GDPR Compliance and assistance
GDPR: The really important bits.
You fall in scope if you do business in Europe, target EU citizens, monitor EU citizens (including website visitors) or process certain categories of personal data.
A very wide reaching set of data control and personal data rights processes must be in place as part of compliance.
The GDPR is retroactive; it applies to personal data you’ve already collected.
GDPR penalties and fines.
The GDPR (General Data Protection Regulation) sets a maximum fine of €20 million (about £17.5 million) or 4% of annual global turnover – whichever is greater – for infringements.
However, not all GDPR infringements lead to data protection fines.
Who monitors my website?
Each EU member state has a Supervisory Authority (SA); these authorities are tasked with auditing websites, issuing warnings for non-compliance, and prescribing the corrective measures organisations must follow.
How do I make sure my WordPress website is compliant?
Here are some important things you need to take care of:
First, we advise you to run a security audit on your WordPress website and check how personal information is processed from your site. Take note of the following usual ways a WordPress website can collect data:
User registration forms
Security tools and plugins
Other logging tools and plugins
Data collection, storage and processing
GDPR cites three important elements:
Right to access – This requires website owners to be transparent about how data is being collected, processed and stored, and why these are necessary. Users will also be provided a copy of their data.
Right to erasure – This gives users the option to remove personal information and deny consent on using their data.
Data portability – Users should be able to download their personal data.
they are being processed and stored. Data includes not only names, addresses and contact information but also pictures and avatars visitors upload to your site.
Then, you must have a way to provide users with a copy of their personal data from your database. This can either be a plugin, an online tool or a manual encoding system.
Forms with consent
GDPR requires explicit permission before collecting or storing user data, while also allowing the user to request access to that data and ask for it to be deleted. GDPR-compliant website forms should:
Remove pre-checked boxes or any type of default consent
Provide the name of your organisation and any third-party controllers who will be relying on your consent
Provide an option to request a copy of the user’s data or to have it deleted
Inform what you intend to do with their information. If you won’t share or sell their data, indicate so in your form.
If possible, provide a yes or no choice
Have age-verification measures (or parental consent measures) if you’re collecting data from children – UK Design Group will NOT build websites specifically aimed at children.
Third party providers
Any tool or third-party service that is part of your website should be compliant with GDPR. This includes payment gateways like PayPal and Stripe, as well as email marketing tools you use to send promotional messages and newsletters. The same goes for your mailing list provider. You have to make sure the email addresses were not collected illegally and that these people explicitly asked to receive emails from you.
Notification of breach
According to GDPR, you need to inform your users about any kind of data breach you are experiencing within 72 hours of finding out about the incident. Your responsibility as a website owner is to monitor web traffic and server logs, and make use of available tools to make sure that data breaches do not happen.
GDPR Compliance Checklist for WordPress Websites
If you have a form on your website, include why you’re collecting data and how you intend to use it
Enable double opt-in option to make sure you have informed consent
If you’re sharing information, inform your users and ALWAYS ask for their consent
Make sure your plugins (including ecommerce plugins) are GDPR compliant
Make sure payment gateways, email tools and mailing list providers are GDPR compliant
When sending out emails, inform recipients why you’re emailing them and how you sourced their data.
Provide an ‘Unsubscribe’ option in your emails
Also provide a ‘Forget Me’ option. If someone selects this option, immediately DELETE their data
Avoid using analytics software to track individual data and IP addresses