Chat with us, powered by LiveChat
10 Tips to Make Your WordPress Website GDPR Compliant

10 Tips to Make Your WordPress Website GDPR Compliant

10 Tips to Make Your WordPress Website GDPR Compliant

As most people should now be aware, the General Data Protection Regulation (GDPR) comes into the force on the 25th May. If you have a WordPress website, this means you will be affected by the new regulation and will need to make changes in order to comply. Failure to do so can lead to very large fines. In this post, we’ll give you some hints and tips to help you put your site in order.

What is GDPR?

GDPR is a new regulation designed to improve the security of the personal data of EU citizens and to give those citizens greater control over how their data is used. It applies to any organisation that collects the data of EU citizens whether they are based in the EU or not. If you need a wider understanding of GDPR, read our article: 15 Things You Need to Know about the General Data Protection Regulation (GDPR).

What is personal data?

Personal data is anything which can be used to identify an individual whether on its own or when used in conjunction with other information. Personal data also includes sensitive data, which can cover a person’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, financial details or criminal history.

How WordPress websites collect personal data

WordPress sites can collect personal data in a number of ways. Sometimes this is done intentionally, while at others, it is done automatically through the website’s software, perhaps without you even knowing. Typical examples include:

  • analytics and traffic logs
  • blog comments
  • contact form entries
  • logging tools and plugins
  • security tools and plugins
  • user registrations or newsletter subscriptions

How to start becoming compliant

When it comes to ensuring that the data you hold is secure, you need to implement a ‘Privacy by Design’ system that protects data from the moment it is collected until it is safely erased. Part of this process requires you to undertake a ‘privacy impact study’ that looks at how any changes you make to your site will help keep the data secure.

1. Log changes to your site

One tool that can help you with this is the Security Audit Log plugin which keeps a record of all changes which take place on your site, showing how data is being processed and stored.

2. Install a firewall

Firewalls are essential to protect your site from cyber attacks and are crucial in keeping your data safe. WordPress users can do this easily by installing a firewall plugin, such as Wordfence Security – Firewall & Malware Scan or All In One WP Security & Firewall.

3. Get an SSL certificate

SSL certificates are essential for WordPress websites as they encrypt data in transit between a user’s browser and your server. This means that if anyone sends you personal information, such as credit card details, it remains secure.

4. Ensure you have remote backups

Remote backups are essential in case your website or server goes down and you need to restore it quickly. However, from a GDPR perspective, you need to make sure that the backup itself is secure as it will contain a copy of all the personal data you hold.

5. Strengthen email protection

Email addresses you keep on your computer or in web accessed systems are also deemed as personal data. The last thing you need is to open a spam email that gets access to your mailing list and begins sending malicious emails to your customers. To keep your email safe, make sure you have all mail scanned, you can do this by using tools such as SpamExperts.

6. Improve login security

Poor login security makes it easier for hackers to break into your website and steal personal data. Although many people find that two-factor authentication can be a long-winded process for logging into your dashboard, it is highly secure and much better than just having a username and password. You can install the Two-Factor Authentication plugin from your dashboard.

7. Update your privacy policy

One of the things you need to do under GDPR is inform your users about:

  • the types of data your website collects
  • why you collect that data and how you use it
  • how that data is used and stored
  • how data is shared
  • how users can get a copy of any personal data that you hold on them
  • how to ask for that data to be erased or moved

All this information should be put together in your privacy policy and a privacy policy page created. In the latest version of WordPress (v 4.9.6) a new privacy policy setting has been created to enable you to create and display your privacy policy page.

privacy-policy

8. Install a GDPR plugin

To fulfil some of the other requirements of GDPR we suggest you download and install a GDPR plugin, such as GDPR or WP GDPR Compliance. These plugins are useful because they carry out a number of tasks you need to comply with. These include:

  • Cookie management
  • Getting user consent for the privacy policy when they register with your site
  • Asking for privacy policy consent when you make changes to your policy
  • Handling requests for data erasure
  • Handling users’ requests to access their data or move it elsewhere
  • Create data breach notifications (by law you now have to do this within 72 hours of any breach)
  • Keep records of all data being sent from plugins to third-party sites

9. Ensure your web host is compliant

If your website is hosted on a service provider’s server, you also need to make sure that adequate security measures are in place on that server. You should have a ‘Data Processing Agreement’ with your host which explains how they handle any data that you store on their systems.

10. Check if you need to register with the ICO

If you handle personal data in certain ways, you are required, by law, to register with the ICO. If you are unsure, there is a self-assessment tool on their site which you can use.

Conclusion

GDPR will have an impact on everyone who collects personal data, so it is important that you comply with the regulation. For WordPress users, there are many things you need to do to ensure that personal data is kept safe and that you enable users to exercise their rights over their data. Hopefully, the tips given here will help you achieve compliance.

Sharing

Leave your comment