GDPR compliance and your website
The General Data Protection Regulation (GDPR) is a new EU regulation aimed at helping to strengthen data protection for EU citizens and residents both within the EU and the wider world.
The regulation becomes effective from the 25th of May 2018.
Anyone who collects and processes personal data will be required to comply with the new regulations to a certain degree. As well as organisations who run websites or apps, this also includes any organisations who use internal databases, CRM or even plain old email.
It is quite an important regulation, and its significance has been highlighted by the enormous privacy breach at Facebook; under the GDPR this would not have been allowed.
The main thing a website owner needs to be aware of is that consent must be explicitly given to the data processor by the data subject before their data can be processed. Any data that you store or collect that can be used to identify an individual falls under the GDPR; this includes:
- Email address
- Location data
- IP address
There is also a sensitive personal data class that has more rules, and that includes race, health, sexual orientation, religion and political beliefs. These should not apply to our clients.
If you have a WordPress website, the common areas where you collect data include:
- user registrations
- contact form entries
- analytics and traffic log solutions
- any other logging tools and plugins
- security tools and plugins.
That means any user of your site must be warned if you are storing data about them. This applies to cookies and Google Analytics.
As part of the GDPR, an individual needs to be able to request any data stored on them and be able to ask you to delete it.
Depending on what data you collect, you don’t technically have to warn users about cookies: cookies aren’t technically covered by the GDPR but by the ePrivacy Regulation, which isn’t in force yet. For the sake of long-term compliance, we are recommending that an opt-in cookie plugin be applied.
Opt-in is important, as certain parts of these regulations explicitly state that a user must opt in rather than be given the option to opt out.
Form Data Collection
This is the main area that affects all our clients, especially eCommerce stores. If your site stores data on a user, it must comply. We recommend only storing what is absolutely essential, and because of this we are recommending that contact form plugins don’t store submissions within WordPress, but email them instead. Google Mail conforms to the GDPR, so they handle that side.
If your website collects any user data, it needs to be transmitted over an encrypted (SSL) connection. Chrome started issuing warnings about insecure connections last year, and we have rolled out SSL for every client storing data, so this should not cause an issue.
Websites get hacked frequently, and as WordPress powers more websites than any other platform, it is a frequent target. In the event your website is breached, under the new laws you will be required to notify users within 72 hours of the breach being identified. This is why it is extremely important to keep your website up to date.
Everything on the site needs to comply with the GDPR, so while WordPress itself may be compliant, you are also responsible for all the plugins on the site. Our general rule of thumb is to keep plugins to a minimum: it reduces maintenance, improves performance, and now it will also reduce compliance maintenance.
Google Analytics is something that affects all of our clients, and thankfully most of the work has been done by Google. Depending on how much you use Google Analytics, there could be changes within the app that affect you.
Analytics now has retention policies which set how long user-level and event-level data stored by Google Analytics is kept before it is automatically deleted from Analytics’ servers.
You can choose how long Analytics retains data before automatically deleting it:
- 14 months
- 26 months
- 38 months
- 50 months
- Do not automatically expire
When data reaches the end of the retention period, it is deleted automatically on a monthly basis.
If you would like us to review your website and help you become GDPR compliant, get in touch via our contact form.