With over 60 million websites, WordPress is undoubtedly the most popular content management system on the internet. You can build almost any type of website with it. Its recent releases also show that the project takes its users’ privacy seriously: it has added features that help a website move towards compliance with the EU GDPR.
In this article, I will discuss some ways you can make your WordPress website GDPR compliant. Before that, let us understand what GDPR is.
What is GDPR?
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is a data protection and privacy regulation that came into effect on 25 May 2018. It was introduced to protect the personal data and privacy of individuals in the EU.
It applies to any organization (and therefore any website) that is established in the EU, or that offers goods or services to, or monitors the behaviour of, individuals located in the EU. So if your website has visitors or clients from the EU, you must meet its requirements. Where your website is hosted or your company is registered does not matter; what matters is that you collect personal data of individuals in the EU.
The GDPR requires your website to be transparent about how it handles personal data. It sets out principles you must follow (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability), and it gives individuals several rights (explained in the infographic below) so that they have more control over their data.
Failing to comply with the GDPR can result in administrative fines (up to €20 million or 4% of annual worldwide turnover, whichever is higher) and other corrective measures, such as orders to restrict or suspend processing or to stop transferring data.
How to make your WordPress website GDPR compliant
Here are eight ways you can make your WordPress website compliant with the GDPR.
1. Update WP
WordPress has introduced privacy features in its recent versions. These are very helpful in your steps towards GDPR compliance.
Update to version 4.9.6 or higher (if you have not done so already) to get the ‘Export Personal Data’ and ‘Erase Personal Data’ tools. They let you fulfil a user’s request to receive a copy of, or to erase, the personal data the site holds about them. When you create a request for an email address, the user receives an email asking them to verify it before the export or erasure is carried out.
To use them, from your WP dashboard, go to Tools > Export Personal Data or Tools > Erase Personal Data. Note that out of the box these tools cover only the data WordPress core itself stores (user profiles, comments, media); plugins that hold personal data must register their own exporters and erasers, so check each plugin’s documentation.
WordPress also has an option to create a privacy policy page. From Settings, select Privacy to choose or create the page and to see the guide WordPress provides on what to include.
2. Personal data audit
Auditing the personal data collected through the website gives you clarity on how to handle it.
The audit should answer, for each category of personal data, where it is collected (forms, comments, accounts, analytics, logs), why it is collected and stored, how it is processed, whether it is transferred to third parties or outside the EU, how long it is kept, and how it is protected.
You will also see what personal data your website actually needs and what it no longer does, and whether any data is being stored longer than necessary.
These findings are the foundation for the remaining steps towards GDPR compliance.
3. Third-party services
A WordPress website is not just about creating it on the platform and then running it. You need third-party services such as plugins and a suitable theme to run it efficiently. But most often they come with a price (literally and figuratively). These services may collect personal data through your site in order to provide their functionality. You remain responsible for that data, so you must ensure that their processing does not violate the GDPR, and where a service processes personal data on your behalf you need a data processing agreement with it (Article 28).
Popular third-party services have adopted GDPR standards, but you still have to verify this from your end and document which services receive which data.
4. Explicit consent
Where you rely on consent, your website must obtain valid consent from users before collecting, using, storing, or transferring their personal data: consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (Article 4(11)). There are various aspects of a website where this applies. Let’s look at some of them in brief.
Tracking cookies
It is nearly impossible for a website not to use a single cookie. Cookies are helpful for the seamless functioning of the website. However, some of them are intrusive to users’ privacy, especially those that stay on the device for a long period and collect personal data. Such cookies are often set by third-party services for marketing purposes, and they have been subject to a great deal of privacy scrutiny.
Using such non-essential cookies without the users’ consent is a violation of the ePrivacy rules, which since 2018 use the GDPR’s standard of consent. You must give users the necessary information about the cookies and obtain their consent before storing them; you cannot set them on the user’s device until and unless consent is given. Users must also be able to withdraw consent as easily as they gave it (Article 7(3)), and the website must respect that decision and act on it.
Websites are advised to use a cookie consent notice to inform users about the cookies on the site and ask for their consent. You can use any free online cookie scanner to check your website for cookies and their details, and then add a cookie consent notice to the site.
CookieYes (from the team behind the GDPR Cookie Consent WordPress plugin) is a cloud-based application that provides a GDPR solution for cookies. You install a cookie consent banner, available in 15 languages, using a simple script. It scans your website for cookies. The banner is fully customizable and supports auto-translation. You can set the solution to block third-party cookie scripts automatically until consent is obtained. It also maintains a cookie consent log so that you can demonstrate proof of consent if necessary.
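The following JavaScript is an added example for this article, not code from CookieYes, WordPress or any plugin. It shows the core of what a consent banner has to get right: third-party tags are emitted in a form the browser will not execute, a consent record is only treated as valid if it was given against the current policy version, anything not explicitly granted stays off, withdrawal is a single call, and a log entry can be kept as proof of consent. The cookie name, the category names and the `data-consent`/`data-src` attributes are assumptions for illustration; the sample script list is constructed.

```javascript
// Consent-gated loading of non-essential scripts.
// Added example for this article; not code from CookieYes or WordPress.
// The cookie name, the category names and the data-* attributes are assumptions.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const CONSENT_VERSION = 2;              // bump whenever the cookie policy changes
const CONSENT_COOKIE = 'site_consent';  // assumed cookie name

// Build a consent record from the banner's choices. 'necessary' (strictly
// necessary cookies) needs no consent and is always on. Every other category
// is on only if the user explicitly set it to true: an absent or pre-filled
// value is treated as "not given".
function buildConsent(choices, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = c === 'necessary' ? true : choices[c] === true;
  }
  return { version: CONSENT_VERSION, timestamp: new Date(now).toISOString(), granted };
}

// Withdrawal must be as easy as giving consent: one call resets every
// non-essential category and records when that happened.
function withdrawConsent(now = Date.now()) {
  return buildConsent({}, now);
}

// A record is usable only if it was given against the current policy version;
// consent collected under an older policy is stale and must be asked for again.
function isValidConsent(record) {
  return Boolean(record) && record.version === CONSENT_VERSION &&
    typeof record.granted === 'object' && record.granted !== null;
}

// May a script tagged with `category` run under this record? No record, a
// stale record or an unknown category all mean "no".
function mayLoad(category, record) {
  if (category === 'necessary') return true;
  if (!CATEGORIES.includes(category)) return false;
  if (!isValidConsent(record)) return false;
  return record.granted[category] === true;
}

// The record lives in a first-party cookie so the choice survives page loads.
// consentCookieValue() is the name=value pair; consentSetCookie() adds the
// attributes for a Set-Cookie header / document.cookie assignment.
function consentCookieValue(record) {
  return CONSENT_COOKIE + '=' + encodeURIComponent(JSON.stringify(record));
}
function consentSetCookie(record) {
  return consentCookieValue(record) + '; Path=/; Max-Age=' + (180 * 24 * 3600) + '; SameSite=Lax; Secure';
}

// Read the record back from a document.cookie / Cookie-header style string.
function parseConsent(cookieString) {
  const m = (cookieString || '').match(new RegExp('(?:^|;\\s*)' + CONSENT_COOKIE + '=([^;]*)'));
  if (!m) return null;
  try {
    return JSON.parse(decodeURIComponent(m[1]));
  } catch (e) {
    return null;   // a corrupt cookie is the same as no consent
  }
}

// Given the page's tagged third-party scripts, return the ones allowed to run.
function selectScripts(scripts, record) {
  return scripts.filter(s => mayLoad(s.category, record));
}

// Browser side. Third-party tags are emitted as
//   <script type="text/plain" data-consent="marketing" data-src="https://..."></script>
// The browser does not execute type="text/plain", so nothing runs and no cookie
// is set until this swaps in a real <script> for each allowed tag.
// Returns the number of scripts activated (0 when there is no DOM, e.g. in Node).
function activateScripts(record, doc) {
  const d = doc || (typeof document !== 'undefined' ? document : null);
  if (!d) return 0;
  let activated = 0;
  for (const el of d.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayLoad(el.dataset.consent, record)) continue;
    const s = d.createElement('script');
    s.src = el.dataset.src;
    el.replaceWith(s);
    activated++;
  }
  return activated;
}

// Entry for the consent log kept as proof of consent (GDPR Art. 7(1)): the
// policy version the user saw, their choices and the time, keyed by an opaque
// id rather than the visitor's IP address or name.
function consentLogEntry(record, visitorId) {
  return { visitorId, policyVersion: record.version, timestamp: record.timestamp, choices: Object.assign({}, record.granted) };
}

// Constructed sample data: the tagged scripts a typical page might carry.
const SAMPLE_SCRIPTS = [
  { src: '/wp-includes/js/jquery/jquery.min.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];
```

On page load the banner code calls `parseConsent(document.cookie)`; if that returns `null` or a stale version, it shows the banner and activates only `necessary` scripts. When the user submits the banner, `buildConsent()` produces the record, `consentSetCookie()` stores it and `activateScripts()` releases the permitted tags without a reload. The important design choice is the default: `mayLoad()` answers "no" for anything that was not explicitly granted, so a missing cookie, a pre-ticked box or a policy change never results in a marketing tag running.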
Website forms
Another aspect that is easy to overlook is website forms. Capturing data through forms is common on any website. Pre-GDPR forms often came with a pre-ticked checkbox asking for consent to store and use the personal data entered. The GDPR is strictly against that practice: pre-ticked boxes, silence or inactivity do not constitute consent (Recital 32).
All consent checkboxes on your website must therefore be unchecked by default, and they must not be bundled with unrelated terms. Data entered in form fields must be protected in transit (serve the site over HTTPS) and stored securely, and you may use it only for the purpose the user agreed to.
Email services
If you send newsletters or other marketing emails, you need the users’ consent to send them. You cannot email people who have not subscribed. Using double opt-in, where the subscriber confirms by clicking a link sent to their address, is recommended: it verifies that the address belongs to the person who gave consent and gives you a record of when they did so.
Every email should carry an unsubscribe link so that users can withdraw consent at any time.
5. User rights
The GDPR gives users several rights so that they have more control over their data. You must ensure that your website has a way for users to exercise them.
Users may request access to their data (with a copy), erasure of their data, or rectification of inaccurate data. You are responsible for verifying the requester’s identity and responding without undue delay, and in any case within one month (extendable by two further months for complex or numerous requests, Article 12(3)). You should have a dedicated channel, such as a privacy contact address, for receiving such requests; the WordPress export and erase tools described in point 1 help you fulfil them.
If you refuse a request, you must tell the user why, and inform them of their right to lodge a complaint with a supervisory authority.
6. Privacy policy
Adding a privacy policy to your WordPress website should be one of your top priorities. A privacy policy is the means by which a website is transparent about what personal data it collects, why, on what legal basis, for how long, with whom it is shared, and how users can exercise their rights.
As already mentioned, you can create a privacy policy page from the WordPress settings. However, what to include must be carefully considered and written to match what your site actually does, as found in your data audit (point 2), and to meet the GDPR’s information requirements (Articles 13 and 14).
Free privacy policy generators available online can give you a starting template, but you must review and adapt it to your own data practices.
7. Secure site
You must secure your website to prevent incidents, especially if it is an e-commerce site where users share payment information and extra care is required. The GDPR requires security measures appropriate to the risk (Article 32).
Serving the site over HTTPS with a valid TLS certificate is one basic step. It authenticates the website to the browser and protects the information users submit while it is in transit.
Other measures are encrypting sensitive data at rest, a CAPTCHA on public forms, strong passwords for all accounts, limiting failed login attempts, keeping WordPress, plugins and themes updated (point 1), and the double opt-in described above so that only verified addresses enter your mailing list.
Taking backups of the data you collect will help if you ever face data loss. However, backups contain personal data too: protect them as carefully as the live site, and state in your privacy policy that backups exist and how long they are retained.
Your systems and processes must be ready to deal with a data breach. Proper safeguards for user data are of paramount importance.
8. Data breach notice
Always be prepared for a breach. It is a no-brainer that you should have a plan for how you will deal with one. If a breach is likely to result in a risk to the rights and freedoms of users, you must notify the supervisory authority; if the risk is high, you must also inform the affected users. Notifying them is as important as adopting measures to contain the breach and fix the shortcomings that allowed it.
Under the GDPR you must notify the supervisory authority within 72 hours of becoming aware of the breach where feasible (Article 33), and inform the affected users without undue delay when the breach is likely to result in a high risk to them (Article 34). The notice should describe the nature of the breach, its likely consequences, and the measures you have taken or propose to take to address it.
Wrapping Up
GDPR compliance is not easy. Nevertheless, you can work towards it by following the GDPR requirements and applying the appropriate measures. I do not guarantee that implementing the above tips will ensure 100% GDPR compliance for your website, but they are a good starting point. I recommend that you take full advantage of the WordPress plugins that can help you on your journey towards compliance.
I look forward to your thoughts on the subject and your suggestions.