The best compilation of advice on how to make your WordPress site compatible with GDPR

Talking about GDPR is no longer sexy. As May 25 approaches, an increasing amount of information is available about what you should or shouldn’t do after the magic date. Sorry, but we’re also going to talk about this. A lot of companies still haven’t thought about the issues raised by the new regulation. So we decided to create a guide, in the context of WordPress, about what you should pay attention to if you own a website.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive. This document is designed to harmonize data privacy laws across Europe, to protect and enforce the data privacy of all EU citizens and to reshape the way organizations across the region approach data privacy. GDPR comes into force on May 25, 2018, and will also affect businesses operating outside the EU.

In this article, we are going to explore the changes that concern user rights as well as the ability of website owners and why this should all be taken seriously. We will also look at some plugins that can guide you through and help with complicated GDPR issues. Finally, we will provide you with a useful checklist so you won’t forget anything important.

Three main rights of the user

According to GDPR, the user has three main rights. At any time he can ask for details of how his data has been obtained – this is the right to access the data. The user has the right to know at which data points information about him has been collected, where and why it has been collected, and how it has been processed and stored. If he asks, the owner of the data has to provide a copy of his data.

The user will have the right to be forgotten – he can require that all data that a company possesses about him is erased and for its future collection to stop.

The third and probably the most complicated part is the data portability issue – the user is going to be entitled to download personal data about himself and transmit it elsewhere. There are signals that at least some plugin and tool developers might have solutions for this. However, you should think about how to solve this yourself: your company has to figure out how, if required to do so, it can extract all the information about the relevant user from its database.

Huge penalties – take GDPR seriously!

According to the Official Journal of the European Union, two terms in GDPR must be taken into account by website owners. The first is personal data – any information that can be used to identify the relevant person, e.g. name, e-mail address, IP address, etc. The second is processing personal data – any action involving the aforementioned data. This means, for example, that storing IP addresses in web server logs is a simple case of processing personal data that is regulated by GDPR.

There are various ways of collecting user personal data and processing it later – via user registration, comments, entries into contact forms, analytics and traffic log solutions, any logging and security tools or plugins. The company that owns this data must be ready at any time to prove that the person has authorized it to use his personal data. A clear policy statement is required on how and why the data is collected, how it is going to be used and where it is stored. Regarding storage, we recommend that you give this matter some careful thought. If it concerns just communication between you and the user, you probably don’t need storage at all. Communication can be easily continued via email, for example. Regarding emails, the data collection should be opt-in. Also, bear in mind that it is your responsibility to use tools and plugins that correspond to the requirements of the GDPR regulation. They might not be WordPress tools, but their policy for users should still be in accordance with GDPR.


All these changes must be taken seriously. The penalty can be up to EUR 20 million or 4% of the company’s total annual turnover globally. Of course, there are signals that initially local authorities won’t charge the full amount and will just warn companies when non-compliance is discovered. However, they will have the legal right to fully protect EU citizens at any time.

GDPR in WordPress

If you want to test whether your WordPress website meets all the requirements mentioned in GDPR, the first thing to do is conduct a security audit. The plugin ‘WP Security Audit Log’ can help.

WP Security Audit Log plugin for WordPress

This plugin keeps an audit log of every action that happens on your WordPress site or multisite. Suspicious behavior is easy to detect because the plugin monitors user activity and logs it in real time. If you discover a data breach, then according to the GDPR regulation it should be communicated to users as well as to the authorities within 72 hours.

However, there is a problem with the term ‘users’. Who are they? Registered clients, or anyone who has merely commented on the content? There is no clear definition, so problems may arise from the wide scope for interpretation. It is better to avoid getting into these situations by using another plugin, e.g. ‘Wordfence’:

Wordfence WordPress Plugin

This plugin is a firewall and malware scanner that protects WordPress sites. Its threat defense feed (available only in the premium version) delivers the newest firewall rules, malware signatures and malicious IP addresses. The plugin doesn’t break encryption, can’t be bypassed and cannot leak data. The scanner checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections. You can also be sure that your site is checked for security vulnerabilities and that you are alerted.

It is also possible to check at any time whether your website and its components (plugins, tools etc.) are compatible with the GDPR regulation; this is the plugin to use for that. It doesn’t guarantee full compliance, but at least it works as an assistant with GDPR-related issues:

WP GDPR Compliance plugin for WordPress

Be creative – additional tools for transparency

As a website owner, you should understand that GDPR is about transparency and about users being able to control what happens behind the scenes. So you can also analyze the whole process flow of your site and make all data visible and available. For example, if comments are allowed on your site, then the site evidently collects the commenter’s IP and e-mail address. Create a dialog that allows the commenter to see and download his personal data as well as to delete or anonymize it. In addition, you can ask for permission to store cookies – ask the person to tick a box if he wants his data to be pre-filled the next time he decides to comment.

For registered users, try to make all data visible, editable and easy to delete on the user profile. Think of a button that makes it easy for the user to download the information you hold about him, as well as to choose to be anonymized.
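The “see, download, anonymize” dialog for commenters described above, and the download button for registered users, both come down to one thing: being able to find every record tied to an e-mail address and either hand it out or scrub it. The following is an added example, not code from the article or from any plugin named in it. It uses the personal-data exporter and eraser hooks that WordPress core added in version 4.9.6 (`wp_privacy_personal_data_exporters`, `wp_privacy_personal_data_erasers`, `wp_privacy_anonymize_data()`); the `example_` function names and the ‘comments’ group key are this example’s own choices. Erasure here anonymizes rather than deletes, so the comment thread stays readable while the personal data is gone.

```php
<?php
// Added example (not from the article): export and anonymize a commenter's
// personal data by e-mail address using WordPress core privacy hooks.

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-comment-data'] = array(
        'exporter_friendly_name' => 'Example comment data',
        'callback'               => 'example_export_comment_data',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-comment-data'] = array(
        'eraser_friendly_name' => 'Example comment data',
        'callback'             => 'example_erase_comment_data',
    );
    return $erasers;
} );

// Fetch one batch of comments left under this address. 'status' => 'all'
// matters: unapproved and spam-flagged comments hold personal data too.
function example_comments_for( $email_address, $page, $per_page ) {
    return get_comments( array(
        'author_email' => $email_address,
        'status'       => 'all',
        'number'       => $per_page,
        'paged'        => (int) $page,
        'orderby'      => 'comment_ID',
        'order'        => 'ASC',
    ) );
}

// Exporter: returns the data in the structure core expects, one item per comment.
// Core calls this repeatedly with page = 1, 2, ... until 'done' is true.
function example_export_comment_data( $email_address, $page = 1 ) {
    $per_page = 100;
    $comments = example_comments_for( $email_address, $page, $per_page );
    $items    = array();
    foreach ( $comments as $comment ) {
        $items[] = array(
            'group_id'    => 'comments',
            'group_label' => 'Comments',
            'item_id'     => 'comment-' . $comment->comment_ID,
            'data'        => array(
                array( 'name' => 'Author',     'value' => $comment->comment_author ),
                array( 'name' => 'E-mail',     'value' => $comment->comment_author_email ),
                array( 'name' => 'IP address', 'value' => $comment->comment_author_IP ),
                array( 'name' => 'Date',       'value' => $comment->comment_date ),
                array( 'name' => 'Content',    'value' => $comment->comment_content ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $comments ) < $per_page );
}

// Eraser: replaces the identifying fields with core's anonymized placeholders.
// Anonymized comments no longer match the address, so every call fetches the
// first page of what is still left instead of paging forward.
function example_erase_comment_data( $email_address, $page = 1 ) {
    $per_page = 100;
    $comments = example_comments_for( $email_address, 1, $per_page );
    $removed  = false;
    foreach ( $comments as $comment ) {
        $result = wp_update_comment( array(
            'comment_ID'           => $comment->comment_ID,
            'comment_author'       => wp_privacy_anonymize_data( 'text',  $comment->comment_author ),
            'comment_author_email' => wp_privacy_anonymize_data( 'email', $comment->comment_author_email ),
            'comment_author_url'   => wp_privacy_anonymize_data( 'url',   $comment->comment_author_url ),
            'comment_author_IP'    => wp_privacy_anonymize_data( 'ip',    $comment->comment_author_IP ),
            'comment_agent'        => '',   // browser string is also identifying
            'user_id'              => 0,    // unlink from any registered account
        ) );
        if ( $result && ! is_wp_error( $result ) ) {
            $removed = true;
        }
    }
    return array(
        'items_removed'  => $removed,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => count( $comments ) < $per_page,
    );
}
```

Once registered, both callbacks run from the core Tools → Export Personal Data and Erase Personal Data screens, which already implement the request-by-e-mail and confirmation steps; a site that stores further data about commenters (for example in a custom table) should register one more exporter/eraser pair for it rather than reaching into the database by hand.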

Checklist to help you step by step

With this list in your hands, you will never forget the main issues you should bear in mind while communicating with your users or collecting data about them:

  • Clearly indicate in the contact form why you are collecting data and how you will use it;
  • Create a ‘Privacy Policy’ section on the website to explain the process behind users’ data – how they can access and delete data about themselves;
  • Create a ‘My Account’ page where the user can easily access data you possess about him. Make the data easy to modify and delete;
  • Check GDPR compliance before using any form or plugin;
  • Better to give the user a double ‘opt-in’ than no ‘opt-in’ at all. This means double-checking that the user agrees to communicate via the e-mail address he has provided;
  • If you are going to send sales emails, give the user the option to ‘opt-out’ from receiving them;
  • Remind the user in every e-mail why you are sending this letter and where you got his contact details from. Also, don’t forget the ‘unsubscribe’ and ‘forget me’ options. If the user clicks the ‘forget me’ button, delete all the data about him immediately;
  • Don’t share the user’s data without his consent;
  • Avoid collecting financial data, use third-party services instead;
  • Don’t use analytical tools that track individual behavior.
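The double ‘opt-in’ and ‘forget me’ items in the checklist are the two ends of the same flow, and the earlier point that you must be able to prove the person authorized you decides what the confirmation step has to record. The following is an added example, not code from the article: a newsletter double opt-in for a WordPress site. The `example_` names are this example’s own; `set_transient()`, `get_transient()`, `delete_transient()`, `wp_mail()`, `add_query_arg()`, `home_url()`, `is_email()`, `sanitize_email()`, `current_time()`, `get_option()` and `update_option()` are WordPress core functions. Nothing is stored on the list until the link in the e-mail is opened; the pending record is keyed by the hash of the token, so a copied database does not contain working confirmation links.

```php
<?php
// Added example (not from the article): double opt-in with a consent record.

const EXAMPLE_CONFIRM_TTL = 2 * DAY_IN_SECONDS;   // unconfirmed requests expire after 48 hours

// Step 1: form handler. Only a short-lived pending record is stored.
function example_start_subscription( $raw_email ) {
    $email = sanitize_email( $raw_email );
    if ( ! is_email( $email ) ) {
        return false;
    }
    $token = bin2hex( random_bytes( 32 ) );                 // 256-bit token from the CSPRNG
    $key   = 'example_optin_' . hash( 'sha256', $token );   // store the hash, never the token
    set_transient(
        $key,
        array( 'email' => $email, 'requested' => current_time( 'mysql', true ) ),
        EXAMPLE_CONFIRM_TTL
    );
    $link = add_query_arg( 'example_confirm', $token, home_url( '/' ) );
    $body = "You asked to receive our newsletter. Confirm by opening this link within 48 hours:\n"
          . $link . "\n\nIf you did not request this, ignore this message and nothing will be stored.";
    return wp_mail( $email, 'Please confirm your subscription', $body );
}

// Step 2: confirmation link. The consent record keeps what you need to show
// later: the address, when it was requested and confirmed, and from which IP.
function example_confirm_subscription( $token ) {
    if ( ! preg_match( '/^[0-9a-f]{64}$/', $token ) ) {
        return false;                                       // malformed, nothing to look up
    }
    $key     = 'example_optin_' . hash( 'sha256', $token );
    $pending = get_transient( $key );
    if ( false === $pending ) {
        return false;                                       // unknown or expired token
    }
    delete_transient( $key );                               // single use
    $consent = array(
        'email'        => $pending['email'],
        'requested_at' => $pending['requested'],
        'confirmed_at' => current_time( 'mysql', true ),
        // Behind a reverse proxy REMOTE_ADDR is the proxy; take the client
        // address from the trusted proxy header instead in that setup.
        'confirmed_ip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'source'       => 'newsletter form, double opt-in',
    );
    return example_store_consent( $consent );
}

// Consent storage, kept in a site option here; a real list would live in its
// own table or in the mailing service, but it must keep the same fields.
function example_store_consent( array $consent ) {
    $list = get_option( 'example_newsletter_consents', array() );
    $list[ $consent['email'] ] = $consent;
    return update_option( 'example_newsletter_consents', $list, false );
}

// Step 3: 'forget me'. Remove the record and the address in one step.
function example_forget_subscriber( $raw_email ) {
    $list = get_option( 'example_newsletter_consents', array() );
    unset( $list[ sanitize_email( $raw_email ) ] );
    return update_option( 'example_newsletter_consents', $list, false );
}

// Wire the confirmation link to a request handler.
add_action( 'init', function () {
    if ( isset( $_GET['example_confirm'] ) ) {
        example_confirm_subscription( (string) $_GET['example_confirm'] );
    }
} );
```

Two design points carry the checklist’s intent: the address is never on the list before the link is opened, so a typo or a third party entering someone else’s address leaves nothing behind once the transient expires, and the stored record answers “where did you get my address and when did I agree?” from the reminder line in every e-mail without any further lookup.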

If you still need ideas about what to do, here you can find a lot of discussions on different aspects of GDPR. Also, here is a full collection of GDPR plugins for WordPress to help you out.