The General Data Protection Regulation (GDPR) is a new EU regulation that affects the way every WordPress site collects and manages user data. Because the new rules are wide-reaching, even non-EU sites and businesses are swept up in these changes. If you are in business and deal with EU citizens, whether they are currently residing in an EU country or not, then you need to make your WordPress website GDPR compliant. Non-compliant businesses risk fines of up to 20 million euros or up to 4% of business revenue.
GDPR enforcement comes into effect on 25 May 2018. This document explores the legislation, the steps you should take, and what may happen if you neglect them. Please be aware that making your business GDPR compliant involves more than just your website. Here's the disclaimer: we are not legal experts, and you should consult legal counsel on how best to structure your business and website to be compliant.
So what is GDPR?
The General Data Protection Regulation is a data protection law in the EU that gives EU citizens better control over their data by changing the way organizations across the world manage privacy and user data. The new rules are stronger than those currently in place, such as the EU cookie law. They include measures such as requiring users to confirm that their data can be collected, easily understood privacy statements that show what data will be stored and how it will be used, and the ability for website visitors to withdraw their consent to the use of their personal data.
GDPR applies to non-EU businesses too!
GDPR is not just for EU businesses. It applies to the data of any EU citizen regardless of where the citizen is residing or where their data is captured. Every interaction with an EU citizen requires compliance, so the fact that your business does not operate in the EU does not give you a free pass! If you collect personal data from an EU citizen on your website (for example through a contact form), then GDPR applies to you and will be enforceable from 25 May 2018.
What constitutes personal data?
Article 4(1) defines “personal data” as follows (all emphasis added unless otherwise stated):
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This definition is broad and fairly all-encompassing. It includes a) any information relating to an identified individual (i.e. which makes such info personal to that individual), or b) any information relating to someone who could be identified based on a variety of identifiers.
Here are some tangible examples of personal data. You should be aware that personal data is not limited to these.
| Linked personal data (directly linked to a person) | Linkable personal data (combine to identify a person) | Sensitive (special categories of personal data) |
|---|---|---|
| Full name | First name only | Biometric data |
| Date of birth | Last name only | Racial data |
| Residential address | A portion of the address (country, street, postcode etc.) | Health data |
| Telephone number | Age category, not specific (20-30 years or 40-60 years) | Ethnic origin |
| Email address | Place of work | Political opinions |
| Passport number | Position at work | Religious or philosophical belief |
| Identification number | IP address | Trade union details |
| Driver's license number | Device ID | Genetic data |
| Social security number | | Sexual preference |
In what ways does WordPress collect data that falls under GDPR?
A WordPress site collects user data in the following ways:
- During user registration
- When a user leaves a comment
- When users send you a message via a contact form
- When a customer pays for a product or service via your website using a plugin like WooCommerce
- When a member subscribes to your website to get updates or access to premium information
- When a customer takes a course on your website
- Site analytics and traffic logs, such as Google Analytics
- Tools that track and log security events such as suspected breaches, including the IP address of a particular user
- When a customer provides information to you via your website for you to provide a particular service
A security audit on your website data will tell you how data is being processed and stored on your servers.
What things should you do to make your GDPR compliance easier?
1. Perform a Data Audit
A data audit is a good place to start (to know the extent of the work) and to end (to know you have completed it). It will identify all the different types of data you collect so they can be evaluated along with your systems and processes. For WordPress owners, it could identify data collected by disused plugins, and data that is still being collected but no longer used and can therefore be removed. This is best done by someone who can examine the data, and the data models, within your WordPress installation.
2. Classify the data you discover
You need to know all the data sources so that personal data can be extracted, categorized and classified. All personal data must be audited so that it can be managed correctly.
You need to know exactly where the data is stored at any time. This helps you manage the risk of breaches, and under GDPR you also need to be able to prove where the data is held.
You need to understand the reason you are processing and storing that data and understand how you’re going to use that data. You need this so you can obtain explicit consent to use this data in your privacy statement.
Finally, to be compliant, you need to understand the rules. You need correctly documented privacy policies for managing the data, and the data you hold must be anonymized according to a data governance model you set out. This gives you the level of control you need to manage your GDPR responsibilities properly.
3. Who is your ‘data controller’?
If you are in control of the data, determining how and why it is being processed, then it is highly likely that you will hold the role of 'data controller' under GDPR. This means you have a broad knowledge of your business, the data you process and store, and the systems used to process it.
4. Do you need to appoint a ‘data protection officer’?
Some organizations will need to appoint a DPO. A knowledgeable DPO (with a technical and legal background) is beneficial to the organization as they will be able to offer guidance with respect to the regulation, legal obligations, and business application. You will need to decide whether you need this.
5. Protect your website’s personal data
Once you have a clear handle on the data you process and how it needs to be protected, you need to think about whether you are securing personal data properly, and then what changes are required to do so.
Your priority should be to protect the privacy of personal data. To do this, you could choose to carry out a Privacy Impact Assessment, with an emphasis on GDPR-specific requirements including data portability, the right to be informed, the right to be forgotten, and the right way to destroy data. You will need to consider every location where data is stored: on your servers, in the cloud, and in offsite backups.
Where practical, use encryption, anonymization and pseudonymization. Which you choose will depend on user rights and how you are using that data. Keep the data you need and remove any unnecessary data: the less data you hold, the less you have to protect.
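As an added example (not from the original post), the Python script below shows the practical difference between pseudonymizing and anonymizing the IP addresses that security and traffic logs (listed above as linkable personal data) contain. The log format, the addresses and the key are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import Counter
from typing import Callable

# Constructed sample of lines a WordPress security plugin might write. The format and the
# addresses (documentation ranges) are made up for this example; real plugins differ.
SAMPLE_LOG = """\
2018-05-20 10:12:01 failed-login user=admin ip=203.0.113.42
2018-05-20 10:12:09 failed-login user=admin ip=203.0.113.42
2018-05-20 10:15:33 comment user=alice ip=198.51.100.7
2018-05-20 10:16:02 failed-login user=root ip=203.0.113.42
2018-05-20 10:17:45 failed-login user=admin ip=2001:db8::1
"""

IP_RE = re.compile(r"ip=(\S+)")

def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the address, truncated to 16 hex chars.
    The same IP always yields the same token, so events stay linkable (the
    data is therefore still personal data under GDPR), but without the key
    the token cannot be mapped back to an address. Store the key separately."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]

def anonymize_ip(ip: str) -> str:
    """Drop the host part (keep /24 for IPv4, /48 for IPv6). The result no
    longer singles out one device, but repeated events from one host can no
    longer be linked either, which weakens brute-force detection."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def rewrite_log(text: str, transform: Callable[[str], str]) -> str:
    """Apply `transform` to every ip=... field in the log text."""
    return IP_RE.sub(lambda m: "ip=" + transform(m.group(1)), text)

def failed_logins_per_source(text: str) -> Counter:
    """Count failed-login lines per ip field, to show which rewrite keeps the
    signal a security tool needs (many failures from one source)."""
    counts: Counter = Counter()
    for line in text.splitlines():
        match = IP_RE.search(line)
        if "failed-login" in line and match:
            counts[match.group(1)] += 1
    return counts
```

Run the pseudonymized log through failed_logins_per_source and the three failures from one source are still visible; run the anonymized log through it and they are not, which is the trade-off the choice between the two techniques comes down to.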
6. Demonstrate accountability
You need to be able to show how you are transparent in all your data processing activities. You need to document how you are capturing your consent to use the data you are storing and processing.
It is also good practice to demonstrate those steps you have taken towards compliance. This demonstrates your accountability and shows that you have taken steps, even if your journey is not yet complete. Showing that effort has been made and that your compliance has commenced is useful, so keep your emails, records, and documents about your compliance journey.
7. Conduct another audit
Once you feel you have put all your compliance controls in place, conduct another audit. Keep documentation to show this has taken place, because it demonstrates that you have tested the processes you set up.
Your audit should now record what personal data you hold, how it is used, why it is used, where it is stored, who can access it, and where it can be found. It should demonstrate your governance processes and that you can properly protect the data you collect at all times.
Of course, if you find any gaps or your systems change, you need to continue to test and remediate your processes.
Where to from here?
The first step should be to engage legal counsel on the impact of GDPR on your personal situation. Once you know the extent to which you are affected then speak to us about establishing the technical site requirements to manage your compliance obligations. Contact us for additional information on how we can help your WordPress installations become compliant.
GDPR Information Portal – https://www.gdpreu.org/
What Personal Information is and isn’t – http://techgenix.com/personal-information-under-gdpr/