There’s been a lot of recent news about the General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018. The GDPR will have implications for all website owners, even those with U.S.-based companies. Below we’ve compiled a basic review of the GDPR & how to upgrade your website in order to stay in compliance & avoid potential financial penalties.
What is the GDPR?
The GDPR sets new standards for what data is collected on a website, how it is collected, and what is done with that data.
The law was written with very broad language. It will affect:
1) all organizations established in the EU
2) all organizations that process the personal data of EU citizens, regardless of where the organization is established.
The term “personal data” in the law has been expanded from just common information (name, email, phone number) and it now includes IP addresses, behavioral data, and financial information.
This means that the law sets standards for some of the following:
- how cookies are set up on your website
- how you track a visitor on your site
- how forms are set up on the site
Does this affect your business?
Because of the broad nature of the law, any U.S.-based company that processes the personal data of EU citizens may be required to comply with GDPR or face financial penalties as high as 20 million euros or 4% of global annual turnover.
- If your business is located in the E.U. or sells products/services to E.U. markets, it’s highly recommended that you consult legal counsel on GDPR compliance and get your website updated as soon as possible.
- If your business is located in the U.S., although the enforcement process of the GDPR is unclear, it’s recommended that you implement the best practices below.
GDPR Best Practices for WordPress
We’ve compiled the following recommendations to get your WordPress website updated for GDPR standards. You can reference the full list of GDPR requirements here. Note: these best practices have been updated as of May 21st to reflect the latest WordPress GDPR news.
1. New GDPR Tools in WordPress 4.9.6
The good news is that WordPress 4.9.6 was released on May 15, 2018 and it includes the following new features for GDPR compliance and data privacy:
- Designate a Privacy Policy page for the site
- Ability to export/erase data
- Email-based method to confirm personal data requests
- Comment settings adjusted for cookie opt-in
IMPORTANT: If you are part of TinyFrog’s hosting & maintenance service, our team will handle the WordPress Core update to 4.9.6 for your website to make sure no compatibility issues or bugs occur. Contact us if you have questions.
After your site is updated to WordPress 4.9.6, it’s recommended that you review the Privacy area in Settings to connect your privacy policy page or set up a privacy policy for the website.
2. Set Up Cookie Preference Management
Under GDPR, you cannot assume that a website visitor has opted into the cookies on your website. You’ll need to set up a way for visitors to:
- Prevent cookie tracking until a visitor opts in
- Allow visitors to update their cookie preferences
- Provide the same site experience for those who don’t opt in
There are several WordPress plugins available & different paid options to manage cookie preferences on your site.
Contact our team for help in setting up & configuring the right plugin for your site.
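The three requirements above (no tracking before opt-in, a way to change the choice later, the same site either way) come down to a small piece of client-side logic that any consent plugin implements. The block below is an added example, not code from the original post or from any particular plugin: it stores the visitor's choice per cookie category in a single consent cookie, defaults to "deny" when no choice has been recorded, and only injects tracker scripts for categories the visitor has opted into. The cookie name `gdpr_consent`, the category names, the `|`/`:` encoding and the tracker URLs are assumptions made for this example.

```javascript
// Added example (not from the original post): a minimal cookie-consent gate.
// Cookie name, category names and tracker URLs are assumptions for this example.
const CONSENT_COOKIE = 'gdpr_consent';
const CATEGORIES = ['analytics', 'marketing']; // strictly necessary cookies need no consent

// Parse the consent cookie out of a raw document.cookie / Cookie header string.
// recorded === false means the visitor has never made a choice; that is treated as deny.
function parseConsentCookie(cookieString) {
  const consent = { recorded: false };
  for (const category of CATEGORIES) consent[category] = false;
  for (const part of (cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    const value = decodeURIComponent(rest.join('='));   // e.g. "analytics:1|marketing:0"
    for (const pair of value.split('|')) {
      const [category, flag] = pair.split(':');
      if (CATEGORIES.includes(category)) consent[category] = flag === '1';
    }
    consent.recorded = true;
  }
  return consent;
}

// Inverse of parseConsentCookie: "name=value" without attributes.
function serializeConsent(consent) {
  const value = CATEGORIES.map((c) => `${c}:${consent[c] ? 1 : 0}`).join('|');
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}`;
}

// Opt-in only: an unknown category or a visitor with no recorded choice gets nothing.
function isAllowed(consent, category) {
  return consent.recorded === true && consent[category] === true;
}

// Tracker scripts keyed by category (placeholder URLs).
const TRACKERS = {
  analytics: ['https://example.invalid/analytics.js'],
  marketing: ['https://example.invalid/ads.js'],
};

// Pure decision function, so the gating logic can be tested without a DOM.
function scriptsToLoad(consent) {
  return CATEGORIES.filter((c) => isAllowed(consent, c)).flatMap((c) => TRACKERS[c]);
}

// Browser-only: inject the permitted scripts. Page content never depends on consent,
// so a visitor who declines gets the same site minus the trackers.
function applyConsent(consent) {
  const scripts = scriptsToLoad(consent);
  if (typeof document === 'undefined') return scripts;   // not in a browser (e.g. tests)
  for (const src of scripts) {
    if (document.querySelector(`script[src="${src}"]`)) continue; // already loaded
    const s = document.createElement('script');
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
  return scripts;
}

// Called from the preference panel whenever the visitor changes a choice.
// Revoking consent cannot unload a script that is already running, so the panel
// should reload the page afterwards; the trackers' own cookies must be expired too.
function updateConsent(choices) {
  const consent = { recorded: true };
  for (const c of CATEGORIES) consent[c] = choices[c] === true;
  if (typeof document !== 'undefined') {
    const sixMonths = 180 * 24 * 3600;
    document.cookie =
      `${serializeConsent(consent)}; Path=/; Max-Age=${sixMonths}; SameSite=Lax; Secure`;
  }
  return consent;
}

if (typeof module !== 'undefined') {
  module.exports = { parseConsentCookie, serializeConsent, isAllowed, scriptsToLoad, applyConsent, updateConsent };
}
```

On page load, call `applyConsent(parseConsentCookie(document.cookie))` instead of embedding the analytics snippet directly in the theme; the consent cookie itself is strictly necessary and needs no opt-in. The `Secure` attribute means the choice is only stored over HTTPS, which is one more reason for the SSL certificate mentioned under item 5.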
3. Update Your Website Privacy Policy
Every website should have a privacy policy page and it’s recommended that you adjust the policy to include new GDPR standards.
Right now, the free policy generators do not have the GDPR information included in their templates. This is a good resource for the GDPR standards to add to your privacy policy.
4. Check Email Newsletter Sign Up Process
Under the GDPR, a visitor needs to provide clear consent that their data can be stored & used by the processor.
If you have forms on your website where a user can join your email newsletter when they are providing information for another matter, you’ll need to either:
- Adjust the email signup process to double opt-in, where an email is sent to the subscriber to confirm & subscribe, OR
- Add a checkbox field to your form with language stating that the visitor is consenting to join your email list. The checkbox cannot be checked by default under the GDPR.
5. Secure Your Site to Prevent Data Breaches
The GDPR has a major focus on data security & how businesses handle a data breach. Under the GDPR, a business must notify all users/customers of a data breach on their website within 72 hours of the breach.
Make sure you are following best practices for security, including:
- 24/7 security monitoring & malware removal
- Secured hosting server for WordPress
- Monthly maintenance by an expert WordPress developer
- SSL certificate
- Regular backup of entire site database
NOTE: If you are part of the TinyFrog hosting & maintenance program, our servers meet the GDPR compliance requirements listed above. Contact our team for more information.
What To Expect
Even though the GDPR enforcement process remains unclear for U.S. businesses, European law tends to set the trend for international privacy regulation.
It is only a matter of time before these standards are adopted in the U.S. and globally. Updating your website now to meet these standards can create a competitive advantage for your business & save time and hassle later.