GDPR Website compliance


For those who haven’t heard – Europe’s GDPR comes into effect on the 25th May 2018. This means that your online shop or site will have to be compliant by then or you could face the risk of having your site suspended.

If you’re unsure about what GDPR is or how it affects you, you’re in the right place. We’ll take you through the basics and help you figure out what you need to do in order to comply.

What is GDPR?

General Data Protection Regulation (GDPR) has been enacted by the EU to ensure stricter data security. The overall aim of GDPR is to give users greater control over their own data and to ensure that everyone across Europe is compliant.

If you have an online store or any kind of WordPress site that uses customer data, then you need to be far more upfront about why you’re collecting the data. Some of the basic points that WordPress site owners should be aware of are:

  • Telling the user exactly who you are, why you’re collecting the data, how long you’ll keep it and what your criteria are for deciding that retention period.
  • Telling the user who will receive the data that you’ve collected, particularly if it is transferred outside of the EEA.
  • Collecting explicit consent from the user through some form of confirming activity.
  • Allowing users to access their own data and providing them with a copy if they request it.
  • Giving users the ability to delete their data if they wish (although you need to be clear on what you will keep and why e.g. invoice info for tax record purposes).
  • Ensuring users know if any breach of data happens, including how it happened, what the impact may be on them and how you’re fixing the issue. You also need to let them know about their rights to complain to the ICO (Information Commissioner’s Office).

So what do I need to do?

In order to make sure that you’re complying with these new regulations, you should ensure that you’re sticking to the bullet points listed above. This means that you cannot assume that users know or understand what you will do with their information, and that if you need their consent to process it for any reason, you can show that they have consented to this. Some websites have a catch-all which reads something like ‘by commenting here you are agreeing to give WordPress rights to your data’ or similar. But with GDPR you need to make sure that users are actually clear who will see and have access to any personal information that could be used to identify them, and, if consent is needed, that you get a record of them actively consenting.

How to ensure that your website is compliant with GDPR?

You must have a clear understanding of what is expected and required to be compliant and apply that knowledge to your business and website. We regularly run training workshops, listed on our website. Alternatively, you can keep an eye on the updates that the ICO makes to the small and micro business guidance on their website at

Security Audit

Firstly, we recommend you take a security audit to think about:

  • What data are you storing?
  • Where is it being stored?
  • Do you really need the data?

If you are using third party data processors, check if they are GDPR compliant. US-based data processors should be Privacy Shield compliant at the very least, and should be able to publish their awareness and approach to complying with the GDPR for any personal data they process that originates within the EU.

There are a variety of audit plugins available. We don’t make a habit of endorsing any in particular, but you could look at the Security Audit Log plugin, which can help you perform a security audit on your website.

Refresh your privacy policy

Evaluate your Privacy Policy and Cookies Policy on your website. These will need to include how and why you are collecting and storing data on your website, in clear, plain, concise and transparent language. Some businesses are already getting ahead of the curve on producing good online Privacy Policies – have a look at Zendesk, Waitrose, Dyson and Autistica for some inspiration.

Notification of a breach

Under GDPR, if your website has been hacked, you need to communicate this to the ICO within 72 hours of first becoming aware of the breach, and also to your users without delay. This includes anyone whose data you hold: contact form users, form entries, commenters, etc.

For many WordPress site owners, plugins are a necessary part of the site. Plugins can collect data themselves, but it’s you as the site owner who is ultimately responsible for this and for being transparent about it in your Privacy Policy. This means that you need to audit all of your plugins and address anything which needs clarification. Luckily, WordPress has provided a GDPR compliance plugin which should help you address and amend anything before this regulation comes into effect.

Opt-in / Opt-out

For those who are running online stores where you offer people the option to sign up to receive marketing emails or regular newsletters, you need to make sure that these are ‘opt-in’ rather than assumed or requiring people to ‘opt-out’. Many people receive these emails and updates without being aware that they’ve signed up to anything, and have to opt out in order to stop receiving them. The new GDPR and ePrivacy rules mean that you need their active selection of these options, to make sure that people aren’t handing over their data unknowingly or being sent electronic marketing material that they haven’t agreed to.
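The two requirements above, active opt-in consent and a record of that consent (see also “So what do I need to do?”), can be checked in the signup handler itself. The following is an added example written for this article, not code from the original post or from WordPress; the form field names, the consent wording, the policy version and the e-mail addresses are constructed placeholders. It treats a missing or empty checkbox field as “no consent”, never defaults to consent, and keeps an append-only consent log that can be exported for a subject access request:

```python
"""Added example: opt-in consent handling with an auditable consent record.

Assumes a signup form is submitted as a dict of field name -> string value
and that the marketing checkbox is rendered unticked. All constants below
are constructed for the example.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

PRIVACY_POLICY_VERSION = "2018-05"          # constructed: version the user was shown
MARKETING_FIELD = "marketing_opt_in"        # constructed: name of the checkbox field
MARKETING_CONSENT_TEXT = (                  # constructed: exact wording next to the box
    "Yes, email me news and offers from ExampleShop. You can unsubscribe at any time."
)
AFFIRMATIVE_VALUES = {"on", "yes", "true", "1"}
PURPOSE_MARKETING = "marketing_email"


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    granted: bool
    consent_text: str      # what the person actually agreed to
    policy_version: str    # which privacy policy applied at the time
    recorded_at: str       # ISO 8601 timestamp, UTC


def marketing_consent_given(form: Dict[str, str]) -> bool:
    """Consent exists only if the visitor submitted an affirmative checkbox value.

    A browser omits an unticked checkbox from the POST body entirely, so an
    absent or empty field means 'no consent'. Nothing here grants it by default.
    """
    value = form.get(MARKETING_FIELD, "")
    return value.strip().lower() in AFFIRMATIVE_VALUES


class ConsentStore:
    """Append-only consent log.

    Withdrawal adds a new record rather than deleting the old one, so you can
    still show when consent was given and when it was withdrawn.
    """

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    @staticmethod
    def _now(now: Optional[datetime]) -> str:
        return (now or datetime.now(timezone.utc)).isoformat()

    def record_signup(self, form: Dict[str, str], now: Optional[datetime] = None) -> ConsentRecord:
        """Record the outcome of the signup, whether or not consent was given."""
        rec = ConsentRecord(
            email=form["email"].strip().lower(),
            purpose=PURPOSE_MARKETING,
            granted=marketing_consent_given(form),
            consent_text=MARKETING_CONSENT_TEXT,
            policy_version=PRIVACY_POLICY_VERSION,
            recorded_at=self._now(now),
        )
        self._records.append(rec)
        return rec

    def withdraw(self, email: str, now: Optional[datetime] = None) -> ConsentRecord:
        """Honour an unsubscribe by appending a 'granted=False' record."""
        rec = ConsentRecord(
            email=email.strip().lower(),
            purpose=PURPOSE_MARKETING,
            granted=False,
            consent_text="withdrawn by user",
            policy_version=PRIVACY_POLICY_VERSION,
            recorded_at=self._now(now),
        )
        self._records.append(rec)
        return rec

    def may_email(self, email: str) -> bool:
        """The most recent record for this purpose decides; no record means no."""
        wanted = email.strip().lower()
        latest = None
        for rec in self._records:
            if rec.email == wanted and rec.purpose == PURPOSE_MARKETING:
                latest = rec
        return bool(latest and latest.granted)

    def export_for(self, email: str) -> List[dict]:
        """Subject access request: every record held about this person."""
        wanted = email.strip().lower()
        return [asdict(r) for r in self._records if r.email == wanted]


if __name__ == "__main__":
    store = ConsentStore()
    store.record_signup({"email": "ann@example.com", MARKETING_FIELD: "on"})   # ticked
    store.record_signup({"email": "bob@example.com"})                          # left unticked
    print("ann:", store.may_email("ann@example.com"))   # True
    print("bob:", store.may_email("bob@example.com"))   # False
    store.withdraw("ann@example.com")
    print("ann after withdrawal:", store.may_email("ann@example.com"))  # False
    print(store.export_for("ann@example.com"))
```

The record stores the exact consent wording and the policy version alongside the timestamp, because a bare “subscribed = true” flag cannot show what the person agreed to or when; that is the evidence you would need if a user or the ICO asks.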

Wrapping Up

While you may think that your site doesn’t ask for, collect or store anyone’s personal data – it’s still worth looking over and making sure. It’s probably still wise to audit your entire site and make sure that everything is GDPR compliant before the new laws come into effect. This is particularly true in the case of plugins, where you may not be aware if they collect data or not – better safe than sorry!

There are many resources out there to help you find out more about GDPR and how it affects your site.

At Sphere Data Protection, we will help you figure out exactly what it is you need to do before 25th May 2018.

May 8th, 2018 | Data Protection