A initial review of your website should reveal how data is being processed and stored on your servers, and steps that are required to comply with GDPR.
Some usual ways in which a standard websites might collect user data:
- User registrations
- Contact form entries
- Analytics and traffic log solutions
- Any other logging tools
- Security tools and plugins
Here are some key aspects of GDPR:
(a) Breach notification
Under GDPR compliance, if your website is experiencing a data breach of any kind, that breach needs to be communicated to your users.
A data breach may result in a risk for the rights and freedoms of individuals, due to which notifying users in a timely manner becomes necessary. Under GDPR, a notification must be sent within 72 hours of first becoming aware of a breach. Data processors are also required to notify users as well as the data controllers, immediately after first becoming aware of a data breach.
In a WordPress website scenario for example, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. However, the complexity here is the definition of the term “user” – it may constitute regular website users, contact form entries, and potentially even commenters.
This clause of GDPR thus creates a legal requirement to assess and monitor the security of your website. The ideal way is to monitor web traffic and web server logs.
(b) Data collection, processing and storage
Three elements of this: Right to Access, Right to Be Forgotten and Data Portability.
- The right to access provides users with complete transparency in data processing and storage – what data points are being collected, where are these data points being processed and stored, and the reason behind the collection, processing and storage of the data. Users will also have to be provided a copy of their data free of cost within 40 days.
- The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their personal data to be used.
- The data portability clause of GDPR provides users a right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller.
Privacy by design encourages controllers to enforce data policies which enable the processing and storage of only that data which is absolutely necessary. This encourages site owners and controllers to adopt potentially safer policies for data, by limiting the access to number of data points.
As a website owner, you first need to publish a detailed policy on which personal data points you’re using, how they are being processed and stored.
Next, you need to have a setup to provide users with a copy of their data. This is perhaps the most difficult part of the process. However, we can assume that when the time comes, most plugin developers or tool developers – for the tools and plugins that you have on your site – will have already come forward with their own solutions to this.
It is still advised, however, to have a system in place to derive the required data out of your database.
Further, it may be wise to avoid data storage altogether in certain cases. For instance, contact forms could be set up to directly forward all communication to your email address instead of storing them anywhere on the web server.
(c) Use of plugins – implications of WordPress site GDPR compliance
Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with GDPR rules.
This can still mean some tough times for some of the most popular plugins out there. For instance, solutions like Gravity Forms or Jetpack have a lot of modules that collect user data by nature. How are those tools going to comply with GDPR exactly?
For plugins too, the same rules apply, although they must be approached from the point of view of the WordPress site owner. Each plugin needs to establish a data flow and inform about the processing of personal data. If you are the developer of a plugin, consider providing users of your plugin an addendum that they may add to their website’s terms in order to make them GDPR compliant. Gravity Forms, for instance, needs to let the user know how personal data being filled in a contact form is going to be published, and an option to get it removed, if necessary.