And it all has to do with the EU.
On May 25th, the GDPR (General Data Protection Regulation), adopted by the European Union in April 2016, will come into effect.
The GDPR is a tough new regulation aimed at giving users control over the data online companies collect about them and at forcing those companies to tighten their protection of that data.
And, the Europeans are not fooling around when it comes to punishments.
Penalties for non-compliance can reach € 20 million OR 4% of the company’s worldwide annual turnover (revenue, not profit) for the preceding financial year, whichever is higher.
The GDPR was not developed as a reaction to the data breaches of Equifax, nor the abuses of Cambridge Analytica, but rather a response to an overall trend toward abuse of personal data on the Internet around the world. The Europeans are just being super cautious. Or something.
If you are wondering whether GDPR applies to your WordPress website, ask yourself:
- Am I offering products or services, paid or free, to people in European Union countries?
- Is my site collecting data from, or monitoring the behaviour of, people located in the EU?
If you answered yes to either question, then you need to comply with GDPR. Note that the test is where the person is, not their passport: the regulation covers data subjects in the EU regardless of citizenship, and does not follow EU citizens who live elsewhere.
Or, prepare to face the firing squad.
Are you GDPR compliant?
To figure out if your WordPress website is GDPR compliant, consider the many ways WordPress sites collect user data:
- user registrations
- contact form entries
- analytics and traffic log solutions
- logging tools and plugins
- security tools and plugins
Relative to all those engagements, your WordPress site needs to:
- report any personal data breach to the supervisory authority within 72 hours of becoming aware of it, and notify the affected users without undue delay when the breach is likely to put them at high risk
- give users the Right of Access to their data, the Right to Erasure (the “right to be forgotten”), and Data Portability, meaning they can download their own data in a machine-readable format
- have all its plugins and third-party tools compliant with the GDPR
Here are a few practical ways to bring your site into compliance with GDPR:
- Use a security plugin to audit your site and reveal where data is being collected and processed. This includes plugins and third-party services. Here’s what Mailchimp is doing.
- Once you’ve determined where user data is coming from, put mechanisms in place that allow users to access, correct, export, or delete their data.
- If you’re using a pre-checked checkbox to opt users in by default, kill it. Consent under GDPR has to be an affirmative action by the user, so a pre-ticked box is a violation waiting to be caught.
- Kill any unnecessary contact forms and replace them with plain email addresses (obfuscated to prevent scraping).
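Here is one way to actually wire the “access, export, delete” mechanism into a WordPress site. This is an added example, not code from the original post or from any plugin it mentions. It assumes a site running WordPress 4.9.6 or later (the release that added the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters) and a hypothetical contact-form plugin that stores entries in a custom table `{$wpdb->prefix}contact_entries` with columns `id`, `name`, `email`, `message` and `submitted_at`. Once hooked in, the entries show up in the core Export Personal Data and Erase Personal Data tools alongside comments and profile data.

```php
<?php
/**
 * Added example (not from the original post or any named plugin).
 * Hooks a hypothetical contact-form table into the WordPress privacy
 * tools added in WP 4.9.6, so data-subject requests cover it too.
 * Assumption: table {$wpdb->prefix}contact_entries with columns
 * id, name, email, message, submitted_at.
 */

// Exporter callback: core calls this repeatedly with page = 1, 2, ...
// until we report 'done' => true, so paginate rather than load everything.
function example_contact_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( (int) $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'contact_entries';

    // The email comes from an admin-confirmed request; still use a prepared query.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, email, message, submitted_at FROM {$table}
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'contact-entries',
            'group_label' => __( 'Contact Form Entries', 'example' ),
            'item_id'     => 'contact-entry-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Name', 'example' ),      'value' => $row->name ),
                array( 'name' => __( 'Email', 'example' ),     'value' => $row->email ),
                array( 'name' => __( 'Message', 'example' ),   'value' => $row->message ),
                array( 'name' => __( 'Submitted', 'example' ), 'value' => $row->submitted_at ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // a short page means we reached the end
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-contact-entries'] = array(
        'exporter_friendly_name' => __( 'Contact Form Entries', 'example' ),
        'callback'               => 'example_contact_exporter',
    );
    return $exporters;
} );

// Eraser callback: delete the rows outright and report what happened.
// If some records must legally be retained, set items_retained => true
// and explain why in 'messages' so the admin can tell the user.
function example_contact_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'contact_entries';

    // $wpdb->query() returns the affected-row count, or false on error.
    $deleted = $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE email = %s",
        $email_address
    ) );

    return array(
        'items_removed'  => ( false !== $deleted && $deleted > 0 ),
        'items_retained' => false,
        'messages'       => ( false === $deleted )
            ? array( __( 'Could not delete contact form entries; check the database.', 'example' ) )
            : array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-contact-entries'] = array(
        'eraser_friendly_name' => __( 'Contact Form Entries', 'example' ),
        'callback'             => 'example_contact_eraser',
    );
    return $erasers;
} );
```

Drop this into a small must-use plugin (or the plugin that owns the table) and then run Tools → Export Personal Data with a test address: the “Contact Form Entries” group should appear in the generated archive, and Erase Personal Data should remove the matching rows. Every plugin that stores personal data needs an equivalent pair of callbacks, which is exactly why the audit step above matters: a table the exporter does not know about is a table the user can neither see nor have erased.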
For more ideas on how to comply with GDPR, check out this guide.
Compliance starts at home
In general, I don’t use many contact forms, but the ones I use will now have privacy notices attached.
But that’s just this site. The GDPR compliance process needs to be repeated for all the sites I control. There goes the weekend.
Let’s commiserate! How are you complying with GDPR? How long have you known about it?