How to make your WordPress site GDPR compliant (detailed guidelines)


The rampant growth of web technologies over the last few decades has led to unprecedented data breaches and massive abuse of personal data. Anticipating the consequences of such misuse, the European Union came forward to strengthen its data protection policy by imposing the GDPR (General Data Protection Regulation). Any web platform that has activities or interactions with EU nationals will have to comply with this policy.

WordPress, being the single most used CMS (powering 43.2% of all websites), has a lot to do to address all GDPR issues. Making WordPress-based sites GDPR compliant is indeed a tough job. The GDPR Compliance Team is focusing on creating a comprehensive policy, plugin guidelines, privacy tools and documentation.

What is GDPR?

GDPR (General Data Protection Regulation) is a regulation on data protection and privacy for all people within the European Union. The GDPR applies to organisations both inside and outside the European Union when they offer goods or services to, or monitor the behaviour of, EU data subjects. The policy was approved and adopted by the European Parliament in April 2016 and comes into effect on May 25, 2018.

How is WordPress addressing GDPR issues?

WordPress wants all WordPress-based sites to be GDPR compliant as soon as possible. The dedicated WordPress GDPR Compliance Team is now working on the following tasks to make the process easier for both developers and site owners.

  1. Helping site owners by adding functionality for creating comprehensive core privacy policies for their WordPress-based websites.
  2. Giving detailed guidelines for WordPress plugins to be GDPR ready.
  3. Adding tools to facilitate GDPR compliance and encourage user privacy in general.
  4. Adding documentation to help site owners learn more about privacy, the main GDPR compliance requirements, and how they can use the new privacy tools.

How to make your WordPress site GDPR compliant?

Making a WordPress-based website GDPR compliant is not something that can be done by the WordPress project alone. The efforts of the WordPress GDPR Compliance Team are intended to make these processes easier for you, but the actions themselves have to be taken at the site owner's end. Let's see what you need to do to make your WordPress site GDPR compliant.

1. Give the right to access

GDPR's Right to Access demands complete transparency in data processing and storage: what data is being collected, where it is being processed and stored, and how you are collecting, processing and storing it. You will have to provide a copy of the respective user's data within 40 days, free of charge.

2. Give the right to be forgotten

Integrate a system that gives users the option to delete their personal data entirely and to stop any further collection of it. This means users can withdraw their consent at any time.

3. Data portability

It is their data and they should have the right to do anything they want with it. Give users the right to download the personal data they have previously consented to provide, and allow them to transmit that data to any other controller of their choice.

4. Breach notification

If your website suffers a data breach, you need to notify your users immediately. A breach can expose user data and put their security at risk. Under the GDPR, the breach notification must be sent to the users within 72 hours of becoming aware of the breach.

5. Detailed data policy

A WordPress site owner needs to publish a detailed policy on how they use user data, at which point it is collected, and how it is processed and stored in the site owner's system. Site owners can create a GDPR compliant privacy policy in three steps:

  1. By adding a dedicated privacy policy page.
  2. By adding privacy information from all installed plugins.
  3. By reviewing and publishing the policy.

Any changes to the policy will have to be notified when a plugin is installed, activated or updated. Plugin developers will provide an addendum that site owners can add to their website's terms in order to make them GDPR compliant.

Update: WordPress has released an update (WordPress 4.9.6) to help you prepare for GDPR. The update lets you create or select your site's privacy policy page under Settings > Privacy to keep your users informed and aware. Personal Data Export and Erasure tools have been added to help you handle data export and erasure requests.
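As an added example (not code from this article or from WordPress core), here is how a plugin hooks into those 4.9.6 tools so that its own data is covered by the export and erasure requests from steps 1 to 3 and by the privacy policy guide from step 5. The plugin name "Example Newsletter" and the `newsletter_signups` table are assumptions for the sake of illustration; the hooks themselves are WordPress's own.

```php
<?php
// Added example, not the article's or WordPress's own code: a minimal plugin that
// registers with the WordPress 4.9.6 privacy tools. Assumed: a custom table
// {$wpdb->prefix}newsletter_signups (columns email, signed_up_at) holding signups.
// 5. Detailed data policy: suggest text for the page chosen under Settings > Privacy.
add_action( 'admin_init', function () {
    $text = '<p>' . __( 'The newsletter form stores your e-mail address and signup time until you ask for erasure.', 'example-newsletter' ) . '</p>';
    wp_add_privacy_policy_content( 'Example Newsletter', wp_kses_post( $text ) );
} );
// 1. and 3. Right to access / data portability: exporter used by Tools > Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => 'Example Newsletter',
        'callback'               => 'example_newsletter_exporter',
    );
    return $exporters;
} );
function example_newsletter_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_signups'; // assumed table name
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT email, signed_up_at FROM {$table} WHERE email = %s", $email_address ) );
    $data  = array();
    foreach ( $rows as $i => $row ) {
        $data[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => 'Newsletter signups',
            'item_id'     => 'newsletter-' . $i,
            'data'        => array(
                array( 'name' => 'E-mail',       'value' => $row->email ),
                array( 'name' => 'Signed up at', 'value' => $row->signed_up_at ),
            ),
        );
    }
    return array( 'data' => $data, 'done' => true ); // everything fits in one page
}
// 2. Right to be forgotten: eraser used by Tools > Erase Personal Data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => 'Example Newsletter',
        'callback'             => 'example_newsletter_eraser',
    );
    return $erasers;
} );
function example_newsletter_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'newsletter_signups', array( 'email' => $email_address ), array( '%s' ) );
    // If some records must legally be kept, set 'items_retained' => true and explain why in 'messages'.
    return array( 'items_removed' => (bool) $deleted, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```

Once a site owner confirms a request on the Tools screens, WordPress calls every registered exporter or eraser for the requester's e-mail address, so data held outside the core user tables is only covered if the plugin that stores it registers like this.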

Making your website GDPR compliant is indeed crucial. In case of a data breach, a platform that has not been made GDPR compliant can be fined up to 4% of annual turnover or 20 million euros. This is something you cannot afford to ignore. With that in mind, you can start working on making your WordPress site GDPR compliant today. Cheers.