Web Privacy And WordPress GDPR Compliance – The Definitive Guide
Gone are the wild cowboy days of rustling websites. To avoid heavy fines, your website must comply with a dizzying number of web accessibility, data security, and user privacy laws. This guide shows you how to become web compliant in our data-driven digital world to avoid breaking the law and the bank.
Information age. Digital Data. People. Put these together and you can find yourself in a whole world of hurt if your website handles its users’ personal data incorrectly.
Whether you own a website or build websites for clients using WordPress, this guide will help you understand everything you need to know to make your WordPress website compliant with privacy and GDPR laws and regulations using plain and simple language.
Virtually everything we do nowadays involves the digital processing and handling of personal data.
As exemplified in movies like The Great Hack, large businesses and corporations harvest and leverage personal data for a wide range of purposes.
Most small businesses have also been conditioned to collect as much data about their leads and customers as they can to improve their marketing. Most businesses, however, don’t know what to do with the collected data or how to securely store this information.
Personal data, then, has become a key business asset, and protecting individuals from having their personal data misused or abused has become a serious concern in the digital information age.
What is GDPR?
On 14 April 2016, the European Parliament gave its final approval to a privacy law designed to protect the rights of all people in the EU (then 28 member states), whatever their nationality, and give them back control of their personal data.
This privacy law is known as the General Data Protection Regulation, or GDPR, and it has major implications on a global scale for anyone doing business online.
“The General Data Protection Regulation (GDPR) is a Regulation of the European Union that protects natural persons (called data subjects) regarding the processing and free movement of their personal data.”
The GDPR was officially published in 2016 as “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016” and became applicable on 25 May 2018.
It replaced the EU’s earlier Data Protection Directive (95/46/EC), which had been in place since wa-a-a-a-y back in 1995, when very few people used the internet.
The digital landscape has radically transformed since 1995 and so the European Union decided that something more fit for dealing with personal data challenges in a world of big data and increasing digitization was needed and that it was time to reform the existing framework of data protection rules.
“The GDPR is designed for a single digital market in which organizations that are processing personal data know what they can do and what they can’t do with personal data. This way the digital economy, in which data are essential, should blossom in an increasingly data-intensive world.”
In short, the GDPR offers the regulatory framework designed to accommodate the reality of today’s digital world, while protecting the individual’s right to control his or her personal data.
To ensure compliance, the GDPR empowers the national supervisory authorities to impose fines and penalties on companies and businesses that fail to take appropriate steps to be GDPR compliant, which means that none of us has any excuse for not acting upon it (being really bored by data protection legislation doesn’t count as a defence, I’m afraid).
While the GDPR is meant to protect the rights of European Union citizens, the EU General Data Protection Regulation (GDPR) affects millions of businesses all over the world. It even affects individuals, charities, and businesses of all sizes.
If your business has any dealings with people in the EU (i.e. they visit your site) and you engage in any kind of personal data processing, including storing personal data, gathering and collecting it (regardless of means), aggregating, recording, exchanging, analyzing, publicizing, digitizing, enriching, structuring, changing, searching, leveraging, deleting, destroying, uploading or simply using/keeping personal data, then you will probably be required to comply with GDPR regulations or be liable for non-compliance.
And that’s just the tip of the iceberg. GDPR is far more wide-reaching than the above overview. Like all data legislation, it includes a lot of detail, but the main points relevant to website owners and web developers are:
Increased territorial scope. This means that the legislation affects not only businesses and organisations operating in Europe, but also those ‘processing the personal data’ of people located in the European Union, which potentially includes websites anywhere in the world.
Lawful basis and consent. Every processing activity needs one of six lawful bases (consent, contract, legal obligation, vital interests, public task, or legitimate interests). Where you rely on consent, everyone whose data you collect must freely give it by a clear affirmative action (not implied consent or a pre-ticked box). This doesn’t just apply to data gathered via forms but also to data picked up in the background, such as IP addresses, if it’s used to identify an individual.
Right to access. Individuals will have the right to access to their data and to information on how it’s being processed and used.
Right to be forgotten. An individual will have the right to have their data erased, and for it to no longer be disseminated.
Privacy by design. This means that instead of bolting on data privacy, it will have to be incorporated into the design of a system from the outset.
GDPR Terminology in a Nutshell
GDPR uses a whole range of jargon and terminology. So, before we go any deeper, it’s important to understand GDPR terms and concepts like the ones listed below:
The first step in achieving data compliance is to understand and designate who in your business owns data.
Natural person
By legal definition, an individual human being.
Legal person
Any individual, company, or entity with legal rights (i.e. that can enter into contracts and be held liable).
Data subject
The identified or identifiable natural person the personal data is about.
Personal data
Any information relating to an identified or identifiable natural person: a name, an identification number, location data, an online identifier (such as an IP address or cookie ID), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Personally Identifiable Information (PII)
Any bit of information (data) that allows you to identify an individual person.
Consent
An unambiguous indication, permission, or clear affirmative action by which an individual, verbally or in writing, signifies that they agree to the processing of their Personal Data. Note: consent must be freely given, specific, and informed, and given through affirmative action (silence or pre-ticked boxes do not count), after reviewing clearly worded information kept separate from other terms and conditions. Explicit consent is required for special categories of data.
Processing
Anything done to personal data is classed as ‘processing’. This includes but is not limited to: collecting, recording, structuring, storing, analysing, disclosing, and erasing it.
Profiling
Automated processing of personal data with the aim of evaluating or predicting something about an individual, namely their preferences, interests, behaviour, reliability, location, or movements.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data (a hack in which customer records are stolen, but also a lost laptop or an email sent to the wrong recipient). This is what the GDPR’s security requirements aim to prevent.
Data Protection Authority
A Data Protection Authority (called a supervisory authority in the GDPR) is the independent public authority in each member state responsible for monitoring compliance with the GDPR, helping organizations become compliant, handling data breach reports and complaints, mediating issues like data subject access requests, conducting investigations, and enforcing the regulation in its jurisdiction (e.g. the Information Commissioner’s Office [ICO-UK], Data Protection Commissioner [DPC-Ireland], etc.).
Data Controller
The Data Controller is the natural or legal person, public authority, or other body that, alone or jointly with others, decides the purposes and the means of the processing of personal data.
Data Processor
The Data Processor is any natural or legal person (other than an employee of the Data Controller) that holds and processes personal data on behalf of a data controller.
Data Protection Officer (DPO)
An appointed individual or legal entity in an organization with the responsibility of ensuring that the organisation meets their obligations under GDPR and processes the personal data of its staff, customers, providers, or any other individuals (data subjects) in compliance with all applicable data protection rules.
Data Protection Impact Assessment (DPIA)
An assessment, required before starting any processing likely to result in a high risk to individuals (large-scale profiling or tracking, for example), that identifies the risks in the methods used to process data and how they will be mitigated.
Data Processing Agreement
If your organization is subject to the GDPR, you must have a written data processing agreement (Article 28) in place with all your data processors (e.g. email marketing services, cloud storage services, website analytics software, your web host, etc.).
Legitimate interest
One of the six lawful bases for processing. It allows a company to process personal data without consent when the processing is necessary for its (or a third party’s) legitimate interests and those interests are not overridden by the individual’s rights; a common example is contacting an existing customer about similar products. It is a grey area: the company must document the balancing test, and the individual can object (see Right to object below).
Right to be informed
The Data Subject’s right to be told, in clear language and at the time the data is collected, who is processing their data, for what purposes and on what lawful basis, for how long, and with whom it is shared (this is what a privacy notice is for).
Right to notification
The Data Subject’s right to be notified without undue delay by a company if a personal data breach (a hack, but also loss or accidental disclosure) is likely to result in a high risk to their rights and freedoms. The company must in any case report the breach to its Data Protection Authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals.
Right to access
The Data Subject’s right to ask a Data Controller for all the Personal Data they hold concerning them – free of charge. Companies will typically request proof of identity before releasing any personal data and have one month to collect and send users this information (extendable by a further two months for complex or numerous requests), although there are exceptions for requests that are manifestly unfounded, repetitive, or excessive.
Right to rectification
The Data Subject’s right to request that their data be updated if the information is inaccurate or incomplete. As with the right to access, companies have one month to comply with user requests and the same exceptions apply.
Right to withdraw consent
The Data Subject’s right to withdraw their consent to process their data at any time.
Right to erasure (Right to be forgotten)
The Data Subject’s right to request that a company delete all of their personal user data in its entirety from their systems (e.g. database) permanently ‘without undue delay’. Users can request erasure of their data in circumstances such as when the data is no longer necessary, the data was unlawfully processed, or if it no longer meets the lawful ground for which it was collected. Note: This can be somewhat counterintuitive when the database is a suppression file. Currently, there is no clear guidance regarding suppression.
Right to restrict processing
The Data Subject’s right to limit or prevent the processing of personal data. This is an alternative to requesting the erasure of data, and might be used when users contest the accuracy of their personal data or when they no longer need the information but companies are required to keep it to establish, exercise, or defend a legal claim. Note: This does not mean that companies have the right to delete the data, but they cannot do more than store it (and make sure that enough information is kept to ensure the user’s wish to ‘block’ processing is respected in the future).
Right to data portability
Companies must allow users to obtain the personal data they have provided (where it is processed by automated means on the basis of consent or a contract) in a structured, commonly used, machine-readable format, such as a CSV or JSON file. The downloaded data can then be transmitted to another company, should the user choose to do so.
Right to object
Data subjects can object to the processing of personal data that is carried out on the grounds of legitimate interests or the performance of a task in the public interest or exercise of official authority. Once this right is exercised, the company must stop processing the information unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the individual, or the processing is for the establishment, exercise, or defence of legal claims. An objection to direct marketing must always be honoured, with no balancing test.
Right to complain
Data subjects have the right to contact the organization or lodge a complaint with the relevant supervisory authority (Data Protection Authority) if, for any reason, they are not happy with the way their personal data is being handled.
Rights related to automated decision-making including profiling
The GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals. There are strict rules about this kind of processing, and individuals are permitted to challenge and request a review of the processing if they believe the rules are not being followed.
Special categories of data
Data revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of an individual, together with genetic data, biometric data used to uniquely identify someone, and data concerning health, sex life, or sexual orientation. Processing these requires a specific justification (explicit consent, for example) on top of the usual lawful basis.
GDPR Awareness vs GDPR Compliance
Being aware of the GDPR is not the same as being GDPR compliant, but it’s the first step.
“The first stage in any plan to prepare for compliance with the General Data Protection Regulation (GDPR) is GDPR awareness with a special focus on staff awareness as the first step towards personal data protection.”
GDPR awareness involves a whole lot more than just “being aware” that GDPR exists. It means taking steps to understand what GDPR is, what its implications are for your business (and for non-compliance), and how to create a culture in your organization that:
Understands and values the importance of (and consequences of not properly handling) personal and sensitive data
Empowers people to know what they can and can’t do under GDPR
Is able to demonstrate that you did what you could in case there is a data violation or data breach incident
Includes all stakeholders in the creation of a proper strategic plan.
GDPR awareness should lead to a buy-in at the executive level to learn, understand, value, respect, and commit to incorporating GDPR compliant data protection and handling measures into the overall strategic plan of your organization.
This should then filter through to all employees by educating them about GDPR, making them aware of all the areas impacted by the handling of personal data, and ensuring that they too value and respect personal data and commit to observing all the processes involved in protecting and handling it.
Additionally, this awareness must also extend to reviewing and assessing every partner you work with and understanding how they handle personal data.
In short, as far as GDPR compliance goes, protecting personal data in your business is everyone’s business.
How GDPR Impacts Your Business and Website
The next stage after GDPR awareness is GDPR compliance.
This requires assessing, reviewing, planning, strategizing, and implementing a number of processes into your business to ensure compliance including informing, educating, and training everyone in your organization to understand, value, and follow these processes.
This is an area where many businesses struggle, despite being willing to comply with and investing a significant amount of money into GDPR compliance measures.
For example, in the 2019 GDPR.eu Small Business Survey, over 700 small business leaders in Spain, the United Kingdom, France, and Ireland were asked how their businesses were coping with the new GDPR requirements and reported findings like:
Only about half of the businesses surveyed believed their organizations are fully compliant with the GDPR.
Less than half said they describe their data processing activities in clear, plain language to data subjects.
Despite being eager to comply with the GDPR and spending tens of thousands on consultants and IT solutions, many were still confused by the more technical aspects of data security.
A significant number admitted they did not comply with central requirements of the law (such as claiming to use an end-to-end encrypted email provider but being unable to name a service with this kind of encryption built in)
Nearly half said they did not always determine a lawful basis for processing user data before doing so (which is a key provision of the GDPR).
With 23.5 million small and medium-sized businesses in the European Union alone, the above findings indicate there are still a potentially significant number of businesses that are not yet GDPR compliant.
Does My Website Need to Comply with GDPR?
There are six main ways in which GDPR affects website owners:
How you collect data via forms (contact forms, newsletter signups etc.)
How you collect analytics data
What you do with that data
Where the data is stored
How you communicate with your customers and contacts
The code you use – plugins and themes.
If any of the above areas affect citizens of the European Union, then your website most likely will need to comply with GDPR.
There are instances where GDPR may not apply to your business/website. (Remember, we are not lawyers and neither are most of the article writers referred to here, so make sure to consult a proper lawyer if you think GDPR doesn’t apply to you!)
For example, if you are not established in the EU, you don’t offer goods or services to people in the EU, you don’t monitor the behavior of people in the EU, you don’t process personal data of people in the EU by automated means or as part of a structured filing system (the GDPR does not cover unstructured paper records), or a specific exemption applies to you, then GDPR might not apply to you.
This, however, is not as clear cut as it may sound.
For example, GDPR does apply to you in the following situations:
You have no office or employees in the EU, but people in the EU can obtain goods and services (paid or free) online from you.
Your website offers payments in a currency used in an EU country (e.g. euros), uses a language spoken in an EU country (e.g. Polish), or mentions EU customers or users (all of which suggest you are targeting the EU market).
Your website uses tracking cookies to run Facebook retargeting ads and a person in the EU visits your site (so you are monitoring their behavior, whether you intended to or not).
Your website records IP addresses, pseudonymized data, or encrypted data (all of these can still be personal data, because someone holds the key or the mapping that re-identifies the individual).
You’re using a computer (or other electronic device) to send an email to a person in the EU (automated processing of personal data).
The filing cabinet in your office or a drawer in your desk holds a sign-in sheet, an employee record, a customer invoice, a contact detail, or a contract from a person in the EU as part of your structured business record-keeping (manual processing of personal data in a filing system).
There are specific legal reasons why businesses can continue to store certain types of personal data (for example, invoices that tax law requires them to keep) even if an individual has requested that all their data be deleted.
GDPR exemptions are narrow and rarely cover ordinary private companies. They mostly exist for law enforcement, journalism, academic and artistic expression, national security, and similar activities, plus the exemption for purely personal or household use.
Even if your business has no intention of selling to people in the E.U., the moment someone in the E.U. lands on your WordPress site and your site monitors their behaviour (analytics, advertising pixels, retargeting cookies), you have to be able to comply. Server location is irrelevant. User location is everything. So, if a user from somewhere in the E.U. accesses your website from their own soil, you are required by law to comply with the GDPR. If the same user is visiting the USA and accesses your site from there, the GDPR’s extraterritorial rules do not apply to that visit. Sovereignty is all.
Note: Nothing in the GDPR requires that data about visitors or customers in the EU be hosted inside the EU. Hosting it in other countries, including the US, is allowed, but a transfer outside the EU/EEA is only lawful under one of the mechanisms in Chapter V of the GDPR (an adequacy decision for the destination country, standard contractual clauses with your processor, binding corporate rules, etc.), so check which one your hosting and SaaS providers rely on.
The above suggests it’s probably best to err on the side of caution. If you think your site needs to comply with GDPR, it probably does (and if you don’t think it does, consult a GDPR-savvy lawyer to be sure).
What about Brexit and 2020… is GDPR still a requirement?
The UK left the EU on 31 January 2020. There was then a transition period, during which EU law continued to apply in the UK. When this transition period ended on 31 December 2020, EU law ceased to apply directly.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPEC) then amended the EU GDPR to create a domestic data protection law: the UK General Data Protection Regulation (UK GDPR), which sits alongside the Data Protection Act 2018.
The UK GDPR is the UK’s post-Brexit version of the EU GDPR. It is very similar to the EU GDPR, so organisations that comply with the latter are likely to be in compliance with the former.
From this, we can expect to see more GDPR-like regulations emerging around the world that will extend to every country and affect how we do business online in the global digital economy.
In other words, if you process personal data of residents of the EU, UK, Brazil, etc. your business (and your website) will have to comply with various regulations like the EU GDPR, UK GDPR, LGPD, etc.
Consequences of not complying with GDPR
In order to enforce GDPR compliance, GDPR regulators in EU member states can issue stiff fines, ensuring that non-compliance with GDPR will be more costly than complying.
Official guidance on the regulation puts it bluntly: “Any organization that is not GDPR compliant, regardless of its size, faces a significant liability.”
As GDPR applies to all types of businesses from multinationals down to micro-enterprises, the GDPR can impose flexible administrative fines for infringements that scale with the type of firm, and factors like the nature, gravity, duration, intention, and number of instances the organization is found to be in breach of the regulations.
Article 83, for instance, sets two tiers of maximum fines: up to €10 million or 2% of total worldwide annual turnover of the preceding financial year for infringements such as failing to keep records or to notify a breach, and up to €20 million or 4% of worldwide annual turnover for breaches of the core principles, the lawful bases, or data subjects’ rights, in each case whichever is higher.
Regulators aren’t just going for the big fish either. Smaller fines and penalties ranging from wrist-slaps and warnings to hundreds or thousands of euros are being meted out to businesses of all sizes. Although most fines so far have been issued to businesses established in the EU, businesses outside the EU can also be fined under the GDPR.
What Is A GDPR Audit?
As we have just seen, if your business falls within the scope of the GDPR, there’s a lot of work you must do to become GDPR compliant.
A lot of this work takes place within your business, such as becoming GDPR-aware, appointing a Data Protection Officer (DPO), etc. This can be assessed by carrying out a GDPR Audit.
GDPR regulations require transparency and a lawful basis for all data processing activities.
Organizations that have at least 250 employees, or whose processing is not occasional, is likely to result in a risk to individuals, or includes special categories of data, are required to keep an up-to-date and detailed record of their processing activities (Article 30) and be prepared to show it to regulators upon request. Where processing is likely to result in a high risk to individuals, a data protection impact assessment (DPIA, Article 35) is also required, and it is the clearest way to demonstrate that risks were identified and addressed.
Businesses with fewer than 250 employees should also conduct an assessment because it will make complying with the GDPR’s other requirements easier.
To comply with GDPR regulations, businesses should conduct an information audit of their data processing activities to determine things like:
The purposes of the processing.
Legal justifications for collecting, using, and storing personal data.
What information and kind of data is/will be processed in the organization.
Who has/will have access to the data in the organization.
How the data will be protected (e.g. encryption).
How the data is being/will be stored securely to protect data subject rights (and all the locations where data is/will be stored).
When and how data will be erased (if possible).
How information about data processing activities will be communicated to users and regulators.
Which third parties (and where they are located) have/will have access to the data
Performing a GDPR audit, however, is not enough. The business must also be able to answer questions like:
Have we located every digital store of personal data in our organisation?
Are we regularly checking our data for personal or sensitive information?
Are we collecting personal data in a way that supports ongoing data quality management?
Are there any opportunities to minimise our data?
Can we handle simultaneous requests from multiple users for access to information about their data within a reasonable timeframe?
Is there a plan in place in the event of a data breach? Has this plan been tested?
We recommend working through a GDPR checklist to begin the auditing process. If you need additional help with your GDPR audit, you may also want to engage the services of a qualified consultant and a lawyer.
As you can see, making sure your business is GDPR compliant requires a lot of work.
Let’s turn our attention now to what you can do to make your website comply with GDPR’s rules and regulations.
Making Your Website GDPR Compliant
Businesses have been conditioned to collect as much data about their leads and customers as they can to improve their marketing.
Most businesses, however, don’t know what to do with the collected data or how to securely store this information.
Additionally, the introduction of GDPR laws with harsh penalties to protect personal user data and privacy rights means that what was previously considered “best practice” in areas like website design (collect everything, track everyone) was potentially fraught with opportunities to misuse and abuse user data.
Even though most web developers and web designers don’t work directly with user data collected from a website or digital property they are the ones responsible for creating the website that will handle the data.
New, GDPR-compliant best practices for website planning, design, and development, then, need to be created and implemented.
How GDPR Impacts Website Planning and Functionality
GDPR impacts web design and web development significantly. Websites are now incorporating something called privacy by design to ensure compliance.
“The GDPR has given birth to a new design concept simply referred to as privacy by design. The design principle states that any digital product collecting or using private data must implement strict privacy measures as part of the website design and development process.”
Designing an accessible and GDPR compliant website that respects the privacy and data rights of all web users, therefore, starts at the website planning stage.
Creating an interface design that is accessible, understandable, and usable.
Taking an active role in understanding and implementing data security and privacy in the website and database designs.
Creating a plan to “bake in” data privacy and data security measures into every aspect of the design and development process.
GDPR regulations require controllers to implement appropriate technical and organizational measures to ensure that only personal data which is necessary for each specific purpose of the processing is processed.
As this obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility, website designers and web developers should ask questions like the ones below when formulating a plan for data privacy:
What types of data will be collected?
Zero party data – this is data that customers give to businesses freely and willingly with full consent in order to create a more personalized and rewarding online experience.
First party data – this is unique and identifiable data that businesses collect directly from users using their own online (e.g. website) or offline channels. This type of data includes transactional data, demographic data, behavioral data, information obtained from customer service, etc.
Second party data – this is another company’s first party data that’s packaged and sold to other businesses with no third-party involved. Businesses use this data to build a better picture of their own customer base.
Third party data – this data is typically collected from many sources, aggregated into one dataset, and packaged and sold through a data exchange marketplace.
Keep in mind also that if someone were to collect multiple sets of data from various sources and piece them together, then as soon as that combined information can be tied back to a living individual it is personal data and the GDPR applies to it in full. It’s that strict. In fact, if you go to a nation subject to the law, write down someone’s email address on a napkin at a coffee shop in the context of your business, and then file it with your business records, the GDPR applies to you. Seriously. Read the law.
How will this data be collected?
Typical methods for collecting data include customers entering payment details at checkout or signing up for a newsletter. However, data can also be collected via web analytics tools (e.g. Google Analytics), tracking pixels in emails and newsletters, website cookies and mouse-tracking heatmaps on landing pages, surveys, polls, quizzes, social media events, integrations with CRMs, etc.
With GDPR and other privacy laws, it’s important that data be collected with the user’s full knowledge and consent. For example, the ePrivacy Directive (implemented in the UK as PECR) requires that companies obtain consent before storing a cookie or other tracker on a visitor’s device, or reading one from it, unless the cookie is strictly necessary to provide a service the visitor asked for (a session cookie for a shopping cart, for example). Analytics and advertising cookies are not strictly necessary, so they must not be set before the visitor opts in, and withdrawing consent must be as easy as giving it.
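As an added example (not code from the original article or from any WordPress plugin), the browser-side JavaScript below shows one way to honour that rule: tracker scripts are only injected after the visitor has opted in to the matching category, the consent record carries a policy version and a timestamp so that it can be evidenced and re-requested when the policy changes, and a missing, malformed or outdated cookie is treated as no consent. The cookie name, the consent categories, the tracker registry and its script URLs are assumptions made for the example; the DOM is passed in as a parameter so the decision logic can be exercised without a browser.

```javascript
// Added example: consent-gated loading of third-party trackers.
// Cookie name, consent categories, tracker list and script URLs are
// assumptions for illustration, not any plugin's real API.
const CONSENT_COOKIE = "site_consent";
const CONSENT_VERSION = 2; // bump when the cookie policy changes: older consents must be asked again

// Scripts the site would like to run, tagged with the consent category each
// one needs. Only strictly necessary scripts may run without consent.
const TRACKER_REGISTRY = [
  { id: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "retargeting-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Parse the consent record out of a raw Cookie string. Anything missing,
// tampered with, or structurally wrong counts as "no consent".
function parseConsent(cookieString) {
  const entry = (cookieString || "")
    .split(/;\s*/)
    .find((c) => c.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return null;
  try {
    const record = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    if (!record || typeof record !== "object") return null;
    if (!record.choices || typeof record.choices !== "object") return null;
    return record;
  } catch (_err) {
    return null;
  }
}

// Build the Set-Cookie value for a consent decision. The version and timestamp
// are what you would show a regulator to demonstrate when, and to what, the
// visitor agreed (Article 7(1)).
function serializeConsent(choices, now = new Date()) {
  const record = { v: CONSENT_VERSION, ts: now.toISOString(), choices: { ...choices } };
  return (
    CONSENT_COOKIE + "=" + encodeURIComponent(JSON.stringify(record)) +
    "; Path=/; Max-Age=" + 180 * 24 * 3600 + "; SameSite=Lax; Secure"
  );
}

// A category is allowed only by an explicit opt-in given under the current policy.
function isAllowed(consent, category) {
  if (category === "necessary") return true;
  if (!consent || consent.v !== CONSENT_VERSION) return false;
  return consent.choices[category] === true;
}

function selectTrackers(consent, registry = TRACKER_REGISTRY) {
  return registry.filter((t) => isAllowed(consent, t.category)).map((t) => t.id);
}

// Browser wiring: inject <script> tags only for trackers the visitor allowed.
// `doc` is passed in so the logic above can be exercised without a DOM.
function loadAllowedTrackers(doc, registry = TRACKER_REGISTRY) {
  const allowed = new Set(selectTrackers(parseConsent(doc.cookie), registry));
  for (const tracker of registry) {
    if (!allowed.has(tracker.id)) continue;
    const script = doc.createElement("script");
    script.src = tracker.src;
    script.async = true;
    doc.head.appendChild(script);
  }
  return [...allowed];
}

// Withdrawing consent (Article 7(3)) must be as easy as giving it: overwrite
// the record with all-false choices and expire the first-party tracker cookies
// we know about. Cookies set on a tracker's own domain can only be removed by
// that tracker, which is one more reason not to load it before consent.
function withdrawConsent(doc, trackerCookieNames) {
  doc.cookie = serializeConsent({ analytics: false, marketing: false });
  for (const name of trackerCookieNames) {
    doc.cookie = name + "=; Path=/; Max-Age=0";
  }
}

if (typeof document !== "undefined") {
  loadAllowedTrackers(document);
}
```

The important design choice is the version check in `isAllowed`: a consent given under an earlier cookie policy is not carried forward, so changing what you track forces a fresh decision instead of silently widening an old one.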
How will the site’s data be processed?
How will the site’s data be stored?
For example, a well-written privacy page clearly informs users how and where their data is stored and which security measures are used to safeguard their personal data.
How long will the data be stored for?
Article 5(1)(e) of the GDPR (the storage limitation principle) limits how long personal data collected from users may be kept. Compliance requires businesses to implement data storage processes like:
Not keeping personal data for longer than needed.
Performing periodic reviews to identify and address data stored beyond its intended use (note: businesses can store personal data beyond the initially stated purpose for things like public interest archiving, scientific or historical research, or statistical purposes)
Implementing measures such as anonymization or pseudonymization to safeguard data subject rights if storing personal data beyond its initial purpose and retention period.
How will personal data be handled when it’s no longer needed?
After personal data has exceeded its initial purpose and retention period, businesses can either erase, anonymize, or pseudonymize the data.
Data anonymization protects private or sensitive information by removing or irreversibly altering the identifiers that connect an individual to stored data (dropping names and emails, truncating IP addresses, replacing exact ages with age bands). Truly anonymized data falls outside the GDPR: it can be kept and used for any purpose, for an indefinite time, without consent. The bar is high, though: data only counts as anonymous if re-identification is no longer reasonably possible by anyone, so merely encrypting or hashing identifiers (where a key, or a dictionary of likely values, can reverse the step) does not qualify.
Pseudonymization replaces identifying fields with artificial tokens so that the data can no longer be attributed to a specific individual without additional information (such as a key or a lookup table) that is kept separately. It lets a business perform data analysis and processing on less identifiable records and is recommended by the GDPR as a safeguard, but pseudonymized data is still personal data and remains subject to the regulation.
What data security measures will the site implement?
One of the key principles of GDPR is to safeguard the personal data of your website users (integrity and confidentiality, Article 5(1)(f)). Data security measures used to safeguard personal data include hardened web hosting, HTTPS (TLS) on every page and form, firewalls, encryption of data at rest and in backups, least-privilege access to the database and admin panel, single sign-on (SSO), and two-factor authentication.
What are the risks associated with obtaining the client’s proposed data?
There are a number of issues related to security, privacy, and compliance that businesses need to take into account when obtaining data.
With second party data, for example, businesses need to trust the vendors providing the data and be sure that they have permission to collect and share that data with others.
With third party data, it’s even more difficult to know if the data has been collected with proper consent.
When planning your website, make sure to consider other questions related to compliance, such as:
If pulling personal data from an API, do all fields proposed by the client need to be filled?
If planning to use geo-location services (e.g. a store locator), does the site really need to use the users’ location?
They are legally required. Global privacy laws require Privacy Policies if you collect or use personal information.
Organization name and contact details
What types of personal information will be collected and stored
How personal information is collected and where it is stored
Reasons for collecting personal information
How personal information will be used and disclosed
How users can access their personal information, or ask for a correction
How users can lodge a complaint if they think their information has been mishandled, and how complaints will be handled
If the information will or is likely to be disclosed to third-party data processing partners (and if so, which)
Other information. For example, how long personal information is kept and if it must be scanned.
As stated in the GDPR,
In addition to ensuring that your website complies functionally with GDPR regulations, website developers must also work with compliance experts to ensure that the site’s design complies legally.
Let’s take a look at what this means.
How to make it easy for users to request or delete their info
As we’ll see later, various WordPress plugins can auto-generate GDPR-compliant data request pages. This makes it easier for website owners (no custom development required–just install a plugin) and for users to request access or deletion of their information. Even WordPress core software now includes built-in data export and erasure tools.
How to deal with policy updates
Web compliance laws and regulations governing an individual’s rights to privacy and data security are constantly changing.
How is your business keeping up with changes to global, federal, state, and local regulations like GDPR, CalOPPA, CCPA, PIPEDA, UK DPA, LGPD, and more?
This is something that your business not only has to seriously consider, but also implement effectively.
Cyber attacks – Malware, phishing, skimming (capturing and stealing a cardholder’s personal payment information), social engineering (identity theft), etc.
Employee data theft – While some breaches are caused by mistakes, others may involve deliberate misuse for various reasons, like committing identity theft or transferring data to a new employer.
Human error – Most data breaches are caused by potentially avoidable human errors (e.g. attaching wrong files, choosing weak passwords, clicking on dodgy links, cc’ing the wrong person in emails, etc).
Theft/loss of property – Stealing digital devices containing sensitive information (e.g. user credentials)
Although there is no foolproof method to avoid data breaches like the ones listed above, some of the minimum basic security protocols you should be employing include strong passwords, comprehensive security suites and antivirus software across computer devices, secure servers and firewalls, data encryption, SSO and multi-factor authentication, and regularly training employees on best security practices.
Good monitoring and incident response plans involve:
Keeping an updated email list of your customers that you keep any personal data on.
Being prepared to write and send an email within 72 hours of any breach with details of what may have been taken, when and how it was taken, and what you have done to mitigate it.
Contacting governmental agencies or authorities you need to notify of any breach. If you are in the E.U., you will have a local DPA for your country.
How to easily withdraw permissions or opt-out
The GDPR requires making sure that individuals always know they have the right to withdraw their consent and opt out of their permissions, so your site has to make it just as easy to remove consent as it was to grant it.
Would you want your doctor to retain your data for the next fifteen or twenty years? What about Tinder? What about that weird newsletter you signed up for once upon a time that just kind of disappeared? GDPR promotes your security by saying to that entity, “you need to get rid of this data.” If you leave room for people to collect data, and you don’t explicitly tell them they have to get rid of it, then many won’t.
Here’s what a data retention policy addresses:
Deletion of all inactive users completely after a set amount of time (e.g. 3-6 months).
Deletion of all backups after 3 months.
Deletion of all financial records/transactions after X years (many countries may require keeping financial records for auditing for around 7 years)
WordPress and internal communications with workers in the E.U.
WordPress opens up a lot of possibilities for remote workers and collaboration, and it’s commonly paired with systems like Slack, etc. In these circumstances, data retention applies even to communication tools with workers, during and after employment. This includes all employee and contractor data, payments and invoices, HR records, and any personal contact information that was obtained from your workers in the E.U.
Using Cookies On Your Website
Cookies are an important tool to help your business gain insight into your users’ online activity and improve their experience on your website.
For example, using cookies from advertising solutions can deliver better targeted ads to your users. Your users are served ads that better match what they are looking for and this helps to improve your conversion rates.
What are cookies?
Cookies are small text files that a website stores on a visitor’s web browser as they browse your site. When a visitor returns to your site, their browser provides the string of information stored in that cookie to your website so certain functions can be performed, such as remembering your previous usage details.
Cookies can generally be easily viewed and deleted by users in their browser’s settings.
Types of Cookie
“In general, there are three different ways to classify cookies: what purpose they serve, how long they endure, and their provenance.”
Refer to the tables below to learn more about each of these types of cookies:
Session cookies: These cookies are temporary and expire once you close your browser (or once your session ends).
Persistent cookies: This category encompasses all cookies that remain on your hard drive until you erase them or your browser does, depending on the cookie’s expiration date. All persistent cookies have an expiration date written into their code, but their duration can vary. According to the ePrivacy Directive, they should not last longer than 12 months, but in practice, they could remain on your device much longer if you do not take action.
First-party cookies: Cookies put on your device directly by the website you are visiting.
Third-party cookies: Cookies placed on your device, not by the website you are visiting, but by a third party like an advertiser or an analytics system.
Strictly necessary cookies: These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
Preferences cookies: Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
Statistics cookies: Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. This includes cookies from third-party analytics services as long as the cookies are for the exclusive use of the owner of the website visited.
Marketing cookies: These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies can share that information with other organizations or advertisers. These are persistent cookies and almost always of third-party provenance.
The above are the main ways of classifying cookies, although some types of cookies will not fit into these categories or may qualify for multiple categories.
Generally, when people complain about privacy risks regarding cookies, they are referring to third-party, persistent, marketing cookies. These cookies can store significant amounts of information about a user’s online activity, preferences, and location.
Since GDPR laws came into effect, the use of third-party cookies is declining, as accessing data for third-party cookies can get complicated and increase the potential for abuse.
Cookies and The GDPR
For example, the ePrivacy Directive (EPD), also known as the “cookie law”, states that no cookies or trackers may be placed before the user has given prior consent, apart from those strictly necessary for the basic functioning of a website. In other words, a website has to hold back all cookies, regardless of whether they contain personal data or not, until the user consents.
Although the GDPR is the most comprehensive data protection legislation passed by any governing body up to this point, it only refers to cookies once to state that they qualify as personal data as they are used to identify users, and are therefore subject to GDPR regulations.
As a result, regulations governing cookies are split between the GDPR and the ePrivacy Directive.
The EPD supplements (and in some cases, overrides) the GDPR, addressing crucial aspects about the confidentiality of electronic communications and the tracking of Internet users more broadly.
Note: The EPD will soon be replaced by the ePrivacy Regulation (EPR), which will expand on and encompass data privacy from additional areas like browser fingerprinting, metadata, and new methods of communication.
Under the GDPR, companies have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.
The law also states that sites can store cookies on a user’s device if they are strictly necessary for that site’s operation. For all other types of cookies, sites need to obtain the user’s permission.
To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:
Receive users’ consent before using any cookies except strictly necessary cookies.
Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
Document and store consent received from users.
Allow users to access your service even if they refuse to allow the use of certain cookies.
Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
The above screenshot provides a good example of the various things you must do to comply with GDPR and privacy laws:
If you log into your WordPress site and head over to the Settings menu, you will see the Privacy section…
Otherwise, follow the suggested guide and use the template to add your contact details and additional information like how you process and protect user data, data breach procedures, third party services, automated decision-making, user data profiling, and any required industry regulatory disclosures.
Comments Privacy Checkbox
When users leave comments on your site, WordPress stores personal information like their name, email address, and website URL in a browser cookie. This allows WordPress to fill in the user’s information automatically in the comment fields next time they visit.
From version 4.9.6, WordPress displays a comment privacy opt-in checkbox on themes that use the default WordPress comment form.
If you can’t see the opt-in checkbox on your site, make sure that:
You have updated WordPress to the latest version (must be version 4.9.6 or later)
You are not logged-in when browsing the comments section
You have enabled the ‘Show comments cookies opt-in checkbox, allowing comment author cookies to be set’ option in Discussion Settings > Other comment settings.
If you still can’t see this privacy feature, then your current theme is probably overriding the default WordPress comment form. Contact your theme developer’s support.
Export And Erase Personal Data
In version 4.9.6, WordPress also introduced two handy compliance features that allow you to process users’ data requests and export or delete their personal data.
Both tools can be accessed from the WordPress Tools menu.
Use the Export Personal Data feature to send users their requested data in a .zip file via email.
Simply enter their Username or email address, tick the checkbox to send a personal data export confirmation email, and click the Send Request button.
The table section lets you view, process, search, and sort user requests. It displays the status and date of the request and a ‘Next Steps’ workflow column.
The Erase Personal Data feature lets you delete a user’s personal data upon request. It also anonymizes data that needs to remain stored in the WordPress database (e.g. plugin data). This is useful because WordPress allows plugin developers to hook their plugins into the personal data erasure feature.
The Erase Personal Data tool works just like the Export Data tool.
According to WordPress, using these built-in tools is the best way to make sure that users who request access to data really are who they say they are.
As stated on their site…
“We strongly encourage you use the email validation feature built into the export tools. This confirmation process will help safeguard against abuse, such as malicious users pretending to be someone they are not.”
“As this tool ONLY gathers data from WordPress and participating plugins, you may need to go beyond to comply with export requests.”
In other words, these built-in features will help make your site more GDPR compliant, but they are not enough to guarantee 100% GDPR compliance.
Let’s look at what else you can do in WordPress to improve GDPR compliance.
Making WordPress sites fully GDPR-compliant
The GDPR impacts other areas of your WordPress site.
These areas include but are not limited to the following:
Fortunately, most of the above functionalities can be added to WordPress using plugins, and many of these plugins now include GDPR-compliant enhancements.
Let’s look at some of these:
If you use analytics tools to gather website stats (e.g. Google Analytics), then it’s highly probable that you’re collecting or tracking personal data like IP addresses, user IDs, cookies, and other data to profile behavior.
If so, you may need to disclose to your site visitors that your analytics plugin may add cookies to the user’s browser, store personal information in your database, or integrate with 3rd-party applications.
Don’t use analytics software to track individual data. Keep your reporting and analytics to the level of anonymous group data.
Don’t use analytics software to track IP addresses.
Most websites use contact forms. Users must be informed if your website stores form entries or uses any of their collected data for marketing purposes (e.g. adding their details to an email list).
The very nature and purpose of a contact form makes it a potentially complex minefield of GDPR compliance issues.
For example, some of the aspects you need to consider when using a contact form in WordPress include:
Informing users what you will do with their data and how you will store it, and getting their explicit consent to use and store their information.
Disabling cookies, user-agent, and IP tracking.
Having data-processing agreements with form providers (if using a SaaS form solution) and any third-party providers.
Complying with users’ rights (e.g. right to withdraw consent).
Complying with users’ data-access and data-deletion requests.
In many cases, you can make your WordPress forms GDPR compliant by simply adding a required consent checkbox with a clear explanation.
For example, with our forms plugin Forminator, you can easily add and customize a GDPR-compliant notice when creating your forms.
The GDPR section will then display on your contact form automatically to visitors.
With a form, say why you’re collecting the data and how you will use it.
Provide a double opt-in to ensure you have informed consent.
When sending out emails, include information on why you’re emailing them and how you got their data.
When sending out emails, provide an unsubscribe option and a ‘forget me’ option. If someone asks to be forgotten, delete their data – don’t just stop sending them emails.
If you share data, tell the owners of the data and ask for their consent. Don’t share without consent.
Use forms plugins and mailing list providers that are GDPR-compliant.
Email Marketing Opt-in Forms
Just like contact forms, email marketing opt-in forms require obtaining user consent before adding their details to your list.
You can do this by adding a required checkbox that users must agree to before they opt in or by using an email list with a required double opt-in (this involves collecting an email address through a signup form and sending a confirmation email to the user’s address that they must click on to validate their contact information before they can be added to your list).
With our opt-in plugin Hustle, for example, you can create opt-in forms like popups, slide-ins and inline forms and insert a configurable GDPR approval field into your form with the click of a button.
This will then automatically display a GDPR-compliant notice with a required checkbox that users must agree to and click on.
eCommerce and Membership Sites
If you run an eCommerce store or a membership site on WordPress, then it’s definitely important to make sure that your site is in compliance with GDPR.
If you run a WordPress-based membership site, check for GDPR-compliant settings in your membership plugin or software.
For example, one of the most popular membership site plugins for WordPress, Wishlist Member, provides a range of configurable GDPR-compliant settings in its Members > Data Privacy section.
Follow all the points in the checklist above for contact forms.
If you will be using data you obtain in the sales process for other purposes, such as emailing recommendations or special offers, state this when collecting the data and give people the option to opt out.
If possible, avoid collecting financial data yourself and use a third party service to take payments such as Stripe or PayPal.
Add an easily accessed ‘My Account’ page on your website where people can access and delete their data.
If a data breach occurs on your website (e.g. data is stolen or lost), tell users as soon as possible and give them the option to delete their data.
Use an e-commerce plugin that is GDPR-compliant.
Using Gravatars, images, and embedded content on your site can potentially trip you up in terms of GDPR compliance.
For example, Gravatars are PII (Personally Identifiable Information).
Uploading images with EXIF GPS location data included allows site visitors to download and extract location data and correlate uploaded media to a particular user.
Embedded content can allow third-party services to collect your users’ IP address and user agent, store and retrieve cookies on their browser, embed additional third-party tracking, and monitor user interaction with that embedded content, including correlating their interaction with the content with their account with that service (if users are logged in to that service).
If your site uses retargeting pixels or retargeting ads, you will need to inform users about it and get their consent. See the section below for plugins that can help make this process easier.
How GDPR Applies to Web Developers
GDPR doesn’t just apply to website owners who are processing data. Developers also have a responsibility to ensure that their code is compliant.
This will apply to developers building sites for clients and to developers writing code in the form of plugins and themes for wider distribution. The main ways in which GDPR will affect developers are:
In the use of third party themes and plugins when creating sites for clients.
When creating plugins or themes which include a form where users will input personal data.
When linking to third party APIs to access or process data.
When coding analytics functionality or anything which can identify a user via their IP address, location or other means.
Using Third Party Themes and Plugins
The guidance for developers doing client work with third party themes and plugins is very similar to that for website owners: ensure that the themes and/or plugins you use are GDPR-compliant, and that you configure them in a way that is compliant. In addition, you should ensure that your client is aware of the legislation and tell them if their site includes functionality that is affected. This doesn’t remove the obligation of the site owner to manage the data in a way that is compliant, however: they are the holder of the data, not you.
Follow the guidelines for website owners above when installing and configuring plugins or third party themes.
Tell your client if their site includes functionality affected by the legislation and point them in the direction of relevant information.
If in the course of development and testing you collect personal data, delete all of it at the end of this period.
When you hand the site over to the client, ensure that any data collected is going to the client and not to you (it can be easy to forget to edit an email address in a contact form’s settings).
Developing Themes and Plugins
Whether you’re developing a theme or a plugin for a specific client project or for wider distribution, the regulations will apply if your code includes the facility to collect personal data.
You must ensure that your code makes it possible for your client or users of your code to comply with the legislation. This will include any data capture, either overt via forms or e-commerce, or covert via cookies or APIs.
If your code includes any kind of input for personal data (including names, addresses, email addresses, social media account details, photos and more), make sure that this includes the option for the site owner to add information on how the data will be used and that where relevant you include a double opt-in.
If your code tracks data via cookies, ensure that this can’t be used to directly identify individuals.
If your code links with a third party API, ensure that API is GDPR-compliant.
If your code sends data to a third party API, include the option for website users to opt out.
If your code is affected by the regulations, add details of this to your documentation. Include guidance on how website owners can use your theme or plugin in a way that is GDPR-compliant.
If in doubt and the gathering of a specific piece of data isn’t absolutely necessary for your code to work, don’t gather the data.
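The export and erasure tools described earlier let plugin developers hook their own data into the core workflow, which is how the guidelines above (letting site owners honour access and deletion requests, and not retaining more than needed) are met in code. The following is an added example, not WordPress core code or any plugin mentioned on this page: it assumes a hypothetical plugin that stores contact-form entries in a custom table ({$wpdb->prefix}example_entries with columns id, name, email, message, ip, created_at, invoice_ref), registers an exporter and an eraser through the real wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters, and pseudonymizes rather than deletes any entry tied to an invoice that must be kept for auditing.

```php
<?php
// Added example (hypothetical plugin, not WordPress core or a plugin from this page).
// Assumed custom table: {$wpdb->prefix}example_entries
//   id, name, email, message, ip, created_at, invoice_ref

// Register our exporter so the Tools > Export Personal Data screen includes our rows.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-form-entries'] = array(
        'exporter_friendly_name' => 'Example Form Entries',
        'callback'               => 'example_entries_exporter',
    );
    return $exporters;
} );

function example_entries_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $limit  = 100;
    $offset = ( max( 1, (int) $page ) - 1 ) * $limit;
    $table  = $wpdb->prefix . 'example_entries';

    // The email comes from a user-initiated request: always go through prepare().
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, email, message, ip, created_at FROM {$table}
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $limit, $offset
    ) );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-form-entries',
            'group_label' => 'Form Entries',
            'item_id'     => 'example-entry-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',       'value' => $row->name ),
                array( 'name' => 'Email',      'value' => $row->email ),
                array( 'name' => 'Message',    'value' => $row->message ),
                array( 'name' => 'IP address', 'value' => $row->ip ),
                array( 'name' => 'Submitted',  'value' => $row->created_at ),
            ),
        );
    }

    // 'done' => false tells core to call us again with $page + 1.
    return array( 'data' => $export_items, 'done' => count( $rows ) < $limit );
}

// Register our eraser so the Tools > Erase Personal Data screen reaches our rows.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-form-entries'] = array(
        'eraser_friendly_name' => 'Example Form Entries',
        'callback'             => 'example_entries_eraser',
    );
    return $erasers;
} );

function example_entries_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $limit = 100;
    $table = $wpdb->prefix . 'example_entries';

    // No OFFSET: rows are deleted or have their email pseudonymized below,
    // so each call naturally sees the next batch still matching the address.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, invoice_ref FROM {$table} WHERE email = %s LIMIT %d",
        $email_address, $limit
    ) );

    $removed  = false;
    $retained = false;
    $messages = array();

    foreach ( $rows as $row ) {
        if ( empty( $row->invoice_ref ) ) {
            // Nothing obliges us to keep this entry: delete it outright.
            $wpdb->delete( $table, array( 'id' => $row->id ), array( '%d' ) );
            $removed = true;
        } else {
            // Tied to a financial record the business must keep for auditing:
            // pseudonymize the personal fields with core's helper instead of deleting.
            $wpdb->update(
                $table,
                array(
                    'name'    => wp_privacy_anonymize_data( 'text' ),      // "[deleted]"
                    'email'   => wp_privacy_anonymize_data( 'email' ),     // deleted@site.invalid
                    'message' => wp_privacy_anonymize_data( 'longtext' ),
                    'ip'      => wp_privacy_anonymize_data( 'ip', '' ),    // blank; no IP kept
                ),
                array( 'id' => $row->id ),
                array( '%s', '%s', '%s', '%s' ),
                array( '%d' )
            );
            $retained = true;
        }
    }

    if ( $retained ) {
        // Surfaced to the admin in the request's "Next Steps" column.
        $messages[] = 'Entries linked to invoices were pseudonymized, not deleted, '
                    . 'because financial records must be retained for auditing.';
    }

    return array(
        'items_removed'  => $removed,
        'items_retained' => $retained,
        'messages'       => $messages,
        'done'           => count( $rows ) < $limit,
    );
}
```

Core only runs these callbacks after the requester has confirmed the email it sent them, so the plugin never has to verify identity itself.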
Best WordPress Plugins for Improving GDPR Compliance
You can automate certain aspects of GDPR compliance using WordPress plugins.
As should be clear from this article, however, no solution can guarantee 100% compliance and that includes plugins. So, be wary of and avoid using any WordPress plugin claiming to make your site fully GDPR compliant.
Here are the best free and paid WordPress plugins we recommend checking out to improve your site’s compliance with GDPR requirements in no particular order of preference:
Complianz offers a fully-featured Privacy Suite that will help your WordPress site meet compliance requirements in the European Union, the United States, and/or the United Kingdom (GDPR, ePrivacy, CCPA, PECR, and more!)
You can use the plugin’s wizard to configure your site for privacy legislation compliance.
The premium version adds a whole range of advanced features, integrations, agreements, and support for many additional consent, privacy, and compliance requirements for worldwide coverage and protection, as well as premium support.
iubenda provides an all-in-one legal document management service to help make your website (or app) compliant with the law on multiple languages and legislations and a free WordPress plugin to interface two services that will help make your website more GDPR and ePrivacy compliant: Cookie Solution and Consent Solution.
These services include a fully customizable cookie banner, blocking scripts, cookie consent management, and comprehensive record-keeping for GDPR purposes.
The plugin also detects and identifies all supported forms embedded in the website and maintains valid and detailed records of consent using its Content Solution service.
CookieYes adds customizable GDPR compliant features to your website and supports cookie compliance with the LGPD (Brazil), CNIL (France), and California Consumer Privacy Act (CCPA).
This plugin includes many features including selecting the type of law, displaying the cookie banner in the header or footer, auto-hiding the cookie bar after delay or scrolling, revisit consent widget, customizable cookie bar options, and cookie button shortcodes.
The premium version offers additional enhancements like single click automatic scanning and categorization of cookies, script autoblocking, location based exclusion of cookie notice for EU countries, user consent audit logs, cookie bar preview, cache plugin support, additional layouts and templates, and more.
Cookiebot is a freemium plugin that delivers a cloud-driven solution to automatically control cookies and trackers, and ensure GDPR, ePrivacy and CCPA compliance.
Note: The number of subpages on your website will determine whether your site runs on the free plan or a premium plan.
The plugin integrates with the native WordPress comments and registration forms and automatically adds a GDPR checkbox to those forms with customizable messages. It also allows users to control consent permissions and creates special pages allowing users to exercise privacy rights requests such as ‘Right to access’ and ‘Right to be forgotten’.
GDPR Cookie Compliance can help your site meet some of the following data protection and privacy regulations: GDPR, PIPEDA, CCPA, AAP, LGPD and others.
Users have full control over cookies stored on their computer, including the ability to revoke their consent.
The premium add-on includes additional options like full-screen layout, geo location, ability to hide cookie notice banner on selected pages and block users from viewing 3rd party resources until they accept cookies, export & import settings, WordPress Multisite extension, accept cookies on scroll, cookie declaration, consent log and analytics, language specific scripts and local data storage of user data.
The plugin is optimised for WCAG/ADA compliance and supports all major caching servers and plugins.
Cookie Notice &amp; Compliance combines a plugin that displays a cookie notice on your website to comply with EU GDPR and CCPA cookie laws and consent requirements with a free web application that provides automated compliance features using an intentional consent framework that incorporates the latest guidelines on data protection and consent laws from over 100 countries.
Enabling the Cookie Compliance module gives you access to the full suite of compliance features. This includes customizable GDPR & CCPA notice templates, consent analytics dashboard, cookie autoblocking, cookie categories, and proof-of-consent storage.
GDPR Cookie Consent Banner helps your WordPress site comply with a number of privacy laws like the GDPR, UK GDPR, CCPA, the ePrivacy Directive (EU Cookie Law), and the UK’s Privacy and Electronic Communications Regulations (PECR).
You will need to sign up for a free account and obtain an API key to unlock the plugin’s features, which include automatic cookie scans, a customizable GDPR, CCPA, and ePrivacy-compliant cookie consent banner, automatic cookie consent & preference tracking, legal policy generator, automatic cookie configuration, auto-generated cookie descriptions and cookie categories, autoblocking of scripts, multilingual support, and access to additional policy, disclaimer, and terms and conditions generators.
As stated on their website, Termageddon is “a generator of policies for websites and applications.”
The service allows you to stay compliant for different privacy laws and regulations (e.g. US state privacy laws like CalOPPA, CCPA, DOPPA, VCDPA, Canada’s PIPEDA, and, of course GDPR) even when these laws change, by automatically keeping your Privacy Policies updated through code placed on your website.
TermsFeed provides customized legal agreements and policies for online businesses.
You can access agreements and policies for free using the site’s generators and templates and purchase optional premium agreements with additional clauses for a one-time fee, so you only pay for what you need.
TermsFeed monitors changes in laws, acts, and regulations across various jurisdictions (countries and states) and notifies you if any updates are required for your generated policies.
With the exception of Snapshot, none of our plugins store private user data. Defender can store IP addresses in the audit logs, but you can choose to disable that in the settings. You might also wish to disable EXIF data for images compressed using Smush.
With Snapshot, it depends on where you are actually storing the backups (with us or elsewhere). You’ll just want to disclose that it is stored, as it will be a copy of your site’s database and therefore include any personal data that you store as part of your site, and should be treated the same as your web host.
GDPR laws and regulations were introduced to protect and safeguard personal user data from being misused and abused in an increasingly digital-driven and internet-connected world.
The implications of privacy laws and the GDPR for businesses are wide-ranging. It requires a radical change of thinking in how you do business online, from planning your website to marketing and promoting your products and services in a global economy.
The above information can help make your WordPress site more GDPR compliant. It’s important to note, however, that although we cover many areas in this comprehensive guide, it’s still not enough to guarantee 100% GDPR compliance for your business or your website.
Ultimately, making your website compliant is not just a requirement by law, it’s also a good thing for all online users. After all, we are all each other’s online consumers and we all deserve to have our personal data valued, protected, and respected.
One final reminder: As stated throughout this article, we encourage you to seek the legal advice of web compliance experts. Don’t assume that GDPR does not apply to your business or website, or that all the measures you have implemented so far are enough to make you 100% compliant.
Privacy & GDPR – Useful References
For additional information check out the links below:
Martin Aranovitch Martin Aranovitch is a blog writer and editor at WPMU DEV. He is a self-taught WP user who has been teaching businesses how to use WordPress effectively almost since the platform began. When he is not writing articles and tutorials, he’s probably off bushwalking in the mountains. Connect with Martin on LinkedIn, Facebook, and his WordPress client training website.