GDPR and WordPress: Why You Need to be Concerned

The web is abuzz about GDPR and it’s something that website owners cannot ignore. While GDPR is focused on websites servicing the EU, in reality, virtually any website, anywhere in the world needs to be concerned about this ruling because so many of us cater to people worldwide.

The struggle with WordPress is not the implementation, but WordPress’ user base. While WordPress provides superior CMS support for users from solopreneurs to enterprise organizations, the vast majority of WordPress’ core user base is individuals and small businesses. I’m pretty sure I can speak for all of us “little guys” when I say GDPR feels overwhelming!

What is GDPR?

The General Data Protection Regulation, aka “GDPR”, is an EU regulation focusing on data protection and privacy for all individuals within the European Union. Not only that, it also addresses the export of personal data outside the EU.

This means GDPR isn’t just an EU issue. It applies everywhere.

The GDPR aims primarily to give control to residents over their personal data and to simplify the regulatory environment for international business.

It was adopted on April 14, 2016, and becomes enforceable on May 25, 2018. There was a two-year transition period.

The GDPR replaces the 1995 Data Protection Directive. Because GDPR is a regulation, it does not require national governments to pass any enabling legislation and is directly binding and applicable.

Who Does GDPR Govern?

Everyone who collects any type of personal data. This regulation has a far-reaching geographic scope.

Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

First, the law only applies if the data subjects, aka consumers, are in the EU when the data is collected. This makes sense. EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.

Second, a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects “personal data”, or “personally identifiable information”, as part of a marketing survey or blog subscription for example, then the data would have to be protected as noted in the GDPR.

When Does the Law Take Effect?

Very soon. The regulation goes into effect May 25, 2018.

The reality is that the regulation has yet to be tested in the courts, so it will be some time before the interpretations of its applicability outside the EU are settled.

What WordPress Websites are Affected by GDPR?

Speaking specifically about US companies, those in the hospitality, travel, software services, and e-commerce industries will certainly have to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized Web content should review its Web operations.

The regulation does not limit its scope by the physical location where the data is stored, only by whether the data concerns EU citizens. If your Amazon S3 data center is on the East Coast of the US, but the database contains personal information about EU citizens, GDPR applies to you.

Think about all the ways your WordPress website may store personal data:

A blog subscription may request a name or only an email address. Anyone can sign up, wherever they are from. If you pass that information directly to a mailing service, such as MailChimp, you, as the controller of the data transfer, are responsible for ensuring that your data processor, MailChimp in this case, is compliant.
An exit intent pop-up form asking for your email address in exchange for your latest ebook.
An e-commerce site selling elevator parts, or children’s books, or puzzles. Even if you don’t require customers to register to make a purchase, i.e., a guest purchase, you still require them to provide a name, a shipping address, and an email address for communication. You may pass the billing information through to your gateway, but as the controller of the process, you are responsible for ensuring that the processor, your payment gateway, is GDPR compliant.
Your Google Analytics tracking code is grabbing all sorts of information from your website visitors, specifically their IP address. This is personally identifiable information when combined with other data points. Google has recently updated its data retention policies, enabling you, as the data controller, to determine how long the data collected on your behalf will be held, and how to remove it from their storage.

How You Can Stay in Compliance

Mail service providers are updating their policies to make GDPR compliance a smooth process. Recently, MailChimp announced updates to its signup forms to help its users comply with rules about gathering consent. The new forms have checkboxes for opt-in consent and include editable sections where users can explain how and why the collected data will be used.

The company also included a step-by-step primer on how to use the forms to gather consent in compliance with GDPR.

WordPress is adding a variety of data extraction and erasure features to the core project. It is expected to be available as soon as v4.9.5 is released.

If your e-commerce store runs on WooCommerce, you are covered. Woo has a wealth of new features to help make your e-commerce site fully GDPR compliant in v3.4 of the core product, expected to be released on May 23rd.

What website doesn’t offer some type of form for visitors to fill out and submit? Gravity Forms offers a well laid out plan for using its flagship product in a GDPR-compliant way. Combining a small code snippet with 3rd party integration tools will help get all your data gathering forms where they need to be.

Next Steps for WordPress Website Owners

Start now. Take your time. Work through your processes.

At the heart of the GDPR is the protection of a person’s private information. They entrust you, as the merchant, to safeguard their most valuable commodity – personal information. The GDPR requires companies to know what they are doing with personal data: how they are processing it, where it is being used, how long they are going to use it; to permit people to see what data the company holds; and to erase it when people want it erased or, at the very least, when the company is done with it.

As a US-based company, review your data collection processes. Document the processes. Fully spell them out in your privacy policy. Make that privacy policy available to your website visitors. Set limits on the data being stored and get rid of everything that is not needed for your documented purposes. Establish internal processes to cleanse the data you hold on a regular basis.

It’s a big task. Too much for you to take on alone? Give us a call. Web Savvy Marketing can help you. We are not your legal team, but we are skilled technical and business-savvy professionals ready to work with you to put you in the best position to be fully GDPR compliant.