Admit it, you still have no idea what GDPR means for your WordPress site

So, you run a WordPress site, and your business is driven by your ability to publish content easily in that system. And today, you’re still not quite sure if GDPR applies to you, and how. You don’t collect any personal data, and you don’t process any transactions. You’re in the clear! Right?

Well… Maybe not. First off, don’t panic. The law just went into effect, and it’s virtually guaranteed with the number of articles you’re seeing online that an army of people are struggling to catch up. You’re not alone. We’re in the information overload period for the law, and GDPR is topical, so people are literally publishing content just to capitalize on the spike in search traffic. That doesn’t mean you should drag your feet though.

WordPress GDPR compliance is an ongoing conversation.

Long-term, what you’ll want to do, first and most importantly, is to appoint someone to stay on top of this. Someone you can ask questions on an ongoing basis. There is no circumstance in which you can afford to say, “We’re compliant, carry on then.”

The spirit of the law is committing to ensure data privacy for citizens of the E.U. in the long term, which means that everything from your business strategy to your plugins and your internal communication tools has to come under the microscope.

Even if your business has no intention of selling to citizens of the E.U., the moment they land on your WordPress site, you have to be able to comply. BBC Click goes so far as to suggest that firms appoint a Data Protection Officer as a full-time worker. This might be overkill for local freelancers in the U.S., but only if you can confidently say you’re not collecting any data from users in the E.U.

The rest of us need to pay attention to the law.

WPMU DEV is proud to share GDPR compliance strategies for WordPress users.

Luckily, WPMU DEV has implemented a lot of these changes over the last few years, and we’re thrilled to file them under the context of GDPR compliance. While we have always been protective and proactive when it comes to privacy and security, the GDPR gave us all shared language and a framework of processes to be more transparent in these practices.

Here are a few main points we’ll cover to ensure you know how to maintain GDPR compliance for your WordPress site:

  1. When am I subject to the GDPR?
  2. Defining personally identifiable information in WordPress
  3. Basic GDPR requirements for every WordPress Site
  4. WordPress data retention
  5. Monitoring your WordPress site and incident response plans
  6. Internal communication with workers in the E.U.

When am I subject to the GDPR?

The moment a user accesses your site from an area where the GDPR is in effect. Server location is irrelevant. User location is everything. So, if a user from somewhere in the E.U. accesses your website from their own soil, you are required by law to comply with the GDPR. If the user is visiting America, and they visit your site, then the E.U. has no authority. Sovereignty is all.

Defining personally identifiable information in WordPress.

The law states that pretty much everything can be personally identifiable unless the anonymization is irreversible. The scary part is that if someone were to collect multiple sets of data and piece them together, and that information could be tied back to a living individual, then you are not in compliance with the law. It’s that strict. In fact, if you go to a nation subject to the law, and you write down someone’s email address on a napkin at a coffee shop under the context of your business, then GDPR applies to you. Seriously. Read the law.

Basic GDPR requirements for every WordPress site.

Okay. I’ve sufficiently scared you. Take a breather. Now, just remember that you’re not in the business of collecting personal data. You’re in the business of selling x. You always were. You’ve been using WordPress for a while now, and your customers absolutely love what you do for them. If you haven’t yet, there are only a few things you need to take care of.

Start with this: an updated privacy policy. Log in to your WordPress admin area, and under the sidebar menu for “Settings,” click “Privacy.”

The WordPress admin area allows you to easily add a privacy policy.

Once on the page, you have the option to select a pre-existing page as your privacy policy page, or create a new one. Select whichever…

You can select a current page or create a new one for your privacy policy.

The content generated on the page will be customized to your website with your URL, and even info regarding the plugins you use will be imported if the developer has gone the extra mile. But you’ll also need to address a lot of the headings with your own info. Check back at a later date to see a video walkthrough of how to do this.

The privacy policy incorporates information specific to your plugins.

You can see the internal note for our plugin Smush. If the note applies to you, keep the paragraph beneath it.

WordPress data retention policy best practices.

Would you want your doctor to retain your data for the next fifteen or twenty years? What about Tinder? What about that weird newsletter you signed up for once upon a time that just kind of disappeared? Without GDPR, is there really a law that promotes your security by saying to that entity, “you need to get rid of this data”? I would argue not, although I’m not a lawyer. If you leave room for people to collect data, and you don’t explicitly tell them they have to get rid of it, then many won’t.

Here’s what a data retention policy addresses:

  • Deletion of all inactive users completely after a set amount of time (e.g., 3-6 months).
  • Deletion of all backups after 3 months.
  • Deletion of all financial records/transactions after X years (many countries may require keeping financial records for auditing for around 7 years).

Monitoring your WordPress site and incident response plans.

Think of your server like a dentist’s office. The dentist neglected to keep a data retention policy, and someone decides to break in to obtain your dental records to frame you for a crime. The dentist learns he’s been broken into, and he never reports the incident, never tells any of his patients. Your dental records, and potentially all of the other patients’, are now out there.

GDPR makes it a best practice to have an incident response plan in place, so you’ll get notified of a breach immediately, and the organization will have a bare minimum set of actions they can take to mitigate the incident.

Good monitoring and incident response plans involve:

  • Keeping an up-to-date email list of the customers whose personal data you hold.
  • Being prepared to write and send an email within 72 hours of any breach with details of what may have been taken, when and how it was taken, and what you have done to mitigate it.
  • Contacting governmental agencies or authorities you need to notify of any breach. If you are in the E.U., you will have a local DPA for your country. Some argue you may need to contact the DPA in each European country where you have users or site visitors that have info potentially stolen, though it isn’t completely clear yet if this is the case.

WordPress and Internal Communications with Workers in the E.U.

WordPress opens up a lot of possibilities for remote workers and collaboration (WPMU DEV included), and it’s commonly paired with systems like Slack, GChat, and HipChat. In these circumstances, data retention applies even to communication tools used with workers, during and after employment. This includes all employee and contractor data, payments and invoices, HR records, and any personal contact information that was obtained from your workers in the E.U.

Wrapping Up

GDPR is a signal that data is sacred, maybe even as much as currency. Understand how you’re going to evolve with the law now so you can get the most out of your WordPress site and continue growing online responsibly.

Will Ruff
What are some of the areas that still confuse you with respect to GDPR? What are some outstanding questions you have based on everything you’ve read? Let us know in the comments below so we can make compliance an ongoing conversation.