GDPR Website compliance
For those who haven’t heard – Europe’s GDPR comes into effect on the 25th May 2018. This means that your online shop or site will have to be compliant by then or you could face the risk of having your site suspended.
If you’re unsure about what GDPR is or how it affects you, you’re in the right place. We’ll take you through the basics and help you figure out what you need to do in order to comply.
What is GDPR?
General Data Protection Regulation (GDPR) has been enacted by the EU to ensure stricter data security. The overall aim of GDPR is to give users greater control over their own data and to ensure that everyone across Europe is compliant.
If you have an online store or any kind of WordPress site which uses customer data then you need to be far more upfront about why you’re collecting the data. Some of the basic points that WordPress site owners should be aware of are:
- Telling the user exactly who you are, why you’re collecting the data, how long you’ll keep it and what your criteria are for deciding that retention period.
- Telling the user who will receive the data that you’ve collected, particularly if it is transferred outside of the EEA.
- Collecting explicit consent from the user through some form of confirming activity.
- Allowing users to access their own data and providing them with a copy if they request it.
- Giving users the ability to delete their data if they wish (although you need to be clear on what you will keep and why e.g. invoice info for tax record purposes).
- Ensuring users know if any breach of data happens, including how it happened, what the impact may be on them and how you’re fixing the issue. You also need to let them know about their rights to complain to the ICO (Information Commissioner’s Office).
So what do I need to do?
In order to make sure that you’re complying with these new regulations, you should ensure that you’re sticking to the bullet points listed above. This means that you cannot assume that users know or understand what you will do with their information, and that if you need their consent to process it for any reason, you must be able to show that they have actually consented. Some websites have a catch-all which reads something like ‘by commenting here you are agreeing to give WordPress rights to your data’ or similar. But with GDPR you need to make sure that users are actually clear who will see and have access to any personal information that could be used to identify them, and if consent is needed, that you keep a record of them actively consenting.
How to ensure that your website is compliant with GDPR?
You must have a clear understanding of what is expected and required to be compliant and apply that knowledge to your business and website. We regularly run training workshops listed on our website https://spheredataprotection.com/events-list/. Alternatively you can keep an eye on the updates that the ICO make to the small and micro business guidance on their website at https://ico.org.uk/for-organisations/making-data-protection-your-business/.
Firstly, we recommend you take a security audit to think about:
- What data are you storing?
- Where is it being stored?
- Do you really need the data?
If you are using third party data processors, check if they are GDPR compliant. US-based data processors should be Privacy Shield compliant at the very least, and should be able to publish their awareness and approach to complying with the GDPR for any personal data they process that originates within the EU.
There are a variety of audit plugins available. We don’t make a habit of condoning any in particular, but you could look at the Security Audit Log plugin, which can help you perform a security audit on your website.
Notification of a breach
Under GDPR, if your website has been hacked, you need to communicate this to the ICO within 72 hours of first becoming aware of the breach, and also to your users without delay. Those users include anyone whose personal data you hold: contact form users, entries, commenters, etc.
Opt-in / Opt-out
For those who are running online stores where you offer people the option to sign up to receive marketing emails or regular newsletters, you need to make sure that these are ‘opt-in’ rather than assumed, or asking people to ‘opt-out’. Many people receive these emails and updates without being aware that they’ve signed up to anything, and have to opt out in order to stop receiving them. The new GDPR and ePrivacy rules mean that you need their active selection of these options, in order to make sure that people aren’t giving over their data unknowingly or being sent promotional marketing material electronically that they haven’t agreed to.
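As an added illustration (this is not code from the original article, nor from WordPress or any plugin it mentions), the generic server-side logic below shows the difference between an opt-out signup, where a missing or pre-ticked field is treated as agreement, and an opt-in signup, where consent is stored only when the user actively ticked the box. It also keeps the record of active consent that the ‘So what do I need to do?’ section asks for, and can hand that record back on request or erase it. The form field name `newsletter_opt_in`, the `ConsentLedger` class and the sample submissions are all constructed for this example.

```python
"""Opt-in consent handling with a consent record (constructed example, not project code)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Exact wording shown next to the checkbox; kept with each record so you can
# later show what the person agreed to. Constructed for this example.
CONSENT_WORDING = "Yes, email me the monthly newsletter and offers"


def opt_out_would_subscribe(form: dict) -> bool:
    """The weak pattern: the user is subscribed unless they found and ticked an
    'unsubscribe' box. A submission that never mentions the box counts as consent,
    which is exactly the silent signup the text warns about."""
    return form.get("unsubscribe") != "yes"


@dataclass
class ConsentRecord:
    email: str
    purpose: str      # what the data will be used for
    wording: str      # the text the user saw when agreeing
    granted_at: str   # ISO 8601 UTC timestamp of the confirming action
    source: str       # which form or page recorded it


class ConsentLedger:
    """In-memory consent record; a real site would persist this alongside the subscriber."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_from_form(self, form: dict, source: str) -> Optional[ConsentRecord]:
        """The opt-in pattern: the checkbox is rendered unchecked, so the field is
        only present when the user ticked it. Anything else means no consent and
        the address is not added to the marketing list."""
        email = form.get("email", "").strip().lower()
        if not email:
            raise ValueError("email address is required")
        if form.get("newsletter_opt_in") != "yes":
            return None
        record = ConsentRecord(
            email=email,
            purpose="newsletter",
            wording=CONSENT_WORDING,
            granted_at=datetime.now(timezone.utc).isoformat(),
            source=source,
        )
        self._records.setdefault(email, []).append(record)
        return record

    def has_consent(self, email: str, purpose: str = "newsletter") -> bool:
        """Check before sending anything: no record means no email."""
        email = email.strip().lower()
        return any(r.purpose == purpose for r in self._records.get(email, []))

    def export(self, email: str) -> List[dict]:
        """Copy of everything held about this address, for an access request."""
        email = email.strip().lower()
        return [asdict(r) for r in self._records.get(email, [])]

    def erase(self, email: str) -> int:
        """Remove all consent records for this address; returns how many were removed."""
        email = email.strip().lower()
        removed = self._records.pop(email, [])
        return len(removed)


if __name__ == "__main__":
    # Constructed submissions: one where the box was left unticked, one where it was ticked.
    ledger = ConsentLedger()
    untouched = {"email": "alice@example.com"}
    ticked = {"email": "Alice@example.com", "newsletter_opt_in": "yes"}
    print("opt-out model would subscribe the untouched form:", opt_out_would_subscribe(untouched))
    print("opt-in model records consent for the untouched form:", ledger.record_from_form(untouched, "checkout"))
    print("opt-in model records consent for the ticked form:", ledger.record_from_form(ticked, "checkout"))
    print("export:", ledger.export("alice@example.com"))
    print("erased:", ledger.erase("alice@example.com"), "has consent now:", ledger.has_consent("alice@example.com"))
```

The two behaviours differ only in which value they treat as the default, which is why a pre-ticked checkbox on a signup form is the thing to look for during the audit: it turns an opt-in form into an opt-out one without changing any server-side code.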
While you may think that your site doesn’t ask for, collect or store anyone’s personal data – it’s still worth looking over and making sure. It’s probably still wise to audit your entire site and make sure that everything is GDPR compliant before the new laws come into effect. This is particularly true in the case of plugins, where you may not be aware if they collect data or not – better safe than sorry!
There are many resources out there to help you find out more about GDPR and how it affects your site.