If you’ve been getting a lot of “Updates to our Privacy Policy and Terms of Use” notices in your email box lately, you should know that these companies are informing you not because they feel like it, but because they have to.
And it all has to do with the EU.
On May 25th, the GDPR (General Data Protection Regulation) enacted by the European Union in January of 2016 will come into effect.
The GDPR is a tough new regulation aimed at helping users control their data collected by online companies and to force companies to tighten up their protection of user data.
And, the Europeans are not fooling around when it comes to punishments.
Penalties for non compliance can be € 20 million OR up to 4% of the company’s worldwide annual profits of the preceding year, whichever is higher.
The GDPR was not developed as a reaction to the data breaches of Equifax, nor the abuses of Cambridge Analytica, but rather a response to an overall trend toward abuse of personal data on the Internet around the world. The Europeans are just being super cautious. Or something.
If you are wondering if GDPR applies to your WordPress website, ask yourself:
- Am I selling online products or services within any European Union countries?
- Is my site engaging with EU citizens living anywhere in the world?
If you answered yes to either question, then you need to comply with GDPR.
Or, prepare to face the firing squad.
Are you GDPR compliant?
To figure out if your WordPress website is GDPR compliant, consider the many ways WordPress sites collect user data:
- user registrations
- comments
- contact form entries
- analytics and traffic log solutions
- logging tools and plugins
- security tools and plugins
Relative to all those engagements, your WordPress site needs to:
- give users a notification of any security breaches within 72 hours
- give users the Right to Access their data, the Right to Be Forgotten by having their data erased, and Data Portability by downloading their own data
- have all its plugins and third party tools compliant to the GDPR
Getting compliant
Here are a few practical ways to bring your site into compliance with GDPR:
- Use a security plugin to audit your site to reveal places where and data is being collected and processed. This includes plugins and third-party services. Here’s what Mailchimp is doing.
- Once you’re determined where user data is coming from, put mechanisms in place which allow them to modify or delete their data.
- Write a Privacy Policy informing users of their rights under GDPR similar to any number of policies being floated. Post the policy around the site, anywhere data might be collected.
- If you’re using a checkbox to opt-in users by default, kill it. That’s a violation waiting to be caught.
- Kill any unnecessary contact forms and replace them with simply email addresses (obfuscated to prevent being scraped).
- If you have an email list collected with little oversight, send a notice to your list requesting users to reconfirm their listing, along with your privacy policy notice. Remember how four years ago, Canadians went through a similar process when the Canadian Anti-Spam Law came into effect? Do that.
For more ideas on how to comply with GDPR, check out this guide.
Compliance starts at home
As for this site, I will soon inform my subscribers of my privacy policy and their right to be forgotten or change their data. All of them have registered in a double opt-in form, so no need to reaffirm them.
In general, I don’t use many contact forms, but the ones I use will now have privacy notices attached.
But that’s just this site. The GDPR compliance process needs to be repeated for all the sites I control. There goes the weekend.
Le sigh.
Let’s commiserate! How are you complying with GDPR? How long have you known about it?
Does it imply on bloggers too, between I don’t know what to don’t think bloggers keep their audience data.
Yes, bloggers do need to comply as blogs use comments and comments contain data.