now might be a great time to review it. If you don’t have one already, there’s no time like the present!

What rights does the GDPR grant?

The GDPR stands to protect the rights of individuals in the EU, and yet these rights will be extended to indivudals all over the world by nature of the law. The GDPR grants 8 rights to an individual:

    1. Right to be informed
      • To be informed about how data is processed, stored, and for how long
    2. Right of access
      • The ability for an individual to see what information is in their account
    3. Right of certification
      • The right to go and view, update information
    4. Right to be forgotten
      • If someone wants to terminate their agreement, they can contact the company and ask to exercise this right.
      • Companies are required by regulations to keep some information (related to accounting, invoices, etc.)
    5. Right to restrict processing
      • The ability to restrict extra info connected with one’s social status (Mr. Mrs. etc.) as long as this information is not necessary for the services provided
    6. Right of portability
      • The right for the user to change companies and transfer information to the other one (example: Mobile providers)
    7. Right to object
      • In case someone gives consent for promotional emails and then changes their mind.
    8. Right to control the relation to automatic decision making and profiling
      • The ability for people to control the marketing they’ve been exposed to

How do I get started in being GDPR compliant?

As already mentioned, make sure you have a Privacy Policy. Of course, it’s a good idea to have a legal representative familiar with website liability and the GDPR to review your policy or help you write a new one.

If you’re using WordPress for your site(s), WordPress 4.9.6 was released last week with some functionality to help maintain GDPR compliance. It should go without saying, but these tools don’t replace legal advice and don’t guarantee GDPR compliance, but is a start. If you haven’t upgraded to WordPress 4.9.6, we strongly encourage you to do that now, even if you don’t use the GDPR tools they built in.

In the Settings section of your Dashboard, you will see a Privacy section. There is a WordPress and GDPR Compliance Guide with suggestions on what to include in your Privacy Policy. You also have the opportunity to create a Privacy Policy page if you don’t already have one.

GDPR Privacy Settings in WordPress Dashboard

What Do I Do if Someone Asks To View Their Personal Information?

Some of the rights GDPR gives are the right of access, the right of certification, and the right to be forgotten. Basically, anyone can ask a site owner to show what personal information about them has been collected. They have the right to edit or update this information. They also have the right to have their personal information deleted.

Enter one of the best features of the latest WordPress release… the Export and Erase tools. So when a client/subscriber/user/anyone asks to see what information you have collected on them or they want to delete the information you have on them, you can easily comply with these great tools.

Export and Erase Personal Data Tools in the WordPress Dashboard

The Export Personal Data and Erase Personal Data tools are found under the “Tools” tab in your Dashboard. If someone contacts you to view or erase their personal data, click on the corresponding tool. You will enter the person’s username or email and send the request. An email will be sent to the user asking them to verify the request.

WordPress Data Export Request Tool

Once they verify the request, you will come back to the Export or Erase tool to complete the request. They will be emailed a report of the personal data you have collected or confirmation that the personal information has been deleted. To maintain privacy, the file is time sensitive and will be deleted by WP after the date designated in the email to the client.

WordPress Personal Data Email

What Else Do I Need To Do To Ensure GDPR Compliance?

The GDPR is all about making it easy for an individual to know and restrict what personal information companies collect about them. Make it easy for your users and promote trust and transparency by:

  • Making your Privacy Policy visible
  • Asking for consent to gather additional information or to send newsletters/promotions
  • Consider what kinds of personal information your processing and if you really need it
  • Ensuring third parties are GDPR compliant.
    • If a data breach with a third party occurs (example: Google Analytics), you are responsible for the personal information that you supplied to that company.
  • Having a process to handle data breaches and notify the supervisory authority within 72 hours

In Summary

The GDPR protects the rights of individuals accessing sites in the EU; however, people all over the world will also find themselves with stronger rights and better access to the personal information companies have collected about them. The GDPR law hasn’t really gained much attention in the WordPress community until recently. Thankfully WordPress has provided some resources and tools to make GDPR compliance a little easier for everyone. There is a lot more to the GDPR than Privacy Policies, but it’s a good step in the right direction.

We’ve been trying to gather as much information as we can to prepare ourselves, but we didn’t want you to be left out! We are not claiming to be experts on the GDPR. This post and any comments that follow do not constitute legal advice.

Have any questions or want us to feature a certain topic or issue on our blog? Let us know!

Reader Interactions