NOTE: this is not legal advice and should never be treated as such. This is simply a guide to aid understanding. Proper legal advice will need to be obtained from a lawyer.
Computers and the internet have created a world where information sharing and communication have become easier than ever, but this power has come at a price. Over time it has become clear that the staggering amount of personal data being collected online, given with or without our knowledge, is becoming a major issue.
The EU, hearing the call to arms, released the new General Data Protection Regulation (GDPR). The regulation applies to organisations located both inside and outside of the EU: it applies as long as your organisation either offers goods or services to, or monitors the behaviour of, any EU citizens.
Protecting Personal Data
The GDPR is put into place to protect personal data, but what does this mean exactly? The GDPR defines Personal Data as…
“…any information relating to an identified or identifiable natural person.”
This personal information could identify someone by name, location or some identification number. You can find the full definition here.
Even if you don’t own or operate a business targeting the EU, it’s still very good practice to follow these rules. Most of them rest on strong ethical and common-sense principles. These principles are…
Consent
When obtaining or processing any personal data from an EU resident, consent must be given in a way that is explicit, specific and unambiguous. This means no pre-ticked opt-in boxes (a box already marked [x] so the user starts receiving marketing emails unless they untick it) and very clear wording about what the user is agreeing to.
Data: Rights to Access and being Forgotten
You have to clearly inform users where, how and why their data is being stored and processed. A user must also be able to request that their personal data be deleted from the system, and the website administrator is responsible for ensuring the data is actually deleted when such a request is made.
Organisations must report data breaches to all website users and the relevant authorities within 72 hours of the breach first being noticed.
Data Protection Officers
Some organisations will require a specific ‘Data Protection Officer’, whose responsibility it is to ensure proper security protocols are put into place. Whether one is required depends on the size of your organisation and the extent to which data is being collected and processed.
What does this mean for me?
WordPress has already taken steps and implemented tools to help any basic WordPress website meet the GDPR requirements. These updates arrived in version 4.9.6, so for starters, if you’re not up to date with this version, get that done as soon as possible!
From there, begin by taking these steps for your website:
- Ensure all email subscriber opt-in forms default to unchecked (no),
- Provide a clear, simple way for users to opt out of any email lists they have subscribed to through your site,
- Ensure any terms and conditions agreements on your website are clearly separate from any email opt-in forms (for example, during checkout flows),
- Ensure there is a clear, simple way for users to understand, request and delete all personal data being collected by your website.
From there you need to consider the type of functionality your website offers through its theme, plugins and any other custom functionality that has been implemented. Every platform, plugin and software solution has the potential to breach GDPR compliance, so whenever you add functionality to your site, check it against the core principles above. Remember, when in doubt, consult a lawyer!
If you need to discuss GDPR compliance any further, contact us!