What Is GDPR?
The General Data Protection Regulation is the latest piece of European data protection legislation that affects EVERY business, whether it has 1 or 1000 employees.
The regulation came into effect on 25th May 2018. It strengthens the rights individuals have over personal data held about them, and is being rolled out in two parts.
The first part is a re-working of the 1995 Data Protection Directive. The original principles of that directive remain; however, this revision reflects changes in technology that simply didn’t exist when the DPD was written.
The second part, seen as an overhaul of the more recent ePrivacy Directive of 2002, relates to the transit of data, including cookies, telemetry, metadata, and consent for marketing. Its requirements for consent will closely mirror those of the initial GDPR roll-out.
While there is no firm date for the roll-out of part 2, due to continuing negotiations on its contents, it’s rumoured that it could be released by the end of 2018.
Why Is GDPR Being Introduced?
In basic terms, to date each EU country has self-governed its own data protection policies, effectively resulting in a mess of mismatched & contradictory rules.
The new GDPR legislation aims to pull all countries together with a common set of European guidelines that they must adhere to.
It’s hoped this will enable EU citizens to better control personal data held about them online.
We are not lawyers, and this article is provided for reference only. Please carry out your own enquiries with the relevant agencies to ensure full compliance.
What Is Personal Data?
Many companies are surprised when they learn what can be considered personal data.
Under the current EU Directive on Data Protection, personal data can generally be defined as:
Any information relating to a living, identified or identifiable natural person.
This can apply to information including (but not limited to):
- ID Numbers
- Health History
- Biometric Information
- Sexual Orientation
- Religious and/or Political Beliefs
- Genetic Information
Your GDPR Obligations
GDPR relates to any data your company handles, whether it’s digital data or physical files. But for this article, we are dealing with data collected and processed by WordPress & WooCommerce websites.
Your obligations include (and are not limited to):
- Telling the user who you are, why you collect the data, for how long, and who receives it.
- Obtaining explicit consent (where necessary) when requesting/collecting any data.
- Allowing users to access their data, and take it with them.
- Allowing users to delete their data.
- Informing users of any breaches occurring that represent a risk to data held on the website.
Collecting, Processing & Storing Data
There are three main elements to this:
Right to access
This provides users with total transparency in data processing and storage – what data is being collected, where that data is being processed and stored, and why it is collected, processed and stored. You are also obliged to provide users with a copy of their data free of charge within 40 days.
Right to be forgotten
This gives users the ability to have any personal data held on them erased, and to stop further collection and processing of that data. In effect, the user is withdrawing consent for their personal data to be used.
Right to data portability
This clause of the GDPR gives users the ability to download the personal data they previously consented to provide, and to transmit that data to a different controller.
What Does This Mean for My WordPress Website?
Automattic, the company behind WordPress & WooCommerce, has stated in a blog post that work is underway to provide the necessary compliance in the core of both applications, which they claim will be ready for the May 25th deadline.
Meanwhile, you should consider carrying out a security audit of your website to help identify any plugins that do not comply with GDPR requirements. At the time of writing, few plugin developers have published any plans to make their software compliant.
The WP Security Audit Log plugin can provide a full audit trail of everything that happens on your WordPress website, and will help you to identify risk areas.
If you are in any doubt, contact the developers of any plugins your website particularly relies on and ask what they are doing about GDPR and when they intend to implement it.
Your WordPress website might collect user data in one of the following ways:
- User registrations
- User comments
- Contact form submissions
- Analytics logs
- Security plugins
You’ll need to ensure that every plugin on your website has the facility to export, provide and erase the user data it collects, in compliance with the GDPR.
Under the new regulation, in the event of a data breach you will be required by law to notify your users within 72 hours of that breach.
In WordPress terms, this means a review of your hosting environment should be a serious consideration, since reducing the potential for breaches becomes a far more pressing issue.
Wordfence offers a really useful plugin that monitors and alerts you to suspicious activity on your website, and also provides a firewall and brute-force attack protection, but you should discuss additional security options with your host.
But Brexit Means EU Directives Won’t Apply to UK Businesses Right?
Wrong! Every UK business is obliged to adhere to the new rules, and will continue to be after Brexit.
Any business or organisation that deals with individuals in the EU is obliged to comply with GDPR.
What Are The Consequences of Non-Compliance?
Any company found to be in breach of the regulations will be notified and given the opportunity to put things right; however, companies that simply refuse, or continue to operate outside the regulations, could face fines of up to £20 million or 4% of global revenue.