In May of 2018, the European Union fully enacted the General Data Protection Regulation, more commonly known as the GDPR. Many people who run their website through the popular WordPress.org CMS could have some issues if they are unclear on GDPR compliance.
If you collect any information or data from your site’s visitors that will be stored in any way, yes, you need to comply with the GDPR on your WordPress site. It is not as difficult as you may think, and likely you can do it quickly and with little to no change to your site’s set-up.
Here we will try to ensure that you know exactly what you need to do to make your WordPress site GDPR compliant.
The Basics of the GDPR
The GDPR is a set of legal rules that apply to the personal data of any individual who lives in the European Union. Where the website is headquartered doesn’t matter; what matters is where the individual visiting the site is from. For instance, if you own a company in the United States and host your website with BlueHost, you still need to be GDPR compliant for your EU visitors.
The GDPR governs the collection and the processing of any personal information that those EU residents may enter on your site. The first part of this is the rule that all EU visitors must be given a couple of additional disclosures about what data is collected and exactly how it will be stored and used by the site.
The other big part of the GDPR requires a system to contact anyone whose information may be compromised by a breach of your site.
Here are the requirements of the GDPR:
- Cookie Disclosure and Consent – The first disclosure that should be given to site visitors states that most sites use cookies that collect personal information, such as your preferences for the website and any specific settings you want. Not only must you disclose this, but there must also be a way for the visitor to accept, either a check box or a simple button click.
- Make PII Anonymous – If your site collects any personally identifiable information on visitors, the GDPR requires that you either make that information wholly anonymous or assign random pseudonyms to visitors.
- Security Assessment – According to the GDPR, sites need to assess the security of the data they collect. If it is not deemed strong enough, you may have to have someone take on the role of Data Protection Officer. If you have a DPO, their contact information needs to be easily accessible to site visitors.
- Erasure – There must be a process for EU site visitors to request that their information be erased from the site.
- Alert System – Finally, the GDPR states there must be a system in place to contact visitors in the event of a data breach.
The GDPR and WordPress
The biggest question most WordPress users may be asking is whether the WordPress software is already GDPR compliant, and the answer to that question is yes. WordPress updated its underlying software to be GDPR compliant with version 4.9.6.
However, please do not stop reading there, as no site can be completely compliant with the core software alone. For a basic WordPress site, you will have three built-in tools that will help you be GDPR compliant: comment consent, the personal data export and erase feature, and a generator for privacy policies.
If you have the most basic of sites, you may be fine with just those three fundamental changes: you have given your visitors a policy on the privacy of your page, given them a way to export and erase the data collected about them, and given them the chance to refuse to have their information stored by the comments tool.
Now you have to ensure that if your site has other specific areas governed by the GDPR, you are covered there.
Enhanced WordPress GDPR Features
If you are sending traffic off your site with any links, ads, or tracking pixels, you need to use a Cookie Consent plugin or tool. Many WordPress sites have a way to sign up to receive e-mail communications or other contact forms. Make sure that you have a proper opt-in signup.
To be GDPR compliant with your opt-ins, make sure that you have either a double opt-in (a confirmation of consent) or an explicit check box that makes it clear that the visitor’s data will be collected and stored for communication.
Monetary GDPR Compliance
If you collect money from your visitors for goods or services, there are a few more regulations and requirements you will need to follow to be GDPR compliant. You will want to refer to a more in-depth guide for ensuring financial GDPR compliance.