Even though the GDPR is a European Union law, your website should be compliant with the regulation. Why? Because the internet doesn’t observe political or national boundaries. It’s global. As we read on a WordPress Forum: “The target group is ‘everyone’ since GDPR applies everywhere and to anyone that interacts with EU citizens.”
This post will help you, as a website owner/user, to navigate the changes you should make so that you can be compliant with new privacy regulations.
The content in this post does not replace legal advice. If you are unsure about your obligations under GDPR, talk to a lawyer.
An Overview of the GDPR
The General Data Protection Regulation – known as GDPR – is a European Union law which came into effect on May 25, 2018. Its aim is to protect the privacy and personal data of individuals in the EU (residents, not only citizens).
- The GDPR provides privacy protection by regulating the collection, processing, transfer, and storage of personal data: any information that relates to an identified or identifiable person.
- The GDPR applies to anyone who offers goods or services to people in the EU, or who monitors their behavior.
- GDPR imposes obligations on any organization that stores or processes personal data of individuals in the EU, whether or not the organization itself is based there. Businesses are subject to the GDPR’s compliance requirements.
- Activities such as marketing to people in the EU or monitoring their behavior bring you within the GDPR’s scope – even if the collection and processing of the information happens outside the EU.
How GDPR Applies to Your WordPress Site
If your site offers goods or services to people in the EU, or monitors their behavior (for example with analytics or advertising cookies), it should comply with the regulation. A WordPress site can collect a good deal of personal data: the WordPress database itself, its commenting system, user registrations and the third-party plugins you’ve installed all hold visitor information. You need to tell site visitors what you collect, why, where it is stored and for how long. That’s where your privacy policy comes in.
User Registrations and Comments
When a visitor leaves a comment on your site, they type in a name, an email address and optionally a website URL; WordPress also records their IP address and browser user agent. All of this is stored in the wp_comments table of the WordPress database (the comment_author_IP and comment_agent columns) and stays there for as long as the comment does. Registered users’ profile data is stored in the wp_users and wp_usermeta tables in the same way.
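Because WordPress passes the commenter’s address through the pre_comment_user_ip filter (in wp_filter_comment()) just before inserting the row, that is the last point at which you can stop the full IP address from reaching wp_comments. The following mu-plugin is an added example written for this post, not code from WordPress or from any plugin; the file name is an assumption, and wp_privacy_anonymize_ip() is the core helper that has existed since WordPress 4.9.6:

```php
<?php
/**
 * Added example (not from the original post): anonymize the IP address
 * WordPress records for each comment before it is written to wp_comments.
 * Save as wp-content/mu-plugins/anonymize-comment-ip.php (name is an assumption).
 *
 * wp_privacy_anonymize_ip() zeroes the last octet of an IPv4 address
 * (203.0.113.42 -> 203.0.113.0) and the interface-identifier half of an
 * IPv6 address, so the stored value can no longer single out one visitor
 * while still being useful for coarse spam statistics.
 */
add_filter( 'pre_comment_user_ip', function ( $ip ) {
    if ( function_exists( 'wp_privacy_anonymize_ip' ) ) {
        return wp_privacy_anonymize_ip( $ip );
    }
    // WordPress older than 4.9.6: store nothing rather than the full address.
    return '';
} );
```

Existing comments are not touched by this filter; rows already in wp_comments keep whatever IP they were saved with until you update or delete them.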
Plugins
Some WordPress plugins collect and store visitor information in your database; others send it to third-party servers. This means you need to work out how each plugin you’ve installed affects data privacy: what it collects, where it sends it and how long it is kept. Examples of commonly used plugin types that handle visitor information are:
- Contact forms (Formidable, Fast Secure, Contact Form 7)
- Email marketing services (Mailchimp, AWeber, Constant Contact)
- E-commerce (WooCommerce, Event Espresso)
- Google Analytics integrations (MonsterInsights)
What Your Website Needs to Comply with GDPR
- You must state what data your site collects and why. Disclose this on your website’s Privacy Policy page.
- You must allow visitors to control their information, including requesting a copy of it (export) or having it erased (WordPress has provided tools for this since version 4.9.6).
- Notify the relevant supervisory authority of a data breach within 72 hours of becoming aware of it, and notify the affected visitors when the breach is likely to put them at high risk.
WordPress GDPR Support for Website Owners
In order to help all website owners comply with GDPR, WordPress (since version 4.9.6) provides:
- A draft privacy policy and a guide of recommendations to create a privacy policy page
- Tools to erase or export personal data
- Hooks that let plugins contribute their own privacy policy text and export/erase handlers; the plugin repository also offers GDPR compliance plugins
The WordPress Privacy Policy
WordPress delivers Privacy Policy draft content to help you update or create your privacy policy depending on your specific site needs/situation. The 3 cases are:
- You have an existing privacy policy on your site
- You don’t have a privacy policy page
- You have a new WordPress installation
Case #1: A Site with a Privacy Policy Page
- Go to Settings → Privacy
- Select your existing page from the dropdown
- Click “Use this page”
Case #2: No Privacy Policy Page
The process is similar to the first case. You’ll find the link to the draft privacy policy under Settings.
- Go to Settings → Privacy
- Click “Create New Page”
- The new page is populated with the suggested draft content; review it before publishing
- Add the page to your footer menu:
- Go to Customize → Menus
- Select the footer menu
- Add Privacy Policy
- Save the menu changes
Case #3: You have a fresh installation of WordPress
In the case of a new WordPress installation, you will find a Privacy Policy Page set to Draft under the All Pages screen.
Edit the Privacy Policy Page
- Click edit on the Privacy Policy page
- At the top you will see this message “Need help putting together your new Privacy Policy page? Check out our guide for recommendations on what content to include, along with policies suggested by your plugins and theme.”
- Click the link to get to the guide
If you scroll to the bottom of the guide, you will notice that WordPress shows suggested policy text contributed by installed plugins and themes that support this feature. Click to copy the text and paste it into your Privacy Policy page.
However, only plugins that implement this support show up there. You still need to look at all your other installed plugins and figure out how they collect, store and share personal data, and add this to your privacy policy.
Tools to Erase or Export Personal Data
If someone emails you and requests a copy of their personal data (export) or its removal (erase), go to Tools and select either Export Personal Data or Erase Personal Data. On this screen, enter the person’s email address (or username) and click Send Request; WordPress emails the person a verification link so that only the owner of the address can trigger the export or erasure.
Once you send the request from the WordPress Dashboard, the email owner will have to confirm that they requested to have their personal data erased or exported. Once the person requesting the action clicks the link in the email, they will receive this message:
“Thanks for confirming your erasure request. The site administrator has been notified. You will receive an email confirmation when they erase your data.”
WordPress closes the loop on the action. The site administrator is notified when the request is confirmed, and once you run the export or erasure from the Tools screen the requester gets an email confirming it. We like that! Keep in mind, though, that these tools only reach data that WordPress core knows about (user profile, comments, media) plus whatever your plugins have registered with them. Personal data a plugin keeps in its own tables without such support, or that has been sent to a third-party service, has to be found and handled by you.
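The plugin-supplied text in the Privacy Policy guide and the coverage of the Export/Erase tools both come from the same small set of hooks. The plugin below is an added example written for this post, not the code of any real plugin: it assumes a hypothetical newsletter plugin that stores signups in a custom table {$wpdb->prefix}example_signups (columns id, email, signup_ip, created_at; all names are assumptions) and shows how such a plugin contributes its privacy policy text, an exporter and an eraser using the WordPress 4.9.6+ APIs wp_add_privacy_policy_content(), wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers:

```php
<?php
/**
 * Plugin Name: Example Newsletter Privacy Hooks
 *
 * Added example, not from the original post or from any real plugin.
 * Assumes a hypothetical table {$wpdb->prefix}example_signups with the
 * columns id, email, signup_ip and created_at. It wires that table into
 * the three WordPress privacy features described above: suggested policy
 * text, the personal-data exporter and the personal-data eraser.
 */

/** Name of the hypothetical signup table (prefix-aware). */
function example_signups_table() {
    global $wpdb;
    return $wpdb->prefix . 'example_signups';
}

/** 1. Suggested text shown at the bottom of the Privacy Policy guide. */
add_action( 'admin_init', function () {
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return; // WordPress older than 4.9.6 has no privacy guide to contribute to.
    }
    $text = '<p class="privacy-policy-tutorial">' . __(
        'Suggested text: When you subscribe to our newsletter we store your email address, the IP address you subscribed from and the time of signup. We keep this until you unsubscribe or ask us to erase it.',
        'example-newsletter'
    ) . '</p>';
    wp_add_privacy_policy_content( 'Example Newsletter', wp_kses_post( $text ) );
} );

/** 2. Exporter: returns every signup row matching the requester's email. */
function example_signups_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $rows  = $wpdb->get_results( $wpdb->prepare(
        'SELECT id, email, signup_ip, created_at FROM ' . example_signups_table() . ' WHERE email = %s',
        $email_address
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => __( 'Newsletter signups', 'example-newsletter' ),
            'item_id'     => 'example-signup-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email', 'example-newsletter' ),        'value' => $row->email ),
                array( 'name' => __( 'Signup IP', 'example-newsletter' ),    'value' => $row->signup_ip ),
                array( 'name' => __( 'Signed up at', 'example-newsletter' ), 'value' => $row->created_at ),
            ),
        );
    }
    // One query returns everything, so there is never a further page.
    return array( 'data' => $items, 'done' => true );
}
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => __( 'Example Newsletter', 'example-newsletter' ),
        'callback'               => 'example_signups_exporter',
    );
    return $exporters;
} );

/** 3. Eraser: deletes the rows and reports the outcome back to the Tools screen. */
function example_signups_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted  = $wpdb->delete( example_signups_table(), array( 'email' => $email_address ), array( '%s' ) );
    $messages = array();
    if ( false === $deleted ) {
        // A database error leaves the data in place; say so instead of claiming success.
        $messages[] = __( 'Newsletter signups could not be deleted; please remove them manually.', 'example-newsletter' );
    }
    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => ( false === $deleted ),
        'messages'       => $messages,
        'done'           => true,
    );
}
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => __( 'Example Newsletter', 'example-newsletter' ),
        'callback'             => 'example_signups_eraser',
    );
    return $erasers;
} );
```

Once activated, the plugin’s text appears in the Privacy Policy guide and its rows are included whenever you run Export Personal Data or Erase Personal Data for that email address. Note what the eraser cannot do: if the same signup was also pushed to an external mailing-list provider, that copy is outside WordPress and you still have to remove it through the provider’s own tools.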
GDPR Compliance Plugins
WordPress plugin developers have added another level of support by providing plugins for GDPR compliance. Websites requiring a greater degree of GDPR compliance will find GDPR tools in the WordPress Repository.
What’s Next?
Review your current privacy policy page and your plugins. Use the privacy guide WordPress provides to create a privacy policy. Familiarize yourself with the Personal Data management tools.
And remember, this information is not meant to replace the legal advice you would receive from a lawyer.