Hugues Audouard, freelance web designer and WordPress consultant

Is your website ready for GDPR?

Disclaimer: This post is meant as a brief overview of the new GDPR regulation. It does not claim to be comprehensive, nor does it represent legal advice. I am not a lawyer!

What is GDPR?

GDPR stands for General Data Protection Regulation. It is a new data protection law in the EU. The GDPR applies in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR (source: ICO).

The aim of the GDPR is to give citizens of the EU control over their personal data, and change the approach of every organisation towards data privacy.

The penalties for non-compliance can be severe. “Under GDPR, organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements.” Source: http://www.eugdpr.org/key-changes.html

The GDPR provides much stronger rules than existing laws and significantly strengthens consent requirements.

For example, as a website owner you need to:

  • Where you rely on consent as the lawful basis for collecting personal data (the GDPR also recognises other bases, such as performing a contract with the user, but consent is the usual one for marketing), obtain it before any collection takes place: consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity.
  • Have a clear and accessible privacy policy informing users how the data you collect will be stored and used.
  • Have a means for users to request access to and view the data you have collected on them.
  • Provide users with a way to withdraw consent (withdrawing it must be as easy as giving it) and to have the personal data you hold on them erased. This is the right to erasure, commonly called the “Right to Be Forgotten”.

The GDPR applies to any organisation established in the EU, and to organisations anywhere else in the world that process the personal data of people in the EU when offering them goods or services or monitoring their behaviour (the test is where the people are, not their citizenship). In practice, a website with EU visitors or customers should assume it must comply, which covers the vast majority of websites and businesses.

Steps towards GDPR compliance for a WordPress website

1. Conduct a personal data audit

List all the data you are collecting on your website and ask the following questions:

What data do I collect?
This can be personal data you collect and store through your own website, or personal data collected on your behalf by a third-party processor. For example:

  • Do you have a contact form collecting things like name, email address, telephone number…?
  • Do you collect personal details through a third-party email marketing service such as Mailchimp?
  • Do you operate an online store and collect customer data to process their orders?

Where is the data being stored?

For example:

  • Does your contact form store submissions in your website database, or only email them to you?
  • If your website has an ecommerce facility, personal information relating to customer accounts and orders is almost certainly being stored in your website database.

WordPress and most plugins store this data in the database unencrypted (only passwords are hashed), so a breach of the database, or of any backup of it, exposes the personal data directly.

Do I really need all this data?

Limiting the personal information you collect and store also limits your exposure: data you never collected cannot be breached, and data you no longer hold cannot put you out of compliance. So, if you don’t absolutely need some of the personal information you currently collect and/or store on your website, take steps now to stop collecting it, stop storing it, or delete it once it has served its purpose (contact form submissions that already sit in your mailbox rarely need to stay in the database as well).
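A first pass at the audit can be made directly against the database. The queries below are an added example, not part of the original post, for a WordPress site on MySQL or MariaDB, run while connected to the site’s database; they assume the default wp_ table prefix, which you should change if your install uses another. The first query lists every column in the schema, plugin tables included, whose name suggests personal data; the second looks inside the meta tables, where WordPress and plugins such as WooCommerce keep addresses and phone numbers under a key rather than a column name; the third counts the personal data WordPress core collects on its own through comments.

```sql
-- Added example, not from the original post. Run while connected to the
-- WordPress database (USE your_wp_db;). Assumes the default "wp_" table prefix.

-- 1. Every column in this schema, plugin tables included, whose name suggests
--    personal data. Deliberately broad and therefore noisy: review the result
--    by hand and strike out false positives such as option_name or post_name.
--    The backslash stops "_" acting as a single-character wildcard in LIKE.
SELECT TABLE_NAME, COLUMN_NAME, COLUMN_TYPE
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND (COLUMN_NAME LIKE '%email%'
    OR COLUMN_NAME LIKE '%phone%'
    OR COLUMN_NAME LIKE '%address%'
    OR COLUMN_NAME LIKE '%\_ip'
    OR COLUMN_NAME LIKE '%name%'
    OR COLUMN_NAME LIKE '%birth%')
ORDER BY TABLE_NAME, COLUMN_NAME;

-- 2. Key/value meta tables hide personal data behind the meta_key, not the
--    column name. WooCommerce, for example, keeps customer addresses in
--    wp_usermeta and order details in wp_postmeta. Inventory the keys in use
--    and how many rows carry each one.
SELECT 'wp_usermeta' AS tbl, meta_key, COUNT(*) AS rows_with_key
FROM wp_usermeta
WHERE meta_key LIKE '%billing%' OR meta_key LIKE '%shipping%'
   OR meta_key LIKE '%phone%'   OR meta_key LIKE '%email%'
   OR meta_key LIKE '%address%'
GROUP BY meta_key
UNION ALL
SELECT 'wp_postmeta', meta_key, COUNT(*)
FROM wp_postmeta
WHERE meta_key LIKE '%billing%' OR meta_key LIKE '%shipping%'
   OR meta_key LIKE '%phone%'   OR meta_key LIKE '%email%'
   OR meta_key LIKE '%address%'
GROUP BY meta_key
ORDER BY tbl, rows_with_key DESC;

-- 3. Personal data WordPress core collects without any form of yours: every
--    comment stores the author's name, email address and IP address, and the
--    oldest ones are usually the first candidates for deletion.
SELECT COUNT(*)                             AS comments_with_personal_data,
       COUNT(DISTINCT comment_author_email) AS distinct_emails,
       MIN(comment_date)                    AS oldest_comment
FROM wp_comments
WHERE comment_author_email <> '' OR comment_author_IP <> '';
```

The first query is where plugin tables show up: a form plugin that keeps submissions in its own table appears there, and one that stores them as posts appears among the wp_postmeta keys of the second query. Treat the output as the starting point of the audit rather than a substitute for reading each plugin’s documentation: free-text fields such as comment_content or a form’s message body can contain personal data too, and no column name will reveal that.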

NOTE: “I don’t process any personal data, but my Google, Mailchimp etc. systems do”

The GDPR calls these systems third-party data processors: they process personal data on behalf of the data controller, which is you. Most (but certainly not all) of these systems are run by US-based companies, who should be going through the process of becoming GDPR-compliant at this very moment if they have not already done so. US companies should also be Privacy Shield compliant. The EU-US Privacy Shield framework was co-developed by the US Department of Commerce and the European Commission to provide mechanisms for protecting personal data flowing between the EU and the US. (Note that the Court of Justice of the EU invalidated Privacy Shield in July 2020; transfers to the US since then rely on other safeguards, such as standard contractual clauses, so check what each processor offers today.)

“Data processor” definition
“Data processor” in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. (ICO definition) So, for example, an email marketing service such as Mailchimp would be a 3rd party data processor as it holds and processes personal data on your behalf for the purpose of sending out communication emails.

For each third-party data processor, check their privacy policy, confirm they are GDPR-compliant, and put a data processing agreement in place with them (the GDPR requires a written contract between controller and processor setting out what the processor may do with the data). Note where each one stores and processes the data, since that matters if the data leaves the EU.

2. Write a privacy policy

Ensure your website features a privacy policy page that tells users who you are, what data you collect and why (including the lawful basis you rely on), who you share it with (including the third-party processors from your audit), how long you keep it, how they can request access to their data, and how they can withdraw consent or ask for their data to be erased. You can look at my own privacy policy here (please bear in mind that this is merely provided as an example and not as a recommendation; if you are unsure about what your privacy policy should say, please seek legal advice).

3. Implement an SSL certificate and serve the site over HTTPS

Websites that use HTTPS send data over an encrypted connection, so installing an SSL/TLS certificate is a useful step towards GDPR compliance: it protects personal data in transit, which the regulation expects you to do. Without HTTPS, any data, for example from a contact form or the WordPress login page, is sent “in clear” and could be read or altered by anyone able to intercept it. The certificate alone is not enough: once it is installed, change the WordPress site address to https://, redirect every http:// request to its https:// equivalent, and check that your forms do not post to an http:// URL, otherwise the data still travels unencrypted. You can read more about SSL certificates and HTTPS in this blog post.

4. Understand data breach reporting requirements

The GDPR requires the data controller to have a defined process in place for handling a personal data breach. Unless the breach is unlikely to result in a risk to the people concerned, the controller has a legal obligation to report it to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, and where the risk to individuals is high, to inform the affected individuals as well. Every breach, reported or not, must be recorded internally. This is one more reason to know exactly what personal data you hold and where: you cannot assess the impact of a breach within 72 hours otherwise. Further information on reporting a data breach can be found on the Information Commissioner’s Office website.


Further reading

Here are three resources produced by the Information Commissioner’s Office (ICO) which you may find useful for a deeper understanding of GDPR:

Overview of the General Data Protection Regulation (GDPR) >

Debunking some of the myths circulating about GDPR >

Preparing for GDPR: a 12-step checklist of steps to take now >

Hugues

I'm a freelance web designer & developer, as well as a bit of a digital marketing expert. I love all things WordPress and helping people make the most of their website and digital marketing presence. You'll sometimes find me lurking at various WordPress meet-ups, Facebook groups or the WordPress.org support forum...
