GDPR Compliance and Your WordPress Blog
On May 25, 2018, the internet business world as we know it will change.
The European Union’s (EU) General Data Protection Regulation (GDPR) will go into effect and data management on your WordPress Blog will change completely.
I know, the big question you may have is: But this is an EU Law and I live in a country outside of the EU. Why do I have to worry about the GDPR?
The GDPR is wide-ranging and has support from most of the world's industrial nations due to pre-existing treaties and trade agreements.
This means that anyone who has a website that ANYONE from the EU visits must be in compliance with the GDPR and its data protection provisions.
So it doesn’t matter if you live in the EU or if you live in the United States (or some other country), you must comply with the regulation.
This post is meant to help you understand the basics of the GDPR and give you the ability to setup your WordPress blog using a few free tools to protect yourself and provide data and privacy protection for your site visitors.
****This post does not constitute legal advice. The content here is merely a recommendation on how to protect yourself and your blog business. If you have a complex WordPress Blog and data collection setup, I highly recommend contacting a lawyer to discuss how the GDPR affects you. That being said, for most Bloggers, the content below should suffice in providing the required protection for your blog business.****
What is the GDPR?
The GDPR is a regulation which provides data protection and data privacy for all citizens of the European Union.
This means that you must receive consent from an EU Site Visitor before collecting and using any of their data.
This can be as simple as collecting a name and an email address for sending a Contact Form message or using cookies on your site to collect data for tracking through WordPress Registrations and Logins or 3rd Party applications like Google Analytics.
The bottom line is this: If you collect data at all from a citizen of the EU, they must provide you with explicit consent before you use it.
This means that you must tell them exactly how their data is going to be used and they must provide you with their consent to take those actions before you use it.
The Main Provisions of the GDPR
There are a few main provisions of the GDPR which affect WordPress blog owners quite a bit.
They are as follows:
Data Collection, Processing, and Storage
There are three main parts to this section of the GDPR. They are:
- The right to access provides users with complete transparency in data processing and storage – what data points are being collected, where those data points are processed and stored, and the reason behind the collection, processing, and storage of the data. Users will also have to be provided with a copy of their data.
- The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their personal data to be used.
- The data portability clause of the GDPR provides users a right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller.
With WordPress, this can affect things like:
- user registrations
- comments
- contact form entries
- analytics and traffic log solutions
- any other logging tools and plugins
- security tools and plugins
Data Breach and Notifications
The next provision affects you if you have a data breach or if you have been hacked in any way.
In the event that data has been lost on your site, you must notify all those affected within 72 hours of the event occurring. In a WordPress scenario, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. However, the complexity here is the definition of the term “user” – it may constitute regular website users, contact form entries, and potentially even commenters.
With this in mind, having a secure WordPress blog is a critical element in running your business. If you need help getting your site set up for SSL to protect user data and to implement high-level security controls on your blog, I recommend using our Free WordPress Blog Setup Video Tutorial Series to install, set up, and secure your WordPress blog correctly.
Using WordPress Plugins and GDPR Compliance
All of us who use WordPress love using WordPress Plugins, Themes, and other integrations like Google Analytics, Google Adsense, etc.
With this in mind, you must make sure that any plugin or tool you use is also GDPR Compliant. This also includes any email marketing software or service you may use. If it is on your site, you are ultimately responsible for ensuring that you have at least been informed in good faith that the plugin creator is implementing GDPR safeguards into their tool (if it collects user data).
Why Should I Take the GDPR Seriously?
The GDPR is being supported by governments worldwide. If you live in the United States, for example, almost 92% of businesses have prepared for the GDPR.
The penalty for non-compliance can be up to € 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. There are other provisions for smaller fines and actions to be taken for small offenses. I recommend reading the FAQ Section of the regulation to get more insight on the specifics.
Supervisory Authority
Supervisory Authorities (SA) of different member states are being set up with the full support of the law. Each member state may have multiple SAs, depending on the constitutional, administrative, and organizational structures.
SAs will have various powers, including the ability to:
- carry out audits on websites,
- issue warnings for non-compliance,
- issue corrective measures to be followed by deadlines.
SAs have both investigative and corrective powers to check your compliance with the law and recommend changes for you to be compliant.
How to Make Your WordPress Blog GDPR Compliant
With all of this in mind, you might be saying that you don't know what to do next.
This all might sound overwhelming, but it doesn’t have to be.
There are a few steps you can take to make your WordPress blog compliant with the GDPR.
First, you must have a system which allows you to cover the main provisions we talked about above: Data Access, Data Portability, and the Right to be Forgotten.
Fortunately, there are a lot of developers who have been preparing for the GDPR, including WordPress itself.
In fact, on May 17, 2018, WordPress plans on releasing WordPress Version 4.9.6 which will have GDPR Compliance Tools built in, along with a Privacy Policy tool. WP Tavern has a great article about this upcoming release and what it includes here.
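As an added example (not code from this post, from WordPress core, or from any plugin named here), this is how a plugin that stores contact form entries, one of the data sources listed earlier, would hook into the WordPress 4.9.6 privacy tools so that the built-in Export Personal Data and Erase Personal Data requests cover its data too. The post type `sa_contact_entry`, the meta key `sa_email` and the `sa_` function names are assumptions about how such a plugin stores its entries.

```php
<?php
// Added example, not code from this post or from WordPress core. Assumed storage:
// entries are posts of type 'sa_contact_entry' with the sender's address in meta key 'sa_email'.
// Privacy requests are keyed by email address, so look entries up by that address.
function sa_contact_entries_for( $email_address ) {
    return get_posts( array(
        'post_type'   => 'sa_contact_entry',
        'post_status' => 'any',
        'numberposts' => -1,
        'meta_key'    => 'sa_email',
        'meta_value'  => sanitize_email( $email_address ),
    ) );
}
// Right to access and data portability: hand the stored fields to the core exporter.
function sa_contact_exporter( $email_address, $page = 1 ) {
    $items = array();
    foreach ( sa_contact_entries_for( $email_address ) as $entry ) {
        $items[] = array(
            'group_id'    => 'sa-contact-entries',
            'group_label' => 'Contact Form Entries',
            'item_id'     => 'sa-contact-entry-' . $entry->ID,
            'data'        => array(
                array( 'name' => 'Email',   'value' => get_post_meta( $entry->ID, 'sa_email', true ) ),
                array( 'name' => 'Message', 'value' => $entry->post_content ),
                array( 'name' => 'Sent',    'value' => $entry->post_date ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // everything fits in one page
}
// Right to be forgotten: delete the entries and report the outcome to the core eraser.
function sa_contact_eraser( $email_address, $page = 1 ) {
    $removed = 0;
    foreach ( sa_contact_entries_for( $email_address ) as $entry ) {
        if ( wp_delete_post( $entry->ID, true ) ) { // true = skip the trash, remove for good
            $removed++;
        }
    }
    return array( 'items_removed' => $removed > 0, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
// Register both callbacks so the Tools > Export/Erase Personal Data screens pick them up.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['sa-contact'] = array( 'exporter_friendly_name' => 'Contact Form Entries', 'callback' => 'sa_contact_exporter' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['sa-contact'] = array( 'eraser_friendly_name' => 'Contact Form Entries', 'callback' => 'sa_contact_eraser' );
    return $erasers;
} );
```

A plugin that stores personal data but registers neither callback leaves that data out of the export file and untouched by an erasure request, which is the gap to check for in every plugin you keep installed.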
I have done some testing and have put together a video tutorial which will show you how to implement GDPR Compliance into your WordPress blog.
The Tutorial is almost 50 minutes long, but it covers all of the Provisions listed above, along with Cookie Consent, Privacy Policy creation, Cookie Policy Creation, data access, data portability, and the right to be forgotten.
I recommend using this video tutorial below as a way to implement compliance on your WordPress blog now.
Tools used in the video tutorial above:
Pro Tools you can use for a Legally backed, Lawyer Reviewed Privacy Policy and Cookie Consent Policy:
GDPR Privacy Policy, Terms of Use, Privacy Tools, and Cookie Policy here on the Starter Academy Blog:
*I used the Cookie Policy Generator at iUbenda after seeing how poor the Cookie Policy generated by the Cookie Consent Plugin was.
**I highly recommend following the Starter Academy GDPR and changes we make as we learn about the GDPR, implement the processes, and identify our mistakes in this process.
***Want an All-in-One Solution which covers all 7 of the major areas of the GDPR for your WordPress blog automatically? Check out the GDPR Fix WordPress Plugin here now!
UPDATE: See my Update on GDPR Cookie Consent and Your WordPress Blog Here.
What’s Next?
The next thing you should do is implement the GDPR Compliance tips above into your WordPress blog and your business workflow.
Once that is complete, the next step is to make sure all of the tools you use are GDPR Compliant and that you are using them in the way that GDPR compliance requires.
Remember, we only covered the basics in the video above for Google Analytics. Be sure to check to make sure everything you use is compliant.
Once this is incorporated into your everyday workflow, you will largely take it as a matter of routine.
You are not the only one who has to do this and do not assume you can get away without following this regulation. It will only end badly.
If you have any questions or want to discuss this further, please use the comment section below (you will notice that the comments are now GDPR Compliant).
Thanks and Good Luck!