GDPR stands for General Data Protection Regulation. It is an extensive EU (European Union) regulation that represents the minimum requirements for anyone handling the data of EU citizens. The regulation has 99 articles, split into 11 chapters. While this might sound intimidating, breaking it down can help us understand its key points and how it affects WordPress websites.
Following the EU’s enactment of GDPR, several other countries and jurisdictions updated their laws taking inspiration from this regulation, including the UK, Japan, Brazil, Turkey, and others. California, in particular, has its own version called CCPA – California Consumer Privacy Act.
In this article, we will look at the core principles of GDPR, paying particular attention to how they relate to securing personal data.
Disclaimer: This article does not constitute legal advice. You should take privacy laws seriously. The penalties for breaching GDPR rules can be very harsh, going up to 20 million euros or 4% of total revenue – whichever is higher. If in doubt, seek professional advice.
An introduction to WordPress GDPR
WordPress GDPR works the same way as any other website GDPR. As GDPR is very comprehensive, how you implement it will largely depend on the type of WordPress website you run. While certain aspects of the regulation are universal, other aspects will depend on your implementation and business. For example, the requirements of an eCommerce website will vary significantly from those of a WordPress site running a blog.
The four actors of GDPR
Before we start looking at the core principles of GDPR, it is worth taking a few minutes to understand who the actors are. Think of actors as roles that GDPR identifies as critical to its implementation. There are four actors that we need to know about. Understanding these roles will help us better understand who is responsible for what and make understanding the regulation much more accessible.
1. The data subject
In the case of WordPress websites, data subjects are our website visitors who originate from the European Union. The term data subject directly refers to the person to whom the data we are collecting belongs.
2. The data controller
As the website owner that is collecting data, this is you. Data controllers have several responsibilities. We will go through these when looking at the seven principles of GDPR.
As the data controller, you need to be able to demonstrate that you are GDPR compliant. Failure to do so classes you as non-compliant for all intents and purposes. To this end, it is beneficial to understand what data controllers are held accountable for in the eyes of the law.
3. The data processor
Data processors are those people or companies which process data on behalf of the data controller (you).
Side note: At this stage, it is essential to understand what GDPR views as data processing since the entity that processes data has certain obligations. To this end, GDPR views any action taken on data as data processing, from simple collection and storage to usage, organization, and any other form of processing.
4. The data protection officer (DPO)
The data protection officer, known as DPO for short, is a person that assumes responsibility for GDPR compliance on collected personal data. While not all data controllers and data processors require a DPO, you can always appoint one within your organization to ensure compliance with GDPR.
The seven principles of GDPR
As mentioned earlier, GDPR has seven principles governing personal data processing. These principles are based on data protection and accountability, thus ensuring compliance with the legislation. Together, these principles act as a framework that can help you comply with GDPR.
Principle 1: Lawful, fair, and transparent processing
You must process data per the provisions laid down by the law and fairly and transparently to the data subject. This means that you must be clear and upfront about what data you’re collecting, why you need it, and how you will use it. It is equally important to ensure that all information is provided in plain English.
Principle 2: Legitimate processing
You must process data in line with the data subject’s consent. As previously discussed, you must obtain consent from the user/visitor before collecting and processing their data.
Principle 3: Minimal data collection
Only data that is directly required for processing and for which the user has given their consent should be collected. This is good practice even outside of GDPR since it follows the principle of reducing moving parts.
Principle 4: Accuracy of data
You must keep collected personal data up to date. Any data subject can request to have their data erased or updated – and you’ll need to complete this request within 30 days. In such cases, you must take “every reasonable step” to comply with the data subject’s wishes.
Principle 5: Storage of data
You should keep data only for as long as it is needed. As this can be very subjective (when does a customer stop being a customer?), professional legal advice is highly encouraged to ensure you do not fall foul of this principle.
Principle 6: Data security, confidentiality, and integrity
This principle is the most technical out of all seven. It puts the onus on the data controller to ensure that protections against unauthorized access, theft, loss, destruction, or damage are put in place to ensure the integrity and confidentiality of personal data.
Principle 7: Accountability
Accountability is critical to ensuring that you always meet GDPR’s requirements. This means having the necessary GDPR-compliant process documentation, procedures, notices, records, and assessments in place. GDPR stipulates that the data controller must be able to prove that they are complying with GDPR.
What is personal data?
GDPR is not there to guard all types of data. Its main aim is to safeguard personal data. To this end, personal data includes any data that can directly or indirectly identify an individual. As the definition of personal data is quite open, erring on the side of caution is the recommended strategy.
Personal data collection on WordPress
Depending on how you have configured your WordPress website, you may be collecting various types of personal data from your users and web visitors. As the data controller, you are responsible for identifying what personal data is being collected and ensuring that all related processes are GDPR compliant.
This may be easy enough when you are both the data controller and data processor. An example of this is WooCommerce GDPR compliance with no external services used. However, things can get a bit murkier when using 3rd party services such as analytics and advertising.
While GDPR does not prohibit the collection of any personal data, it sets specific regulations about how data can be collected, processed, and stored. While a full understanding of the regulations is recommended, the EU offers seven guiding principles to help you shape your data strategy to comply with GDPR requirements.
GDPR and Data Security
Data security is an important aspect of GDPR, encouraging technical and organizational measures to ensure data protection and security. To comply with GDPR, data protection must be “by design and by default.” This means you should incorporate data protection considerations into everything you do rather than an afterthought.
GDPR.EU gives two examples of technical measures you can take to protect your users’ data. The first one is two-factor authentication, which, fortunately for WordPress administrators, is easy to implement thanks to WP 2FA. This WordPress 2FA plugin supports multiple authentication channels. It comes bundled with many useful features to help you ensure your 2FA rollout is a continued success.
The second example refers to end-to-end encryption. It’s important to note that GDPR does not mandate encryption outright. Instead, it emphasizes appropriate measures to secure personal data – with encryption being an example of such a measure. These measures, whichever they may be, should cover two data states – data in transit and data at rest.
Understanding data in transit and data at rest
Data in transit is data that is being sent over a network. On the other hand, data at rest refers to data that is sitting stationary, such as data in a database. Using an SSL/TLS certificate on your WordPress site will help you ensure that data in transit is encrypted. Encryption of email and other communication channels is equally important.
Personal data at rest is slightly more complicated. Firstly, you need to identify what kind of personal data you’re storing in your WordPress database. We covered this in an earlier section. While WordPress does not collect personal data by default, custom forms and 3rd party plugins may collect such data.
WordPress does not offer data encryption at the moment. Therefore, you must undertake other measures to ensure that data is as secure as possible. A strong WordPress password policy is one of the steps you can take to ensure access is as secure as possible. Of course, this should accompany an access policy that complies with the principle of least privilege.
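Since WordPress core stores user and form data in plaintext, a plugin that collects a sensitive field can encrypt just that field before it reaches the database. The snippet below is an added example written for this article, not code from WordPress or from any plugin the article names. It uses PHP's bundled libsodium extension (`sodium_crypto_secretbox`) and reads the key from an assumed `WPGDPR_FIELD_KEY` constant in wp-config.php, so the key never sits in the same database as the ciphertext; the `wpgdpr_phone_enc` meta key and the `wpgdpr_*` function names are also this example's own.

```php
<?php
// Added example: field-level encryption at rest for one sensitive user-meta value.
// Assumed constant, defined in wp-config.php (not by WordPress itself):
//   define( 'WPGDPR_FIELD_KEY', 'base64:...' ); // 32 random bytes, base64-encoded
// Generate it once with: php -r 'echo base64_encode(random_bytes(32));'

/** Load the 32-byte secretbox key from the wp-config constant. */
function wpgdpr_field_key(): string {
    if ( ! defined( 'WPGDPR_FIELD_KEY' ) ) {
        throw new RuntimeException( 'WPGDPR_FIELD_KEY is not defined in wp-config.php' );
    }
    $key = base64_decode( substr( WPGDPR_FIELD_KEY, strlen( 'base64:' ) ), true );
    if ( false === $key || SODIUM_CRYPTO_SECRETBOX_KEYBYTES !== strlen( $key ) ) {
        throw new RuntimeException( 'WPGDPR_FIELD_KEY must be 32 random bytes, base64-encoded' );
    }
    return $key;
}

/** Encrypt a field value as nonce || ciphertext+tag, base64-encoded for storage. */
function wpgdpr_encrypt_field( string $plaintext, string $key ): string {
    $nonce  = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ); // fresh nonce on every write
    $cipher = sodium_crypto_secretbox( $plaintext, $nonce, $key ); // authenticated encryption
    return base64_encode( $nonce . $cipher );
}

/** Decrypt a stored value; returns null if the blob was altered or the key is wrong. */
function wpgdpr_decrypt_field( string $stored, string $key ): ?string {
    $raw = base64_decode( $stored, true );
    if ( false === $raw || strlen( $raw ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
        return null; // malformed record
    }
    $nonce  = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $cipher = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain  = sodium_crypto_secretbox_open( $cipher, $nonce, $key ); // false on authentication failure
    return false === $plain ? null : $plain;
}

// Thin WordPress glue (needs a loaded WordPress): store and read a phone number
// as encrypted user meta under the assumed key 'wpgdpr_phone_enc'.
function wpgdpr_save_phone( int $user_id, string $phone ): void {
    update_user_meta( $user_id, 'wpgdpr_phone_enc', wpgdpr_encrypt_field( $phone, wpgdpr_field_key() ) );
}

function wpgdpr_read_phone( int $user_id ): ?string {
    $stored = get_user_meta( $user_id, 'wpgdpr_phone_enc', true );
    return '' === $stored ? null : wpgdpr_decrypt_field( (string) $stored, wpgdpr_field_key() );
}
```

Decrypt only where the value is actually displayed or used, and behind a capability check, so that the access policy mentioned above (least privilege) applies to the plaintext and not just to the database row. A leaked database backup then yields only ciphertext, while the key stays in the file system with the rest of wp-config.php.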
Data collection and consent
You should minimize data collection to the absolute minimum necessary for the purpose it is collected for, and, where possible, you should anonymize it. Even so, it is essential to always obtain consent from the data subject – explaining why you’re collecting the data and how you will use it.
Consent is a significant part of GDPR. Consent must be unambiguous, which means you cannot hide it in the fine print. You must ensure that you write all policies in clear and plain language. Furthermore, you must obtain consent separately – in that you cannot include it with other declarations.
Data subjects also have a right to withdraw consent at any time. Withdrawing consent must be made as easy as giving consent. Furthermore, data subjects retain the right of erasure, where they can request that all personal data related to them be erased.
The typical WordPress website collects and processes data in various ways. While it’s virtually impossible to cover all of the ways data is collected and processed on all websites, we can look at some typical examples to understand how GDPR affects these.
Analytics tools, such as Google Analytics and Hotjar, to name a few, process customer data on your behalf. In the eyes of GDPR, this makes them a 3rd party data processor. Even so, you are still responsible for what happens to that data, which means you must take some precautions to ensure compliance.
One thing that is very important to have is what is known as the Data Processing Agreement. This written agreement, which both parties must sign, explicitly details the responsibilities of each party. This document is legally binding, and signing it can save you a lot of trouble.
This is especially important if you have integrations with 3rd parties, whether it’s through an analytics plugin or directly. Either way, it’s essential to understand what data is being collected, whether it’s geolocation information,
Furthermore, the user must be able to choose what they give consent to and equally be able to withdraw their consent at any time. Consents must be renewed every year and must be stored as legal documentation.
GDPR Cookies consent
Cookies have been subject to their own EU regulation since 2002 – when the ePrivacy Directive, also known as the cookie law, came into effect. The EU further amended this law in 2009. It acts as a supplement to the European Union’s GDPR and, in some cases, overrides it.
The ePrivacy Directive, EPD for short, is on its way out and set to be replaced by the EPR – ePrivacy Regulation.
The difference between a directive and a regulation is a technical one. Directives must be incorporated into law by each country’s government within the EU, while Regulations are EU-wide laws.
Either way, to comply, you must:
- Ask users for their explicit consent before using any cookies
- Provide users with plain-language information about each piece of data being tracked when they opt-in
- Allow users full-service access even if they decline certain cookies
- Document user consent
- Allow users to withdraw consent
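The five requirements above translate into one server-side rule: a non-essential cookie is only ever set once the visitor has opted in to its category, and declining must not cost them any functionality. The code below is an added example written for this article, not part of WordPress or of any cookie plugin; the `wpgdpr_consent` cookie, the category names and the `wpgdpr_*` function names are this example's own conventions.

```php
<?php
// Added example: gate non-essential cookies behind recorded consent.
// Assumed conventions: the consent cookie name, the category list and all
// wpgdpr_* function names are this example's own, not a WordPress API.

const WPGDPR_CONSENT_COOKIE = 'wpgdpr_consent';
// Categories a visitor can opt into. 'essential' (strictly necessary cookies)
// is not in this list because it is never gated.
const WPGDPR_CATEGORIES = array( 'analytics', 'marketing' );

/** Parse the stored consent cookie into [category => true]; malformed input yields no consent. */
function wpgdpr_parse_consent( ?string $raw ): array {
    if ( null === $raw || '' === $raw ) {
        return array();
    }
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        return array();
    }
    $granted = array();
    foreach ( WPGDPR_CATEGORIES as $category ) {
        if ( ! empty( $decoded[ $category ] ) ) { // explicit opt-in only; absent means declined
            $granted[ $category ] = true;
        }
    }
    return $granted;
}

/** Is a cookie of this category allowed under the current consent state? */
function wpgdpr_cookie_allowed( string $category, array $granted ): bool {
    if ( 'essential' === $category ) {
        return true; // strictly necessary: always allowed, never blocks access
    }
    return isset( $granted[ $category ] );
}

/** Set a cookie only if its category is permitted; returns whether it was set. */
function wpgdpr_setcookie( string $category, string $name, string $value, int $ttl ): bool {
    $granted = wpgdpr_parse_consent( $_COOKIE[ WPGDPR_CONSENT_COOKIE ] ?? null );
    if ( ! wpgdpr_cookie_allowed( $category, $granted ) ) {
        return false; // declined: the page still renders, just without this cookie
    }
    return setcookie( $name, $value, array(
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ) );
}

/** Store the visitor's per-category choice; this cookie is itself strictly necessary. */
function wpgdpr_store_consent( array $choices ): void {
    $granted = array();
    foreach ( WPGDPR_CATEGORIES as $category ) {
        $granted[ $category ] = ! empty( $choices[ $category ] );
    }
    setcookie( WPGDPR_CONSENT_COOKIE, json_encode( $granted ), array(
        'expires'  => time() + 365 * 86400, // choice expires after a year, so the banner re-asks
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ) );
}

/** Withdrawal must be as easy as consent: clear the choice and expire every gated cookie. */
function wpgdpr_withdraw_cookie_consent( array $gated_cookie_names ): void {
    setcookie( WPGDPR_CONSENT_COOKIE, '', array( 'expires' => time() - 3600, 'path' => '/' ) );
    foreach ( $gated_cookie_names as $name ) {
        setcookie( $name, '', array( 'expires' => time() - 3600, 'path' => '/' ) );
    }
}
```

Call `wpgdpr_setcookie( 'analytics', ... )` wherever an analytics integration would otherwise call `setcookie()` directly; with no consent cookie present the call is a no-op and the visitor still gets the full site. The cookie only records the visitor's choice in their browser; documenting consent on your side still requires a server-side record tied to the user or session.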
Is WordPress GDPR compliant?
WordPress introduced several features in version 4.9.6 that make complying with GDPR much easier. While these features do not necessarily make you GDPR compliant (more on this later), they will help you ensure you have the basics covered.
Personal data export
You can easily export all of a user’s data should they file a data request. To export a user’s personal data, simply navigate to Tools > Export Personal Data and enter the user’s username or email address in the provided text box.
You can also send a confirmation email by checking the Confirmation Email checkbox.
Personal data erasure
To comply with the right to be forgotten, WordPress also offers a personal data erasure feature. You can access this feature by navigating to Tools > Erase Personal Data. Like the personal data export feature, there is also an option to send a confirmation email.
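The export and erasure tools only know about data that WordPress core stores. A plugin that keeps its own personal data, such as the consent records the earlier section says you must document (one per data process, withdrawable, renewed every year), has to register itself with those tools. The code below is an added example written for this article, not code from WordPress core or from any plugin the article names. The two filters, `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers`, and the callback return shapes are real WordPress hooks; the `wpgdpr_consents` meta key, the purpose names, `WPGDPR_CONSENT_TTL` and the `wpgdpr_*` function names are assumptions of this example.

```php
<?php
// Added example: per-user consent records wired into Tools > Export Personal
// Data and Tools > Erase Personal Data. Assumed: meta key, constant and all
// wpgdpr_* names; the wp_privacy_* filters are WordPress core hooks.

const WPGDPR_CONSENT_META = 'wpgdpr_consents';
const WPGDPR_CONSENT_TTL  = 365 * 86400; // consent must be renewed yearly (see above)

/** Read the records array; get_user_meta() returns '' when nothing is stored yet. */
function wpgdpr_get_records( int $user_id ): array {
    $meta = get_user_meta( $user_id, WPGDPR_CONSENT_META, true );
    return is_array( $meta ) ? $meta : array();
}

/** Append a consent record: which data process, which policy version, and when. */
function wpgdpr_record_consent( int $user_id, string $purpose, string $policy_version ): void {
    $records   = wpgdpr_get_records( $user_id );
    $records[] = array(
        'purpose'        => $purpose,
        'policy_version' => $policy_version,
        'granted_at'     => time(),
        'withdrawn_at'   => null,
    );
    update_user_meta( $user_id, WPGDPR_CONSENT_META, $records );
}

/** Withdrawal closes the open record but keeps the history, which is evidence too. */
function wpgdpr_withdraw_consent( int $user_id, string $purpose ): void {
    $records = wpgdpr_get_records( $user_id );
    foreach ( $records as &$record ) {
        if ( $record['purpose'] === $purpose && null === $record['withdrawn_at'] ) {
            $record['withdrawn_at'] = time();
        }
    }
    unset( $record );
    update_user_meta( $user_id, WPGDPR_CONSENT_META, $records );
}

/** Pure check: is there an open consent for this purpose that is less than a year old? */
function wpgdpr_consent_valid( array $records, string $purpose, int $now ): bool {
    foreach ( $records as $record ) {
        if ( $record['purpose'] !== $purpose || null !== $record['withdrawn_at'] ) {
            continue;
        }
        if ( $now - (int) $record['granted_at'] <= WPGDPR_CONSENT_TTL ) {
            return true;
        }
    }
    return false; // never given, withdrawn, or expired: ask again before processing
}

/** Exporter callback: WordPress passes the requester's e-mail address and a page number. */
function wpgdpr_export_consents( string $email_address, int $page = 1 ): array {
    $user  = get_user_by( 'email', $email_address );
    $items = array();
    if ( $user ) {
        foreach ( wpgdpr_get_records( $user->ID ) as $i => $record ) {
            $withdrawn = $record['withdrawn_at'] ? gmdate( 'c', (int) $record['withdrawn_at'] ) : '';
            $items[]   = array(
                'group_id'    => 'wpgdpr-consents',
                'group_label' => 'Consent records',
                'item_id'     => 'wpgdpr-consent-' . $i,
                'data'        => array(
                    array( 'name' => 'Purpose', 'value' => $record['purpose'] ),
                    array( 'name' => 'Policy version', 'value' => $record['policy_version'] ),
                    array( 'name' => 'Granted at', 'value' => gmdate( 'c', (int) $record['granted_at'] ) ),
                    array( 'name' => 'Withdrawn at', 'value' => $withdrawn ),
                ),
            );
        }
    }
    return array( 'data' => $items, 'done' => true ); // everything fits on one page
}

/** Eraser callback: remove the records and report what was removed or retained. */
function wpgdpr_erase_consents( string $email_address, int $page = 1 ): array {
    $user    = get_user_by( 'email', $email_address );
    $removed = $user && delete_user_meta( $user->ID, WPGDPR_CONSENT_META );
    return array(
        'items_removed'  => (bool) $removed,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( array $exporters ): array {
    $exporters['wpgdpr-consents'] = array( 'exporter_friendly_name' => 'Consent records', 'callback' => 'wpgdpr_export_consents' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( array $erasers ): array {
    $erasers['wpgdpr-consents'] = array( 'eraser_friendly_name' => 'Consent records', 'callback' => 'wpgdpr_erase_consents' );
    return $erasers;
} );
```

Once registered, the plugin's records show up in the export ZIP and are removed by the erasure request alongside the core data, and `wpgdpr_consent_valid()` is what each data process should check before it runs. If legal advice tells you that proof of consent must be retained after erasure, the eraser can instead anonymize the records and return `items_retained => true` with an explanatory entry in `messages`, which WordPress shows to the administrator handling the request.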
You can access this feature by navigating to Settings > Privacy and following the provided instructions.
To help with GDPR cookie compliance, WordPress comes with a built-in cookie consent checkbox, which is enabled by default. Keep in mind that this is only valid for commenting users – you need to take care of the rest should you configure anything else that drops a cookie.
You can enable this setting by navigating to Settings > Discussion.
Complying with GDPR
Complying with GDPR is not a one-time process you can complete once and throw to the bottom of the pile. While the initial compliance exercise will be the most laborious of all, investing some extra time here will yield dividends well into the future.
Not only will it keep your website in compliance, but it will also ensure that maintenance and updates take the least amount of time possible. To this end, you’ll need to:
Take stock – The first step you need to take is to assess what personal data you’re collecting and where it is being stored. Email marketing lists, user profiles, and user data stored in cookies are some things you need to consider. Ensure you note identifiable information, including pseudonyms, IP addresses, etc. The actual list will depend on which data you collect and how you process it.
Install a consent plugin and ensure there is a consent checkbox for every data process. While we will talk more about such plugins in a short while,
Cookie consent banner – Add a cookie notice banner that informs the user or visitor what data you’re collecting and why while providing the option to opt-in or opt-out.
Getting started with GDPR technical compliance
Complying with GDPR requires both technical as well as operational efforts. While your obligations will depend on your specific setup and circumstances, the basics tend to be the same. These include:
A strong WordPress password policy is another crucial aspect of GDPR compliance since it ensures better overall account security. You can easily implement this with WPassword, which includes many WordPress password security options to keep your WordPress secure. Equally, enabling 2FA on WordPress can get you closer to being compliant with GDPR, with many studies showing how effective 2FA can be in stopping most attacks.
One thing to keep in mind is that WordPress security is an iterative process – it’s not something that you set up once and forget, but it needs constant monitoring and tweaking to ensure that it remains strong as technology evolves.
WordPress plugins to help you achieve GDPR compliance
GDPR optimization does not need to be cumbersome. Thanks to WordPress plugins, you can easily ensure you meet all your obligations. Do keep in mind that no single plugin can ensure complete compliance. Since requirements may vary from one website to another, it is up to you to ensure you meet all legal requirements. If in doubt, consult with an attorney/lawyer.
CookieYes focuses on helping site owners achieve cookie compliance in line with GDPR requirements. Furthermore, it also supports compliance with CCPA, CNIL, and LGPD.
Complianz labels itself as the privacy suite for WordPress, offering a comprehensive set of tools that includes cookie notices, legal pages, records of consent, and many other features. MonsterInsights is a GDPR-ready plugin that allows you to get Google Analytics compliant with GDPR. It offers many other non-GDPR-related features, including analytics and tracking.
WPassword allows you to implement password policies for your users, ensuring strong passwords are used. Having strong WordPress passwords minimizes your risk of breaches, ensuring user data is always kept safe.
WP Activity Log keeps an activity log of user and system activity on your WordPress websites, recording who did what and when. It also includes a user session module to help you better manage user sessions.
WP 2FA allows you to easily implement 2FA on your WordPress website – a requirement of GDPR and other standards and regulations, including PCI DSS. It offers multiple authentication channels to help you get all users on board.
How to choose GDPR plugins
Features – Plugins come in different shapes and sizes with different feature sets and at different price points. While free plugins are always nice, premium plugins tend to have more business features, which your website might find critical to its success.
Integration – You’ll need to make sure that any plugin you choose can function with your WordPress theme and any 3rd party plugins you might be running, such as contact form plugins. The best WordPress plugins are always tested with major 3rd party plugins, ensuring a smoother implementation in most cases.
Pricing – Most plugins come in a premium version and a free version. In most cases, the free version will offer basic functionality, while the premium version will include addons that may or may not be important for your website and business. Free versions can be downloaded from the official WordPress repository at WordPress.org, and premium plugins are typically downloaded from the manufacturer’s website.
Support – Sometimes, things break and when they do, having good support is crucial to minimizing downtime. This can be in the form of email support, documentation, and GDPR FAQs to help you get quick answers to important questions. It can also help you ensure help is at hand should you require it at any point.
Frequently Asked Questions
What does WP GDPR mean?
WP GDPR is an acronym that stands for WordPress General Data Protection Regulation. It refers to GDPR compliance on WordPress websites, which requires a good understanding of both GDPR and the user data you collect from website visitors and users.
Is WordPress GDPR compliant?
WordPress offers GDPR-compliant features; however, this does not necessarily make every WordPress website GDPR compliant. Depending on how you set up your WordPress website, what you use it for, and the data you collect, you may need to take additional steps to achieve GDPR compliance.
How do I make WordPress GDPR compliant?
You need to do several things to make your WordPress GDPR compliant. Unfortunately, there is no one-size-fits-all formula that applies to everyone since WordPress websites can be drastically different from each other. Refer to our article to understand what your responsibilities are and what steps you need to take to achieve GDPR compliance.
*** This is a Security Bloggers Network syndicated blog from WP White Security authored by Joel Farrugia. Read the original post at: https://www.wpwhitesecurity.com/achieve-gdpr-compliance-wordpress/