Just when you thought it was safe to conduct business with the European Union (EU) after the Cookie Law situation, along came the General Data Protection Regulation (GDPR) initiative. However, unlike the Cookie Law, the impact of this change on WordPress website owners could be significant – so it pays to comply.
In short, the GDPR provides a method for users to control the way their data is collected and used, so it’s crucial for anyone who regularly deals with clients in the EU to understand. There are some important aspects for you to consider (such as how you currently store user data), but you’ll also want to see what the WordPress bigwigs have up their sleeves.
With that in mind, we’ll look at what the EU GDPR initiative is, why it’s been developed, and what WordPress and other platforms are doing to help users keep on the right side of the law. Finally, we’ll discuss how you can stay one step ahead before the GDPR is fully implemented. Let’s get started!
What the EU General Data Protection Regulation (GDPR) Initiative Is
As we briefly discussed above, the GDPR is a European Union initiative to give internet users the right to be forgotten. Of course, it’s a little more complex than that, as the initiative will seek to control the way data is collected and managed online. It’s applicable for all website owners with EU visitors, regardless of your own location, and the due date is projected for the 25th of May 2018. This means getting ready should be a priority now.
Of course, visitor security has been a hot topic for a number of years now. Back in 2011, for example, the EU Cookie Law came into force. This was an initial attempt to offer transparency to visitors about the data collected from site cookies, but many people were concerned that it didn’t go far enough. What’s more, the Cookie Law isn’t currently enforced that heavily, with many in the US apparently not complying (based on anecdotal evidence). This is mainly due to the penalties not being very severe for a lot of businesses.
However, the GDPR is upping the stakes in order to obtain greater compliance. There will be a tiered approach to penalties, although there’s no official record of this yet. The only penalties we currently have knowledge of are:
- A fine of 4 percent of your annual turnover
- Or up to $25 million.
Naturally, there will still be many who believe they can sidestep the law, just as they currently do with cookies or EU VAT registration. However, unlike those laws, each EU member state will have a relevant authority that will manage GDPR compliance through web audits, with the ability to issue warnings and penalties appropriately. Given this, many companies have begun a compliance process, since they realize that ignoring this initiative could cost them dearly.
What the WordPress Community Is Doing to Prepare Its Users For the GDPR
Given its current dominant position, WordPress will also need to comply with the GDPR. What’s more, elements within the platform that collect data, such as most of the theme and plugins you use, will need to become fully compliant.
Automattic has so far been slow to update users on the compliance process for its products, including WordPress.org, WordPress.com, and the Jetpack plugin. They’ve responded to various social media comments, stating that they’re currently implementing features to be rolled out as soon as possible. However, the discussions on how this will be implemented haven’t been made public yet. The only advice offered by Automattic at this stage is to keep an eye on the constantly updated post on WordPress.com for more details.
While a Trac was opened requesting that a privacy policy be added to WordPress, it was closed nearly two months ago with no real resolution. The new GDPR for WordPress initiative, however, has been much more proactive, and is currently the go-to hub for everything related to the new directive:
This project is geared solely towards plugin developers, but it’s working hard to provide an industry standard for compliance that could trickle into other development areas. At the moment, there’s been a steady cycle of consultation and learning, and the hope is that this will create a standard to help all WordPress developers keep on the right side of the law.
How to Begin Implementing the GDPR on Your WordPress Website
At this point, you’re probably trying to nail down a plan for complying with the GDPR, and the resources we’ve already outlined should help. First, you’ll want to ascertain how data is stored on your server. This is also a great time to carry out a dedicated security audit of your website, and using a plugin like WP Security Audit Log will help immensely with both tasks:
WP Security Audit Log keeps track of essentially everything that happens on your website relating to user activity. Digging into the log will show you exactly where and how data is collected. In a nutshell, any element of your site that lets users interact with it could potentially collect data in some form, so it’s important to find them all.
There are three elements to consider when it comes to user privacy and data collection:
- Right to Access. You’ll need to be transparent when it comes to how you collect and use personal data, and why. Users should also be able to request their data freely, with a 40-day turnaround on your end.
- Right to Be Forgotten. This is essentially a withdrawal of consent from the user and means you’ll need to completely erase the data you’ve stored.
- Data Portability. Finally, this gives the user an option to download their data and transfer it elsewhere.
Next, you’ll need to have a procedure in place to notify users of any data breaches. How you do this will obviously depend on your user base, and you’re practically free to do as you please here. However, getting that message out as quickly as possible is key. In our opinion, a plugin such as Wordfence, which offers instant notifications, will be invaluable.
Finally, although we’ve already touched on third-party extensions such as plugins, it’s important to restate their importance. They will also need to comply with the GDPR, and the implications for developers who fail to do this aren’t good. Remember that you’ll also need to be able to show how each plugin collects data. Providing your users with a snippet to add to their privacy policies is likely going to be your best option moving forward.
Conclusion
We won’t beat around the bush – it’s going to take up a lot of your time and resources to comply fully with the GDPR. However, it’s absolutely necessary to do so, because losing up to $20 million or 4 percent of your annual turnover is not something you want to risk.
Becoming compliant is vital, but figuring out the details might be tricky. Let’s recap what we know so far:
- The GDPR will be coming into force in May 2018, and every site dealing with EU visitors must comply.
- Failure to do so will result in a hefty fine if caught.
- WordPress’ development community is making slow inroads, but the GDPR for WordPress project aims to help plugin developers become compliant.
- You’ll need to consider every ‘entry point’ for user data, and make sure your users have the right to access their data and request deletion.
Do you have any questions about the GDPR and how it will affect your site? Let us know in the comments section below!
Featured image: Pixabay.
1 Comment