If you've been reading blogs and tech websites recently, GDPR is all the rage. The acronym stands for the General Data Protection Regulation, a new law announced by the European Union that comes into effect in the coming months (more below) and governs the use and storage of the personal information of all EU citizens.
How is that GDPR thing related to WordPress websites or WooCommerce stores even? Well, here's how...
Let's drill down into the details of this new law and, more importantly, how that all comes to you and your WordPress/WooCommerce business.
What follows is not legal advice; it is intended to give WordPress and WooCommerce website managers a better understanding of a technical matter such as GDPR.
Table of Contents
- What is the General Data Protection Regulation (also known as GDPR)?
- What is the purpose of GDPR?
- What are the rights GDPR stands for?
- Does my WordPress website/WooCommerce store need to be GDPR-compliant?
- What is considered as Personal data?
- I don't sell anything via my WordPress website! Should I comply with GDPR?
- How to make WordPress website or WooCommerce store GDPR-ready?
- Handling personal data is like borrowing someone else's car
- What are the very first things that need to be implemented to become GDPR-compliant?
- 3 aspects to focus on immediately for website/store managers:
- What are the consequences of not complying with GDPR?
- Wrapping up
What is the General Data Protection Regulation (also known as GDPR)?
The GDPR is a new law that has been in the works for quite some time and was passed in 2016. After a two-year transition period, it is finally expected to become applicable in May 2018.
It replaces its predecessor from 1995 with updated guidelines that govern and protect the privacy of individuals in the European Union. WordPress developer and Codeable expert Robin Scott highlights:
GDPR is a regulation, not a directive. And without going into details, that means it's not just advice, it's the law. This is very important to the Union and you've really got to pay attention to it.
Here's a nice and informative infographic from the European Commission about GDPR.
What is the purpose of GDPR?
The purpose of this new set of regulations is pretty elaborate but mainly focuses on giving EU citizens more control over the personal data they share with websites. This will, of course, result in a different approach from companies and organizations worldwide towards privacy, data management, data collection, security, and profiling of their users. As Robin sums it up:
GDPR really sets down the idea that persons - as opposed to companies - have the right to have their personal data protected. By calling it a 'right', it should be clear how important and strong the EU wants businesses to interpret this law.
What are the rights GDPR stands for?
The following individual rights are those provided by GDPR:
- Right to be informed [Chapter #3; Art. 12]
- Right of access [Chapter #3; Art. 15]
- Right to rectification [Chapter #3; Art. 16]
- Right to erasure [Chapter #3; Art. 17]
- Right to restrict processing [Chapter #3; Art. 18]
- Right to data portability [Chapter #3; Art. 20]
- Right to object [Chapter #3; Art. 21]
Besides these, GDPR also has provisions for automated individual decision-making and profiling.
Now that you're getting the gist of it, let's see how GDPR and WordPress or WooCommerce relate to each other.
Does my WordPress website/WooCommerce store need to be GDPR-compliant?
If your WordPress website or WooCommerce store collects any personal data from EU users, you need to get it GDPR-compliant. In other words, all websites that collect personal information from individuals and citizens within the EU will fall under the jurisdiction of the GDPR.
I see the look on your face now: personal data, right? Is an email address considered personal data, for example? GDPR has a clear definition of what constitutes personal data.
What is considered as Personal data?
As the regulation defines it (Chapter #1; Art. 4, point 1):
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
For a website or store manager, those words can be more easily grouped into something like this:
The important thing to understand here is this: your website is accessible from everywhere in the world, so if it is collecting data from individuals within the European Union in any way, it falls under the jurisdiction of the GDPR.
I don't sell anything via my WordPress website! Should I comply with GDPR?
The focus of GDPR isn't the type of website or store you're managing. The regulation doesn't care about that. The main thing GDPR revolves around is data, and data collection can happen through something as simple as a contact form on one of your pages. As Robin elaborates:
If you have a WordPress website and you have a comment form, and people put their name and email address into your comment form, you are collecting personal data. And if your website is available to people in the European Union, you are collecting personal data from people in the European Union. So it's kind of you might think 'Oh, that does not apply to me' but it might do. Every WordPress website is likely to be potentially impacted by this.
How to make WordPress website or WooCommerce store GDPR-ready?
The short answer is having a strategy in place: one where data is collected, stored, and protected as the regulation requires, but also one that accounts for the procedures any website/store manager will need to have for data breaches, data portability, and data erasure.
That's a good starting point because the main thing GDPR is aiming at is strengthening the security of personal data. And that goes through an overhaul of your current strategy, not only of how you handle and store user data; it starts with how you collect it.
Specifically, you should revise all your copy and untick every pre-checked option on your forms that subscribes people without them actively doing anything and, instead, clearly ask for customer consent.
Obtaining consent can be hard on WordPress websites but even trickier on WooCommerce sites
The most basic feature that GDPR introduces is that, although consent was being asked before, now it has to be asked very clearly and explicitly. Robin elaborates:
The consent has to be clear, really clear. The word they use in the regulation is unambiguous. So it can't be 'Maybe I'm agreeing to be put on a newsletter list.' No, it has to say, 'I'm agreeing.' And so on with other points of contact with the website or store. In addition, the consent needs to be for each purpose for which you're collecting data, and you also need to get consent on each occasion. And you also need to describe what you're using it for.
Obtaining permission on WooCommerce forms is harder because of the tweaks required to make those forms collect consent effectively. Robin points out:
In the WooCommerce context, there's a couple of eCommerce issues that might be more difficult to deal with to get consent on: abandoned carts, abandoned checkouts for example. Another one is segmentation of customers based on orders. So if you're using a service like MailChimp, for example, and you have it connected to eCommerce data that is segmenting customers based on previous purchases. For that, you're going to need to obtain consent for doing that, and that's actually hard in checkout because you're going to have to add an extra field.
There are some things to think about in there for retailers that will be strictly related to business decisions about 'Okay, what's more important to us?' In which case, we need to obtain specific consent. Or: 'Are we going to have to stop segmenting users in this way?' That's the type of decision for the store owner.
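As an added example (not code from the article, from Robin, or from any plugin named here), this is how that extra WooCommerce checkout field can be implemented so that consent starts unticked, is tied to one stated purpose, is recorded on the order, and is checked before the order data is used for segmentation. The meta keys, the checkbox wording and the `sync_to_mailing_list` hook are assumptions; the WooCommerce hooks and functions are real.

```php
<?php
// Added example: purpose-specific marketing consent on the WooCommerce checkout.
// Drop into a small plugin or the theme's functions.php. Meta keys, wording and
// the 'sync_to_mailing_list' hook are placeholders chosen for this example.

// 1. Render the checkbox after the order notes. No 'default' => 1 is set, so the
//    box starts unticked: consent must be an affirmative act, not a pre-check.
add_action( 'woocommerce_after_order_notes', function ( $checkout ) {
    woocommerce_form_field( 'gdpr_marketing_consent', array(
        'type'     => 'checkbox',
        'class'    => array( 'form-row-wide' ),
        'label'    => 'I agree that my order history may be used to send me '
                    . 'personalised marketing emails. I can withdraw this at any time.',
        'required' => false, // a purchase must not depend on marketing consent
    ), $checkout->get_value( 'gdpr_marketing_consent' ) );
} );

// 2. Record the decision on the order with its purpose and a timestamp, so
//    "who consented to what, and when" can be answered later.
add_action( 'woocommerce_checkout_update_order_meta', function ( $order_id ) {
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return;
    }
    $consented = ! empty( $_POST['gdpr_marketing_consent'] ) ? 'yes' : 'no';
    $order->update_meta_data( '_gdpr_marketing_consent', $consented );
    $order->update_meta_data( '_gdpr_marketing_consent_purpose', 'order-based segmentation' );
    $order->update_meta_data( '_gdpr_marketing_consent_time', gmdate( 'c' ) );
    $order->save();
} );

// 3. Gate the downstream use: only an explicit "yes" on this order allows the
//    customer to be pushed into order-based segmentation.
function gdpr_may_segment_order( $order_id ) {
    $order = wc_get_order( $order_id );
    return $order && 'yes' === $order->get_meta( '_gdpr_marketing_consent' );
}
add_action( 'woocommerce_checkout_order_processed', function ( $order_id ) {
    if ( gdpr_may_segment_order( $order_id ) ) {
        do_action( 'sync_to_mailing_list', $order_id ); // hypothetical integration hook
    }
} );
```

Because the order keeps the consent value, purpose and time, an export or erasure request for that customer can include the consent record alongside the rest of the order data.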
Handling personal data is like borrowing someone else's car
This regulation requires everything to be made clearer than ever. Robin explains this key point with a great analogy, in which the car plays the role of personal data:
It’s like borrowing someone’s car. You have to state clearly when you need it and for what reason. An important thing to remember here is that you’re only borrowing the car, it’s not your property. So as a result, you can’t use it without authorization, you can’t sell it and, if it gets damaged somehow, you inform the owner and the relevant authorities about it.
What are the very first things that need to be implemented to become GDPR-compliant?
There are a number of features that need to be implemented in accordance with this new law, and as a website or store manager, you should start with these 3 main areas.
3 aspects to focus on immediately for website/store managers:
- Breach notification
- Data collection, processing, and storage
- How the plugins running on your website/store handle user data
To help you with that, there are free WordPress plugins already available on the repository:
WordPress plugins for GDPR: WP GDPR Compliance
Through a set of options you can toggle on and off, this plugin helps website and store managers comply with GDPR. As stated on the plugin page, it currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments. Additional plugin support will follow soon.
WordPress plugins for GDPR: WP GDPR
This plugin helps you deal with users asking to see which personal data is collected on your website/store, and lets them either download that data or ask for its removal.
GDPR plugin standard initiative: GDPR for WordPress
This one is still in the making and, at least for website and store managers, there's nothing currently available. But the initiative is a brilliant one, as the developers involved aim to develop standards so that anyone within the WordPress ecosystem will benefit from a shared solution.
Besides website and store managers, this initiative is working on solutions that give plugin developers a simpler way to validate plugins and make them GDPR-compliant. Here's the documentation on GitHub.
GDPR sounds like a big deal, doesn't it? Well, here's what businesses that don't comply are risking.
What are the consequences of not complying with GDPR?
The consequences of ignoring GDPR are pretty severe. If you're found to be in violation of it, the penalty is a fine, and a very heavy one in fact: €20 million (~$24.6 million USD) or 4% of the company's annual global turnover, whichever is greater.
Given such numbers, would you feel confident risking it? Your call!
GDPR brings a new set of strict regulations that concern and govern most websites, especially WordPress and WooCommerce-based ones that collect data from customers. Therefore, it is important to study the regulation and put the necessary strategy in place for your website or store at the earliest opportunity.
If you have no idea what you should do at first, jumping on a call with a WooCommerce expert might be a cost-effective solution.
We'll be covering GDPR-related topics in the coming weeks, with more tips, explanatory content, and resources. But as for now, you already have a ton of information and links to browse through!
This blog post features Robin Scott, an experienced WordPress developer who's also one of the founders of Silicon Dales, an agency focused on WordPress, WooCommerce, and a variety of other services. Robin has specialized in several areas such as Custom Plugins, Gravity Forms, Hosting Transfer, Maintenance, and WooCommerce Extensions, just to name a few.