The details of your WordPress GDPR checklist

With all the official information out of the way, let’s take a moment to talk about how to make sure that your website is compliant and that you won’t experience any WordPress GDPR problems.

Before you move on to each of the aspects and how to comply with them, a security audit on your WordPress site should, in general, reveal how data is being processed and stored on your servers, and steps that are required to comply with the GDPR.

GDPR Checklist

Ensuring compliance with the General Data Protection Regulation (GDPR) is essential for any business that collects, processes, or stores personal data of individuals located in the European Union (EU). Here are key steps to check and ensure compliance with GDPR:

1. Understand GDPR Requirements:
– Familiarize yourself with the key principles, requirements, and obligations outlined in the GDPR, including the rights of data subjects, lawful bases for processing personal data, and obligations for data controllers and processors.

2. Conduct Data Inventory and Mapping:
– Identify and document all personal data that your business collects, processes, and stores, including the types of data, sources, purposes of processing, and data flows.
– Map the lifecycle of personal data within your organization to understand how it is collected, stored, transferred, and deleted.

3. Review and Update Privacy Policies and Notices:
– Ensure that your privacy policies and notices are transparent, easily accessible, and provide clear information about how you collect, use, and protect personal data.
– Include details about the legal basis for processing personal data, data retention periods, data subject rights, and contact information for data protection inquiries.

4. Implement Legal Bases for Processing:
– Identify the lawful bases for processing personal data under the GDPR, such as consent, contract performance, legal obligation, legitimate interests, or public interest.
– Obtain valid consent from data subjects when required, ensuring that consent is freely given, specific, informed, and unambiguous.

5. Enhance Data Security Measures:
– Implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data, including encryption, access controls, data minimization, and regular security assessments.
– Implement procedures for incident response, breach notification, and mitigation in the event of a security incident or data breach.

6. Manage Data Subject Rights:
– Establish processes and mechanisms to facilitate data subject rights under the GDPR, including the rights to access, rectification, erasure, restriction of processing, data portability, and objection.
– Provide data subjects with means to exercise their rights, respond to requests promptly, and maintain records of data subject requests and responses.

7. Implement Data Protection Impact Assessments (DPIAs):
– Conduct DPIAs for high-risk processing activities that are likely to result in a high risk to the rights and freedoms of data subjects.
– Assess the potential impact of data processing activities on data protection and implement measures to mitigate risks.

8. Establish Data Processing Agreements:
– Ensure that contracts or agreements with third-party service providers (data processors) include specific provisions required by the GDPR, such as data processing obligations, security measures, and data protection standards.
– Conduct due diligence on third-party vendors to ensure they meet GDPR requirements and maintain adequate data protection standards.

9. Provide Employee Training and Awareness:
– Train employees and raise awareness about GDPR compliance requirements, data protection principles, and best practices for handling personal data.
– Establish policies and procedures for handling personal data, data security, and incident response, and ensure that employees understand their responsibilities.

10. Monitor Compliance and Maintain Documentation:
– Regularly review and monitor compliance with GDPR requirements, conduct internal audits, and update policies and procedures as needed.
– Maintain detailed documentation of GDPR compliance efforts, including data processing activities, risk assessments, data protection impact assessments, and records of data subject requests and responses.

By following these steps and implementing robust data protection measures, businesses can demonstrate compliance with the GDPR, protect the privacy rights of individuals, and mitigate the risk of regulatory penalties and fines.

The security audit for a WordPress website

There are a few GDPR checklist points:

  1. The Security Audit Log plugin can help you perform a security audit on your website.
  2. Have your lawyer analyze your privacy policy.
  3. Analyze internally which tools and plugins you use and what data they collect. Check your plugins in WordPress and their privacy policies, especially SEO plugins, social share plugins, and contact forms.
  4. Check your CRM and marketing automation tools – sometimes you add scripts and then forget about them. Yes, they still collect data.
  5. Check your WordPress version – the newest version has some GDPR tools that help to remove user data, if requested.
  6. Check your theme – if you bought it on ThemeForest, it is really important to check whether an update is available. Some theme developers have prepared new versions with GDPR compliance, cookie notices, and simple tools for users.

Key aspects of the WordPress GDPR

(a) Breach notification

Under the GDPR, if your website experiences a data breach of any kind, that breach needs to be communicated to your users.

A data breach may result in a risk to the rights and freedoms of individuals, which is why notifying users in a timely manner becomes necessary. Under the GDPR, a notification must be sent within 72 hours of first becoming aware of a breach. Data processors are also required to notify users, as well as the data controllers, immediately after first becoming aware of a data breach.

In a WordPress scenario, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. However, the complexity here is the definition of the term “user” – it may constitute regular website users, contact form entries, and potentially even commenters.

This clause of the GDPR thus creates a legal requirement to assess and monitor the security of your website. The ideal way is to monitor web traffic and web server logs, but a practical option is to use the Wordfence plugin with notifications turned on.

(b) Data collection, processing, and storage

There are three elements to this: Right to Access, Right to Be Forgotten, and Data Portability.

  • The right to access provides users with complete transparency in data processing and storage – what data points are being collected, where these data points are being processed and stored, and the reason behind the collection, processing, and storage of the data. Users will also have to be provided a copy of their data.
  • The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their personal data to be used.
  • The data portability clause of the GDPR provides users a right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller.

A Privacy Policy is a must-have legal document

Privacy by design encourages controllers to enforce data policies which enable the processing and storage of only that data which is absolutely necessary. This encourages site owners and controllers to adopt potentially safer policies for data, by limiting the access to a number of data points.

You first need to publish a detailed policy on which personal data points you’re using, and how they are being processed and stored.

Next, you need to have a setup to provide users with a copy of their data. This is perhaps the most difficult part of the process. However, we can assume that when the time comes, most plugin developers or tool developers – for the tools and plugins that you have on your site – will have already come forward with their own solutions to this.

It is still advised, however, to have a system in place to derive the required data out of your database.

Further, it may be wise to avoid data storage altogether in certain cases. For instance, contact forms could be set up to directly forward all communication to your email address instead of storing them anywhere on the web server.

(c) Use of plugins – implications of WordPress GDPR checklist compliance

Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with the GDPR rules.

This can still mean some tough times for some of the most popular plugins out there. For instance, solutions like Gravity Forms or Jetpack have a lot of modules that collect user data by nature. How are those tools going to comply with the GDPR exactly?

For plugins, the same rules apply, although they must be approached from the point of view of the WordPress site owner. Each plugin needs to establish a data flow and inform about the processing of personal data. If you are the developer of a plugin, consider providing users of your plugin an addendum that they may add to their website’s terms in order to make them GDPR compliant.
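As an added example (not code from this article or from any plugin named here), this is how a plugin can plug its own data into WordPress's built-in personal data export and erase tools through the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters. The plugin, its table `{prefix}example_contact_entries`, the column names, and the function names are hypothetical; the file is meant to be loaded as a plugin or mu-plugin inside WordPress.

```php
<?php
// Added example: hypothetical plugin storing entries in {prefix}example_contact_entries
// (assumed columns: id, email, message, created_at).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-contact'] = array(
        'exporter_friendly_name' => 'Example Contact Entries',
        'callback'               => 'example_contact_exporter',
    );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-contact'] = array(
        'eraser_friendly_name' => 'Example Contact Entries',
        'callback'             => 'example_contact_eraser',
    );
    return $erasers;
} );

// Called by Tools > Export Personal Data, page by page, until 'done' is true.
function example_contact_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'example_contact_entries';
    $per_page = 100;
    $rows     = (array) $wpdb->get_results( $wpdb->prepare(
        "SELECT id, message, created_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, ( max( 1, (int) $page ) - 1 ) * $per_page
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-contact',
            'group_label' => 'Contact form entries',
            'item_id'     => 'contact-entry-' . $row->id,
            'data'        => array(
                array( 'name' => 'Message', 'value' => $row->message ),
                array( 'name' => 'Submitted', 'value' => $row->created_at ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

// Called by Tools > Erase Personal Data; a failed delete is reported as retained.
function example_contact_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $removed = $wpdb->delete( $wpdb->prefix . 'example_contact_entries', array( 'email' => $email_address ), array( '%s' ) );
    $failed  = ( false === $removed );
    return array( 'items_removed' => $removed > 0, 'items_retained' => $failed,
        'messages' => $failed ? array( 'Contact entries could not be deleted.' ) : array(), 'done' => true );
}
```

When auditing an installed plugin, searching its source for these two filter names is a quick way to see whether it takes part in the core export and erase requests at all.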

A good plugin for your GDPR start

GDPR Cookie Compliance is a good cookie management tool. It lets you switch individual scripts on your website on or off, and even switch off Google Fonts…

Privacy Shield Framework for US businesses

Privacy Shield is the European Commission-approved mechanism that enables the transfer of personal data from the European Union and Switzerland to the United States. You can register your website or online shop there to check if you qualify.

Magento, a leading eCommerce platform, is self-certified through this service – here

I hope my GDPR checklist was useful but overall we will see soon what is behind this GDPR fever. I hope it will be good for both companies and customers/users.
