The best compilation of advice on how to make your WordPress site GDPR-compliant
Everyone who runs a website on WordPress has probably heard of the GDPR. On May 25, 2018, the European Union's General Data Protection Regulation came into force. Although most sites have already discussed the issue, we will raise it again and try to find out whether this news is really as serious as it sounds. So, what should you do about the GDPR and your site after May 25?
In fact, the new law replaced the Data Protection Directive, the law that previously regulated privacy and data protection and protected Internet users from leaks of their personal data. It comes from the European Union, but it also regulates enterprises and users outside the EU.
Therefore, we will look at how much the rights of Internet users changed after the law came into force, and at the precautions that help you avoid problems with the law if you have a WordPress website.
Basic User Rights
The GDPR primarily gives users three rights.
1) Access to information. Users can find out how third parties use their personal information. Anyone who uses the data must provide additional information about it if the original owner of the data requests it.
2) Data erasure. The user can request that the company or any enterprise holding his data delete it, if the data belongs to him.
3) Control of personal information. The most controversial part of the new law is the user's ability to manage his personal data independently: he has the right to export the personal data held about him and transfer it to others.
This seems fine, but several large IT companies have announced that they will suspend service for users in the EU, precisely because of the change in the law.
Among them is Pinterest with its new Instapaper app. From Friday, its users in the EU will not be able to use the service.
The app says that the step is temporary and that access will be restored as soon as possible. The company explained that it had underestimated the amount of work involved in the transition to the new rules.
The Stardust movie app went even further: it removed its product from the European Google Play and App Store listings and deleted all records of its European users, since from Friday it would not even have the right to store EU users' data without adapting to the GDPR.
Some video game companies are also blocking their European users rather than adapting to the new rules. Among them is the well-known game Ragnarok Online, whose developers have promised to block all users from Europe (except for Russia and eight other CIS countries).
For some, of course, the new rules created not only problems but also opportunities: several new services have already appeared that offer site administrators a way to detect users from the EU and block them if they do not want to adapt to the new rules.
What happens if you do not follow the law?
If you are still wondering whether this law applies to your website: yes, if your website is visited by citizens of EU countries. You do not need to be from a European country yourself. That is why you should take into account the following aspects of the data on your site:
- Personal data (anything that identifies a person: names, addresses, etc.).
- How personal information is processed, stored and used.
A user's personal information is collected in various ways, for example from registration data, comments and entries in contact forms. An enterprise that stores such data about a user must be able to show at any time that the data's owner has allowed the company to use it, and the company must tell the user how it uses this data.
To avoid problems with data storage, you should regulate not only the flow of this data into your site but also check whether the plugins you use comply with the legislation. They may not be WordPress's own products, but they also have to comply with the GDPR. Correspondence and e-mail, that is, data about interaction with the user, are also regulated by this law.
Businesses can protect themselves from possible GDPR sanctions by implementing cybersecurity solutions and obtaining professional legal support. Another instrument of protection is cyber insurance, which also covers state fines.
At the moment, most insurance companies that provide cyber-risk insurance products confirm that, where the cyber insurance policy covers penalties, the client will be reimbursed for the amount of a fine imposed under the GDPR. The policy can be written for a maximum payout of 20 million euros, or for an amount pre-calculated from accounting documentation that amounts to about 4% of the company's global turnover.
What losses and expenses do insurers compensate? The insurance company will pay the amount of the fine imposed if personal data leaked as a result of a cyberattack, whether external (carried out by attackers not connected with the enterprise) or internal (with the assistance of a company employee).
In that event, if necessary, the insurer will also pay for lawyers' services for defence in court, including a trial to challenge the decision on the amount of the fine. In addition, the insurance covers recovery costs, not only when data has leaked but also when it has been destroyed.
How to follow the GDPR if you use WordPress
In order to follow the law and stay out of trouble, you should audit the security of your site. For example, use the "WP Security Audit Log" plugin, or other helpers to do this manually. The plugin records every user action on the site in a separate log. It will warn you in advance about suspicious user behaviour on the site. If you run into inappropriate behaviour, you can report it to the user as well as to the authorities within 72 hours.
However, we face the problem of defining a "user", since the law does not specify exactly who that is. For example, we cannot tell whether it means a registered user or a visitor. As a result, there is confusion about the concepts and about how they will be applied in court.
In general, there is nothing complicated about following the new law. But you should pay attention to the innovation, since most countries are increasingly trying to regulate human rights on the Internet.
The activist group Privacy International also advises users who are receiving a flood of new emails about changed terms to search them for the following keywords:
This phrase is usually found in the section about what information is collected and how. Users are advised to read carefully which of their personal data will be collected by third parties.
The new law clearly specifies that the places a user visits, or has visited in the past, are his personal information.
Therefore, services are required to report how they intend to use such information, in particular to identify specific users.
Consent must be given through a clear, unambiguous action.
The days when services automatically added users to their mailing lists unless they unticked a box are over.
But it is still worth checking how consent was given to one or another service, to avoid unpleasant consequences.
Users outside the EU should check where the online service they use is located. Facebook recently moved millions of its users out of the control of its Irish office, which means that these users will no longer be protected by the new EU rules.
“Purposes and Recipients”
These terms usually indicate who will use your data and whom it will be shared with.
One section of the GDPR prohibits publishing images of third parties without their informed consent.
If someone else is still in the frame, you must obtain written permission from him to publish the material on a social network. If that is not possible, the photographer has two ways out: the first is to refrain from publishing the material on social networks, and the second is to blur the faces of random passers-by.
In fact, the law completely kills candid street photography. A whole era is disappearing into the past, the one that produced the most famous photographs reflecting the life of Europe. It will be very difficult to photograph the sights of European cities without breaking the law.
If you post photos while still abroad, you should be prepared for serious trouble at the border. Of course, this ban is easy to circumvent, because a user can publish after returning from the trip. In addition, private accounts on social networks do not show up in searches for a particular hashtag, and this is another simple way of circumventing the GDPR.
This also applies to recordings from a car dashcam (DVR). You drove down a crowded street, and you have hundreds of passers-by on the recording. You cannot publish this video in any form. A ban on the use of dashcams has existed for several years in some European countries, but now it effectively applies throughout the EU.
The GDPR provides very tough punishment for violators: from a large fine to imprisonment. So it is time to start reviewing your photo and video habits when travelling to Europe, so as not to end up in a very unpleasant situation. And it is completely unclear how this law will work in Europe with regard to, for example, reportage photography.
Be transparent and simple
Make user registration simple and transparent, so that people can see all the information they provide to the site. It must also be possible to delete all of a user's information together with his profile.
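One concrete way to honour the deletion and export rights listed under "Basic User Rights" (items 2 and 3) and to keep a plugin's own stored data compliant, as discussed in the section on plugins and contact forms: hook the plugin into the Export Personal Data and Erase Personal Data tools that WordPress itself ships with (since 4.9.6). This is an added example, not code from the article or from any real plugin; the `mcf_entries` table, its columns and the `mcf_*` functions are assumptions, while the two filters and the callback contract are WordPress core.

```php
<?php
// Added example, not from the article: exposes a hypothetical contact-form plugin's
// stored entries to WordPress's built-in GDPR export/erase tools (WordPress 4.9.6+).
// The mcf_entries table, its columns and the mcf_* functions are assumptions.
// Data portability (Basic User Rights, item 3): register an exporter.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['mcf'] = array(
        'exporter_friendly_name' => 'Contact form entries',
        'callback'               => 'mcf_export_entries',
    );
    return $exporters;
} );
// Core calls this with $page = 1, 2, ... until the callback reports 'done'.
function mcf_export_entries( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, message, created_at FROM {$wpdb->prefix}mcf_entries
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, ( $page - 1 ) * $per_page
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'mcf-entries',
            'group_label' => 'Contact form entries',
            'item_id'     => 'mcf-entry-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',    'value' => $row->name ),
                array( 'name' => 'Message', 'value' => $row->message ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}
// Right to erasure (Basic User Rights, item 2): register an eraser.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['mcf'] = array(
        'eraser_friendly_name' => 'Contact form entries',
        'callback'             => 'mcf_erase_entries',
    );
    return $erasers;
} );
// $wpdb->delete() binds the address with %s, so the WHERE clause cannot be
// altered by whatever the requester typed into the form.
function mcf_erase_entries( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'mcf_entries', array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (bool) $deleted, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```

Once this is active, an administrator handling a user's request runs it from Tools > Export Personal Data or Tools > Erase Personal Data, and WordPress includes the plugin's entries alongside the core user, comment and media data.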