[lead]Many of our clients are asking for information about GDPR and how it will affect their websites. In this article, we’ll explain what we know about the changes to the law and the potential changes required to websites built using WordPress.[/lead]
[well size=”sm”]Disclaimer: the information in this article is based on our research, experience and understanding of the GDPR law, however, we are not legal experts or lawyers. If you are unsure about any aspect of the General Data Protection Regulation for your organisation, we recommend you seek independent legal advice.[/well]
What is GDPR?
The General Data Protection Regulation is the new data protection law in the EU. It is the biggest change in data privacy regulation laws in 20 years and it has taken 4 years to prepare and debate. The law was approved by the EU Parliament on 14 April 2016, with enforcement starting on 25th May 2018.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organisations across the region approach data privacy. The key articles of the GDPR, and information on its business impact, are available on the official GDPR resources site listed at the end of this article.
Organisations that fail to meet the new requirements may face fines of up to 4% of annual worldwide turnover or €20 million (whichever is greater). With fines potentially this large, it is vital that every organisation has a plan to comply before 25 May 2018.
What are the changes to the law?
The GDPR applies to personal data: any information, in any format, that can directly or indirectly identify a living person. It places much stronger controls on the processing of personal data, and on the ‘special categories’ of personal data, which now include genetic and biometric data.
Types of Personal Data | Special Categories of Personal Data |
---|---|
Name | Race |
Address | Religion |
Email Address | Political Opinions |
Photo | Trade Union Membership |
IP Address | Sexual Orientation |
Location Data | Health Information |
Online Behaviour (Cookies) | Biometric Data |
Profiling and Analytics Data | Genetic Data |
The main changes to consent are:
- Consent must be given by a clear, affirmative action. Opt-in boxes must be ticked by the individual; pre-ticked boxes, silence or inactivity do not count as consent. For the special categories of data above, explicit consent is required.
- Consent must be granular: people must be able to consent separately to each distinct purpose for which their data is used, rather than to a single bundled request.
- Data Controllers (and the Data Processors working for them) must be able to demonstrate that consent was given: record who gave it, when, how, and what they were told at the time.
- Consent should be requested in simple, easy-to-understand language. It must be clear what people are giving permission for, and withdrawing consent later must be as easy as giving it.
- Your consent request must be separate from your standard Terms and Conditions.
How does GDPR affect my website?
Most of the clients we work with have WordPress websites. The following points are guidance on how the GDPR may affect the way you collect and use your customers’ data through a website:
[collapsibles]
[collapse title=”1. Cookies”]
Most of our websites use cookies to save useful information in the browser and improve the user’s experience. Simply stating that “by browsing the website the user agrees to the use of cookies” will no longer be sufficient. Clear, affirmative consent must be obtained before any non-essential cookie (analytics, advertising, social media embeds) is set; cookies that are strictly necessary for the site to work, such as a session cookie for a login or shopping basket, do not need consent. Every website will need a consent mechanism, but how it is implemented will differ from site to site.
[/collapse]
[collapse title=”2. Plugins”]
Most WordPress websites use plugins developed by third parties. If any of these plugins track users, collect personal data or share information with other parties, the plugin author needs to have built it in a way that lets you comply. If a plugin fails on any aspect of compliance, the responsibility still rests with the website owner as the data controller, and that may lead to penalties. For this reason we recommend that every plugin on every website is audited before the deadline: what data it collects, where it sends it, and whether consent is obtained first. It is also vital to keep plugins up to date, so that the version running is the one the author has brought into line with the regulation.
[/collapse]
[collapse title=”3. Contact Forms”]
Clear consent must be obtained wherever data is collected, and that includes every form on your website. The request must be transparent about what data is held and what it will be used for, the opt-in box must start unticked, and the consent cannot be bundled into a general Terms & Conditions agreement.
[/collapse]
[collapse title=”4. Customer Accounts”]
When users sign up for an account on your website, you must be clear about what information is stored and what it is used for. The same opt-in requirements apply as for contact forms above. The user must also be able to easily access their data, take a copy of it in a portable format, and delete their account.
[/collapse]
[collapse title=”5. eCommerce”]
In most cases, our clients use WooCommerce to power their online shops. This system stores personal data so that users can easily access their account, details of previous orders, and addresses for delivery and billing. All of the information stored by this system will need to meet the new regulations, including allowing people to easily access their information, transfer it, or have it deleted on request.
WooCommerce is working on becoming GDPR compliant; see the link in the resources section at the end of this article.
[/collapse]
[collapse title=”6. Tracking”]
If your website uses any method of tracking your users’ interactions, new measures will almost certainly be required to meet the regulations. This includes internal tracking linked to customer accounts, as well as tracking by third-party providers (such as Google Analytics), which should not load until the user has opted in.
Find out more about Google Data Protection Compliance.
[/collapse]
[collapse title=”7. Digital Marketing”]
If you process personal data to target advertising, for example through search engines based on people’s online behaviour, you will be required to be transparent about the process and, most importantly, to allow users to opt out. If this kind of large-scale monitoring is a core activity of your organisation, you may be required to appoint a Data Protection Officer (DPO).
[/collapse]
[collapse title=”8. Email Marketing”]
If you collect email addresses or other personal data for email marketing, the new regulations require you to be clear and transparent about what data you hold and what it will be used for. You will also need to support the Right of Access, Right to Rectification, Right to Object, Right to Erasure (the ‘Right to be Forgotten’) and Right to Data Portability, which apply to all personal data under the new regulation.
[/collapse]
[collapse title=”9. Breaches”]
If there is a security breach or any personal data is leaked, the company must have a clear plan for dealing with it. A breach that is likely to pose a risk to individuals must be reported to the supervisory authority within 72 hours of becoming aware of it, and affected people must be informed without undue delay where the risk to them is high. Dealing with a breach in a clear and timely manner is essential to avoid serious penalties. We recommend that all companies prepare a Data Protection Breach Plan and familiarise all members of staff with it.
[/collapse]
[collapse title=”10. Privacy Policy”]
One of the primary tasks we believe every website owner will need to complete is the update or creation of a tailored Privacy Policy that is specific to the organisation. It will need to include a full breakdown of the data collected, why it is collected and on what lawful basis, how long it is kept, how it is stored and who it is shared with, how it can be accessed, and how people can have their data removed from all systems.
[/collapse]
[/collapsibles]
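The cookie and tracking points above share one mechanism: nothing non-essential runs until the visitor has opted in, the opt-in is recorded with what was agreed and when, and it can be withdrawn. The following is an added example written for this article, not code from WordPress, WooCommerce or any plugin. The names `createConsentGate`, `storage`, `loaders`, `policyVersion` and `now` are assumptions of this example; in a real site `storage` would be `window.localStorage` and each loader would insert the relevant third-party script tag.

```javascript
// Added example, not code from the original article or from WordPress.
// A small consent gate: non-essential purposes (analytics, marketing) run only
// after an explicit opt-in recorded with the policy version and a timestamp.
// `storage`, `loaders`, `policyVersion` and `now` are assumed names for this
// example; in a browser, storage would be window.localStorage and each loader
// would insert the corresponding third-party script tag.

const PURPOSES = ['analytics', 'marketing'];
const RECORD_KEY = 'consent_record';

function createConsentGate({ storage, loaders, policyVersion, now = () => new Date() }) {
  const loaded = new Set(); // purposes whose loader has already run

  // Returns the stored record, or null when nothing valid is stored.
  function read() {
    const raw = storage.getItem(RECORD_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  // Consent counts only if it was given for this purpose, under the current
  // policy text. A record made under an older policy version is stale.
  function hasConsent(purpose) {
    const rec = read();
    return !!rec && rec.policyVersion === policyVersion && rec.purposes[purpose] === true;
  }

  // Store an affirmative choice per purpose. Anything other than an explicit
  // `true` (missing, undefined, the string "on") is treated as no consent.
  function record(choices) {
    const purposes = {};
    for (const p of PURPOSES) purposes[p] = choices[p] === true;
    const rec = { purposes, policyVersion, grantedAt: now().toISOString() };
    storage.setItem(RECORD_KEY, JSON.stringify(rec));
    return rec;
  }

  // Withdrawal must be as easy as giving consent: one call clears everything.
  function withdraw() {
    storage.removeItem(RECORD_KEY);
  }

  // Run each consented loader once. Returns the purposes loaded on this call.
  function apply() {
    const ran = [];
    for (const p of PURPOSES) {
      if (hasConsent(p) && !loaded.has(p)) {
        loaders[p]();
        loaded.add(p);
        ran.push(p);
      }
    }
    return ran;
  }

  // Initial state of the consent form: every box unticked, never pre-ticked.
  function defaultFormState() {
    const state = {};
    for (const p of PURPOSES) state[p] = false;
    return state;
  }

  return { read, hasConsent, record, withdraw, apply, defaultFormState };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed walk-through: a visitor arrives, ticks analytics only, the page
// re-applies consent, the policy text changes, and finally they withdraw.
function demo() {
  const calls = { analytics: 0, marketing: 0 };
  const storage = memoryStorage();
  const loaders = {
    analytics: () => { calls.analytics += 1; },
    marketing: () => { calls.marketing += 1; },
  };
  const clock = () => new Date('2018-05-25T09:00:00Z'); // fixed clock for the demo
  const gate = createConsentGate({ storage, loaders, policyVersion: 'v1', now: clock });

  const steps = {};
  steps.firstVisit = gate.apply();                                  // [] nothing runs before opt-in
  steps.form = gate.defaultFormState();                              // { analytics: false, marketing: false }
  steps.record = gate.record({ analytics: true, marketing: 'on' });  // "on" is not an explicit true
  steps.afterOptIn = gate.apply();                                   // ['analytics']
  steps.secondApply = gate.apply();                                  // [] already loaded
  // Policy text updated: the existing record no longer covers it.
  const gateV2 = createConsentGate({ storage, loaders, policyVersion: 'v2', now: clock });
  steps.afterPolicyChange = gateV2.hasConsent('analytics');          // false
  gate.withdraw();
  steps.afterWithdraw = gate.hasConsent('analytics');                // false
  return { steps, calls };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Two design choices matter here. Consent is checked against the policy version it was given under, so changing your privacy notice automatically invalidates old records rather than silently carrying them forward. And `record` only accepts a literal `true` per purpose, so a form that posts `"on"` for a checkbox, or a purpose that was not offered at all, never becomes consent by accident.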
It is vital to stress that there is not a ‘one-size-fits-all’ solution to making your website GDPR compliant. If you are unsure about any aspect of your website please get in touch with our team of specialists for a full website review.
How does GDPR affect my business elsewhere?
This depends on how you store your customers’ personal data and on the internal systems you use within your company. The changes introduced by the GDPR are far-reaching. We can’t advise on how the GDPR will affect your company away from your website, but there are many resources available to help.
[well size=”lg”]
Do you need a Data Protection Officer?
For the first time, GDPR makes assigning a Data Protection Officer (DPO) mandatory for many organisations regardless of their size. Under the GDPR, you must appoint a DPO if:
- You are a public authority (except for courts acting in their judicial capacity);
- Your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Find out more information about Data Protection Officers.
[/well]
GDPR online resources
- Official website for GDPR resources – www.eugdpr.org
- Find out more about the different components of GDPR through this helpful infographic
- If you need more help, contact the Data Protection Authority in the United Kingdom
- Google Data Protection Compliance
- WooCommerce is working on becoming GDPR compliant
[well size=”sm”]
GDPR Compliance Audit
We Manage Web can complete a full GDPR compliance audit of any WordPress website. Simply get in touch to discuss this in more detail with our team.
[button type=”success” size=”lg” link=”/contact”]Contact us[/button]
Subscription Clients
We are currently completing GDPR compliance audits for all of our website Maintenance/Subscription clients. We will be in touch with tailored recommendations specific to each website.
[/well]