What is GDPR?

GDPR is the EU's General Data Protection Regulation, which governs data protection and privacy for all individuals within the European Union. GDPR will replace the older privacy law known as Directive 95/46/EC (the “Directive”), which has been in force since 1995.

The main purpose of GDPR is to give individuals more control over their personal data. It applies to businesses located in the EU, and to businesses outside the EU if they collect and process data of EU residents.

The GDPR was ratified in 2016 and its enforcement date is May 25, 2018. Commercial company websites in particular should be brought into compliance before this date.

GDPR affects all businesses that collect personal data, and the definition of personal data is very broad.

GDPR is also retroactive. This means it applies to all customer data you store or use, even if it was collected before May 25, 2018.

Why Should We Comply with GDPR?

If you operate a website and anyone from the EU visits it, you are affected by GDPR. Even if you don't have an email list, don't sell any products, and don't even advertise, you still have to follow these rules, because GDPR applies to any business or service, in any field, that collects personal data of people living in the EU. According to the European Commission, “personal data is any information about an individual, whether or not related to his private, professional or public life. It can be a name, home address, photo, email address, bank information, posts on social media sites, medical information, or the IP address of the computer.”

Even logging an IP address as a website owner requires you to comply with GDPR rules. Since most CMSs, including WordPress, collect IP addresses by default, websites must be GDPR compliant.

GDPR Sanctions and Penalties

If your business is found not to comply with GDPR, you can be fined up to 20 million euros or 4% of your global annual income, whichever is higher. These high penalties were put in place to proactively promote compliance. It is therefore very important that your site is GDPR compliant.

Step by Step GDPR

Under GDPR, your readers/users/customers have 8 rights regarding their data. If you receive a request concerning any of these rights, you must respond to it within 30 days.


1. Right to Information

Users have the right to know what data you collect and how it is used. This means you need to provide clear information on why personal data is collected, how it will be saved, how long it will be kept, and who else can access it.

2. Right of Access

Users have the right to access, upon request, the data the data controller has recorded about them. The data controller is the entity that holds their data.

3. Right of Rectification

Users have the right to have incorrect or incomplete data about them updated or corrected. If the data controller receives a request for rectification, it must take steps to check the accuracy of the data and, if necessary, update it.

4. Right to Delete (or Forget)

Users have the right to have their personal data completely deleted and to prevent further collection of it. When the data controller receives such a request, the user is effectively withdrawing their consent to the storage of their data.

5. Right of Restriction

Under certain conditions, users may restrict the use and processing of their data. In this case, the user's data may still be stored but may not be used for any purpose.

6. Right to Portability

Users have the right to request their data in machine-readable and human-readable formats. They can use this data in any way they see fit and even transfer it to another data controller.

7. Right to Object

Users have the right to object to the use of their personal data where their personal interests are affected. They may also object to a particular use of their data, and the data controller must ensure that users are aware of how the data will be processed.

8. The Right Not to Be Subject to Automatic Decision Making

Users have the right to opt out of automated decision-making where it has an adverse legal effect on them or a similarly significant effect.

Webmaster Responsibilities According to GDPR Rules

Under the regulation, the website owner's responsibilities are:

  • Inform users about your identity, the data you collect, why you collect it, what you store and with whom you share it

  • Get clear and unambiguous consent from the user when collecting any data

  • Allow users to access and download the data you collect

  • Let users delete their data if they want

  • Notify users of any data breach within 72 hours

Understanding each of these rules is important, so let's clear them up one by one.

Inform users about your identity, the data you collect, why you collect it, what you store and with whom you share it

This rule aims to inform users about the person or institution that stores the data and how it is used. Under GDPR, you must be specific about the data you collect and obtain explicit consent when you collect it (discussed under the second responsibility below).

Let's take an example to understand this rule. Say you run an eCommerce store. The basics you need in order to comply with this rule are:

  • Include business details and contact information in your privacy policy.

  • Explain to users what data you are collecting and on which pages.

  • If you are collecting email addresses, state why you are collecting them and get consent.

  • If you are going to send e-mails to users, specify this and get approval.

  • If you are collecting physical addresses for shipping, indicate this and get confirmation.

  • If you allow customers to review products, state how and where reviews may be shared and get approval.

  • If users can upload product images, state how you may use those images and get approval.

  • If you share users' personal information with third parties (for example, a courier company), state this and get consent.

  • If you retain information for any period (accounting, retargeting, etc.), specify it and get approval.

The most important thing to remember is that visitors must be informed of every way their data may be used. They also need to be aware of any third parties that access the data.

Get clear and unambiguous consent from the user when collecting any data

“Clear” here means that you must use everyday language so that the visitor understands what data is collected. Specific terms must be defined and explained in plain language rather than in the legal terminology of a Terms and Conditions page.

“Unambiguous consent” means that the visitor must actively approve each data collection. This can take the form of a checkbox, but it is important that the checkbox is not checked by default.

Allow users to access and download the data you collect

Upon a user's request, you must grant access to all data you collect about them. This includes data collected by plugins and themes. The latest version of WordPress provides a solution for this; more details are covered later in the article.

Under this rule, you must give your readers access to the data they create. For example, if you record what articles the visitor reads on your website, you must share this data. However, if you've used some analytics to predict the type of content they want to read, you can skip this information.

Allow users to delete their data if they wish.

This rule is similar to the rule above, but instead of just viewing their data, visitors can also request that their data be deleted. The latest version of WordPress has this feature built in and we'll cover it in detail in the section below.

There are a few exceptions to this rule. If you have a legitimate reason to keep the data (such as billing data), you may refuse to delete it.
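The two responsibilities above (letting users download their data and letting them delete it) are what the WordPress privacy tools introduced in 4.9.6 hook into, and the article points out that plugin data must be included and that billing data may be retained. The following is an added example, not code from the article or from WordPress core: it registers a personal-data exporter and eraser for a hypothetical plugin that stores a newsletter opt-in and a billing address in user meta. The meta keys, the "example-plugin" slug and the retention of the billing address are assumptions; the filter names and the callback return shapes are the ones WordPress core defines.

```php
<?php
/**
 * Added illustration for the WordPress privacy tools
 * (Tools > Export Personal Data / Erase Personal Data, WordPress 4.9.6+).
 * Not the article's code and not WordPress core. It assumes a hypothetical
 * plugin that stores a newsletter opt-in and a billing address in user meta
 * under the two keys below.
 */

const EXAMPLE_META_NEWSLETTER = '_example_newsletter_optin'; // assumed meta key
const EXAMPLE_META_BILLING    = '_example_billing_address';  // assumed meta key

// Register an exporter so the plugin's data appears in the user's export file.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-plugin'] = array(
        'exporter_friendly_name' => __( 'Example Plugin', 'example-plugin' ),
        'callback'               => 'example_plugin_export_personal_data',
    );
    return $exporters;
} );

// Exporter callback: WordPress calls it with the requester's email address.
function example_plugin_export_personal_data( $email_address, $page = 1 ) {
    $user = get_user_by( 'email', $email_address );
    $data = array();

    if ( $user ) {
        $items = array();
        foreach ( array(
            EXAMPLE_META_NEWSLETTER => __( 'Newsletter opt-in', 'example-plugin' ),
            EXAMPLE_META_BILLING    => __( 'Billing address', 'example-plugin' ),
        ) as $key => $label ) {
            $value = get_user_meta( $user->ID, $key, true );
            if ( '' !== $value ) {
                $items[] = array( 'name' => $label, 'value' => $value );
            }
        }
        if ( $items ) {
            $data[] = array(
                'group_id'    => 'example-plugin',
                'group_label' => __( 'Example Plugin data', 'example-plugin' ),
                'item_id'     => 'example-plugin-user-' . $user->ID,
                'data'        => $items,
            );
        }
    }
    // 'done' => true tells WordPress there are no further pages to fetch.
    return array( 'data' => $data, 'done' => true );
}

// Register an eraser. It deletes the newsletter opt-in but keeps the billing
// address (the legitimate-retention exception) and reports that it did so,
// so the site owner and the requester can see what was kept and why.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-plugin'] = array(
        'eraser_friendly_name' => __( 'Example Plugin', 'example-plugin' ),
        'callback'             => 'example_plugin_erase_personal_data',
    );
    return $erasers;
} );

function example_plugin_erase_personal_data( $email_address, $page = 1 ) {
    $result = array(
        'items_removed'  => false,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
    $user = get_user_by( 'email', $email_address );
    if ( ! $user ) {
        return $result;
    }
    if ( '' !== get_user_meta( $user->ID, EXAMPLE_META_NEWSLETTER, true ) ) {
        delete_user_meta( $user->ID, EXAMPLE_META_NEWSLETTER );
        $result['items_removed'] = true;
    }
    if ( '' !== get_user_meta( $user->ID, EXAMPLE_META_BILLING, true ) ) {
        $result['items_retained'] = true;
        $result['messages'][]     = __( 'Billing address retained for accounting obligations.', 'example-plugin' );
    }
    return $result;
}
```

Drop this into a plugin file and the plugin's data is included automatically when an administrator runs an export or erasure request from the Tools menu. The point of reporting `items_retained` with a message rather than silently skipping the billing address is that the retention, and its reason, becomes part of the record the site keeps of how it answered the request.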

Notify users within 72 hours of any data breach

If your visitors' data has been leaked in any way (hacked website, stolen computer, accidental password sharing), your visitors, readers or customers must be notified of the leak within 72 hours. You also need to notify your local data protection authority about the leak.

What Should WordPress Websites Do?

It is clear that all WordPress websites will be affected by GDPR. To have a fully compliant website, you have to start by looking at your website from the perspective of customer data.

Start by making a list of all the places where data is captured and run through the checklist below for each of them.

  • Do I tell users that I am collecting data?

  • Am I clear in specifying what the data will be used for?

  • Is there a way for visitors to give clear and unambiguous consent?

  • Can I make this data available to visitors at their request?

  • Can I delete this data at their request?

  • Can I anonymize this data on request?

  • Does my privacy policy provide all necessary information regarding data usage?

You should ask yourself these questions for all the places where you collect user information. Apart from that, you also need to know what type of data your theme and plugins are capturing. Every theme and plugin you use must also be GDPR compliant.

WordPress websites usually collect data through the following methods.

  • Registered users

  • Comments

  • Contact forms

  • Traffic and analytics elements

  • Email subscriptions

  • Advertising elements

  • Security plugins

At all these points, you have to comply with the GDPR rules. We'll cover the steps you need to take in the next section.

Steps to Be GDPR Compliant

No matter what type of website you own, it is important that you become GDPR compliant as soon as possible.

Based on the key guidelines highlighted above, you should make changes to the following areas:

  • Your Terms and Conditions page

  • Your Privacy Policy

  • Comment Fields

  • Interaction forms (newsletter, RSS and notification subscriptions, email subscription form, contact forms)

  • Analytics plugins

  • Other points where you collect user information

Step 1: Terms and Conditions

Terms and conditions are the basic rules that bind your visitors and your website; the privacy policy deals with the data you collect. Include on this page information about your GDPR compliance, as well as how users can submit their data requests.

Step 2: Privacy Policy

Since GDPR is primarily about consumer data, the most important changes you need to make will be in your privacy policy.

Specifically, you must provide the following information:

  • Who you are – add your name or your organization's name, address, contact information, etc.

  • What data is collected – be sure to list the IP address, name, email and any other information you collect. This will differ from site to site.

  • Why you collect the data – Be specific about why you are collecting data.

  • How long data is retained – mention how long you will keep the data.

  • How is data shared? – Who else do you share data with? If you send an e-mail newsletter, you are sharing your users' data with your e-mail service provider. Mention all the services with which you share data.

  • How can customers download their data? – Define the process for how customers can access their information. The latest version of WordPress will help you achieve this and we cover it in the final section.

  • How to delete data? – Explain how customers can delete or request deletion of their data. The latest version of WordPress, which we will explain in the last section, also has this feature.

  • Data Protection Officer Contact Information – In most cases, this will be your email address.

The other important thing you need to know is that WordPress 4.9.6 (released May 17) has many features that will let you carry out many of the tasks mentioned above. There is also a privacy policy generator that guides you through what information should be included in your privacy policy. We explain the details in the last section.

Step 3: Comment Fields

Since comments are stored on your website and qualify as personal data, you must obtain the user's explicit consent before capturing the information. The latest version of WordPress has this feature built in.

Step 4: Interaction Forms

The contact form and every other place where a user can provide information should be brought into compliance by adding information about what data is captured and how it will be used. You will also need to add a checkbox through which users allow this data to be used.
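The consent checkbox described above (and in the earlier point that it must not be pre-checked) only protects the site if the check is also enforced on the server, because a form can be posted without the browser ever rendering the box. The following is an added example, not code from the article or from WordPress core, applying the idea to the WordPress comment form: it adds an unchecked checkbox, rejects the submission unless it was ticked, and stores a record of when consent was given. The field name `example_consent`, the meta key `_example_consent`, the text domain and the policy version string are assumptions; the `comment_form_default_fields`, `preprocess_comment` and `comment_post` hooks are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Example Comment Consent
 *
 * Added illustration, not the article's code and not WordPress core.
 * Adds an unchecked consent checkbox to the comment form and refuses to store
 * the comment unless the box was ticked. Field, meta key and text-domain names
 * are assumptions.
 */

// 1. Add the checkbox to the comment form. It is deliberately NOT pre-checked,
//    since a pre-ticked box does not count as clear, unambiguous consent.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $fields['example_consent'] = sprintf(
        '<p class="comment-form-example-consent">'
        . '<input id="example_consent" name="example_consent" type="checkbox" value="yes" /> '
        . '<label for="example_consent">%s</label></p>',
        esc_html__(
            'I agree that my name, email address, IP address and comment are stored and displayed on this site as described in the privacy policy.',
            'example-consent'
        )
    );
    return $fields;
} );

// 2. Enforce consent server side, before the comment reaches the database.
//    Assumption: logged-in users gave consent at registration, so only
//    anonymous visitors are checked here.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( ! is_user_logged_in() && empty( $_POST['example_consent'] ) ) {
        wp_die(
            esc_html__( 'Please confirm that you agree to the storage of your data before submitting a comment.', 'example-consent' ),
            esc_html__( 'Consent required', 'example-consent' ),
            array( 'response' => 400, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// 3. Record when, and under which policy version, consent was given, so the
//    site can later show that consent existed for this comment.
add_action( 'comment_post', function ( $comment_id ) {
    if ( ! empty( $_POST['example_consent'] ) ) {
        add_comment_meta( $comment_id, '_example_consent', array(
            'given_at'       => current_time( 'mysql', true ), // UTC timestamp
            'policy_version' => '2018-05-25', // constructed placeholder; use your real policy version
        ), true );
    }
} );
```

The same pattern applies to contact forms and newsletter sign-ups: render the box unchecked, validate the field on the server, and keep a dated record of the consent alongside the data it covers.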

Step 5: Analytics Plugins

You should review all analytics plugins you use on your website and specify the data collected in your privacy policy.

Step 6: Other points of information gathering

Review any pages that may collect user information (content upgrades, etc.) and follow the GDPR guidelines on those pages.

Step 7: Plugins, themes and 3rd party services

Review your themes, plugins and other 3rd party services (email service, etc.) and make sure they are all GDPR compliant. If a theme or plugin is not compliant, then neither is your website.