How to prepare your site for GDPR

Posted in: How To's

New Data Privacy Laws

A new set of data privacy laws called the General Data Protection Regulation, or GDPR, will go into effect on May 25, 2018.

If you are collecting data on your website and there is any chance that a citizen of the EU may use your site, GDPR applies to you.

Disclaimer: I am not an attorney. This information is based on my own research of the General Data Protection Regulation (GDPR). GDPR is complex and interpretations vary. You are advised to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your organization conforms to these regulations.

Prepare your site for General Data Protection Regulation (GDPR)

To make sure your site is ready for the enforcement of these new laws, you’ll want to take the following steps:

Security Audit:

How is your site collecting and storing user data? What data are being collected? Is the data collected necessary to the business? What is the process for deleting old data?

WordPress may collect user data through:

  • User registrations
  • Comments
  • Contact form entries
  • Analytics and site traffic logs
  • Security or logging tools or plugins

The Security Audit Log plugin can assist you in performing a security audit on your website.

Keeping User Data Secure:

At a minimum, all WordPress websites should be using a security plugin like Wordfence to help you monitor site activity and limit access to your site. As well, all sites should be using HTTPS (install an SSL certificate), so that all data entered into the site is encrypted in transit.

Explicit Consent:

Users must give explicit consent before their data can be collected. (Note: A ‘join our email newsletter’ checkbox that is selected by default violates this rule.)
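As an added example (not part of the original post), here is a WordPress newsletter signup that renders the consent checkbox unticked and rejects the submission on the server unless the box was actually ticked, recording when and to which version of the privacy notice the subscriber consented. The function names, the nonce action, the option name and the policy version string are assumptions.

```php
<?php
/**
 * Added example (not from the original post): a newsletter signup that
 * requires an affirmative, unticked-by-default consent checkbox and records
 * when and to what the subscriber consented. Function names, the nonce
 * action, the option name and the policy version are assumptions.
 */

// Version of the privacy notice the checkbox refers to; bump it when the
// notice changes so older consent records can be told apart from newer ones.
const GDPR_EXAMPLE_POLICY_VERSION = '2018-05-25';

// Render the form. The consent box carries no `checked` attribute:
// a pre-ticked box is not explicit consent.
function gdpr_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="gdpr_example_signup">
        <?php wp_nonce_field( 'gdpr_example_signup' ); ?>
        <label>Email <input type="email" name="email" required></label>
        <label>
            <input type="checkbox" name="consent" value="yes">
            Yes, send me the newsletter. I have read the
            <a href="<?php echo esc_url( get_privacy_policy_url() ); ?>">privacy policy</a>.
        </label>
        <button type="submit">Subscribe</button>
    </form>
    <?php
}

// Validate a submission. Returns a consent record on success or a WP_Error.
// Consent is accepted only when the checkbox value was actually posted,
// so a client that strips the checkbox cannot be recorded as consenting.
function gdpr_example_validate( array $post ) {
    $email = isset( $post['email'] ) ? sanitize_email( wp_unslash( $post['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'A valid email address is required.' );
    }
    if ( ! isset( $post['consent'] ) || 'yes' !== $post['consent'] ) {
        return new WP_Error( 'no_consent', 'Please tick the box to consent to receiving the newsletter.' );
    }
    return array(
        'email'          => $email,
        'consented_at'   => gmdate( 'c' ),
        'policy_version' => GDPR_EXAMPLE_POLICY_VERSION,
        'source'         => 'newsletter-form',
    );
}

// admin-post.php handler: verify the nonce, validate, then store the record
// alongside the address so it can be produced later (right of access) or
// removed (right to be forgotten).
function gdpr_example_handle_signup() {
    check_admin_referer( 'gdpr_example_signup' );
    $record = gdpr_example_validate( $_POST );
    if ( is_wp_error( $record ) ) {
        wp_die( esc_html( $record->get_error_message() ), '', array( 'response' => 400 ) );
    }
    $subscribers = get_option( 'gdpr_example_subscribers', array() );
    $subscribers[ $record['email'] ] = $record;
    update_option( 'gdpr_example_subscribers', $subscribers, false );
    wp_safe_redirect( add_query_arg( 'subscribed', '1', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
}
add_action( 'admin_post_nopriv_gdpr_example_signup', 'gdpr_example_handle_signup' );
add_action( 'admin_post_gdpr_example_signup', 'gdpr_example_handle_signup' );
```

The check lives on the server because the checkbox markup alone proves nothing: a browser (or a bot) can submit the form without it. Storing the timestamp and policy version with the address is what lets you later show what the subscriber agreed to and when.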

Data Collection, Processing & Storage:

  • Right to Access – Users have the right to be provided a copy of their data, free of cost, within 40 days of request. This includes a published Privacy Policy stating what data are being collected, where they are being processed and stored, and the reason behind collection.
  • Data Portability – Users have a right to download their personal data and transmit that data to a different controller.
  • Right to be Forgotten – Users must have the option to erase their personal data and stop further collection and processing of it.

Breach Notification:

You must notify all users affected by a breach within 72 hours of becoming aware of the breach. Breach Notification creates a legal requirement to assess and monitor the security of your website.

Use of Plugins & 3rd Party Platforms:

  • Plugins – The site owner is responsible for the plugins used on their site. Every plugin must be able to export/provide/erase any user data it collects.
  • 3rd Party Platforms – Site owners are ultimately responsible for the data collection & storage methods of any plugin or 3rd party software used on their site. Be sure to verify that any 3rd party software you are using is GDPR compliant.
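The right of access, data portability and erasure listed under Data Collection above, and the requirement here that every plugin be able to export or erase the data it collects, map directly onto WordPress's own privacy tools (Tools > Export Personal Data and Tools > Erase Personal Data, available since WordPress 4.9.6). As an added example, not from the original post, the following registers an exporter and an eraser for newsletter subscriber records held in a site option; the option name, function names and field names are assumptions.

```php
<?php
/**
 * Added example (not from the original post): registering a personal data
 * exporter and eraser with WordPress's privacy tools (WordPress 4.9.6+) for
 * subscriber records held in the 'gdpr_example_subscribers' option, keyed by
 * email address. Option, function and field names are assumptions.
 */

// Exporter: return everything held about this email address, in groups that
// the export tool renders and bundles into the downloadable archive
// (right of access and data portability).
function gdpr_example_exporter( $email_address, $page = 1 ) {
    $email       = sanitize_email( $email_address );
    $subscribers = get_option( 'gdpr_example_subscribers', array() );
    $items       = array();

    if ( isset( $subscribers[ $email ] ) ) {
        $record  = $subscribers[ $email ];
        $items[] = array(
            'group_id'    => 'gdpr-example-newsletter',
            'group_label' => 'Newsletter subscription',
            'item_id'     => 'newsletter-' . md5( $email ),
            'data'        => array(
                array( 'name' => 'Email',          'value' => $record['email'] ),
                array( 'name' => 'Consented at',   'value' => $record['consented_at'] ),
                array( 'name' => 'Policy version', 'value' => $record['policy_version'] ),
                array( 'name' => 'Source',         'value' => $record['source'] ),
            ),
        );
    }
    // 'done' => true tells WordPress there are no further pages to fetch.
    return array( 'data' => $items, 'done' => true );
}

// Eraser: remove the record and report what happened so the site owner can
// confirm in the admin UI that the request was fulfilled (right to be forgotten).
function gdpr_example_eraser( $email_address, $page = 1 ) {
    $email       = sanitize_email( $email_address );
    $subscribers = get_option( 'gdpr_example_subscribers', array() );
    $removed     = false;

    if ( isset( $subscribers[ $email ] ) ) {
        unset( $subscribers[ $email ] );
        update_option( 'gdpr_example_subscribers', $subscribers, false );
        $removed = true;
    }
    return array(
        'items_removed'  => $removed,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}

// Register both callbacks so they run alongside WordPress core's own
// exporters and erasers for users and comments.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['gdpr-example'] = array(
        'exporter_friendly_name' => 'Newsletter subscriptions',
        'callback'               => 'gdpr_example_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['gdpr-example'] = array(
        'eraser_friendly_name' => 'Newsletter subscriptions',
        'callback'             => 'gdpr_example_eraser',
    );
    return $erasers;
} );
```

If a plugin keeps data you are legally required to retain (invoices, for example), the eraser should set `items_retained` to true and explain why in `messages` rather than silently skipping it; the site owner sees those messages when reviewing the request.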


Recommendations

Data Officer: Specifically assign someone on your staff who is responsible for all data protection activities.

Site Security: Install the Wordfence plugin and use an SSL (Secure Sockets Layer) certificate on all WordPress sites.

Google Analytics: It is against Google Analytics policy to collect personally identifiable data. Check your settings to make sure all data is anonymized.


Learn More

What is GDPR?: https://premium.wpmudev.org/blog/gdpr-compliance/

Google Analytics & GDPR: http://www.blastam.com/blog/5-actionable-steps-gdpr-compliance-google-analytics

Making WordPress forms GDPR compliant: https://ninjaforms.com/gdpr-compliance-wordpress-forms/
