Data privacy and protection is one of the key aspects which all business need to demonstrate on a continuous basis. There are a wide number of complex privacy laws worldwide, and even stricter penalties if those directives are not complied to. Some common privacy regulations are the U.S. Health Insurance Portability and Accountability Act (HIPAA), Canada’s Privacy Law, the U.S. Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), and Australia’s Privacy Laws. However, the next big suite of regulations in this field is the General Data Protection Regulation (GDPR).
What is the GDPR?
The GDPR is the European Commission’s new data privacy and protection guidelines, which will come into effect from May 2018. It aims at giving the European citizens a significant control over their personal data. Not only does it affect the people of the European countries, the GDPR’s scope also extends to all organizations accepting traffic from Europe and processing data of European users. Our handmade sketch note summarizes all the crucial points of GDPR.
How does the GDPR affect your WordPress website?
All terms and conditions of the GDPR regulation can be found in the Official Journal of the European Union. However, the entire buzz around the GDPR revolves around the two key aspects – ‘personal data’ and ‘processing of personal data’. For a WordPress website owner, this can be translated into:
- Personal data – any data which identifies a particular person – eg: name, address, telephone number, email ID, machine ID, IP address, etc.
- Processing of personal data – any activity done on the user personal data – eg: storage of the user data, analysis of user data for marketing, server logs for a user, etc.
Steps to ensure compliance to the GDPR directive
GDPR has various clauses – the key ones are listed in the discussion below. Failure to comply to the GDPR can result upto a penalty 4% of your business’ annual turnover, upto 20 million Euros, and hence it is utmost improtant that the clauses are adhered to. Mentioned below, are tips for all WordPress owners to ensure that they are a step ahead in the privacy compliance game.
Steps to ensure compliance to the GDPR directive
2. Call for user permission
3. Provide all personal data on user request
The ‘Data Portability’ clause of the GDPR allows your website user to request for details on his personal data, download this data and also send the data to another Controller. Further, the ‘Right to be Forgotten’ clause also allows the user to purge all the collected data and stop collected and processing for his data going forward.
To provide all user-related data collected and processed to a user might be an uphill task; however, a system to have this in place is critically needed. Currently, there is no plugin providing a feature of automatic presentation of all the collected data of a particular user. In such a case, the easiest approach to achieve this would be to have all user data organised in a defined format in the database. A primary key for each row (here one row contains all data details of one respective user) should be established. Examples of a primary key for a WordPress website could be the email ID of the user. When the WordPress database is queried with the primary key, all corresponding data should be easily extractable and presented to the user. Also, it is advised that all WordPress website owners re-evaluate the user data points being stored and not collect the unnecessary data fields at all.
4. Provide a communication channel for users
Since compliance with the GDPR directive requires all website owners to be approachable and responsive with the website users, it is hence a good idea to set up an open channel for this two-way communication. A simple form consisting of all the user options to handle their data – view, download, purge, withdraw – would be an efficient way for the user to reach out with their requests to you. On the backend, you should have a prompt notification system set up which sends these form-based user requests to you (for example, as an email to your Priority Inbox), so that you can deal with them on an urgent basis.
5. Notify users on data breaches
Data breaches compromise the privacy rights of individuals. Should your WordPress website encounter any data breach, it is your utmost responsibility to report and communicate this to the users of your website. The ‘Breach Notification’ clause of the GDPR requires that the users are notified within 72 hours of having been aware of the breach. For WordPress, the ‘users’ comprise of the regular users of your website, people who query your website with form entries and also the persons commenting on your website.
Maintaining and monitoring the security health of your website is thus a critical requirement for all website owners and administrators, to prevent any kind of data breach. If monitoring and analysing the website traffic and its logs do not seem to be a viable option, then plugins like WordFence can be enabled to perform the same.
6. Focus on plugin compliance
It may sound difficult to implement, but the plugins configured on your website also need to adhere to the data privacy rules. This is because the plugins also collect and process user data. The responsibility of ensuring that all the plugins being used in the website are GDPR compliant, vests with the website owner. You can demand an addendum (consisting of how the plugins deal with the GDPR) from the plugin development team, and append it to the ‘Terms and Conditions’ section of your website. For plugins, which do not offer such facilities, you can further discontinue using them and opt for similar others which meet the privacy requirements. Also, all plugins are slowly moving into the privacy-compliant space, so the ease of continuing to use them will be increasing gradually.
Immediate action points
While the onset of the GDPR still have a few months to go, it is critical that the all the requirements are met at the earliest. A quick security audit will identify all the areas of improvement and all WordPress owners should set onto resolving each of the issues. Implementation of the steps mentioned above will not only help you level up in the compliance space, but also provide the right transparency required for any user in the handling of his data.