If you live outside the EU, you may not have felt effects of the impending GDPR ruling yet, but you will. The ruling goes into effect on May 25 (this Friday!!) and everyone who has a website that MAY EVER be visited by someone living or residing within the European Union will potentially be affected by this law. It’s important to familiarize yourself with GDPR now if you haven’t already. This post will help you figure out how to address and implement new privacy and security practices in your business or organization.
Policy Changes Potentially Affect Everyone!
A Quick Overview of the GDPR Law
GDPR stands for General Data Protection Regulation. It provides protection and laws regarding the storage and use of personal data of all EU residents. This is not a NEW law; it’s been in place since 1995, but previously only applied to websites operating within the EU. On May 25 this expands to include all websites in the world. So if your site could potentially be visited by anyone living or residing in the entire European Union, and you are collecting ANY KIND of information about them or their visit — it now applies to you. Yes, even if you just use Google Analytics to measure your website traffic.
The concept is simple (and reasonable, when you think about it):
The GDPR states that a user should be able to specifically opt-in to having their personal data recorded, understand what information is being collected and what it is being used for, and have the ability to request that information be deleted at any time.
Simple, right? Except, not so simple when you start thinking about this in greater detail: many websites don’t even have a system in place for visitors to opt-in to sharing their data. Many more websites don’t have an easy way to delete visitor data. And MOST websites do not have their processes for information gathering, sharing and storage documented in a public place that anyone can access.
Check out this interactive infographic on the European Commission site! It explains the different components of the GDPR law in an easy-to-understand way.
What You Can (and Should) Do RIGHT NOW to Prepare for the GDPR
The key is to first identify whether or not you are collecting personal data of any users in the EU. Personal data, as described somewhat ambiguously in Article 4 of the law, basically refers to any information can potentially identify an individual (ex: name, location, ID numbers, etc). Nowadays, most websites have visitors from the EU in some form, so it’s likely to apply to you if you are collecting any kind of personal data at all.
In order to discover exactly HOW MUCH you have to prepare, you need to understand the nature of any information you are gathering. I’ve broken this process down into 3 steps regarding customer data gathering and storage: audit and document all the ways you are collecting personal data (including any third party solutions that you are using!); implement data consent and removal features on your website; and find and remove any non-essential data and non-compliant processes that are currently on your site. Following these steps and educating yourself on the GDPR rules will get you on the right path to implementing a compliant GDPR policy of your own.
1. Discovery and Documentation: Understand What Information You Are Collecting
The first step to compliance is to understand how data is being processed and stored on your servers, on your own website, and to ensure it is all secure. It’s not uncommon for a WordPress site to have multiple unused plugins, or plugins that you don’t quite understand what they’re doing. This can be especially true if you had someone else build the site for you. But here’s the part where I say that maintaining security on your website is now a legal requirement, and the time has come for you to understand everything that’s running on your site.
In order to get our heads around this type of audit, just think of some of the ways a typical website might collect and use visitor data:
- User registrations (email, name)
- Contact forms, Newsletter signups (phone number, physical address, email)
- Comments (name, date, photo, remarks)
- Third party plugins and tools (payment processing?? CRM? A social media feed?)
- Security tools and plugins (are you using a CDN? User photos might be stored in multiple places across the world!)
- Analytics and traffic logs (IP address, sites they visit)
A good place to start is to make an inventory (this can be a simple list or spreadsheet) of every plugin and third party service being used on your site. Understand what it is for, discover what personal information it is potentially collecting, what it is being used for, and where it is being stored. Then move onto any custom information collection you are gathering about your users (via site registrations or embedded analytics). For example, the WP Security Audit Log plugin can help you find the security touchpoints on your site.
Once you have this list, you are well on your way, and can now perform an audit!
2. Audit: Remove Any Non-Essential or Non-Compliant Data Collection
One of the facets of the GDPR includes only collecting information that you can prove you have a relevant use for, and that it is being stored securely and used honestly. A website audit will help you identify and understand everything on your site.
In order to perform a website audit, look at each plugin and tool you are using and ask yourself:
- Am I using the information that is being gathered? If not, get rid of it, don’t collect it. Document the type and purpose of all relevant information being collected.
- Is it being stored securely? Verify this. If it is not secure, get rid of it and find a secure solution.
- How can I delete this information at the user’s request? Being GDPR compliant means that a user can request their data be permanently deleted from all digital storage associated with your site, and you must be able to comply. Discovering and documenting the data deletion processes for all of your tools will prepare you for one of these requests.
3. Implement Data Consent and Removal Features on Your Website
Implement data collection consent opt-ins at every collection point. Ask the user to confirm that you are authorized to use the information they are submitting (or the information you are gathering in the background). This can look like a checkbox near the submit button or a popup that the user must agree to in order to browser your site.
It isn’t always practical to have an automated data-removal system in place, and you aren’t explicitly required to build one. Manually removing all user data could be more work, but as long as the user can request you remove their data, and you can do this permanently and thoroughly, you will be in compliance. Your Audit information comes in real handy here: if you’ve properly inventoried and audited your site, this information should already be easily available to you on how to proceed.
Website Security Isn’t Just an Option Anymore
With very specific laws in place for personal data collection, handling, use and storage, website security isn’t just an option anymore – it’s a requirement of running a website. If you know what private information you are collecting, can prove that it is being used appropriately, have explicit permission to use it, and are able to delete it if necessary, then you will be in a really good position once the GDPR drops on the 25th. As this is an unprecedented law in the history of the internet, there are still kinks to be worked out. Enforcement procedures and penalties are still being put into place. There isn’t yet a precedent case ruling for this situation, so much of this remains to be seen. But being informed and in control of the information you are gathering on your website will empower you and your business.
As a small business owner, GDPR may not be your top priority. But anyone could be susceptible to having their data lost, stolen, or shared without proper consent. If you can demonstrate you are doing everything you can to protect your users’ data, you can increase your level of trust with users and even boost the value of your business and services.
WordPress 4.9.6 is out!
WordPress 4.9.6 was released on Wednesday, May 17 as an automatic update — so you may already be running it on your site. This version introduces some important new features for GDPR compliance. Tomorrow we will be taking a look at all these features and reviewing what you can do out of the box with WordPress to help with your GDPR compliance (and good privacy practices in general). Stay tuned!
GDPR Further Reading:
The EU General Data Protection Regulation Website
The EU GDPR website is a central space for GDPR education. They have a comprehensive FAQ and links to key regulation changes, and include a full regulation timeline. Warning: as you can imagine, this website is preettty popular right now so you may have occasional connectivity issues as everyone floods the site for last minute questions.
Video: GDPR Simply Explained in 3 Minutes
Some of us are more visual. This short video on YouTube can help you to understand the GDPR in a simple and helpful way.
More Information on GDPR for Small Businesses
This article from Compliance Junction specifically addresses GDPR implications for small businesses. While Article 30 of the GDPR states that many requirements do not apply to small businesses with under 250 employees, some very important ones do still apply depending on the information you gather and how you use it.
Official GDPR Regulation Document
Feel like tucking in to some light evening reading? Here’s the full, unabridged, 100% legalese GDPR Regulation in its entirety!
Note: This article is in no way exhaustive for guaranteed GDPR compliance but it will help you get started. If you process sensitive, personal data about your users (information health, children, legal records) then you should absolutely seek out specialist advice, no seriously you really should, and find a lawyer or GDPR representative to help guide you through the process. Aaaand, disclaimer! This post is not legal advice. We’re not lawyers. Exact measures for GDPR compliance are different for every company and you should talk to a legal representative familiar with GDPR law in order to establish the necessary compliance for your organization.