GDPR WEBSITE COMPLIANCE
A short, step-by-step walk through GDPR with specific, detailed instructions on making your WordPress site compliant.
This article is intended for general information purposes only.
It does not constitute a client-attorney relationship or personalised legal advice.
GDPR Website Compliance
If you have a simple website, it’s entirely possible that you can take care of the compliance process by yourself and might not need to involve a web developer or lawyer.
However, if you have an e-commerce or membership site, then we recommend getting in touch with a legal professional to help you with the nooks and crannies of GDPR. We can help, up to a point but we are not legal advisors.
GDPR stands for General Data Protection Regulation. It is EU legislation that aims to protect the privacy of everyone in the EU. GDPR forces organisations to make major changes in the way they handle their customers' personal data, affecting their business processes as well as their software. It is a whole system of principles, rights and obligations which you will need to be familiar with. GDPR applies from 25 May 2018.
GDPR has a very wide definition of personal data (more on that later). As a website owner, it is very likely that you will need to make some changes to your site. Also note that GDPR applies to data you already hold, not only to data collected after 25 May 2018: every customer record you are storing and using on that date has to meet the new rules, regardless of when it was collected.
Located outside of the EU?
Technically, GDPR applies to everyone handling the personal data of EU citizens, even if they are not based in the EU. If you’re located outside of the EU and unsure if GDPR affects you, this may help:
It depends so please consult your legal advisor for more information, but our interpretation is:
- Do you sell and ship products to the EU? Yes.
- Do you offer a digital service (free or paid) that is targeted at customers inside the EU? Yes.
- Do you systematically process or process on a large scale the personal data of EU-based customers? Yes.
- Do you offer a digital service that’s also used by EU-based customers, but you don’t actively target them? Maybe not.
- Do you have a simple blog or website with comments that are not aimed at EU-based visitors? Probably not.
How GDPR affects your website
Starting from May 25, your website visitors have certain new rights. To give you a very short overview that omits a million details: they can request a copy of all of their data you are storing, both in human- and machine-readable format. They can request you to delete all of it. You need to have a good legal basis for gathering and using any data. Alternatively, you need to ask for consent for each purpose separately. Your customers must be able to withdraw the consent they’ve given at any time. And you are obliged to inform them of everything you do with their data, everyone you share their data with and all of their rights regarding GDPR. (We’ll go over what ‘data’ in this context means later.)
Basically, a person’s personal data is always owned by that person. This means that they must have control over it (with some exceptions).
An important note is that if your website has comments or a contact form, it means that you are already storing someone’s personal data. Therefore, GDPR requires almost all website owners to take action.
Based on this summary, the situation might not look too bad. But as mentioned before, this is not the full list of rights and requirements. Also, once we go into the details, you’ll see that there’s a million things to take into consideration and lots of technical difficulties that will arise.
But don’t worry – that’s why we partnered with Codelight to take away some of the pressure to make your website compliant.
How GDPR affects your business
GDPR also sets some new rules for your business in general. You need to keep a registry of all data processing activities. You might need to appoint a Data Protection Officer. You need to have contracts with everyone you share customer data with. You cannot transfer customer data to someone who does not comply with GDPR. Should a data breach occur (someone else getting access to customer data, by for example a hacked website or a stolen employee’s laptop), you need to notify your local supervisory authority and possibly your customers. If you store a lot of data or work with sensitive data, you might be obliged to make a Data Protection Impact Assessment. And you are responsible for demonstrating that you’re GDPR-compliant to your supervisory authority.
And again, that’s not even the full list.
We recommend getting started with GDPR compliance on your website as soon as possible. While making your website compliant, there’s a good chance that you’ll realise that you need the help of a website developer or a lawyer. However, as May 25th approaches, other site owners will be doing the same thing and we expect that both website developers and lawyers will have a lot of work in at least the following 6 months. You probably don’t want to be late.
Before we get started with the practical parts of the guide, let’s briefly talk about how Webizzy Limited can help.
First, we can use various tools to help make your website properly compliant.
Second, we will work through the maze of rules, regulations and requirements of GDPR for website owners. We’ve spent a lot of time researching and testing various solutions that provide step by step processes to make your website compliant.
Third, we are working with “The WordPress GDPR Framework” which provides solutions for various complex corner cases regarding data privacy and customer rights. And there are a lot of them! Note that this is a work in progress – we will constantly update features as we become aware of new difficulties related to following the rules properly.
WordPress and GDPR
As you may or may not know, WordPress itself is already working on adding GDPR compliance. However, we don’t know when the updates will be released and exactly which problems they will solve.
Webizzy Limited, like so many other WordPress website developers, uses many different plugins to provide the functionality required by today’s website owners, including you!
A major problem: WordPress ecosystem is not ready for GDPR
The WordPress plugin repository contains over 54 000 plugins. Not all of them process visitor data, but those that do need to be made GDPR-compliant. Even if WordPress publishes its official GDPR update and plugin guidelines within the following weeks, it is not likely that all plugin authors will be able to make their plugins compliant by May 25th. This means that if your site depends on a lot of plugins, you can either put development hours into making those plugins compliant yourself (which is relatively simple if Webizzy is looking after your website) or, alternatively, wait and hope.
So what can you do now?
Fortunately, if you have a simple WordPress site and you don’t use many plugins that collect data from visitors, then there’s a good chance that you’ll still be able to achieve GDPR compliance on a reasonable level right now.
If you have a more complex site that relies on a lot of plugins, things are not that simple. You’ll need to put some extra effort into getting compliant before May 25th. Alternatively, you can take a business risk and wait until the WordPress ecosystem catches up. But either way, there are plenty of things you can do right now (and we really recommend getting started as soon as possible – this process is probably more time-consuming than you expect).
For this reason, we’ve divided the practical sections of the guide into two parts: what you should do now and what you should do in May. We’ll explain the things that are optimal to do right now and show you how to do them using the WordPress GDPR Framework. And we’ll also explain which parts you’ll need to revisit in May.
If you sign up to our GDPR compliance support service, we’ll ensure that your website is kept up to date and properly compliant. We’ll also keep you up to date with other important developments regarding GDPR and let you know if we add awesome new features or extensions to the plugin.
Definitions You Need To Know
In order to properly understand GDPR, there are some definitions that you need to know:
- Data subject
- Personal data
- Sensitive data
We’ve tried to explain them as clearly and simply as possible. Take the time to read and understand them, otherwise you will just be very confused later on.
Who is a data subject?
A data subject is a natural person (i.e. a human being) whose personal information (more on that below) you are processing. For example, a data subject is a website visitor, a customer or an employee.
What is processing?
Processing can be any activity or set of activities performed on personal data, e.g. viewing, collecting, storing, transferring, modifying, erasing.
Simply put, pretty much anything you do with your customers’ data on purpose is “processing.”
GDPR Art. 4 (2): processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
What is personal data?
Personal data is almost any data about a person. For example:
- personal identification number
- location info
- appearance description
- information about hobbies
- cultural preferences
GDPR Art. 4 (1): Personal data is any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive data: a special category
Sensitive data is data about a person’s:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- health
- sex life or sexual orientation
- genetic data
- biometric data (where it is used to uniquely identify the person)
(Technically, all this is called “special categories of data” by GDPR, but for the sake of brevity, we’ll continue referring to it as sensitive data.)
The important part: you are not allowed to process sensitive data without explicit consent from the data subject (unless one of the exceptions listed under GDPR Art. 9 (2) applies). Sensitive data also requires stricter security measures. If you’re dealing with sensitive data, we recommend getting legal advice to ensure compliance.
Personal data is personal as long as you have a way to tie it to an actual person. This means that if the data contains someone’s name, address, email, IP address etc., it is personal data. If you remove everything that ties it to a person, the data is effectively anonymised and no longer counts as personal data. Be careful with what “remove” means here: replacing a name or e-mail address with a hash, a customer number or any other token that you (or anyone else) can map back to the person is pseudonymisation, not anonymisation, and pseudonymised data is still personal data under GDPR. Only data that can no longer be linked to a person by any reasonable means falls outside the regulation.
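To make the difference concrete, here is an added example (written for this article; it is not code from WordPress, from the WordPress GDPR Framework or from Webizzy). The record, field names and addresses below are constructed to resemble a row in the WordPress comments table and are not real data. It shows that hashing an e-mail address does not anonymise it (the hash can be matched against a list of candidate addresses), while dropping the identifiers and truncating the IP address does.

```python
import hashlib
import ipaddress
from copy import deepcopy

# Constructed sample record shaped like a WordPress comments-table row.
# Values are made up for this example.
SAMPLE_COMMENT = {
    "comment_ID": 17,
    "comment_author": "Jane Example",
    "comment_author_email": "jane@example.com",
    "comment_author_IP": "203.0.113.42",
    "comment_content": "Great post, thanks!",
    "comment_date": "2018-03-01 10:15:00",
}

# Fields that directly identify the commenter.
DIRECT_IDENTIFIERS = ("comment_author", "comment_author_email", "comment_author_IP")


def pseudonymise(record):
    """Replace each identifier with a SHA-256 hash prefix.

    This is pseudonymisation: the row no longer shows the name or e-mail,
    but anyone who can guess candidate values can re-identify it (see
    relink_by_email). A keyed hash (HMAC) only moves the problem to whoever
    holds the key; the data stays personal data either way.
    """
    out = deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = hashlib.sha256(out[field].encode()).hexdigest()[:16]
    return out


def truncate_ip(ip):
    """Keep only the network part of an IP address (/24 for IPv4, /48 for IPv6)
    so it no longer points at a single connection."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymise(record):
    """Remove everything that ties the row to a person: blank the name and
    e-mail, coarsen the IP address. The comment text itself is kept; in a real
    site you would also have to check it for names or contact details."""
    out = deepcopy(record)
    out["comment_author"] = "Anonymous"
    out["comment_author_email"] = ""
    out["comment_author_IP"] = truncate_ip(record["comment_author_IP"])
    return out


def relink_by_email(record, candidate_emails):
    """Try to recover the commenter from a pseudonymised row by hashing a list
    of known addresses (for example a newsletter export) and comparing.
    Returns the matching address, or None if the row cannot be linked."""
    target = record["comment_author_email"]
    for email in candidate_emails:
        if hashlib.sha256(email.encode()).hexdigest()[:16] == target:
            return email
    return None


if __name__ == "__main__":
    candidates = ["bob@example.com", "jane@example.com"]
    pseudo = pseudonymise(SAMPLE_COMMENT)
    anon = anonymise(SAMPLE_COMMENT)
    print("pseudonymised row links back to:", relink_by_email(pseudo, candidates))
    print("anonymised row links back to:", relink_by_email(anon, candidates))
    print("anonymised IP:", anon["comment_author_IP"])
```

Run it and the pseudonymised row resolves back to jane@example.com from nothing more than a list of addresses, while the anonymised row does not. The same test is worth applying to any “anonymised” export you produce: if you, a processor, or an attacker holding a second dataset can get from the export back to a person, the export is still personal data.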
Who is a controller?
The short version: You are the controller.
A controller is someone who determines the purpose (the why) and means (the how) of processing personal data. If you own a website that does anything with its visitors’ personal data, you are the controller. You control your customers’ data and you are ultimately responsible for it.
GDPR Art. 4 (7): A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Who is a processor?
A processor processes personal data on behalf of someone else. For example, your web hosting provider is a data processor. They own the servers where your customers’ data is stored, so they also have access to your customers’ personal data. It is also likely that they will occasionally need to process it, whether manually (fixing a bug somewhere) or automatically (making backups). Another example would be MailChimp (or any other similar service), which also has access to your customers’ personal data. Your web developer is also a data processor.
The important part: there has to be a written contract between you (the controller) and each of your data processors (GDPR Art. 28). This is something that most bigger service providers will handle by themselves, usually as a data processing agreement you accept in their terms. However, note that you will also need a contract with your web developer and any other third party you share the data with, otherwise there might be trouble.
GDPR Art. 4(8): A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Privacy Tools page: accessing, exporting and deleting personal data
GDPR grants individuals many new rights regarding their personal data. From the perspective of your WordPress website, the three most important rights are:
- Your visitors can request to access any personal data you’ve gathered about them
- Your visitors can request to export their personal data in machine-readable format
- Your visitors can request to delete their personal data
Unless you have a good, legally backed reason, you are obliged to comply without undue delay and at the latest within one month of receiving the request (GDPR Art. 12 (3); the deadline can be extended by two further months for complex requests, but you must tell the data subject about the extension within the first month).
Note that even if your website does not have user accounts, you might still be collecting visitors’ personal data. For example, analytics, comments, reviews and any kinds of form submissions may contain personal data.
Granting access (GDPR Art. 15)
The data subject has the right to know whether their personal data is being gathered and/or processed. If this is the case, they have the right to access the data. The right of access includes the right to a copy of the personal data that is being processed. An electronic copy is sufficient in most cases.
Obviously, you have to identify the data subject before giving out any information. A request like this is an easy way for someone to try to extract another person’s data from you, so do not rely on a name typed into a form: confirm the request through the e-mail address or account already on file, and only release data that belongs to the identity you have verified.
Note that this doesn’t include data about a person that you have created. For example, if you have stored a customer’s shopping history on your site, you’ll need to provide access to it. However, if you’ve made notes about which products you should recommend to them based on their shopping history, then you don’t need to share these notes.
Erasure of personal data – right to be forgotten (GDPR Art. 17)
The data subject has the right to demand erasure of their personal data if:
- basis for processing was consent and he/she withdraws it;
- data is not needed for the purpose it was gathered;
- processing was not lawful;
- there is a legal obligation for erasure.
Note that if you have shared a data subject’s personal data with a third party, you are obliged to inform them that this data has to be erased.
Most of the time, if a data subject requests erasure and the above-mentioned conditions are met, you are obliged to comply. However, there are some exceptions. The most relevant exception is probably invoice data, which you are probably legally obliged to keep.
Obligation to provide data portability option (GDPR Art. 20)
The data subject may decide to take all their personal data from you and go somewhere else with it. This means that you have to be able to provide the data to them in a structured, commonly used, machine-readable format or, alternatively, transfer it directly to another company or service where that is technically feasible. The obligation to provide data portability applies only if:
- processing is based on the data subject’s consent or on a contract with them, and
- processing is carried out by automated means
Webizzy GDPR Compliance Support
For more information on how Webizzy Limited can make your website GDPR compliant, click here.