I think all of us rapidly became aware of how little we know and how complex it is becoming!
As a brief summary, GDPR is legislation that aims to protect the privacy of all EU citizens. It is a system of principles, rights and obligations which everyone who has a website needs to be familiar with.
If you have a website at all, it is very likely that you need to make some changes to it to comply with the legislation.
If you fail to comply with GDPR, you could be fined up to 20 million euros or 4% of your yearly turnover, whichever is higher.
- Personal data must be processed lawfully, fairly and in a transparent manner in relation to the individual
- You must be honest and open about who you are and what you are going to do with the personal data you collect
- Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Personal data must be kept in a form which permits identification of individuals for no longer than is necessary for the purposes of the processing
- Personal data must be processed in a manner that ensures appropriate security of the data using appropriate technical or organisational measures
You may think that this doesn’t affect you or apply to your website. But if you ever ship or sell products to the EU or offer a digital service that’s used by EU-based customers, then it is likely that it will.
Examples of things to consider
Perhaps an even better alternative is clear pop-up notices whenever you are asking a user for personal information, explaining how this will be used and linking to further information. For example, if you collect an email address on a contact form, you might add an explicit message as to why you need this information and how you will use it, e.g. ‘to allow you to access your account and so that we may contact you with important information about any changes to your account’.
- The default for any ‘opt in’ box must be un-ticked. Individuals must actively give consent.
- If you have pages, say on a blog, where people can comment, you will need to get their explicit permission to retain (store) a connection between their comments and their identity in the form of their email address.
- If you are using analytics, there may be implications about what data you can legally collect and store.
- If you are running an e-commerce store, you will need to be clear about what information you may legally hold. This gets complicated in that most countries require that you retain a copy of all invoices for a certain length of time. So you may find you have to delete copies of orders, but retain copies of invoices for the prescribed time, with an effective process for deletion when that time expires.
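The order/invoice retention process described in the last item, as an added Python example that is not from the original post: the record shape, the 180-day order period and the 6-year invoice period are assumptions, and the invoice period is only a placeholder for whatever your jurisdiction prescribes.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention periods (placeholders, not legal advice).
ORDER_RETENTION = timedelta(days=180)        # how long the order itself is needed
INVOICE_RETENTION = timedelta(days=365 * 6)  # statutory invoice period for your country


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str            # "order" or "invoice"
    created: date
    customer_email: str  # the personal data the retention rule protects


def retention_deadline(record: Record) -> date:
    """Date on which this record's retention period expires."""
    if record.kind == "order":
        return record.created + ORDER_RETENTION
    if record.kind == "invoice":
        return record.created + INVOICE_RETENTION
    raise ValueError(f"unknown record kind: {record.kind}")


def select_for_deletion(records, today: date) -> list:
    """Ids of records whose retention period has expired as of `today`."""
    return [r.record_id for r in records if retention_deadline(r) <= today]


def sweep(records, today: date):
    """Split records into (kept, expired ids); the expired ids are what a scheduled job purges."""
    expired = set(select_for_deletion(records, today))
    kept = [r for r in records if r.record_id not in expired]
    return kept, sorted(expired)


# Constructed sample data: one fresh order, one old order and its invoice, one very old invoice.
SAMPLE = [
    Record("O-1", "order", date(2018, 5, 20), "a@example.com"),
    Record("O-2", "order", date(2017, 11, 1), "b@example.com"),
    Record("I-2", "invoice", date(2017, 11, 1), "b@example.com"),
    Record("I-0", "invoice", date(2011, 3, 15), "c@example.com"),
]

if __name__ == "__main__":
    kept, expired = sweep(SAMPLE, date(2018, 6, 1))
    print("purge:", expired)                       # the old order and the very old invoice
    print("keep:", [r.record_id for r in kept])    # the fresh order and the recent invoice
```

Running the sweep on a schedule, and logging what it purged, is the "effective process for deletion" the item asks for; the invoice outlives the order it belongs to.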
There is a great deal of good information available about GDPR and how to tackle compliance. Below are some links to resources we have found useful, including information about the work WordPress is doing to help users with compliance.
Site Owner’s Guide to GDPR – a really excellent resource manual is available, whether or not you download the plugin it supports. (Codelight)
GDPR: How to write a Privacy Notice – Best Practices – very helpful article with some practical examples. (Hashed Out)
Worried about WordPress and GDPR? Start Here – a good starting point (Pagely)
GDPR Compliance Tools in WordPress – what WordPress is doing to support users with GDPR compliance. If you want to see a bit more of the background to this, you may want to look at Roadmap: tools for GDPR compliance