If you’ve been following my blog for a while, you’ll have seen me talk about GDPR a few times, but let’s go over what it is once more before delving into how to make your WordPress website compliant.
General Data Protection Regulation is the new EU data protection law that will be enforced from the 25 May 2018. Its purpose is to give citizens of the EU control over their personal data and to change the approach of organisations across the world towards data privacy.
GDPR applies to everyone that collects and processes personal data from the EU
So even if you’re a blogger based in the USA, if you have EU visitors using your website and subscribing to your mailing list, GDPR applies to you. Let’s take a moment to consider the kind of personal information that you’ll collect through your website, the definition of which is “any information relating to an identified or identifiable natural person”.
Name – contact form, checkout, comments, mailing list sign-up, members area
Email – contact form, checkout page, mailing list sign-up
Address – contact form, checkout page,
Phone – contact form
IP address – comments, google analytics
Those are just a few examples of how and where we collect personal data on our websites (perhaps without really realising it – security tools and plugins will collect personal data too).
What are your obligations under GDPR for personal data collected on your website?
Before data collection takes place, i.e. before that comment is made or the contact form is completed, the individual must be aware that their personal data is being collected, processed and stored and give their explicit consent for this to happen. You must also inform the user of how and where their data will be stored, and for what purpose.
An important concept of GDPR is ‘privacy by design’. As a business owner and data controller, you should have policies in place that ensure that you’re only collecting, processing and storing the data that is necessary to complete your work – i.e. process payment and dispatch an order to a customer.
GDPR also introduces the right to be forgotten. This gives your website users the option to have all the personal data you’ve collected and processed on them deleted. They also have the right to download the personal data that has been collected – you have 40 days to provide this to them free of charge.
You’ll also have to inform the ICO of any breaches to data that may occur within 72 hours.
How can I make my WordPress website compliant?
Make sure that your web host is GDPR compliant.
Where are their servers located? If they’re in the USA, they should be EU-Privacy Shield certified. Make sure you ask your web host directly (if the information isn’t freely available on their website) if they are compliant and the steps they’ve taken to ensure that they are.
Ensure that your website is secure
Security of personal data is the key issue here, and so you need to make your website is as safe as it can be. An SSL certificate is essential for that ‘green padlock’ status denoting that the website is safe through an encrypted connection.
Make sure you’re using a good security plugin that’s regularly updated – like WordFence, which acts as a firewall against hackers and provides all-round protection to your website.
You’ll also need to make sure that the PHP is up to date. Most plugins use PHP 7 now, so if you’re still using 5 or 6 not only is that going to cause compatibility issues but you’re also at risk of loopholes that hackers can use to access your website.
Keep your website updated
Are your themes, plugins and your version of WordPress up to date?
Updating these is important as the developer’s spot issues and improve the security all the time, neglecting to update could put your website at risk of a potential data breach.
For more information on how to update your WordPress website, you can read my advice here.
Have a compliant privacy policy on your website
This should be easily accessible on your website and linked to wherever personal data is collected (contact form, mailing list sign-up, etc.)
Your policy must include what personal data you collect, what it’s used for, whether any third parties are involved, how you’ll store the data and for how long, and how your website users can contact you to exercise their right to be forgotten.
Completing a data audit and using that to create your privacy policy is the best way to go about this, don’t just copy and paste something you’ve found elsewhere.
Have a cookies policy and pop-up
Cookies can identify an individual using your website via their device and therefore collect personal data. As cookies are in place as soon as they visit your website, it’s vital that you have a pop-up notice alerting users to their presence. This should link to your cookie policy explaining how and why the cookies are used, and that they can be turned off via the browser.
Get explicit consent when personal data is collected
Having a clear and specific statement about why the information is being collected and how it will be used with a checkbox for consent is important next to any contact form, or mailing list opt-in, particularly if you want to use that information for marketing purposes.
Having a link to your privacy policy with this statement is good practice to ensure that the consent is fully informed and explicit.
Understand your plugins
Are they essential for your website to function?
If they’re not, do they collect data and can that information be anonymised? Is there an alternative plugin where data can be collected more securely?
Are there any vulnerabilities in your plugins? This is often the case with older plugins that are no longer updated. You can find out here https://wordpress.org/plugins/plugin-security-scanner/#description
Get help if you need it!
If you’re still unsure and feeling a little lost in making your website ready for GDPR, we offer a website check service for £50.00. We’ll go through all of the points we’ve talked about, check for any issues and give you advice on the steps you need to take to make your website compliant. If that sounds good to you, give us a call on 07736 938 480 now.