GDPR Compliance & Consultancy

Expert guidance & knowledge on the General Data Protection Regulation

Contact us for free consultation

We offer to make your website GDPR compliant, and we can guide you through the process:

What is the GDPR?

By now, you have heard of the GDPR: the General Data Protection Regulation. It is a European privacy law, approved by the European Commission in 2016. The GDPR is an attempt to bring data protection legislation in line with new, previously unforeseen ways that data is now used.

The goal is to strengthen, harmonize, and modernize EU data protection law to provide more control over the way personal data is used. It serves to enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right.

Why is the GDPR Important?

The GDPR puts the consumer in the driver’s seat, leaving your business with the task of compliance. If you don’t want to be subject to high fines, it’s time to become GDPR compliant.

The key principles that you must comply with are:

Location

If your organization offers services or goods to citizens and/or residents within the EU, you are subject to the GDPR, even if your organization is not located in the European Union.

Data Protection

The GDPR touches every data process and forces organizations to know and understand their data from a 360-degree perspective.

Effective Date

There will not be a “grace period.” Organizations impacted by the GDPR must be compliant when it takes effect on May 25, 2018.

Penalties

There are tough penalties if you fail to comply: fines of up to €20 million or 4% of global annual turnover, whichever is greater. Enforcement action will extend to countries outside of the European Union where data on EU citizens is analysed.

7 Principles you Need to Know to Comply

01. Start with Legal Basis

You need to begin with ensuring you have legal authorizations in place, allowing you to process personal information. This includes but is not limited to:

  • Obtaining consent for using personal data;
  • Contractual obligations to your consumers;
  • Compliance with other legal obligations you are subject to, etc.

02. Comply with Processing Requirements

The GDPR dictates strict requirements for personal data processing. The GDPR states that data must be:

  • Processed lawfully, fairly and in a transparent manner for your consumers;
  • Collected for specific legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which the data are processed;
  • Accurate and kept up-to-date;
  • Stored for no longer than is necessary for the purposes for which the personal data are processed;
  • Processed in a manner that ensures appropriate security of the personal data, preventing data loss and breaches.

03. Obtain Consumers’ Consent

The conditions for obtaining consent are stricter under the GDPR, as the individual must have the right to withdraw consent at any time. In addition, there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities. This means you have to be able to prove that the consumer agreed to a certain action. Keep in mind that:

  • Consent must be specific to each use and/or processing activity, and separate from registration terms and conditions;
  • Silence, pre-ticked boxes, or inactivity does not constitute consent; your consumers must explicitly opt-in to the storage, use, and processing of their personal data;
  • In the event that services are provided to children (below the age of 16 years), personal data processing will be lawful only if consent is given by parents.

04. Provide Data Management Rights to Consumers

The GDPR provides your consumers with the right to manage their personal data in your system and delete it at any point of time. It is your obligation to ensure you provide these rights to consumers:

  • The right to be forgotten: The consumer may request that an organization delete all of his/her personal data without undue delay;
  • The right to object: The consumer may prohibit certain data uses;
  • The right to rectification: The consumer may request that incomplete data on their profile be completed or that incorrect data be corrected;
  • The right of access: The consumer has the right to know what data about him or her is being processed and how;
  • The right of portability: The consumer may download his or her personal data held by one organization and transport it to another.

05. Ensure Security of Personal Data

The GDPR requires that you put in place technical and organisational measures to ensure an appropriate level of security that protects personal data during processing. While this gives you flexibility, here are some common security safeguards suggested by the GDPR:

  • The pseudonymization and encryption of personal data;
  • Tracking of all data processing activities;
  • Transmitting data only over secure protocols (HTTPS, TLS);
  • Additional security measures like MFA;
  • Data minimization to ensure personal data that is not required for a specific processing activity is not collected or processed;
  • Data deletion once it is no longer required, etc.

06. Inform of Personal Data Breach

In the event of a data breach that poses a significant risk to personal rights or freedoms of your consumers, you are obligated to:

  • Notify every consumer whose data were breached;
  • Notify the supervisory authority of a data breach within 72 hours of becoming aware of the breach.

07. Adhere to the “Privacy by Design” Principle

“Privacy by Design” and “Privacy by Default” are not new. The GDPR merely recognizes this right and requires companies to have a mindset that considers data privacy at all stages of the development process for products, processes, or services that involve processing personal data.

  • Start with GDPR awareness in your organization—everyone who deals with consumer data should know and adhere to all data privacy requirements;
  • Conduct regular risk assessments and implement mitigation responses to identified risks;
  • Hire/train a designated Data Protection Officer to oversee GDPR compliance at your organization;
  • Design new applications and business processes, or update existing ones, with data privacy in mind;
  • Make sure that all your vendors or partners do the same.

The details of your WordPress GDPR compliance

Okay, so with all the official information out of the way, let’s take a moment to talk about how to make sure that your website is compliant and that you won’t experience any WordPress GDPR problems.

Before you move on to each of the aspects and how to comply with them, a security audit on your WordPress site should, in general, reveal how data is being processed and stored on your servers, and the steps required to comply with the GDPR. The Security Audit Log plugin can help you perform a security audit on your website.

Some usual ways in which a standard WordPress site might collect user data:

  • User registrations,
  • Comments,
  • Contact form entries,
  • Analytics and traffic log solutions,
  • Any other logging tools and plugins,
  • Security tools and plugins.

Here are some key aspects of the WordPress GDPR that users need to take care of:

Under the GDPR, if your website experiences a data breach of any kind, that breach needs to be communicated to your users.

A data breach may result in a risk for the rights and freedoms of individuals, due to which notifying users in a timely manner becomes necessary. Under the GDPR, a notification must be sent within 72 hours of first becoming aware of a breach. Data processors are also required to notify users as well as the data controllers, immediately after first becoming aware of a data breach.

In a WordPress scenario, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. However, the complexity here is the definition of the term “user” – it may constitute regular website users, contact form entries, and potentially even commenters.

This clause of the GDPR thus creates a legal requirement to assess and monitor the security of your website. The ideal way is to monitor web traffic and web server logs, but a practical option is to use the Wordfence plugin with notifications turned on. In general, this clause encourages one to use the best security practices available to ensure data breaches do not occur.

User data rights have three elements here: the Right to Access, the Right to Be Forgotten and Data Portability.

  • The right to access provides users with complete transparency in data processing and storage – what data points are being collected, where are these data points being processed and stored, and the reason behind the collection, processing, and storage of the data. Users will also have to be provided a copy of their data.
  • The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their personal data to be used.
  • The data portability clause of the GDPR provides users a right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller.

Privacy by design encourages controllers to enforce data policies which enable the processing and storage of only that data which is absolutely necessary. This encourages site owners and controllers to adopt potentially safer policies for data, by limiting the access to a number of data points.

As a WordPress site owner, you first need to publish a detailed policy on which personal data points you’re using, how they are being processed and stored.

Next, you need to have a setup to provide users with a copy of their data. This is perhaps the most difficult part of the process. However, we can assume that when the time comes, most plugin developers or tool developers – for the tools and plugins that you have on your site – will have already come forward with their own solutions to this.

It is still advised, however, to have a system in place to derive the required data out of your database.

Further, it may be wise to avoid data storage altogether in certain cases. For instance, contact forms could be set up to directly forward all communication to your email address instead of storing them anywhere on the web server.

Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with the GDPR rules.

This can still mean some tough times for some of the most popular plugins out there. For instance, solutions like Gravity Forms or Coderkube have a lot of modules that collect user data by nature. How are those tools going to comply with the GDPR exactly?

For plugins too, the same rules apply, although they must be approached from the point of view of the WordPress site owner. Each plugin needs to establish a data flow and inform about the processing of personal data. If you are the developer of a plugin, consider providing users of your plugin an addendum that they may add to their website’s terms in order to make them GDPR compliant. Gravity Forms, for instance, needs to let the user know how personal data being filled in a contact form is going to be published, and an option to get it removed, if necessary.
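As an added illustration of the export/erase requirement for plugins, the following hypothetical contact-form plugin hooks into the WordPress core personal data export and erasure tools (the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters, present since WordPress 4.9.6). This is example code written for this page, not code from Gravity Forms, Coderkube or any real plugin; the table name, its columns and the function names are assumptions.

```php
<?php
// Added example, not from any real plugin: a hypothetical contact-form plugin that
// stores submissions in a custom table registers WordPress's personal data exporter
// and eraser callbacks, so Tools > Export / Erase Personal Data can serve access and
// erasure requests for its data. Assumed table: {prefix}cf_submissions (id, email, name, message, created_at).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['hypothetical-contact-form'] = array(
        'exporter_friendly_name' => 'Contact Form Submissions',
        'callback'               => 'cf_export_personal_data',
    );
    return $exporters;
} );

function cf_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100; // paginate so large histories do not time out
    // Prepared statement: the address comes from the request, never interpolate it.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, message, created_at FROM {$wpdb->prefix}cf_submissions WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, ( $page - 1 ) * $per_page
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'cf_submissions',
            'group_label' => 'Contact Form Submissions',
            'item_id'     => 'cf-submission-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',      'value' => $row->name ),
                array( 'name' => 'Message',   'value' => $row->message ),
                array( 'name' => 'Submitted', 'value' => $row->created_at ),
            ),
        );
    }
    // 'done' => false makes core call back with the next page.
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['hypothetical-contact-form'] = array(
        'eraser_friendly_name' => 'Contact Form Submissions',
        'callback'             => 'cf_erase_personal_data',
    );
    return $erasers;
} );

function cf_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    // $wpdb->delete() returns the row count, or false on error (cast to 0 below).
    $deleted = $wpdb->delete( $wpdb->prefix . 'cf_submissions', array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (int) $deleted, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```

Once registered, the submissions appear as their own group in the personal data export archive, and the erase request removes them without a manual database query.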

Although there has been no official communication from the popular WordPress plugin developers, Coderkube's Twitter handle has confirmed that they are preparing for the GDPR, and that further updates will appear in their new privacy-related features.

No other plugin seems to have released any statements related to this yet.

We have more than 7 years of experience in the field, with professionals who are among the best in the industry and are always up to date with the latest technologies.

WEB DESIGNING

WEB DEVELOPMENT

ANDROID/IOS APPLICATION DEVELOPMENT

SEARCH ENGINE OPTIMIZATION
