Is your website ready for GDPR
Disclaimer: This post is meant as a brief overview of the new GDPR regulation. It does not claim to be comprehensive and nor does it represent legal advice. I am not a lawyer!
What is GDPR
GDPR stands for General Data Protection Regulation. It is a new data protection law in the EU. The GDPR will apply in the UK from 25 May 2018, and the UK government has confirmed that the decision to leave the EU will not affect its commencement (source: ICO).
The aim of the GDPR is to give citizens of the EU control over their personal data, and change the approach of every organisation towards data privacy.
The penalties for non-compliance can be severe. “Under GDPR, organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements” (source: http://www.eugdpr.org/key-changes.html).
The GDPR provides much stronger rules than existing laws and significantly strengthens consent requirements.
For example, as a website owner you need to:
- Where you rely on consent as your lawful basis for processing (consent is one of six lawful bases under the GDPR; data needed to fulfil an order, for example, can be processed on the basis of that contract instead), obtain it before the data is collected: consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
- Have a means for users to request access to, and see, the personal data you hold on them.
- Provide users with a way to withdraw consent, and a way to request erasure of the personal data you hold on them (the “right to be forgotten”, formally the right to erasure). Erasure has to reach every place the data was copied to, including third-party processors such as your email marketing service.
The GDPR applies to the personal data of people in the EU regardless of where the organisation processing it is based, whenever that organisation offers goods or services to them or monitors their behaviour. In practice this covers any website that takes orders, enquiries or sign-ups from EU visitors, which means virtually all websites and businesses that deal with the public must comply.
Steps towards GDPR compliance for a WordPress website
1. Conduct a personal data audit
List all the data you are collecting on your website and ask the following questions:
What data do I collect?
This can be personal data you collect and store through your own website or personal data collected by a 3rd party processor. For example:
- Do you have a contact form collecting things like name, email address, telephone number… ?
- Do you collect personal details on a third party email marketing service like Mailchimp ?
- Do you operate an online store and collect customer data for processing their orders ?
Where is the data being stored ?
- Does your contact form store personal details on your website database ?
- If your website has an ecommerce facility, personal information relating to customer accounts and orders is almost certainly stored in your website database.
The data in the database itself is normally stored unencrypted, so if the database were breached (or a backup, export or database dump were leaked) the personal data would be exposed in full.
Do I really need all this data ?
Limiting the personal information you collect and store also limits the impact of a breach and your exposure to non-compliance with the GDPR. So, if you don’t absolutely need some of the personal information you currently collect and/or store on your website, take steps now to stop collecting it, stop storing it, or set a retention period after which it is deleted.
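A way to make the audit concrete, as an added example that is not code from the original post: the script below walks every table and column of a WordPress-style database and reports which columns hold values that look like email addresses, IPv4 addresses or phone numbers. It runs against a constructed in-memory SQLite copy whose table and column names follow WordPress core; the meta keys and the `flamingo_inbound` post type are modelled on what WooCommerce (legacy post-based orders) and Contact Form 7’s Flamingo add-on store, and every value in it is invented.

```python
import re
import sqlite3
from collections import Counter

# Constructed sample data standing in for a WordPress database. Table and column
# names follow WordPress core; the meta keys and the flamingo_inbound post type
# are modelled on WooCommerce (legacy post-based orders) and Contact Form 7's
# Flamingo add-on. Every value below is invented.
SAMPLE_SCHEMA = """
CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT);
CREATE TABLE wp_comments (comment_ID INTEGER, comment_author TEXT,
                          comment_author_email TEXT, comment_author_IP TEXT,
                          comment_content TEXT);
CREATE TABLE wp_postmeta (meta_id INTEGER, post_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER, post_type TEXT, post_content TEXT);
CREATE TABLE wp_options (option_id INTEGER, option_name TEXT, option_value TEXT);
"""
SAMPLE_ROWS = [
    ("INSERT INTO wp_users VALUES (?,?,?)",
     [(1, "admin", "owner@example.com")]),
    ("INSERT INTO wp_comments VALUES (?,?,?,?,?)",
     [(1, "Alice", "alice@example.net", "203.0.113.7", "Nice post"),
      (2, "Bob", "bob@example.org", "198.51.100.23", "Call me on +44 7700 900123")]),
    ("INSERT INTO wp_postmeta VALUES (?,?,?,?)",
     [(1, 10, "_billing_email", "carol@example.com"),
      (2, 10, "_billing_phone", "+44 20 7946 0958"),
      (3, 10, "_billing_address_1", "1 Example Street"),
      (4, 11, "_thumbnail_id", "42")]),
    ("INSERT INTO wp_posts VALUES (?,?,?)",
     [(20, "flamingo_inbound",
       "From: dave@example.com\nTel: 07700 900456\nMessage: please call me"),
      (21, "post", "Just a blog post with no personal data in it")]),
    ("INSERT INTO wp_options VALUES (?,?,?)",
     [(1, "admin_email", "owner@example.com"), (2, "blogname", "Demo site")]),
]

# Detectors run in this order, and each match is blanked out before the next
# detector runs, so an IPv4 address is not also counted as a phone number.
PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("phone", re.compile(r"\+?\d[\d\s().-]{8,}\d")),
]


def classify(text):
    """Return the set of personal-data categories found in one cell value."""
    found = set()
    remaining = text
    for name, pattern in PATTERNS:
        if pattern.search(remaining):
            found.add(name)
            remaining = pattern.sub(" ", remaining)
    return found


def scan_database(conn):
    """Walk every table and column of a SQLite connection and return
    {(table, column): Counter({category: rows_with_a_hit})} for the columns
    that hold something that looks like personal data."""
    hits = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [row[1] for row in conn.execute(f"PRAGMA table_info('{table}')")]
        for column in columns:
            counter = Counter()
            for (value,) in conn.execute(f'SELECT "{column}" FROM "{table}"'):
                if isinstance(value, str):      # integers, blobs and NULLs are skipped
                    for category in classify(value):
                        counter[category] += 1
            if counter:
                hits[(table, column)] = counter
    return hits


def build_sample_db():
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    return conn


def report(hits):
    """Render the scan result as one line per table.column, for the audit record."""
    lines = []
    for (table, column), counter in sorted(hits.items()):
        summary = ", ".join(f"{cat}: {n} rows" for cat, n in sorted(counter.items()))
        lines.append(f"{table}.{column}  ->  {summary}")
    return lines


if __name__ == "__main__":
    for line in report(scan_database(build_sample_db())):
        print(line)
```

Against a live site, load a mysqldump into SQLite or swap the sqlite3 calls for a MySQL driver and `information_schema.columns`. Treat hits as candidates for manual review rather than a verdict: a date string or an order number can trip the phone pattern, and free-text columns such as `post_content` can hold anything a visitor typed. The columns this turns up are exactly the ones your subject-access and erasure processes have to cover.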
NOTE: “I don’t process any personal data, but my Google, Mailchimp etc. systems do”
The GDPR would call these systems third-party data processors: they process the data controller’s data on the controller’s behalf, and the controller remains responsible for it. The GDPR also requires a written contract (a data processing agreement) between you and each processor, setting out what they may do with the data; the larger services publish one for you to accept. Most (but certainly not all) of these systems are run by US-based companies, who should be going through the process of becoming GDPR-compliant at this very moment if they have not already done so. US companies should also be Privacy Shield compliant. The US Privacy Shield framework was co-developed by the US Department of Commerce and the European Commission to provide mechanisms to protect the flow of personal data between the EU and the US. (Note that the Privacy Shield framework was invalidated by the Court of Justice of the EU in July 2020, so EU-US transfers now need a different mechanism, such as standard contractual clauses.)
“Data processor” definition
“Data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller (ICO definition; the GDPR’s own wording in Article 4 is “a natural or legal person ... which processes personal data on behalf of the controller”). So, for example, an email marketing service such as Mailchimp would be a third-party data processor, as it holds and processes personal data on your behalf for the purpose of sending out communication emails.
3. Implement an SSL certificate
Websites served over HTTPS send data over an encrypted connection, so installing a TLS certificate (usually still called an SSL certificate) and serving the whole site over HTTPS is a useful step towards GDPR compliance. Without HTTPS, any data submitted to your site, for example through a contact form or a login page, travels “in the clear” and can be read or altered by anyone on the network path. Having a certificate is not enough on its own: redirect every plain-HTTP request to HTTPS, set the WordPress site and home URLs to https:// so that forms are not posted to an http:// address, and bear in mind that HTTPS protects data in transit only; what sits in the database is unaffected. You can read more about SSL certificates and HTTPS in this blog post
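A check that a certificate is actually doing its job, as an added example that is not part of the original post: the script below judges a site by two things a certificate alone does not give you, whether a plain-HTTP request is redirected to HTTPS on the same host, and whether the HTTPS response carries a Strict-Transport-Security header with a max-age of at least a year that also covers subdomains. The evaluation is a pure function so it can be exercised on constructed responses; `probe()` runs the same checks against a live host and needs network access. The host name and the response values are placeholders, not captured from any real site.

```python
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlparse

HSTS_MIN_AGE = 31536000   # one year; a shorter max-age gives little protection


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict of directives,
    e.g. 'max-age=63072000; includeSubDomains' -> {'max-age': 63072000,
    'includesubdomains': True}. Directive names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name == "max-age":
            try:
                directives[name] = int(val.strip().strip('"'))
            except ValueError:
                directives[name] = 0      # a malformed max-age counts as none
        else:
            directives[name] = True
    return directives


def evaluate_transport(host, http_status, http_location, https_headers):
    """Judge a plain-HTTP probe (status and Location header of GET http://host/)
    together with the response headers of GET https://host/. Returns a list of
    findings; an empty list means every check passed."""
    findings = []
    headers = {k.lower(): v for k, v in https_headers.items()}
    target = urlparse(http_location or "")
    if http_status not in (301, 302, 307, 308) or target.scheme != "https":
        findings.append("plain HTTP is served without redirecting to HTTPS")
    elif target.hostname != host:
        findings.append(f"HTTP redirects to a different host: {target.hostname}")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        directives = parse_hsts(hsts)
        max_age = directives.get("max-age", 0)
        if max_age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age={max_age} is below {HSTS_MIN_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS does not cover subdomains")
    return findings


def probe(host, timeout=10):
    """Run the checks against a live site (needs network access). The HTTPS
    connection verifies the certificate against the system trust store, so an
    invalid or expired certificate surfaces here as an ssl.SSLError."""
    http = HTTPConnection(host, timeout=timeout)
    http.request("GET", "/")
    resp = http.getresponse()
    status, location = resp.status, resp.getheader("Location")
    http.close()
    https = HTTPSConnection(host, timeout=timeout)
    https.request("GET", "/")
    sresp = https.getresponse()
    headers = dict(sresp.getheaders())
    https.close()
    return evaluate_transport(host, status, location, headers)


# Constructed responses (not captured from any real site) for the two ends of
# the spectrum; the host name is a placeholder.
WEAK_SITE = ("www.example.com", 200, None, {"Content-Type": "text/html"})
HARDENED_SITE = ("www.example.com", 301, "https://www.example.com/",
                 {"Content-Type": "text/html",
                  "Strict-Transport-Security":
                      "max-age=63072000; includeSubDomains; preload"})

if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, evaluate_transport(*site) or ["all checks passed"])
```

In WordPress, once the redirect is in place also set the WordPress Address and Site Address to https:// (Settings > General, or the `siteurl` and `home` options) so that forms and assets are not served from http:// URLs; otherwise a contact form can still post its contents in the clear even though a certificate is installed.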
4. Understand data breach reporting requirements
The GDPR requires the data controller to have suitable processes defined and in place for handling a personal data breach. Where a breach is likely to result in a risk to individuals, the controller is legally obliged to report it to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, and where the risk is high the affected individuals must be told as well, without undue delay. A breach of data that is unintelligible to whoever obtained it, for example because it was strongly encrypted, is one case where the duty to tell individuals may not apply, which is a practical argument for encrypting stored personal data and backups. Further information on reporting a data breach can be found on the Information Commissioner’s Office website.
Here are three resources produced by the Information Commissioner’s Office (ICO) that you may find useful for a deeper understanding of the GDPR: