Disclaimer: These are general guidelines for informational purposes only and are not meant to substitute for the professional opinion of a legal team. For further clarification regarding your website and business, consult a lawyer familiar with this particular legislation.
GDPR, short for General Data Protection Regulation, is a European Union law that took effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and to change the data privacy approach of organizations across the world. You may have noticed since then that big companies like Google, Twitter, Facebook, etc. have made changes to their privacy policies, user-facing notifications, and other legal documents.
Basically, after May 25th, 2018, businesses that are not in compliance with GDPR’s requirements can face large fines of up to 4% of a company’s annual global revenue OR €20 million (whichever is greater). That brings us to the question: who is affected by this?
Does GDPR apply to my WordPress site?
It does if you collect any data from visitors to your site, and some of those visitors may be from the EU. It applies to every business, large and small, around the world (not just in the European Union).
While GDPR has the potential to escalate to those high fines, enforcement starts with a warning, then a reprimand, then a suspension of data processing, and only if you continue to violate the law do the large fines hit. Plus there’s the larger question of how enforceable this is. Of course the big web players will be easily monitored, not so much small sites/blogs. But should you take a chance? No!
The goal of GDPR is to protect users’ personally identifiable information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data. Personal data includes: name, email addresses, physical address, IP address, health information, income, etc.
While the GDPR regulation is 200 pages long, here are the most important pillars that you need to know:
Explicit Consent – if you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form because they DID NOT opt-in for your marketing newsletter.
For it to be considered explicit consent, you must require a positive opt-in (i.e. no pre-ticked checkbox), use clear wording (no legalese), and keep it separate from other terms & conditions.
Rights to Data – you must inform individuals where, why, and how their data is processed/stored. An individual has the right to download their personal data and an individual also has the right to be forgotten meaning they can ask for their data to be deleted. This will make sure that when you hit Unsubscribe or ask companies to delete your profile, then they actually do that!
Breach Notification – organizations must report certain types of data breaches to the relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individuals’ data. However, if a breach is high-risk, then the company MUST also inform the impacted individuals right away.
Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. This is not required for small businesses.
In a nutshell, GDPR makes sure that:
- Businesses can’t go around spamming people by sending emails they didn’t ask for.
- Businesses can’t sell people’s data without their explicit consent (good luck getting this consent).
- Businesses have to delete users’ accounts and unsubscribe them from email lists if the user asks them to do that.
- Businesses have to report data breaches and overall be better about data protection.
Is WordPress GDPR Compliant?
Yes, as of WordPress 4.9.6, the WordPress core software is GDPR compliant. But due to the dynamic nature of websites, no single platform, plugin or solution can offer 100% GDPR compliance.
The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site. If you have comments enabled on your website, then you need to add a comment privacy checkbox to comply. WordPress has added this comment consent checkbox. A user can still leave a comment without checking the box; all it means is that nothing is saved in their browser, so they have to manually enter their name, email, and website every time they leave a comment.
If your theme is not showing the comment privacy checkbox, then please make sure that you have updated to WordPress 4.9.6 and are using the latest version of your theme. Also please make sure that you are logged out when testing to see if the checkbox is there, because WordPress only shows it to logged-out commenters. If the checkbox is still not showing, then your theme is likely overriding the default WordPress comment form.
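As an added example (not code from the original post or from WordPress itself), the snippet below shows the typical way a theme loses the checkbox, by replacing the default fields with its own array, and a small filter you can drop into a child theme’s functions.php to put it back. The field key `cookies`, the input name `wp-comment-cookies-consent`, the option `show_comments_cookies_opt_in` and the `comment_form_fields` filter are the names WordPress core uses; the theme override at the top is a made-up stand-in.

```php
<?php
// Hypothetical theme code: it rebuilds the comment fields from scratch and
// silently drops the 'cookies' consent checkbox that WordPress 4.9.6 adds.
add_filter( 'comment_form_default_fields', function ( $fields ) {
    return array(
        'author' => '<p><input name="author" type="text" placeholder="Name"></p>',
        'email'  => '<p><input name="email" type="email" placeholder="Email"></p>',
    );
}, 10 );

// Defensive fix for a child theme: 'comment_form_fields' runs after both the
// default-fields filter and any 'fields' array passed directly to comment_form(),
// so it catches either way a theme can override the form.
add_filter( 'comment_form_fields', function ( $fields ) {
    // Core only shows the opt-in to logged-out commenters, when the site setting
    // is enabled and the default cookie handler is still hooked; mirror that.
    if ( isset( $fields['cookies'] ) || is_user_logged_in() ) {
        return $fields;
    }
    if ( ! get_option( 'show_comments_cookies_opt_in' )
        || ! has_action( 'set_comment_cookies', 'wp_set_comment_cookies' ) ) {
        return $fields;
    }

    // Pre-check the box only if the visitor already consented earlier
    // (i.e. a comment_author_email cookie exists), as core does.
    $commenter = wp_get_current_commenter();
    $consent   = empty( $commenter['comment_author_email'] ) ? '' : ' checked="checked"';

    // Same input name core reads when deciding whether to set the cookies,
    // and unchecked by default so consent is a positive opt-in.
    $fields['cookies'] = sprintf(
        '<p class="comment-form-cookies-consent">'
        . '<input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" '
        . 'type="checkbox" value="yes"%s /> '
        . '<label for="wp-comment-cookies-consent">%s</label></p>',
        $consent,
        esc_html__( 'Save my name, email, and website in this browser for the next time I comment.', 'my-child-theme' )
    );
    return $fields;
}, 99 );
```

After adding the filter, re-test while logged out: the checkbox should appear unchecked on the first visit and the name/email fields should only be pre-filled on a later visit if it was ticked.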
These changes add a level of protection for your site visitors and won’t hurt you to implement. Let’s get compliant!