The details of your WordPress GDPR checklist
With all the official information out of the way, let’s take a moment to talk about how to make sure that your website is compliant and that you won’t experience any WordPress GDPR problems.
Before you move on to each of the aspects and how to comply with them, a security audit on your WordPress site should, in general, reveal how data is being processed and stored on your servers, and steps that are required to comply with the GDPR.
The security audit
There are a few GDPR checklist points:
- The Security Audit Log plugin can help you perform a security audit on your website.
- your internal analysis what tools/plugins you use and what data they collect. Please check your plugins in WordPress and check their privacy policies, especially SEO, social share plugins, contact forms.
- your CRM and marketing automation tools – sometimes you put some scripts and you forgot about them. Yes, they still collect data
- check your WordPress version – the newest version has some GDPR tools that help to remove user data, if requested
- your theme – if you bought it on ThemeForest, it is really important to check if any update is there. Some themes’ developers prepared new versions with GDPR compliance, cookies notices, and simple tools for users.
Key aspects of the WordPress GDPR
(a) Breach notification
Under the GDPR compliance, if your website is experiencing a data breach of any kind, that breach needs to be communicated to your users.
A data breach may result in a risk for the rights and freedoms of individuals, due to which notifying users in a timely manner become necessary. Under the GDPR, a notification must be sent within 72 hours of first becoming aware of a breach. Data processors are also required to notify users as well as the data controllers, immediately after first becoming aware of a data breach.
In a WordPress scenario, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. However, the complexity here is the definition of the term “user” – it may constitute regular website users, contact form entries, and potentially even commenters.
This clause of the GDPR thus creates a legal requirement to assess and monitor the security of your website. The ideal way is to monitor web traffic and web server logs, but a practical option is to use the Wordfence plugin with notifications turned on.
(b) Data collection, processing, and storage
Three elements of this: Right to Access, Right to Be Forgotten and Data Portability.
- The right to access provides users with complete transparency in data processing and storage – what data points are being collected, where are these data points being processed and stored, and the reason behind the collection, processing, and storage of the data. Users will also have to be provided a copy of their data.
- The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their personal data to be used.
- The data portability clause of the GDPR provides users a right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller.
Privacy by design encourages controllers to enforce data policies which enable the processing and storage of only that data which is absolutely necessary. This encourages site owners and controllers to adopt potentially safer policies for data, by limiting the access to a number of data points.
You first need to publish a detailed policy on which personal data points you’re using, how they are being processed and stored.
Next, you need to have a setup to provide users with a copy of their data. This is perhaps the most difficult part of the process. However, we can assume that when the time comes, most plugin developers or tool developers – for the tools and plugins that you have on your site – will have already come forward with their own solutions to this.
It is still advised, however, to have a system in place to derive the required data out of your database.
Further, it may be wise to avoid data storage altogether in certain cases. For instance, contact forms could be set up to directly forward all communication to your email address instead of storing them anywhere on the web server.
(c) Use of plugins – implications of WordPress GDPR compliance
Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with the GDPR rules.
This can still mean some tough times for some of the most popular plugins out there. For instance, solutions like Gravity Forms or Jetpack have a lot of modules that collect user data by nature. How are those tools going to comply with the GDPR exactly?
For plugins, the same rules apply, although they must be approached from the point of view of the WordPress site owner. Each plugin needs to establish a data flow and inform about the processing of personal data. If you are the developer of a plugin, consider providing users of your plugin an addendum that they may add to their website’s terms in order to make them GDPR compliant.
A good plugin for your GDPR start
GDPR Cookie Compliance is a good cookies management tool. It allows to switch on/off some scripts on your website, even switch off Google Fonts…
Privacy Shield Framework for US businesses
is the European Commission-approved mechanism that enables the transfer of personal data from the European Union and Switzerland to the United States. You can register your website or online shop there to check if you qualify.
Magento, an eCommerce leading platform, is self-certified by using this service – here
I hope my GDPR checklist was useful but overall we will see soon what is behind this GDPR fever. I hope it will be good for both companies and customers/users.