WordPress’s lead over other content management systems is unmatched, and with over 60 million users its reign shows no sign of ending. In this post, I will share some useful tips to bring your WordPress website towards GDPR compliance.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is data protection legislation passed by the European Parliament in April 2016. The regulation was created to protect people in the European Union (EU) and the European Economic Area (EEA) countries from misuse of their personal data and from data breaches. The law aims to safeguard people’s rights and freedoms by setting standards for anyone doing business in EU territory.
The EU GDPR came into force on May 25, 2018; since then, many EU member states have made significant changes to their national data protection laws to accommodate the regulation and enforce it.
The arrival of the GDPR has steered many organizations to work towards compliance. In most cases, failing to comply results in harsh fines. It applies to any organization, body, or individual that processes the personal data of people in the EU/EEA countries.
The foundation of the GDPR is its principles for data processing. These principles are the governing factors for GDPR compliance. In addition, the data rights it grants to EU individuals make the GDPR one of the most important data privacy and protection laws in the world.
The seven principles of the GDPR
- Lawfulness, fairness, and transparency: Personal data should be processed lawfully, fairly, and transparently. There must be a legal ground for processing the personal data; for websites, that ground is most often consent. Collecting personal data and then processing it without the user’s freely given and unambiguously expressed consent is unlawful.
- Purpose limitation: Data collected should only be processed for the planned purpose.
- Data minimization: Do not collect data more than or additional to what is required for your purpose.
- Accuracy: Keep the data collected accurate and up to date. Inaccurate data should be erased or rectified without any delay.
- Storage limitation: Do not store personal data longer than necessary.
- Integrity and confidentiality (security): Store and process the data collected safely.
- Accountability: You must take responsibility for complying with the GDPR and justify your organization’s compliance if necessary.
The GDPR rights of people
It gives people some control over their data:
- The right to be informed: the right to request details about the data processing activities
- The right of access: the right to access and receive a copy of the personal data stored
- The right to rectification: the right to have inaccurate personal data corrected or updated
- The right to erasure (the right to be forgotten): the right to have their data deleted
- The right to restrict processing: the right to restrict the data processing activities
- The right to data portability: the right to have their data transferred to another organization
- The right to object: the right to object to the data processing activities
- Rights related to automated decision-making and profiling: the right to object to automated decisions based on their user profile
You can read the full text of the regulation here.
11 ways to make your WordPress website GDPR compliant
Here are 11 ways to get your WordPress website started on GDPR compliance, with some plugin and application recommendations.
Before proceeding, make sure you update WordPress to version 4.9.6 or higher: that release introduced built-in privacy tools that help your website comply with GDPR.
Keep a record of your data processing activities
Review your database and how your website collects and handles users’ personal data, including the plugins and other external services.
It will tell you a lot about the areas you need to work on and the risky areas which might cause trouble.
Display Cookie consent notice
Any website needs a cookie consent notification to inform users about the cookies it will store on their device. And, as per GDPR standards, you cannot set non-essential cookies (marketing, analytics) until you have the user’s explicit consent.
Therefore, your cookie management must provide adequate information about the cookies and must block such cookies until user consent has been obtained.
Firstly, check the website for cookies. You can do this easily with free online cookie scanners. Then add a cookie banner that alerts website users about these cookies.
Various plugins, such as GDPR Cookie Consent, or dedicated cookie consent applications will help you install a cookie consent banner on your WordPress website. Such plugins can also automatically block third-party cookies until the user consents, and you can change the content of the banner to suit your website’s requirements. GDPR Cookie Consent also adds a cookie audit table to your website to share this information with users.
Add consent checkboxes for website forms
Any form on your WordPress website that collects personal data must include a consent checkbox. You cannot store the data entered in the form unless the user has checked the consent box.
It is crucial to note that pre-ticked consent checkboxes are not valid and are considered a GDPR infringement.
WPForms is a great plugin for adding GDPR compliant website forms. It has GDPR enhancement features that stop the collection or storage of user data entered in the form, such as IP address and device information, and deactivate tracking cookies.
The ‘GDPR Agreement’ field will add a consent checkbox to the form to ask the user’s consent for storing their data.
Implement double opt-in for emails
It is advisable to incorporate a double opt-in method to register user consent for sending newsletters or marketing emails.
Double opt-in verifies a subscription by emailing a confirmation link after the user signs up for email marketing; the address is only added to the list once that link is clicked.
Every email must include an unsubscribe link so users can withdraw their consent or cancel the subscription at any time.
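The double opt-in flow described above, as an added example written for this post (not the post’s own code or any named plugin’s): the confirmation link carries an HMAC over the address and an expiry, so a subscription can only be confirmed by someone who received the email, and only within the validity window. The newsletter_subscribers table and its columns are hypothetical.

```php
// Added example, not from the original post or any plugin. Double opt-in: the address is
// only marked confirmed after the user clicks a signed, expiring link. A hypothetical table
// {$wpdb->prefix}newsletter_subscribers (email, consent_given_at, confirmed_at) is assumed.

// HMAC over the email and expiry: the link cannot be forged, and it stops working after expiry.
function example_newsletter_token( $email, $expires ) {
    return hash_hmac( 'sha256', strtolower( $email ) . '|' . $expires, wp_salt( 'auth' ) );
}

// Step 1: on sign-up, store the pending subscription and email the confirmation link.
function example_newsletter_signup( $email ) {
    global $wpdb;
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) ) {
        return false;
    }
    // consent_given_at records when the user ticked the box; confirmed_at stays NULL for now.
    $wpdb->insert( $wpdb->prefix . 'newsletter_subscribers', array(
        'email'            => $email,
        'consent_given_at' => current_time( 'mysql', true ),
    ) );
    $expires = time() + DAY_IN_SECONDS;
    $link    = add_query_arg( array(
        'nl_confirm' => rawurlencode( $email ),
        'exp'        => $expires,
        'sig'        => example_newsletter_token( $email, $expires ),
    ), home_url( '/' ) );
    return wp_mail( $email, 'Please confirm your subscription',
        "Confirm within 24 hours: {$link}\n\nIf you did not sign up, simply ignore this email." );
}

// Step 2: on click, check expiry and signature (constant-time), then record the confirmation.
function example_newsletter_confirm( $email, $expires, $sig ) {
    global $wpdb;
    if ( time() > (int) $expires ) {
        return false; // expired link
    }
    if ( ! hash_equals( example_newsletter_token( $email, (int) $expires ), (string) $sig ) ) {
        return false; // forged or tampered link
    }
    return (bool) $wpdb->update(
        $wpdb->prefix . 'newsletter_subscribers',
        array( 'confirmed_at' => current_time( 'mysql', true ) ),
        array( 'email' => $email )
    );
}
```

Only rows with a non-NULL confirmed_at should ever be mailed, and every message sent afterwards needs the unsubscribe link the post calls for.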
Enable settings for user rights
Your WordPress website must have system settings to enable the users to exercise the GDPR rights.
In WordPress 4.9.6 and higher, there are settings to enable the users to erase or export their personal data.
To enable these settings:
- Click Tools on the WordPress dashboard
- Select Export Personal Data or Erase Personal Data
Enter the user’s email address; WordPress then sends them a confirmation email to verify the request before the export or erasure is carried out.
Additionally, you can implement other measures to verify and carry out other requests related to user rights, such as the right to access, the right to restrict processing, or the right to modify data.
Plugins like Delete Me let users delete their own data from the website.
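The built-in Export Personal Data and Erase Personal Data tools only know about data WordPress core stores; data kept by your own plugin has to be registered with them. The following is an added example (not the post’s code, nor any named plugin’s) that hooks a hypothetical newsletter_subscribers table into both flows, so access/portability and erasure requests cover it too.

```php
// Added example (not from the original post): hook plugin-stored data into the
// Tools > Export / Erase Personal Data flows of WordPress 4.9.6+. Assumes a hypothetical
// table {$wpdb->prefix}newsletter_subscribers (id, email, consent_given_at, confirmed_at).

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => 'Newsletter subscriptions',
        'callback'               => 'example_newsletter_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => 'Newsletter subscriptions',
        'callback'             => 'example_newsletter_eraser',
    );
    return $erasers;
} );

// Right of access / portability: return every record tied to the verified address.
function example_newsletter_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_subscribers';
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, consent_given_at, confirmed_at FROM {$table} WHERE email = %s",
        $email_address
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => 'Newsletter subscriptions',
            'item_id'     => 'newsletter-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email',                      'value' => $row->email ),
                array( 'name' => 'Consent given at',           'value' => $row->consent_given_at ),
                array( 'name' => 'Double opt-in confirmed at', 'value' => $row->confirmed_at ?: 'not confirmed' ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // one page here; paginate large tables
}

// Right to erasure: delete the records and report the outcome back to the admin screen.
function example_newsletter_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $removed = $wpdb->delete( $wpdb->prefix . 'newsletter_subscribers', array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (int) $removed, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```

Once registered, the plugin’s data appears in the export archive WordPress generates and is removed when an administrator approves an erasure request, without any separate process for the user to follow.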
Get your website SSL certified
An SSL certificate installed on your web server enables HTTPS, which encrypts all data exchanged between the user’s browser and the server.
So when a user submits personal data such as payment information, it travels encrypted and the connection is protected against eavesdropping.
Tighten login security
WordPress websites may require users to create accounts to post comments or links. If the website’s login is not adequately protected, it may be easy for attackers to breach the site.
The best practice for stronger login security is to implement two-factor authentication (2FA). 2FA is a login method that requires one or more additional pieces of evidence beyond the username and password combination.
It is also beneficial to enforce strong passwords containing a mix of alphanumeric characters.
Keep remote data backups
In the event of a data breach that results in data loss, maintaining data backups will prove crucial. You can restore the data that you have lost.
However, keeping backups is a bit tricky. You have to make sure the backups themselves are GDPR compliant and kept very secure. And restoring data is also a type of processing, which is subject to GDPR scrutiny.
It may also affect some user rights, such as the right to delete, since the users may not be aware of the presence of a backup.
Therefore, remote backups must only be done with proper guidance from experts.
BackWPup is a great plugin for remote backups. It safely encrypts the data and creates a log for easy documentation. You will immediately get an alert notification if the backup runs into any problem.
Publish a privacy policy
To align with the GDPR requirement for transparency, you must inform your users about:
- the types of personal data the website collects
- the purpose of collecting the personal data
- how the website uses, stores, and shares the data
- method to withdraw the user consent
- how the users can request to access, erase, or modify their data
- ways for users to request to stop processing their data or transfer it somewhere else
- what you do to protect the personal data
WordPress 4.9.6 and higher include a privacy policy page setting. To use it:
- Click Settings from the WordPress dashboard
- Select Privacy
Check GDPR agreement of plugins and applications
Plugins help a WordPress website to function more smoothly and extend its list of features. It is evident from the many plugin examples mentioned previously.
However, never skip reviewing the GDPR agreement of every external plugin and application you install. If they do not follow GDPR standards, they put your website at risk. You must ensure that they have adequate measures to protect the data they collect, or the data your website shares with them.
Popular third-party services have aligned themselves with the GDPR, but you still have to remain cautious.
Choose a GDPR compliant web hosting provider
If your website is hosted on a web server, you must ensure that its security measures are on par with GDPR standards.
Any data you store on the server system must be kept safely, adopting appropriate technical and organizational measures.
Therefore, choose a hosting provider that is GDPR compliant.
It is worth mentioning that following these steps to the letter will not guarantee 100% GDPR compliance for your WordPress website. You may want to seek professional guidance to avoid any risk of violations.
However, these are useful for setting your website on the right path for complying with GDPR.
If I have missed any important point, please do let me know in the comments. I would appreciate your thoughts on this topic.