By now, you have heard of the GDPR: the General Data Protection Regulation. It is a European privacy law, approved by the European Commission in 2016. The GDPR is an attempt to bring data protection legislation in line with new, previously unforeseen ways that data is now used.
The goal is to strengthen, harmonize, and modernize EU data protection law to provide more control over the way personal data is used. It serves to enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right.
The GDPR puts the consumer in the driver’s seat, leaving your business with the task of compliance. If you don’t want to be subject to high fines, it’s time to become GDPR compliant. The key principles that you must comply with are:
If your organization offers services or goods to citizens and/or residents within the EU, you are subject to the GDPR, even if your organization is not located in the European Union.
The GDPR touches every data process and forces organizations to know and understand their data from a 360-degree perspective.
There will not be a “grace period.” Organizations impacted by the GDPR must be compliant when it takes effect on May 25, 2018.
There are tough penalties if you fail to comply: fines of up to €20 million or 4% of global annual turnover, whichever is greater. Enforcement action will extend to countries outside of the European Union where data about EU citizens is analysed.
You need to begin with ensuring you have legal authorizations in place, allowing you to process personal information. This includes but is not limited to:
The GDPR dictates strict requirements for personal data processing. The GDPR states that data must be:
The conditions for obtaining consent are stricter under the GDPR, as the individual must have the right to withdraw consent at any time. In addition, there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities. This means you have to be able to provide proof that the consumer agreed to a certain action. Keep in mind that:
The GDPR provides your consumers with the right to manage their personal data in your system and delete it at any point of time. It is your obligation to ensure you provide these rights to consumers:
The GDPR requires that you put in place technical and organisational measures to ensure an appropriate level of security that protects personal data during processing. While this gives you flexibility, here are some common security safeguards suggested by the GDPR:
In the event of a data breach that poses a significant risk to personal rights or freedoms of your consumers, you are obligated to:
“Privacy by Design” and “Privacy by Default” are not new. The GDPR merely recognizes this right and requires companies to have a mindset that considers data privacy at all stages of the development process for products, processes, or services that involve processing personal data.
Under the GDPR, if your website suffers a data breach of any kind, that breach needs to be communicated to your users.
Because a data breach may put the rights and freedoms of individuals at risk, users must be notified in a timely manner. Under the GDPR, a notification must be sent within 72 hours of first becoming aware of a breach. Data processors are also required to notify users as well as the data controllers immediately after first becoming aware of a data breach.
In a WordPress scenario, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. The complexity here, however, is the definition of the term “user”: it may cover registered website users, people who submitted contact form entries, and potentially even commenters.
This clause of the GDPR thus creates a legal requirement to assess and monitor the security of your website. The ideal way is to monitor web traffic and web server logs, but a practical option is to use the Wordfence plugin with notifications turned on. In general, this clause encourages one to use the best security practices available to ensure data breaches do not occur.
There are three elements to this: the Right to Access, the Right to Be Forgotten, and Data Portability.
Privacy by design encourages controllers to enforce data policies that allow the processing and storage of only the data that is absolutely necessary. This encourages site owners and controllers to adopt potentially safer data policies by limiting access to a smaller number of data points.
As a WordPress site owner, you first need to publish a detailed policy stating which personal data points you collect, and how they are processed and stored.
Next, you need a setup that provides users with a copy of their data. This is perhaps the most difficult part of the process. However, we can assume that by the time it matters, most developers of the plugins and tools you have on your site will have come forward with their own solutions to this.
It is still advised, however, to have a system in place to derive the required data out of your database.
Further, it may be wise to avoid data storage altogether in certain cases. For instance, contact forms could be set up to directly forward all communication to your email address instead of storing them anywhere on the web server.
Any plugin you use will also need to comply with the GDPR. As a site owner, however, it remains your responsibility to make sure that every plugin can export, provide, and erase the user data it collects, as the GDPR requires.
This can still mean some tough times for some of the most popular plugins out there. For instance, solutions like Gravity Forms or Coderkube have a lot of modules that collect user data by nature. How are those tools going to comply with the GDPR exactly?
For plugins too, the same rules apply, although they must be approached from the point of view of the WordPress site owner. Each plugin needs to establish a data flow and inform about the processing of personal data. If you are the developer of a plugin, consider providing users of your plugin with an addendum that they can add to their website’s terms in order to make them GDPR compliant. Gravity Forms, for instance, needs to let the user know how personal data entered in a contact form is going to be handled, and offer an option to have it removed if necessary.
Although there has been no official communication from the popular WordPress plugin developers, Coderkube's Twitter handle has confirmed that they are preparing for the GDPR, and that further updates will appear in their new privacy-related features.
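As an added example (not code from the original post, nor from any plugin vendor named here), this is how a plugin developer could wire the export and erasure asked of plugins above into WordPress's own privacy tools. It assumes a hypothetical contact-form plugin that stores entries in a custom table `contact_entries` (columns `id`, `email`, `message`, `created_at`) and uses the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters that WordPress provides.

```php
<?php
// Added example (not from the original post): a hypothetical contact-form plugin
// registering a personal-data exporter and eraser with WordPress's privacy hooks
// (WordPress 4.9.6+). Assumes a custom table {$wpdb->prefix}contact_entries
// with columns id, email, message, created_at.
function myform_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'contact_entries';
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, message, created_at FROM {$table} WHERE email = %s", $email_address ) );
    $items = array();
    foreach ( $rows as $row ) {  // one export item per stored entry
        $items[] = array(
            'group_id'    => 'myform_entries',
            'group_label' => 'Contact Form Entries',
            'item_id'     => 'myform-entry-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email',   'value' => $email_address ),
                array( 'name' => 'Message', 'value' => $row->message ),
                array( 'name' => 'Sent',    'value' => $row->created_at ),
            ),
        );
    }
    // 'done' => true: everything fits in one page, WordPress need not call again.
    return array( 'data' => $items, 'done' => true );
}
function myform_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'contact_entries',
        array( 'email' => $email_address ), array( '%s' ) );
    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,  // nothing held back (e.g. for legal retention)
        'messages'       => array(),
        'done'           => true,
    );
}
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['myform'] = array(
        'exporter_friendly_name' => 'My Contact Form',
        'callback'               => 'myform_export_personal_data',
    );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['myform'] = array(
        'eraser_friendly_name' => 'My Contact Form',
        'callback'             => 'myform_erase_personal_data',
    );
    return $erasers;
} );
```

Once registered, the site owner can fulfil access and erasure requests from Tools → Export Personal Data and Tools → Erase Personal Data, and the plugin's entries are handled alongside WordPress's own user and comment data.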
No other plugin seems to have released any statements related to this yet.