GDPR compliance and WordPress

Written by Jonny in Technology

With a month to go, preparations for the European General Data Protection Regulation (GDPR) which comes into force on 25th May 2018 are underway with most businesses. This guide aims to explain the ins and outs of what should be considered for GDPR compliance when using WordPress – the intended audience is website owners using WordPress to run their business.

The basic premise of GDPR is consent; consent from your customers to store and use their personal data. GDPR aims to protect the privacy of individuals from organisations using their data unfairly. GDPR is an opportunity to rethink how you use your customers’ data.

The UK will enshrine GDPR into UK law by introducing a new Data Protection Bill, which has now been published by the government. The Data Protection Bill introduces a few key differences (such as requiring parental consent to process data on children under 13, rather than 16 in other European countries). Brexit will make no material difference on compliance.

The biggest changes compared to the Data Protection Act 1998 are accountability and compliance. GDPR introduces fines of up to €20 million or 4% of an organisation’s global turnover (whichever is greater). Anyone can be fined, should they not follow a “clean up your act” compliance process from the relevant authorities (following a non-compliance notification).

So what is personal data?

According to the Information Commissioner’s Office (ICO), personal data is: “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

According to Wired (and in a language we can more easily understand): “Personal data can be anything that allows a living person to be directly or indirectly identified. This may be a name, an address, or even an IP address. It includes automated personal data and can also encompass pseudonymised data if a person can be identified from it.”

GDPR also has special categories of information which are subjected to additional regulation which we won’t cover here. These include trade union membership, religious beliefs, political opinions, health information, racial information, and sexual orientation.

If you’re collecting personal information through your website, then you are either processing or controlling personal data and therefore have an obligation to put safeguards in place for that data.

GDPR is not a tick-box exercise and no one solution or service can claim to make you GDPR compliant. From a practical perspective you should ensure:

  1. You are only collecting the personal data that you actually need.
  2. You have permission to use the personal data for the purpose you set out when you collect it.
  3. You store personal data securely.
  4. You allow access to personal data when requested by an individual.
  5. You only store personal data for the period that you need it.
  6. You report any breaches of personal data to the ICO.

How to ensure your WordPress site is following best-practice towards GDPR compliance

Privacy Policy

Your privacy policy should state what data you collect; how you store that data; how long you store it for; and what you will do with that data. You cannot use data that you previously collected for a new purpose without first obtaining permission from your customers. You can view our privacy policy here.

There’s no one single template you can use to create your own privacy policy – all businesses are different. Heather Burns from Web Dev Law recently spoke at WordCamp London about what to include in a privacy policy. Heather’s guidance is to include:

WordPress Core

The core software of WordPress is currently being worked on to enable GDPR compliance. There’s a software roadmap outlining the details. New tools such as being able to generate a Privacy Policy from within WordPress; being able to export users’ personal data; and being able to delete users’ personal data are being developed. There’s no estimate yet for when these tools will be available, but they are being actively worked on.

Forms

The primary way you’ll collect personal data through your website is via forms. All the forms on your website should be reviewed to ensure they only collect personal data that you actually need, and that each has a tick box stating that, by submitting their personal data, the visitor accepts the terms in your privacy policy. This tick box cannot be ticked by default.

Plugins

Many plugins, and WordPress itself, report telemetry data back to their motherships (usually the plugin author’s or wordpress.org’s servers). This data can include how a plugin is being used (e.g. number of form entries, or number of visits). Many plugins (but not all) are working towards GDPR compliance by enabling site owners to turn this off.

For a full review of whether your installed plugins are following GDPR best practice towards compliance, get in touch.

The following plugins are ones we’ve used extensively on our client sites so we’ve put together a few notes on what to look out for:

WooCommerce

Automattic (developers of WooCommerce) have published a brief overview on GDPR on their blog: https://woocommerce.com/2017/12/gdpr-compliance-woocommerce/

Here are our practical tips for WooCommerce site owners:

  1. Update your privacy policy as above.
  2. Check whether you are automatically adding users to an email marketing list without their explicit consent (even if it’s double opt-in). Explicit consent must be obtained before adding users to lists so review all your plugin settings if you’re list building using tools like Mailchimp.
  3. Review your checkout process and forms on your site – only collect data that you need to fulfil your customer’s orders or requests.
  4. Review how long you keep customer and past order information for. Do you need to keep it longer than a year?
  5. Be prepared for a customer to request a copy of the personal data you hold on them.
  6. Be prepared for a customer to request that you ‘forget’ them from your website and any other order system you may use.
  7. Review your email marketing lists. Ahead of May 25th you could email your existing lists asking users if they wish to still remain on your lists – then at least you know you have explicit permission to contact them again.
  8. Never send unsolicited marketing emails to customers (even if they were a previous customer) unless you have gained explicit permission from them to do so.
  9. Review your abandoned basket process, if you have one. Customers must have opted-in to receive follow ups to orders they didn’t complete.

Gravity Forms

By default Gravity Forms records all form submissions into the WordPress database. Data retention and security should be your concern here. Who has access to the dashboard of your WordPress site, and do they understand the responsibilities of GDPR to manage that data? How long do you store those form entries for? Consider using a tool to automatically delete entries after a month or immediately if you do not wish to store submissions on your site.

Review each of your forms and ensure each relevant form has a tick box linking to your privacy policy.

Gravity Forms have been a little quiet in terms of GDPR compliance, especially around telemetry data they are collecting. If you are concerned about this then get in touch and we can discuss alternatives. Gravity Forms’ position on GDPR.

Simple History

On some of our client sites we use the Simple History plugin to record activity within WordPress. This tool enables WordPress Administrators to audit activity on a site – it records events such as who’s logged in; who’s editing posts; who’s activating plugins. It’s a great tool for auditing but it also retains user data – this is especially important if your customers login to your site as it’ll be recording data from them.

By default it deletes log entries after 60 days, but this setting can be changed with some code, so it’s worth checking you’re retaining data only for the period you need it.
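The two retention points above (automatically deleting Gravity Forms entries after a month, or immediately, and shortening Simple History’s 60-day purge interval) can both be handled from a small must-use plugin. The following is an added illustration written for this post, not code from Gravity Forms, Simple History or 10 Degrees. It assumes both plugins are active, that Gravity Forms interprets the `end_date` search criterion in the site’s local timezone, and that the installed Simple History version still exposes the `simple_history/db_purge_days_interval` filter (check the plugin source for your version). The `gdpr_example_` names and the 30-day period are placeholders to adjust to your own retention policy.

```php
<?php
/**
 * Plugin Name: GDPR retention example (illustration only, not from the post)
 * Description: Purges old Gravity Forms entries and shortens Simple History's log retention.
 *
 * Save as wp-content/mu-plugins/gdpr-retention-example.php so it loads without activation.
 */

defined( 'ABSPATH' ) || exit;

// Retention period applied to both form entries and the activity log (placeholder value).
define( 'GDPR_EXAMPLE_RETENTION_DAYS', 30 );

// Set to true if you never want submissions kept in the database at all.
define( 'GDPR_EXAMPLE_DELETE_IMMEDIATELY', false );

/**
 * 1. Simple History: override the default 60-day purge interval.
 *    Filter name assumed from the plugin source; verify against your installed version.
 */
add_filter( 'simple_history/db_purge_days_interval', function ( $days ) {
	return GDPR_EXAMPLE_RETENTION_DAYS;
} );

/**
 * 2a. Gravity Forms: delete each entry as soon as the submission has been processed.
 *     gform_after_submission runs after notifications have been sent, so the email copy
 *     still goes out; only the database record is removed.
 */
if ( GDPR_EXAMPLE_DELETE_IMMEDIATELY ) {
	add_action( 'gform_after_submission', function ( $entry, $form ) {
		if ( class_exists( 'GFAPI' ) ) {
			GFAPI::delete_entry( $entry['id'] );
		}
	}, 10, 2 );
}

/**
 * 2b. Gravity Forms: otherwise, run a daily WP-Cron job that removes entries older
 *     than the retention period across all forms.
 */
add_action( 'init', function () {
	if ( ! wp_next_scheduled( 'gdpr_example_purge_gf_entries' ) ) {
		wp_schedule_event( time(), 'daily', 'gdpr_example_purge_gf_entries' );
	}
} );

add_action( 'gdpr_example_purge_gf_entries', 'gdpr_example_purge_gf_entries' );

function gdpr_example_purge_gf_entries() {
	if ( ! class_exists( 'GFAPI' ) ) {
		return;
	}

	// Anything created on or before this timestamp is outside the retention window.
	$cutoff = date(
		'Y-m-d H:i:s',
		current_time( 'timestamp' ) - GDPR_EXAMPLE_RETENTION_DAYS * DAY_IN_SECONDS
	);

	$search_criteria = array(
		'status'   => 'active',
		'end_date' => $cutoff,
	);
	// Fetch in pages; offset stays at 0 because each pass deletes what it fetched.
	$paging = array( 'offset' => 0, 'page_size' => 200 );

	do {
		// Form id 0 searches every form.
		$entries = GFAPI::get_entries( 0, $search_criteria, null, $paging );
		if ( is_wp_error( $entries ) || empty( $entries ) ) {
			break;
		}
		foreach ( $entries as $entry ) {
			GFAPI::delete_entry( $entry['id'] );
		}
	} while ( count( $entries ) === $paging['page_size'] );
}
```

Because both rules read the same constant, the activity log and the form entries fall out of retention together, which makes the period you state in your privacy policy easy to verify. Note that deleting the WordPress copy does not remove copies already emailed out by notifications or sent to third-party services, so those need their own retention review.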

Contact Form 7

By default Contact Form 7 does not record form entries. If, however, you have the database extension installed, then it will retain data and you should consider retention and security.

Review each of your forms and ensure each relevant form has a tick box linking to your privacy policy.

Google Analytics

Not strictly a WordPress plugin, but Google Analytics records anonymised data and stores cookies in your users’ browsers. The EU Cookie directive caused the same level of hysteria as GDPR. Cookies themselves will be subject to a new EU ePrivacy regulation. The idea of this regulation is to simplify consent. Cookie pop-ups will no longer be needed for analytical tracking of anonymised data.

Our understanding of GDPR compliance for Google Analytics is that the data is anonymised (although IP addresses are used to track geographical data, they are not stored after being converted to a geo-location), and therefore you don’t need specific wording for Google Analytics data, unless you have customised your tracking to include personal data.

Further Advice

If you’d like further advice on GDPR compliance with your WordPress site, get in touch.

There are a number of plugins available on wordpress.org to help with compliance aspects: https://wordpress.org/plugins/search/gdpr/

Small businesses and charities can telephone the Information Commissioner’s Office for advice.

There’s an excellent article on the forthcoming EU ePrivacy Regulation here: https://www.i-scoop.eu/gdpr/eu-eprivacy-regulation

Footnote

We are not legal experts and this blog post does not constitute legal advice.

The Author

Jonny Vaughan

Founder & Technical Director of 10 Degrees. Jonny's day to day focus is on determining the best technical solutions for our clients, driving technical innovation and leading our sustainability agenda.
