The general data protection regulation (GDPR) comes into force May 25th, 2018. It covers both the European Union and Great Britain — which amounts to more than 500 million users. WordPress, meanwhile, owns more than 50 percent of the CMS market and powers almost 28 percent of global websites. The result? If you’re using WordPress, like we are at Pagely, GDPR matters. The challenge? Understanding how GDPR will impact WordPress deployments and what this state of affairs means for your organization.
Worried about WordPress? Unsure about GDPR? Let’s dive into the basics.
GDPR Basics and What We Know Right Now
GDPR replaces Data Protection Directive 95/46/EC, and according to EUGDPR.org is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
Improving privacy and empowering user control over personal data are primary goals of this legislation — accomplishing this aim requires significant changes which impact companies at large, no matter what type of platform they’re using. These include:
- Increased Scope — The new legislation clearly lays out specific types of protected data such as name, address, ID numbers, Web location, IP address, cookie data and RFID tags. Health, genetic, biometric, ethnic, political views and sexual orientation data are also covered.
- Global Expectation — Under GDPR, companies processing the personal data of any subject “residing in the Union” are subject to new privacy requirements, regardless of their geographical location. For example, companies in the United States processing data for U.K. or French customers must abide by GDPR regulations.
- Substantial Fines — Companies found in breach of GDPR can be fined 4 percent of annual global turnover or €20 million, whichever is greater. There is a sliding scale for minor offenses up to full-blown refusal to comply.
- Breach Notification — If a data breach occurs which will “result in a risk for the rights and freedoms of individuals,” notification must be made to regulating bodies within 72 hours and to customers “without undue delay”.
- Portability — Companies must have processes in place to provide individuals all personal data they have provided in a “commonly used and machine-readable format” upon request.
How GDPR Impacts WordPress
With so much of the Web leveraging WordPress, it’s worth having the conversation: What happens to WordPress sites and users when GDPR goes live? Companies using WordPress should address several specific areas and how each one is impacted by GDPR.
- Data collection: As noted by Code in WP, common ways that WordPress sites collect data include user registrations, comments, contact forms or analytics. Under the new laws, consent must be informed — it cannot be assumed. WP sites must be reviewed and amended to ensure all data collection follows consent policies. Best bet? Tell users who you are, why you’re collecting data, how long you’re going to store it, who will have access and for what purpose.
- Plugins: Site owners are ultimately responsible for the data collection and storage methods of any plugins or third-party software they use, so it’s critical to audit existing plugin libraries and address anything that needs clarification before May 25th. The WP GDPR Compliance plugin, available through WordPress.org, can help identify key issues. Third parties are also a critical concern here, since the data “controller” — the company collecting personal data — is responsible for its handling and storage. As a result, businesses must ensure that the third-party plugins they run are themselves compliant with GDPR.
- Automatic consent: Companies using WooCommerce or other WordPress eCommerce options need to ensure that all marketing materials, newsletters, etc. are “opt-in” rather than “opt-out”, since already-checked consent boxes are considered a breach under GDPR. According to IT Governance, approved options for lawful consent requests include clicking an opt-in button or link, selecting from “equally prominent” yes/no options or responding to an email requesting consent.
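The two consent points above (informed, never assumed, and never pre-ticked) are straightforward to get wrong in a WordPress form. The following is an added example written for this post, not code from Pagely or from WordPress core: it adds an explicit, unchecked consent checkbox to the comment form, rejects submissions server-side when the box is missing, and records what was agreed to and when as comment meta. The hook names are real WordPress core hooks; the text domain, the meta keys and the consent wording are assumptions for illustration.

```php
<?php
// Added example (not Pagely's or WordPress's own code): an explicit, unchecked consent
// checkbox on the WordPress comment form, enforced server-side and recorded as comment
// meta. Hook names are real core hooks; the text domain, meta keys and wording are
// assumptions for illustration.

// NOT compliant under GDPR: the box is pre-ticked, so consent is assumed rather than given.
//   <input type="checkbox" name="gdpr_consent" value="1" checked="checked" /> I agree
//
// Compliant: unchecked by default, and the label states who collects what and for how long.
function example_gdpr_consent_field() {
    echo '<p class="comment-form-gdpr-consent">'
        . '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="1" /> '
        . '<label for="gdpr_consent">'
        . esc_html__(
            'I consent to this site storing my name, email address and IP address with my comment so it can be displayed and moderated. This data is kept until I ask for it to be deleted.',
            'example-textdomain'
        )
        . '</label></p>';
}
// Show the field to both logged-out and logged-in commenters.
add_action( 'comment_form_after_fields', 'example_gdpr_consent_field' );
add_action( 'comment_form_logged_in_after', 'example_gdpr_consent_field' );

// Server-side check: the browser can be bypassed, so reject the comment unless the
// checkbox value actually arrived as "1".
function example_gdpr_require_consent( $comment_post_id ) {
    $given = isset( $_POST['gdpr_consent'] )
        ? sanitize_text_field( wp_unslash( $_POST['gdpr_consent'] ) )
        : '';
    if ( '1' !== $given ) {
        wp_die(
            esc_html__( 'Please confirm that you consent to us storing your comment data.', 'example-textdomain' ),
            esc_html__( 'Consent required', 'example-textdomain' ),
            array( 'response' => 400, 'back_link' => true )
        );
    }
}
add_action( 'pre_comment_on_post', 'example_gdpr_require_consent' );

// Keep a record of what was agreed to and when (UTC), so consent can be demonstrated later.
function example_gdpr_record_consent( $comment_id ) {
    add_comment_meta( $comment_id, '_gdpr_consent_given', '1', true );                          // assumed meta key
    add_comment_meta( $comment_id, '_gdpr_consent_time', current_time( 'mysql', true ), true ); // assumed meta key
    add_comment_meta( $comment_id, '_gdpr_consent_text_version', 'v1', true );                  // assumed: wording version
}
add_action( 'comment_post', 'example_gdpr_record_consent' );
```

Drop this into a small site-specific plugin or the theme’s functions.php. The server-side check is the part that matters: a client-side checkbox alone can be removed or pre-filled by anyone editing the page, whereas `pre_comment_on_post` runs before WordPress inserts the comment, so a submission without consent never reaches the database. Storing the wording version alongside the timestamp lets you show later which consent text a given commenter actually saw.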
Filling in the Gaps
While it’s unlikely that substantive changes will be made to GDPR legislation before it goes live, any regulation this complex can include grey areas. Here are three worth watching:
- The Case for Consent — While consent is critical under the new legislation, it’s not the only lawful ground for processing data, which creates confusion among organizations. For example, if you have an existing contract with individuals or must process data to meet legal requirements, consent may not be required. As noted by Lexology, there are six lawful grounds for processing data listed in Article 6 of the GDPR:
  - Consent
  - Contract
  - Legal obligation
  - Vital interests
  - Public interest
  - Legitimate interests
  Given the potential ambiguity of “vital” and “legitimate” interests, companies should be prepared for more specific guidelines regarding this type of processing after the law goes live. Best bet? Stick to informed consent wherever possible.
- Age Limits — Initial drafts of the GDPR set the EU age limit for choosing to hand over personal data at 13. But pushback changed this limit to 16 — under Article 8, member states can now choose a lower age if they wish. With protecting children’s data as a priority for this new legislation, WordPress sites must be diligent in obeying local age limit regulations and keep an eye on potential revisions.
- New Technologies — Article 35 of the GDPR requires organizations to assess the risk that new technologies for processing and storing data pose to personal information. The problem? The scope of “new technologies” isn’t defined, nor is there any template for assessing that risk. For WordPress deployments, this raises the question: What if a new plugin that streamlines data collection is considered a “new technology”? How do companies assess its risk? What happens if and when specific guidelines are put into place? Here, it’s a good idea to err on the side of caution — don’t introduce sweeping policy or plugin changes in May and June — and keep an eye on GDPR news after the law goes live.
The Current State of Affairs
Given the current state of GDPR and potential areas of concern, there are three basic interpretations for WordPress site owners. These are simply observations and should not be taken as advice:
- Same old, same old — If your site doesn’t collect or store any information, this may be true, but chances are high that modification will be necessary. While this “wait and see” approach requires minimal spending and effort up-front, it could lead to substantial fines for non-compliance.
- Complete overhaul — This is the “all in” approach, using what’s known about GDPR to completely overhaul WordPress sites. It has the benefit of better alignment with upcoming policies but could see companies revising newly-minted policies as real-world interactions around consent and breach reporting compel legislative evolution.
- Finding a middle ground — Opting for a “middle ground” model may provide the path of least resistance for WordPress sites. By reviewing current consent, data storage and ease-of-retrieval policies, it’s possible to address the bulk of GDPR expectations and streamline the process of implementing new data-handling requirements as the law dictates.
Resources to Stay Informed on GDPR
Worried about WordPress under GDPR? You’re not alone. The new legislation comes with significant impact for data collection, informed consent and direct user control over personal data. Things you can do right now? Review your site before May 25th to ensure consent requests are obvious, clear and concise, all plugins follow GDPR guidelines and consumer information is properly stored, encrypted and available upon lawful request.
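Making personal data “available upon lawful request” in a “commonly used and machine-readable format” (the portability requirement noted earlier) is something WordPress can help with directly. The following is an added example written for this post, not Pagely’s or WordPress core’s own code: it registers a personal data exporter so that consent records a site stores as comment meta are included when an administrator fulfils an Export Personal Data request. It assumes WordPress 4.9.6 or later, which added the `wp_privacy_personal_data_exporters` filter; the meta keys, labels and text domain are assumptions.

```php
<?php
// Added example (not Pagely's or WordPress's own code): a personal data exporter that
// adds site-stored consent records to the export WordPress builds for "Export Personal
// Data" requests. Assumes WordPress 4.9.6+, which introduced the
// wp_privacy_personal_data_exporters filter; meta keys and labels are assumptions.

function example_gdpr_consent_exporter( $email_address, $page = 1 ) {
    $per_page = 100; // core calls the exporter page by page so large accounts do not time out
    $comments = get_comments( array(
        'author_email' => $email_address,
        'number'       => $per_page,
        'offset'       => ( $page - 1 ) * $per_page,
        'status'       => 'all',
        'orderby'      => 'comment_ID',
        'order'        => 'ASC',
    ) );

    $export_items = array();
    foreach ( $comments as $comment ) {
        $given = get_comment_meta( $comment->comment_ID, '_gdpr_consent_given', true ); // assumed meta key
        $when  = get_comment_meta( $comment->comment_ID, '_gdpr_consent_time', true );  // assumed meta key
        $export_items[] = array(
            'group_id'    => 'example-consent',
            'group_label' => __( 'Consent records', 'example-textdomain' ),
            'item_id'     => 'example-consent-' . $comment->comment_ID,
            'data'        => array(
                array(
                    'name'  => __( 'Comment ID', 'example-textdomain' ),
                    'value' => $comment->comment_ID,
                ),
                array(
                    'name'  => __( 'Consent given', 'example-textdomain' ),
                    'value' => ( '1' === $given ) ? __( 'Yes', 'example-textdomain' ) : __( 'No', 'example-textdomain' ),
                ),
                array(
                    'name'  => __( 'Consent time (UTC)', 'example-textdomain' ),
                    'value' => $when ? $when : __( 'Not recorded', 'example-textdomain' ),
                ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        // 'done' => false tells core to call again with $page + 1.
        'done' => count( $comments ) < $per_page,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-consent'] = array(
        'exporter_friendly_name' => __( 'Comment consent records', 'example-textdomain' ),
        'callback'               => 'example_gdpr_consent_exporter',
    );
    return $exporters;
} );
```

Once registered, the exporter runs alongside the core ones (user profile, comments) when an administrator confirms a request under Tools, and its items appear in the archive WordPress generates for the data subject. Paging matters: an exporter that tries to load every record at once for a prolific commenter can exhaust the request time limit, which is why the callback returns `done => false` until the last page.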
Still looking for more help? Start here:
Bookmark these resources:
We are doing everything we can to become experts on GDPR and make sure our sites, and whatever we do that impacts our clients, are covered. As always, we are here as a resource for the WordPress community. Don’t hesitate to reach out and speak with our team.