Note: WowThemesNet is now fully GDPR compliant. Read this GDPR practical guide on how we did it.
What is GDPR?
GDPR stands for General Data Protection Regulation, a regulation in European Union legislation on data protection and privacy that will be fully applicable from 25 May 2018. If you’re located outside EU, you may be tempted to believe that this regulation does not affect you, but, please keep reading, because GDPR not only applies to organizations located within the EU but it will also apply to companies, businesses, organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. For example, a US merchant which sells products to consumers in Europe will be bound by the GDPR to protect the personal data of each European customer.
What is personal data?
Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
As the regulation defines it, personal data includes name, e-mail address, IP addresses, photo etc. If you store one of these data, you fall under the jurisdiction of the GDPR.
The rights GDPR stands for
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
How to make your website GDPR compliant - practical advice
If you own a website, you must take measures to make your website GDPR compliant before 25 May 2018. It is a lot of work, but you have no choice because the fines are substantial:
- on the lower level up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher
- on the upper level up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
So, here is how you prepare your website for GDPR compliance:
1. User Consent
Requirement: Under GDPR, never collect data without consent. Under GDPR, all website forms (contact forms, support request forms, payment forms, newsletter forms, sign up forms, comments forms etc.) must have user’s explicit consent for collecting or storing user data.
Solution: The easiest way to do this is by adding a checkbox to your form. In example you can add a checkbox option: “I consent to Example.com collecting and storing my data from this form“. No sneaky checkbox, make sure it is unchecked by default.
If you are using WordPress, WP GDPR Compliance plugin automatically adds GDPR checkboxes to some of your existing plugins, such as Contact Form 7, Gravity Forms, WooCommerce or WordPress Comments.
2. Entry Data Requests
Requirement: Under GDPR, users can request access to their entry data at any time. ("right of access by the data subject") and information about how this data is processed. You must provide upon their request an overview of the categories of data that are being processed as well as a copy of the actual data. The users also have the “right to be forgotten”.
Requirement: Articles 12, 13 and 14 of the GDPR outline the requirements on giving privacy information to data subjects.
You must be fully transparent and clear with:
- who is collecting the data
- what rights does the data subject have
- how is the data collected
- what is the legal basis for processing it
- why is the data needed
- is it shared with 3rd parties
- what is being done with the data
- how long is the data retained
The amount of work is huge, so we recommend you to use an automatic solution such as the EU General Data Protection Regulation (GDPR) Documentation Toolkit which offers a complete set of easy-to-use and customizable documentation templates, worksheets and policies required to comply with documented aspects of the Regulation.
If you are using a third party payment processor, this should also follow GDPR and it is your responsibility to check its compliancy. In example, FastSpring payment processor clearly states that they’re committed to being fully GDPR compliant by the May 25, 2018 deadline. Shopify has also been preparing in explicit ways.
If you are using WordPress’ WooCommerce, here is a great article on how to make an WooCommerce website GDPR compliant.
If you are using WordPress with Easy Digital Downloads, there’s currently an add-on WP GDPR EDD Addon which can be implemented together with the WP GDPR Core plugin to receive, besides comment data, also the data from Easy Digital Downloads entries.
If a user can checkout as a guest and your own website is collecting personal data before passing the details onto the payment gateway, you must remove any personal information after a reasonable period.
5. Google Analytics
We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR). Keeping users’ information safe and secure is among our highest priorities at Google. Over the years, we have spent a lot of time working closely with Data Protection Authorities in Europe, and we have already implemented strong privacy protections that reflect their guidance. We are committed to complying with the new legislation and will collaborate with partners throughout this process.
6. Breach Notifications
Requirement: Under the GDPR, if your website experiences a data breach you must immediately communicate this to those users affected by the breach. A notification must be sent within 72 hours to all affected users.
Conclusion - To Do
- Start by analyzing what kind of personal data you collect through your website. Be aware of every personal data you collect.
- Remove any personal data request that you don’t really need to make your life easier.
- Add explicit user consent for each data you collect on any website form and leave them unchecked by default.
- Add a separate GDPR request form on your website where the user can make any GDPR related requests such as deleting their account.
- Check third parties GDPR compliance.
- Make sure all necessary notification forms are in place in case of a data breach.
- Use SSL. Cloudways, the cloud hosting platform we also use, provides it for free.
- Access the free resources below, especially the first two.
GDPR Useful Resources:
*Disclaimer: This article is not intended for use as legal advice for your company in complying with GDPR. Please contact a lawyer for legal advice regarding your business.