How to Make Your WordPress Blog GDPR Compliant?

With the aim of protecting the personal information of EU citizens as well as leveling the playing field for businesses, the GDPR can be considered the biggest change in the field of data privacy law.

Since this law came into force, website owners are required to go the extra mile not only in how they collect users’ information but also in how they protect it.

So if you’re a WordPress website owner, this article is for you: I will discuss the possible impacts of this law on your website and the safeguards you can take to make your WordPress website GDPR compliant.

Having said that, I should also make clear that although I will try to paint a detailed picture, the law spans around 200 pages, so it is not possible to discuss all its intricacies in just one article.

Second, the tips in this article are not a substitute for legal advice. If need be, don’t hesitate to seek advice from a legal expert in this domain.


Also Read: How to Add GDPR Fields in your GetResponse Contact Forms?


What is GDPR?

The General Data Protection Regulation (GDPR) consolidates the European data privacy laws into one regulation. Enacted on the 25th of May, 2018, the regulation aims to give European Union citizens better control over the way their personal data is collected, used and tracked online.

Lately, you must have received email after email from websites such as Google and Facebook explaining their privacy policies and how they store and use your data. Well, that’s because of the GDPR: the holder of the information must tell users how their information is going to be used and must obtain clear and explicit consent from them before processing it.

What’s the Purpose of GDPR?

The purpose of GDPR is to give consumers greater control over their information: how it is collected, stored and used.

Before GDPR, businesses would bury the users’ consent in voluminous contract documents that the majority of people don’t even bother to read.

But not anymore.

After the enactment of GDPR, requests for consent to use consumers’ data must be explicit, clear and unambiguous, free of overcomplicated legal jargon.


Also Read: How to Make your GetResponse Email Campaigns GDPR Compliant?


Does GDPR Apply to your WordPress Website?

In most cases, yes.

Though the regulation exists to protect the information rights of EU citizens, a website (even a WordPress blog) operating from anywhere can be accessed from the EU and can therefore collect the private information of EU citizens. For that reason the regulation applies equally to websites and blogs operating from outside the EU.

The only way to ensure that the regulation does not apply to you is to block EU users from visiting your website. However, I bet you wouldn’t prefer to sacrifice such a lucrative traffic stream.

Would you?

Especially when you can make your WordPress website GDPR compliant easily by applying some safeguards.


What if your WordPress Site is not GDPR Compliant?

In the worst case scenario, you will be slapped with a hefty fine: up to 4% of a company’s annual global revenue or €20 million, whichever is greater.

Though this penalty has definitely stirred some panic, it’s not as if you will be fined straightaway out of the blue.

In fact, you will first receive a warning, then a reprimand. If you still do not act accordingly, your data processing will be suspended. Only after all these options are exhausted will the heavy fine hit you.

(Image: GDPR - Cost of Non Compliance)

Since the repercussions are severe, it’s better to be safe than sorry.

So how can you comply with GDPR?

Well, before answering that, it’s important to understand how this law defines the term Private Information.

What is Private Information according to the GDPR?

The regulation is fairly elaborate about what it means by an individual’s “Private Information” and lists categories such as name, address etc. However, to remove any ambiguity, the golden rule is that any information that helps to identify or locate an individual falls under Private Information.

Therefore, now that the regulation is in force, even cookie information, which website visitors used to take for granted, falls within its scope.

(Image: GDPR - Personal Data Definition. Image Courtesy – IEC e-Tech)

What is Required Under GDPR?

To jot down the facets of this law, GDPR rests on 4 main pillars that you need to be aware of:

1. Explicit and Unambiguous Consent: As an example, lots of websites have pre-ticked boxes for receiving their newsletter, so whenever a visitor posts a comment, he unknowingly opts in to their newsletter.

Well, this practice should be abandoned now.

If you want to send newsletters to your visitors, you should be explicit about it.

No more “Ninja” tricks now.

By explicit, it means no more pre-ticked checkboxes, and the consent should be separate from other terms and conditions. Leave the box unchecked by default.

2. Rights to Data: This includes informing individuals how, why and where their data is used. Moreover, individuals have the right to download and even delete their data. Of course, this does not mean building a whole interface so that users can delete their records on your website themselves. Rather, they can request to be forgotten, and the website has to comply.

3. Breach Notification: The website/business must inform the relevant authorities of a data breach within 72 hours. This condition can be waived if the breach is not sensitive and poses no threat to the individuals’ data. However, if the breach is severe, the website must also inform the affected individuals right away.

4. Data Protection Officers: If you process a large amount of data considered personal information, you must appoint a Data Protection Officer (DPO). This, however, does not apply to small businesses.

A DPO is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.


(Image: GDPR - When do you need DPO. Image Courtesy – iScoop)

The key term to keep in mind is EXPLICIT CONSENT. In other words, never use your users’ data for purposes other than those for which it was collected.

Using user information for purposes other than those for which it was collected was already looked down upon and considered unethical, but now the law has become more stringent and is laid down in black and white.

Now, coming to your WordPress blog, let’s see how you can comply with the GDPR’s requirements.


Also Read: How to Create a Double Opt-In Contact Forms in GetResponse?


Is WordPress GDPR Compliant?

That’s an important question.

We need to make sure that the WordPress platform itself abides by the law. Well, the answer is yes. Though we’re now well past WordPress 5.0, WordPress added features adhering to this law back in version 4.9.6.

Additionally, there are several plugins that offer an easier route to compliance. However, merely installing plugins should not be considered the solution to all problems. Since the web keeps on changing, you need to stay on your toes to meet the needs of a dynamic environment.


How does a Normal WordPress Blog Collect Information?

To figure out whether you fall under the radar of GDPR, you need to see how your blog collects user information (from the EU region). Generally, a normal blog fetches its visitors’ information through the following sources:

1. Google Analytics

There is hardly any WordPress blog that does not use Google Analytics to track its website’s traffic, and to be honest, the question of whether Google Analytics falls under the purview of GDPR has confused a lot of website owners.

After all, it’s Google and not you who is collecting the information. Right?

Well, the verdict is that if you’re transferring the Personally Identifiable Information (PII) of your users to Google, then you’re the handler of that information and therefore need to take steps to safeguard it.

If you want to know further about it, here’s a detailed article about Google Analytics and the GDPR law. I hope you’ll find it useful.

2. Cookies Information

A cookie is a small file, sent by the website you visit, that is stored on your device. I won’t dive into the technical details of how cookies help websites load faster and so on, because that would sway us from our original discussion. So I will keep the conversation restricted to the GDPR only.

Since cookies can be used to identify and track a person, they are considered private information and therefore require a clear and unambiguous disclosure, not only that your website collects cookie information but also how you intend to use it.

What this means is that the simple one-liner notifications of the past, like this one, are no longer valid:

(Image: GDPR Cookies Consent 2)

In order to comply with GDPR, you now have to seek your visitors’ consent through a notification that looks more like this:

(Image: GDPR Cookies Consent 1)

3. Comments

This one is quite obvious. If you have enabled comments on your blog, then you’re also collecting some basic information such as name, email address etc. If that’s the case, then following the examples above, you now have to seek clear and explicit consent to store the commenters’ information and to reuse it (auto-filled fields) the next time they comment.

4. Email Opt-in and Other Contact Forms

If you’re collecting email addresses (or any other information) through opt-in forms and/or contact forms on your website, especially from visitors in the EU, then the GDPR law applies to you.

A safeguard you can take is to add an additional checkbox confirming the visitor’s consent before he submits his information (again, make sure it’s unchecked by default). The same can be done for the other contact forms on your WordPress website.
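The unchecked, separate consent checkbox described under “Explicit and Unambiguous Consent” and in the Comments and contact-form sections above, applied to the WordPress comment form as a small plugin. This is added example code, not part of the original post or of WordPress core; the field name ecc_consent, the meta key and the text domain ecc are assumed names. It complements the core cookie opt-in checkbox, which covers only the commenter cookie, by recording consent to store the commenter’s name and email with the comment.

```php
<?php
/**
 * Plugin Name: Explicit Comment Consent (added example, not core WordPress)
 *
 * Adds a separate, unchecked consent checkbox to the comment form, rejects
 * comments submitted without it, and records when consent was given.
 * The field name "ecc_consent" and text domain "ecc" are assumed names.
 */

// 1. Render the checkbox as its own field, unchecked by default and separate
//    from any other terms. No "checked" attribute is ever emitted.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $fields['ecc_consent'] =
        '<p class="comment-form-ecc-consent">' .
        '<input id="ecc_consent" name="ecc_consent" type="checkbox" value="yes" /> ' .
        '<label for="ecc_consent">' .
        esc_html__( 'I consent to my name and email address being stored with this comment.', 'ecc' ) .
        '</label></p>';
    return $fields;
} );

// 2. Server-side check: a checkbox in the browser is not a control on its own,
//    so refuse the submission unless the box was actually ticked.
//    WordPress only renders these fields for logged-out visitors, so the
//    check is limited to them.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( is_user_logged_in() ) {
        return $commentdata;
    }
    $consent = isset( $_POST['ecc_consent'] )
        ? sanitize_text_field( wp_unslash( $_POST['ecc_consent'] ) )
        : '';
    if ( 'yes' !== $consent ) {
        wp_die(
            esc_html__( 'Please tick the consent box so we may store your name and email with your comment.', 'ecc' ),
            esc_html__( 'Consent required', 'ecc' ),
            array( 'response' => 400, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// 3. Keep evidence of the consent with the comment itself (UTC timestamp),
//    which is what an access or erasure request will later be checked against.
add_action( 'comment_post', function ( $comment_id ) {
    if ( ! is_user_logged_in() && isset( $_POST['ecc_consent'] ) ) {
        add_comment_meta( $comment_id, 'ecc_consent_given_at', current_time( 'mysql', true ), true );
    }
} );
```

Save the file under wp-content/plugins and activate it; the consent timestamp then appears in the comment meta alongside the commenter’s name and email, so it is exported or erased together with them.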

5. WordPress Membership Websites

If yours is a membership website, then every piece of information you collect about your members falls under the purview of the GDPR law.

So your notices should be clear, explicit and unambiguous, stating for what purpose you’re collecting the information. Moreover, members should be able to download their information and request its deletion.

Built-in WordPress Enhancements Addressing GDPR Requirements

WordPress has also added some enhancements to address the GDPR requirements. These basic enhancements are present by default in WordPress 4.9.6 and onward, so you don’t need to add any fancy plugins.

Some of these changes are:

1. Privacy Policy

Now you can create your privacy policy right from within WordPress. For beginners, a Privacy Policy is a statement of what information you collect on your website, how you collect it, and how you intend to use it.

Since WordPress now provides a default Privacy Policy template, you can create your privacy policy page with ease. Just follow the steps below:

How to Create a Privacy Policy in WordPress
  1. From the Pages tab on the left, click Add New
    (Image: WordPress Create New Page)
  2. Create a new page. You may give it any title you want; however, just to keep things simple, name it Privacy Policy.
  3. Enter the details of the Privacy Policy page and publish it (just like any other WordPress page). If you’re not sure what details to enter, here’s a quick and helpful guide: WordPress Privacy Policy Guide
  4. Now, from the Settings tab, click Privacy.
    (Image: WordPress Settings Privacy)
  5. In this window, you can tell WordPress about your Privacy Policy page. Select the page you created in the Change your Privacy Policy page field and then click Use This Page. WordPress will now use this page as your Privacy Policy statement.
    (Image: WordPress Privacy Policy Page)

2. Add or Remove User Data

Remember, I mentioned that users now have the right to request a download or deletion of their information?

Well, WordPress now lets you do so quite easily. From the Tools section in the left menu, you can send confirmation requests to your users from the Export Personal Data option and delete users’ data from the Erase Personal Data option.

(Image: WordPress Export Personal Data)

3. Comments Consent

Now, you don’t have to go to great lengths to add a checkbox seeking your visitors’ consent in the WordPress comments section. The latest versions have this feature built in. All you have to do is go to the Discussion window from the Settings tab on the left.

(Image: WordPress Comments Settings - Discussion)

Once in the Discussion window, find the option that says “Show comments cookies opt-in checkbox, allowing comment author cookies to be set.” and tick it.

(Image: WordPress Comments Discussion Settings - Comments Opt-in Checkbox)

WordPress Plugins to Address GDPR Law

If you start applying changes to your WordPress website to comply with GDPR, it’s going to take a good amount of man-hours just to make sure you haven’t left any stone unturned.

This becomes even more daunting if you’re not tech savvy and have no experience with HTML and other web design aspects.

If that’s the case, then you should be using plugins that take care of the requirements of the law and make sure you’re not legally exposed. At the same time, as mentioned above, plugins will not necessarily address every concern, so the responsibility of staying vigilant rests on your shoulders.

To help you out further, I’ve written another post that will help you find the right plugin for your WordPress website. Here’s the article:

6 Free WordPress Plugins to Make your Website GDPR Compliant

Final Thoughts

Lastly, what I’d suggest is that you should not freak out over this new GDPR law. It has not been enacted to put you out of business. Its whole purpose is to preserve the rights of EU citizens, which ultimately should be the objective of every government. So as long as you’re truthful, discreet and professional in handling your user information, while also taking measures to give users control over their information and using proper disclosures, you’ve got yourself covered.

Yes, it does put bloggers and website owners in a bit of unease, but I guess that’s the price one should willingly pay to make this world a better place.
