As most people should now be aware, the General Data Protection Regulation (GDPR) comes into force on 25 May. If you have a WordPress website, this means you will be affected by the new regulation and will need to make changes in order to comply. Failure to do so can lead to very large fines. In this post, we’ll give you some hints and tips to help you put your site in order.
What is GDPR?
GDPR is a new regulation designed to improve the security of the personal data of EU citizens and to give those citizens greater control over how their data is used. It applies to any organisation that collects the data of EU citizens whether they are based in the EU or not. If you need a wider understanding of GDPR, read our article: 15 Things You Need to Know about the General Data Protection Regulation (GDPR).
What is personal data?
Personal data is anything which can be used to identify an individual whether on its own or when used in conjunction with other information. Personal data also includes sensitive data, which can cover a person’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, financial details or criminal history.
How WordPress websites collect personal data
WordPress sites can collect personal data in a number of ways. Sometimes this is done intentionally, while at other times it is done automatically by the website’s software, perhaps without you even knowing. Typical examples include:
- analytics and traffic logs
- blog comments
- contact form entries
- logging tools and plugins
- security tools and plugins
- user registrations or newsletter subscriptions
How to start becoming compliant
When it comes to ensuring that the data you hold is secure, you need to implement a Privacy by Design system that protects data from the moment it is collected until it is safely erased. Part of this process requires you to undertake a privacy impact study that looks at how any changes you make to your site will help keep the data secure.
1. Log changes to your site
One tool that can help you with this is the Security Audit Log plugin which keeps a record of all changes which take place on your site, showing how data is being processed and stored.
2. Install a firewall
Firewalls are essential to protect your site from cyber attacks and are crucial in keeping your data safe. WordPress users can do this easily by installing a firewall plugin, such as Wordfence Security Firewall & Malware Scan or All In One WP Security & Firewall.
3. Get an SSL certificate
SSL certificates are essential for WordPress websites as they encrypt data in transit between a user’s browser and your server. This means that if anyone sends you personal information, such as credit card details, it cannot be read by anyone intercepting the connection.
4. Ensure you have remote backups
Remote backups are essential in case your website or server goes down and you need to restore it quickly. However, from a GDPR perspective, you need to make sure that the backup itself is secure as it will contain a copy of all the personal data you hold.
5. Strengthen email protection
Email addresses you keep on your computer or in web-accessed systems are also deemed personal data. The last thing you need is to open a malicious email that gives an attacker access to your mailing list and lets them send malicious emails to your customers. To keep your email safe, make sure you have all mail scanned; you can do this by using tools such as SpamExperts.
6. Improve login security
Poor login security makes it easier for hackers to break into your website and steal personal data. Although many people find two-factor authentication a long-winded way of logging into the dashboard, it is far more secure than a username and password alone. You can install the Two-Factor Authentication plugin from your dashboard.
7. Inform your users about the data you collect
One of the things you need to do under GDPR is inform your users about:
- the types of data your website collects
- why you collect that data and how you use it
- how that data is used and stored
- how data is shared
- how users can get a copy of any personal data that you hold on them
- how to ask for that data to be erased or moved
8. Install a GDPR plugin
To fulfil some of the other requirements of GDPR we suggest you download and install a GDPR plugin, such as GDPR or WP GDPR Compliance. These plugins are useful because they carry out a number of the tasks you need to perform in order to comply. These include:
- cookie management
- handling requests for data erasure
- handling users’ requests to access their data or move it elsewhere
- creating data breach notifications (by law you now have to do this within 72 hours of any breach)
- keeping records of all data being sent from plugins to third-party sites
9. Ensure your web host is compliant
If your website is hosted on a service provider’s server, you also need to make sure that adequate security measures are in place on that server. You should have a Data Processing Agreement with your host which explains how they handle any data that you store on their systems.
10. Check if you need to register with the ICO
If you handle personal data in certain ways, you are required by law to register with the ICO (the UK’s Information Commissioner’s Office). If you are unsure, there is a self-assessment tool on their site which you can use.
GDPR will have an impact on everyone who collects personal data, so it is important that you comply with the regulation. For WordPress users, there are many things you need to do to ensure that personal data is kept safe and that you enable users to exercise their rights over their data. Hopefully, the tips given here will help you achieve compliance.