In Focus – WordPress and Data Privacy (GDPR)

In Focus – WordPress and Data Privacy (GDPR)

Data privacy and protection is one of the key aspects which all business need to demonstrate on a continuous basis. There are a wide number of complex privacy laws worldwide, and even stricter penalties if those directives are not complied to. Some common privacy regulations are the U.S. Health Insurance Portability and Accountability Act (HIPAA), Canada’s Privacy Law, the U.S. Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), and Australia’s Privacy Laws. However, the next big suite of regulations in this field is the General Data Protection Regulation (GDPR).

 

What is the GDPR?

GDPR-EU-Europe

The GDPR is the European Commission’s new data privacy and protection guidelines, which will come into effect from May 2018. It aims at giving the European citizens a significant control over their personal data. Not only does it affect the people of the European countries, the GDPR’s scope also extends to all organizations accepting traffic from Europe and processing data of European users.

How does the GDPR affect your WordPress website?

personal-data-gdpr

All terms and conditions of the GDPR regulation can be found in the Official Journal of the European Union. However, the entire buzz around the GDPR revolves around the two key aspects – ‘personal data’ and ‘processing of personal data’. For a WordPress website owner, this can be translated into:

  • Personal data – any data which identifies a particular person – eg: name, address, telephone number, email ID, machine ID, IP address, etc.
  • Processing of personal data – any activity done on the user personal data – eg: storage of the user data, analysis of user data for marketing, server logs for a user, etc.

 

Steps to ensure compliance to the GDPR directive

GDPR has various clauses – the key ones are listed in the discussion below. Failure to comply to the GDPR can result upto a penalty 4% of your business’ annual turnover, upto 20 million Euros, and hence it is utmost improtant that the clauses are adhered to. Mentioned below, are tips for all WordPress owners to ensure that they are a step ahead in the privacy compliance game.

DataPrivacyChecklist_gdpr
  1. Design a Privacy Policy

It is vital that a user is aware of whether any data of his is being collected, and if so, what is being captured and what for. Providing each website user with so much of information would be cumbersome and not all users are interested in knowing the finer details. Hence the best way to deal with the ‘Right to Access’ clause of the GDPR is to present a Data Privacy Policy, in the data collection form itself. The guidelines in the policy will enable the user to have an insight on what data is being procured from him, what the methods of storage of the data and the usage practices for such data. Do note that the privacy policy must be revised and updated atleast on an annual basis, and as and when significant changes occur.

  1. Call for user permission

As a next step to the display of your website’s data privacy policy on the data query form, you must also request for an explicit approval from the user to allow your website to collect his data and process it as per the data requirements. In your WordPress website, it is as easy as providing a checkbox asking for consent. Do not however forget to make this a mandatory field. Having this setup will ensure that no user data is collected without the user’s notice.

  1. Provide all personal data on user request

The ‘Data Portability’ clause of the GDPR allows your website user to request for details on his personal data, download this data and also send the data to another Controller. Further, the ‘Right to be Forgotten’ clause also allows the user to purge all the collected data and stop collected and processing for his data going forward.

To provide all user-related data collected and processed to a user might be an uphill task; however, a system to have this in place is critically needed. Currently, there is no plugin providing a feature of automatic presentation of all the collected data of a particular user. In such a case, the easiest approach to achieve this would be to have all user data organised in a defined format in the database. A primary key for each row (here one row contains all data details of one respective user) should be established. Examples of a primary key for a WordPress website could be the email ID of the user. When the WordPress database is queried with the primary key, all corresponding data should be easily extractable and presented to the user. Also, it is advised that all WordPress website owners re-evaluate the user data points being stored and not collect the unnecessary data fields at all.

  1. Provide a communication channel for users

Since compliance with the GDPR directive requires all website owners to be approachable and responsive with the website users, it is hence a good idea to set up an open channel for this two-way communication. A simple form consisting of all the user options to handle their data – view, download, purge, withdraw – would be an efficient way for the user to reach out with their requests to you. On the backend, you should have a prompt notification system set up which sends these form-based user requests to you (for example, as an email to your Priority Inbox), so that you can deal with them on an urgent basis.

  1. Notify users on data breaches

Data breaches compromise the privacy rights of individuals. Should your WordPress website encounter any data breach, it is your utmost responsibility to report and communicate this to the users of your website. The ‘Breach Notification’ clause of the GDPR requires that the users are notified within 72 hours of having been aware of the breach. For WordPress, the ‘users’ comprise of the regular users of your website, people who query your website with form entries and also the persons commenting on your website.

Maintaining and monitoring the security health of your website is thus a critical requirement for all website owners and administrators, to prevent any kind of data breach. If monitoring and analysing the website traffic and its logs do not seem to be a viable option, then plugins like WordFence can be enabled to perform the same.

  1. Focus on plugin compliance

It may sound difficult to implement, but the plugins configured on your website also need to adhere to the data privacy rules. This is because the plugins also collect and process user data. The responsibility of ensuring that all the plugins being used in the website are GDPR compliant, vests with the website owner. You can demand an addendum (consisting of how the plugins deal with the GDPR) from the plugin development team, and append it to the ‘Terms and Conditions’ section of your website. For plugins, which do not offer such facilities, you can further discontinue using them and opt for similar others which meet the privacy requirements. Also, all plugins are slowly moving into the privacy-compliant space, so the ease of continuing to use them will be increasing gradually.

 

Immediate action points

Act-Now-gdpr

While the onset of the GDPR still have a few months to go, it is critical that the all the requirements are met at the earliest. A quick security audit will identify all the areas of improvement and all WordPress owners should set onto resolving each of the issues. Implementation of the steps mentioned above will not only help you level up in the compliance space, but also provide the right transparency required for any user in the handling of his data.

Anushree Sen

Anushree Sen

Anushree has over 6 years of experience in information security management and risk-based advisory services, working with organizations like Deloitte & Adobe. She is a CISA certified professional, with a management degree in Softwares and Systems from Symbiosis International University. Beyond work, Anushree can be seen practicing various dance forms and dreams of being an established choreographer too.
Anushree Sen