GDPR for WordPress Websites

There is no doubt about it, the General Data Protection Regulation introduces some hefty regulations surrounding how personal data is handled.

If your business processes and stores the personal data of EU citizens (even just in plain old email), GDPR applies to you.

There is a lot of scaremongering over the penalties associated with failing to comply with GDPR – up to 4% of your turnover or €20 million. But it is worth noting that the ICO will work constructively with organisations where an issue is raised, in a non-adversarial way. Fines only tend to be imposed when a business commits a very severe privacy violation, or where a business refuses to cooperate or repeats its mistake. Yes, you do need to take GDPR seriously. But it will be of most value both to your organisation and to your customers if you do so with a positive ‘how can we improve things’ outlook, rather than thinking of it as a box-ticking exercise to avoid penalties.

Update 30/04/2018: Please also see this blog post with an update on a few GDPR specifics.

 

Where should I start/what should I do?

Firstly (and using words pinched from Ninja Forms), an obligatory disclaimer so I don’t get thrown out of a metaphorical window by a lawyer: I’m not a lawyer and what follows isn’t legal advice. I have a vested interest in your success under GDPR, but if you need concrete legal counsel, talk to a lawyer.  This page is purely the result of my own research into the regulation and its requirements. If you notice things that are wrong, out-of-date or missing – please let me know!

If you haven’t started your GDPR preparations yet, here’s a basic plan that should work for small businesses – based on what we have done at Hexagon:

  1. Read through the ICO’s guidance on GDPR and the rest of this article.
  2. Conduct a personal information audit for your business. Here’s the template I created for Hexagon, with a sample row left in. (I’ve also left in a sheet detailing 3rd Party compliance with US-EU Privacy Shield, which is required for international data transfers.)
  3. Identify any weaknesses and address these. This article gives an overview of how GDPR applies to websites, and corresponding action points.
  4. Update your Privacy Information Notice / Privacy Policy. Take a look at Hexagon’s notice here. (Feel free to use this as a starter, but it will need to be personalised!!)
  5. Create/update your Internal Data Security Policy. This should outline the policies and procedures you have in place internally to ensure the security of personal data. Hexagon’s Internal Data Security Policy may be made available on request.

 

The Theory


It’s important to note that GDPR doesn’t just affect your website – it affects all aspects of personal data processing and storage. This article specifically looks at the implications for your website, although some of the resources on this page cover GDPR more widely.

There will be few websites that don’t need at least some tweaking in order to comply with GDPR. For most people, the key concerns will be as follows:

  • Keeping people informed

    The first of the eight ‘rights’ of the individual under GDPR is the right to be informed. At the most basic level, this means you must have a concise, transparent and intelligible Privacy Information Notice (otherwise known as a Privacy Policy) on your website, explaining what data you collect and what you do with it. See the section below on Privacy Information Notices for more details.

  • Consent

    Under GDPR, one of the lawful bases for processing personal information is that the data subject has consented to it. The GDPR sets a high standard for consent. Consent means offering individuals genuine choice and control, and requires a positive opt-in (i.e. no pre-ticked checkboxes!). It must be specific and granular.

    However! You don’t always need consent – it is only one of the 6 lawful bases for processing data. In the words of the ICO: ‘If consent is too difficult, look at whether another lawful basis is more appropriate.’ See the sections below on Forms and Blog Comments for more information on what this means for your website.

  • Data retention

    One of the things that you must consider under GDPR is the retention period for the personal information you hold. There are no minimum or maximum periods for retaining personal data, but you shouldn’t keep data for longer than is necessary to fulfil the purpose for which it was originally collected. Your Privacy Information Notice should outline data retention periods, or the criteria used to determine the retention period.

  • Security & data breaches

    The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.

    The GDPR also introduces duties on all organisations as to how data breaches are handled.

    See the sections below on Password Best Practice & Website Hosting.

  • International transfers

    Importantly, GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. Information may only be transferred outside the European Union to countries that the EU Commission has decided have an adequate level of protection, or where the organisation receiving the personal data has provided adequate safeguards.

    Many small businesses use data services (think email, website hosting, invoicing, CRMs, newsletters, …) provided by companies based outside of the European Union, often in the United States. As the U.S. is not considered to have adequate protection as a country, there is a need to fall back on the EU-U.S. Privacy Shield Framework, which many U.S. businesses have certified under. Be aware that there are ongoing legal discussions about whether this Framework offers sufficient protection – keep your eyes and ears open.

    This has implications far beyond websites, but see the section below on Website Hosting if you host your website through Hexagon (or are a WP Engine client).

  • Being able to easily collate/correct/delete all data on an individual

    As well as the right to be informed, GDPR provides 7 other rights for individuals (read more about GDPR rights on the ICO website).

    This means you need to know what data is being stored on your website, where it is, and how to pull it out into a format (usually a CSV file) that can be supplied to the end user on request. You will need the ability to edit or delete all data concerning a specific individual from your website. It may be practical to do this manually, or, for larger websites, you may need a more sophisticated solution. The key will be to ensure each data record can easily be identified – probably by email address.

    See the sections below on Forms and Blog Comments for more details.

 

How this works in practice on a WordPress website

The implications/principles listed above are fairly generic. Let’s now take a look at what this actually means in practice for your WordPress website.

  • Introduction: WordPress & GDPR

    WordPress is an open source project, created and run by an extensive global WordPress community. It would probably be fair to say that WordPress is a US-centric project, and as such has been slow off the mark when it comes to GDPR. We are starting to see movement – there is for example a GDPR for WordPress Project that is seeking to provide a standard for plugin compliance.

    As time progresses, I hope that the whole project will become more GDPR-aware – and some of the activities described below will become more straightforward. For the time being, we need to work with what we’ve got.

    Throughout the GDPR compliance process, your first thought should be one of data minimisation. Only request, process and store the data that you need to fulfil the task in hand. Data you don’t have is data you don’t have to worry about.

    When performing your data audit, get rid of any data that you no longer need. Also discard any data that you don’t have a valid legal basis for processing.

    Don’t think of your GDPR preparations as a once-only activity. Given the current state of flux, there will be a need to revisit and keep up-to-date with developments both legally and technically (i.e. WordPress).

  • Website Hosting

    If your website is hosted with Hexagon, the following applies:

    Your website is hosted on a secure managed hosting platform, provided by WP Engine. The WP Engine hosting platform provides enterprise-grade security features, including managed WordPress updates and patches, threat detection and blocking, disk write protection, and more.

    Your website is served over HTTPS; this means that traffic to and from the website is encrypted. When personal information is sent via a form on your website, or when an administrator logs into your website, that information is passed from the browser to the website server in encrypted form – so unintended users are unable to intercept the data.

    Your website is backed up daily as part of WP Engine’s managed hosting service. Backup media is encrypted.

    Your website is hosted in a UK (London) data centre. WP Engine are a US-based company; the company participates in and has certified their compliance with the EU – U.S. Privacy Shield Framework.

    Server logs are kept for operational & security reasons; these contain IP addresses of website visitors. Server logs are stored unencrypted for 7 days, and then moved to an encrypted backup which is stored indefinitely and only accessible by WP Engine. WP Engine does not have any legal means of linking up the IP address with any other personal data of the website visitor.

    Consider adding this information to your Privacy Information Notice / Internal Data Security Policy.

    You should also ensure you have a data breach plan in place – i.e. a clear plan of what you will do if your organisation experiences a data breach (whether via your website, or via other means – e.g. a laptop being lost or stolen).

  • Password Best Practice

    The GDPR requires personal data to be processed in a manner that ensures its security. When it comes to your WordPress website, your first line of defence is your password. I can’t emphasise enough how important it is that you set a strong, unique password for your WordPress account, and also for your hosting and domain accounts.

    A strong password could be one of the following:

    • A random string of letters, numbers and punctuation, generated by a password manager
    • A passphrase – a sentence of words
    • A collection of lower and uppercase letters/numbers generated by taking the first letter of each word in a passphrase. E.g. I have 4 nieces and 1 nephew, they’re all lovely! = Ih4na1n,tal

    Passwords should never be a dictionary word (even if combined with numbers), or set of easily-guessable digits (e.g. 12345 or your birth date).

    Update/change any weak passwords.

    Consider using a password manager such as LastPass to securely store passwords. That way, you only have to remember a single, strong password.

    Communicate the need for strong passwords to staff.

    Add guidance/policy rules to your Internal Data Security Policy.

  • Privacy Information Notices

    You need one.

    The ICO has guidance on what information must be supplied in this notice. You can see Hexagon’s Privacy Information Notice here; feel free to use this as a basis from which to create your own – although bear in mind that it has not been reviewed by a lawyer!

    You must provide users with this information at the point at which they are giving you their personal information (e.g. at the most basic level, via a link on a form). Your Privacy Information Notice should also normally be linked from the footer of your website.

    Create your own Privacy Information Notice (you’ll probably want to do this after you’ve done an audit of what data you hold and where).

    Publish this on your website, ensuring it is linked from your website footer, and also in-context wherever you are asking users to supply personal information.

  • Website Forms

    There are a lot of resources on the web which state that if you have a form on your website, you must add a checkbox which specifically asks for the user’s consent to process and store their data.

    But the ICO’s guidance on consent actually says the following (amongst other things):

    • The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
    • Avoid making consent to processing a precondition of a service.

    My deduction is that for general contact/enquiry forms, where you are processing and storing information to allow you to respond to an enquiry, consent would be a precondition of service – you can’t respond to an enquiry unless you have the person’s name/email address/enquiry! Consent is therefore pretty meaningless in this situation, and one of the other legal bases for processing data would be more appropriate – e.g.:

    • 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
    • 6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

    If any of these apply, it follows that you don’t need a consent checkbox on your form.

    However!!!

    This doesn’t exempt you from the requirements of GDPR more generally. Specifically:

    • You should link to your Privacy Information Notice, and let people know that by completing the form, their data will be processed and stored in accordance with that notice.
    • You need to have a way to collate/correct/delete that data on request (see below).

    So when is consent required?

    As I understand it, positive opt-in consent WOULD be required if, for example, you are signing people up to a marketing newsletter, as part of another process.

    Imagine you have a contact form. It would be unlawful to simply add people to a marketing list simply by virtue of the fact they have completed your contact form. In this instance, you must have an explicit checkbox, unchecked by default, specifically asking people whether they consent to receiving marketing emails. It should be separate from any terms and conditions checkbox.

    Question: is a consent checkbox required in an email marketing signup form? Most people would say yes. But if the only purpose of the form is to sign people up to your marketing list, and you make sure people are aware that that is the case, presumably a consent checkbox would be a precondition of service, and therefore rather meaningless. Common sense would argue that it’s unnecessary.

    Establish the legal basis for any contact forms you have & ensure this is documented.

    Add a clear link to your Privacy Information Notice somewhere on your form; the link text could read something like: ‘Your data will be processed and stored in line with our Privacy Policy [link].’

    Data retention

    Many WordPress forms plugins store form entries in the website database, as well as emailing them to the nominated administrator. This is useful in the event that email notification fails. However, under GDPR, it is difficult to justify storing these entries in the website database indefinitely.

    There are several ways around this:

    • We may see the big forms plugins players (Gravity Forms for example) introduce plugin options which allow us to deal with data retention more effectively
    • Alternatively, it would be relatively simple to code a solution to either 1) stop Gravity Forms storing entries in a database or 2) delete entries automatically after 30 days. There is already a plugin which stops Gravity Forms storing entries on the database.
    • As a last resort, one could introduce a manual process whereby form entries were manually deleted every 30 days.

    The information above deals specifically with Gravity Forms, but applies in principle to other plugins too. This analysis of how and where popular WordPress contact forms plugins store data may be useful.
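    The two Gravity Forms options above (stop storing entries, or purge them after 30 days) as a small must-use plugin. This is an added example, not Gravity Forms’ or Hexagon’s own code; it assumes Gravity Forms is active (the GFAPI class), that WP-Cron runs, and that the form IDs, the 30-day period and the hexagon_ prefixed names are placeholders to adapt.

```php
<?php
/**
 * Plugin Name: Form Entry Retention (illustrative)
 *
 * Added example, not Gravity Forms' own code. Assumes Gravity Forms is
 * active (GFAPI class) and WP-Cron is running. The form IDs, the
 * 30-day period and the hexagon_ prefixed names are assumptions.
 */

if ( ! class_exists( 'GFAPI' ) ) {
    return; // Gravity Forms not active; nothing to do.
}

// Option 1: never keep a database copy for the listed forms. Notifications
// have already been sent when gform_after_submission fires; a late priority
// lets any add-on feeds on the same hook run before the entry disappears.
add_action( 'gform_after_submission', function ( $entry, $form ) {
    $no_storage_forms = array( 1, 2 ); // assumed form IDs
    if ( in_array( (int) $form['id'], $no_storage_forms, true ) ) {
        GFAPI::delete_entry( $entry['id'] );
    }
}, 99, 2 );

// Option 2: keep entries as a fallback for failed email, but purge anything
// older than the documented retention period.
const HEXAGON_GF_RETENTION_DAYS = 30;
const HEXAGON_GF_BATCH_SIZE     = 200;

// Fetch one batch of active entries created on or before the cutoff, across all forms.
function hexagon_gf_expired_entries( $days ) {
    $cutoff = gmdate( 'Y-m-d H:i:s', time() - $days * DAY_IN_SECONDS );
    $search = array(
        'status'   => 'active',
        'end_date' => $cutoff, // Gravity Forms stores date_created in UTC
    );
    $paging = array( 'offset' => 0, 'page_size' => HEXAGON_GF_BATCH_SIZE );
    return GFAPI::get_entries( 0, $search, null, $paging ); // 0 = every form
}

// Delete expired entries batch by batch; returns the number removed.
function hexagon_gf_purge_expired_entries() {
    $deleted = 0;
    do {
        $entries = hexagon_gf_expired_entries( HEXAGON_GF_RETENTION_DAYS );
        if ( is_wp_error( $entries ) || empty( $entries ) ) {
            break;
        }
        $removed = 0;
        foreach ( $entries as $entry ) {
            if ( true === GFAPI::delete_entry( $entry['id'] ) ) {
                $removed++;
            }
        }
        $deleted += $removed;
        // Stop if nothing could be deleted, so a failing delete cannot loop forever.
    } while ( $removed > 0 && count( $entries ) === HEXAGON_GF_BATCH_SIZE );
    return $deleted;
}

// Run the purge once a day via WP-Cron.
add_action( 'hexagon_gf_purge_event', 'hexagon_gf_purge_expired_entries' );
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'hexagon_gf_purge_event' ) ) {
        wp_schedule_event( time(), 'daily', 'hexagon_gf_purge_event' );
    }
} );
```

    Whichever option you use, the retention period in the code should match the one documented in your Privacy Information Notice.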

    Establish how long you will be storing forms information, and document this.

    Where necessary, establish a process and/or systems for deleting data when it is no longer required.

    Responding to requests for access/rectification/erasure

    How you handle this will be dependent on the forms plugin you use, and where you store form submissions.

    If you use Gravity Forms, the plugin has an Export facility which allows you to pull out entries by email address, and export to CSV file.

    Likewise, you have the ability to search for entries by email address, and bulk delete.

    Note: it’s therefore generally a good idea to ask for an email address in any forms on your website – so that you have a unique handle by which to pull out users’ data should they request it.

    Check that you have a process for easily finding form submission data relating to an individual.

    Check you have a process in place to correct, delete, or export the data (normally to a CSV file). Consider doing a dummy run.

    Ensure this process is documented in your internal data security policy. This is also a good place to list all the places where you hold data (not just your website), so that if an individual requests access/rectification/erasure, you know where to look.

  • Blog Comments

    Many WordPress websites will have a blog, with the ability for visitors to leave a comment on individual blog posts. When a user completes the comment form, their name, email address, comment (& optionally, their website) is stored within the website database. Their name, website (if provided) and comment are published publicly at the bottom of the blog post.

    As with contact forms, if someone doesn’t consent to their data being processed and stored on the website, it means we can’t offer them the service of commenting on the blog. A consent checkbox would therefore be inappropriate. The legal basis for storing personal data in this situation would seem to be as follows:

    • 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

    Again, what you do need to do is ensure the user is aware that by submitting a comment, their data will be processed and stored in accordance with your Privacy Information Notice. A short statement explaining this, and linking to the Privacy Information Notice, would make sense here.

    It would also be sensible to explicitly request that users do not enter personal information into the comment field itself.

    Note that by default, WordPress also stores commenter IP addresses in the database. This is partly to help combat comment spam. You should address this in your Privacy Information Notice, or alternatively, there are ways that you can stop storing the IP address – via a plugin, or if you’re a developer, by using a filter. More details. I’m guessing this may affect the functionality of anti-spam services such as Akismet.

    Add a clear link to your Privacy Information Notice somewhere on your blog comment form; the link text could read something like: ‘Your data will be processed and stored in line with our Privacy Policy [link].’

    Consider explicitly stating in this notice that users should not enter personal information into the comment field itself.

    Consider implementing a solution which prevents WordPress storing comment authors’ IP addresses in the website database.

    Data retention

    Given their nature, it makes sense to retain comments until the corresponding blog or blog post is deleted. They are part of a wider conversation which exists for public information.

    Responding to requests for access/rectification/erasure

    WordPress provides an easy way to search comments, so it is relatively straightforward (at least on a relatively small scale blog) to view all comments for a given email address.

    WordPress doesn’t currently provide an easy way to export comments for a given email address. There are plugins available that will do this (the premium version of WP All Export being one). I expect, or hope, that as the GDPR deadline gets closer, WordPress may introduce a way to do this natively.

    Deletion – although it’s easy to bulk delete comments by email address, that may not be appropriate, as the flow of conversation will be destroyed. My gut feeling on this is that it’s not reasonable to be expected to delete comments in this way, but I stand to be corrected. As a minimum, you will need to remove/edit personal data from comments on request. Individual comments can be edited and the name/email address/website removed. There is currently no way to do this in a bulk fashion, as far as I am aware. Again, I would hope that WordPress will introduce a way to manage this requirement in future.
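    Two of the gaps noted above (stopping the full commenter IP being stored, and removing a person’s details from all their comments without deleting the thread) as a must-use plugin. This is an added example, not WordPress core code; the hexagon_ function names, the “Anonymous” placeholder and the choice to keep a truncated rather than empty IP are assumptions.

```php
<?php
/**
 * Plugin Name: Comment Privacy Helpers (illustrative)
 *
 * Added example, not WordPress core code. Function names and the
 * "Anonymous" placeholder are assumptions. Place in wp-content/mu-plugins/.
 */

// 1. Reduce what is stored at write time. WordPress passes the commenter's
//    address through the pre_comment_user_ip filter before inserting the
//    comment. Zeroing the last IPv4 octet (or all but the first 48 bits of an
//    IPv6 address) keeps a coarse network signal while dropping the full address.
//    Test Akismet or similar afterwards: a truncated address gives it less to work with.
function hexagon_anonymise_ip( $ip ) {
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $parts    = explode( '.', $ip );
        $parts[3] = '0';
        return implode( '.', $parts );
    }
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
        $bin = inet_pton( $ip );
        $bin = substr( $bin, 0, 6 ) . str_repeat( "\0", 10 );
        return inet_ntop( $bin );
    }
    return ''; // unrecognised input: store nothing rather than something odd
}
add_filter( 'pre_comment_user_ip', 'hexagon_anonymise_ip' );

// 2. Respond to an erasure request without destroying the conversation:
//    strip the identifying fields from every comment left with one email
//    address and keep the comment text in place. Returns the number changed.
function hexagon_anonymise_comments_by_email( $email ) {
    $comments = get_comments( array(
        'author_email' => $email,
        'status'       => 'all', // approved and pending (not spam/trash)
        'number'       => 0,     // no limit
    ) );
    $updated = 0;
    foreach ( $comments as $comment ) {
        $result = wp_update_comment( array(
            'comment_ID'           => $comment->comment_ID,
            'comment_author'       => 'Anonymous', // assumed placeholder name
            'comment_author_email' => '',
            'comment_author_url'   => '',
            'comment_author_IP'    => '',
            'user_id'              => 0,
        ) );
        // wp_update_comment returns 1 when a row was changed.
        if ( 1 === $result ) {
            $updated++;
        }
    }
    return $updated;
}
```

    After confirming the requester’s identity, the second function can be run from WP-CLI with `wp eval 'echo hexagon_anonymise_comments_by_email("person@example.com");'`; note that anything personal inside the comment text itself still has to be edited by hand.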

    If blog comments are enabled on your website – verify you know how to find/change/delete comments.

    Consider whether a manual process for exporting comments is realistic for your website, or whether you need a more sophisticated solution.

    Ensure this process is documented in your internal data security policy.

  • Google Analytics

    This is an interesting one. Google Analytics is used to track how many visitors you get on your website, what content they’re looking at, etc. No names, email addresses or addresses should end up in Analytics (unless you stick those in URL query parameters – ouch).

    But. Crucially, under GDPR, IP addresses are considered to be personal information. The user’s IP address is not accessible within Analytics (to the administrator), but Google uses it to determine visitor location and apparently it could potentially be accessed by a Google employee.

    It’ll be interesting to see how this pans out, but if you’re after a belts and braces approach, it is possible to anonymise the IP address (by setting the last octet of the address to 0), whilst still allowing Google to approximate location. This is achieved through adding a setting to your analytics tracking code. Read Google’s instructions for IP Anonymisation in Analytics or view the source of this page to look at the analytics tag on this website.

    If your website uses Google Analytics, consider whether you need to anonymise IP addresses.
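    One way to add the anonymisation setting from a theme or must-use plugin rather than pasting the tag into a template. This is an added example, not Google’s or Hexagon’s own tag; it assumes the gtag.js tracking code, a placeholder property ID, and the hexagon_ function name.

```php
<?php
// Added example: print the gtag.js snippet with IP anonymisation switched on.
// 'UA-XXXXXXXX-Y' is a placeholder; replace it with your own property ID.
function hexagon_ga_snippet() {
    $property_id = 'UA-XXXXXXXX-Y';
    ?>
    <script async src="https://www.googletagmanager.com/gtag/js?id=<?php echo esc_attr( $property_id ); ?>"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){ dataLayer.push(arguments); }
      gtag('js', new Date());
      // Without anonymize_ip, Google receives and stores the visitor's full address;
      // with it, the last octet is zeroed before the hit is processed.
      gtag('config', '<?php echo esc_js( $property_id ); ?>', { 'anonymize_ip': true });
      // For the older analytics.js tag the equivalent is: ga('set', 'anonymizeIp', true);
    </script>
    <?php
}
add_action( 'wp_head', 'hexagon_ga_snippet' );
```

    Check the setting took effect by viewing the page source, as the article suggests, and confirming the config call carries `anonymize_ip: true`.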

  • E-Commerce

    WooCommerce (the de facto WordPress e-commerce plugin) will store order and user account data within your website database. Much of what is written above regarding forms applies to e-commerce – e.g. making sure you inform users of how their data will be processed, this time within the checkout form somewhere.

    If, as part of the checkout process, you are signing users up to an e-mail marketing list, or using their data for any other purpose than to fulfil the initial order/administrate their user account, you will need to ensure you seek clear, unambiguous consent, with a checkbox unchecked by default.

    If you are using any WooCommerce extensions, you should check to see if these are requesting/processing/storing personal information in any way.

    Add a note/link to your checkout page, informing customers how their data will be handled.

    If you are signing users up to a mailing list or other service on checkout, ensure you have a specific, unambiguous, opt-in checkbox, unchecked by default.

    Establish whether you are using any WooCommerce extensions that request/process/store personal information. Document/address as appropriate.

    Data retention

    By default, WooCommerce will store order records indefinitely. You will need to assess whether this is appropriate, and what legal responsibilities you have for retaining order data. In the UK, there is a legal duty to retain accounting records (including all money received by the company, for example invoices, contracts, sales books and till rolls) for at least 6 years.

    Likewise, user accounts will normally exist indefinitely in WordPress, unless they are manually deleted.

    Establish how long you need to store order information for, and document this.

    Where necessary, establish a process and/or systems for deleting data when it is no longer required.

    Responding to requests for access/rectification/erasure

    Because of the legal requirement to retain order data for a minimum of 6 years, it won’t always be appropriate to respond positively to requests for erasure or rectification of this data. You should however document how you will deal with requests for access.

    As regards user accounts created by WooCommerce, the normal points will apply – ensure the details are documented in your Privacy Information Notice, document retention periods, and ensure you have a documented process for responding to requests for access/rectification/erasure. WordPress/WooCommerce allow you to search by username or email address, so this shouldn’t prove too onerous.

    The following resources may also be helpful: Willows Consulting article on GDPR for e-commerce; Xanthos article on what GDPR means for e-commerce businesses.

    Check that you have a process for easily finding all e-commerce data relating to an individual.

    Check you have a process in place to correct, delete, or export the data (normally to a CSV file) – and know when data should not be updated for legal reasons. Consider doing a dummy run.

    Ensure this process is documented in your internal data security policy – so if an individual requests access/rectification/erasure, you know where to look.

  • Other areas to consider
    • User registration – applicable if you are allowing users to register directly on your website. I suspect this would be a case of ensuring users are kept informed (link to Privacy Information Notice at the point of registration), and also ensuring you have the means to collate/rectify/delete user data on request.
    • Newsletter lists. You might like to read MailChimp’s GDPR guide (there’s a link to the guide PDF towards the bottom of the page). Plus this article on legacy email marketing lists & GDPR has a table which gives a handy overview of what you should consider doing under different circumstances.

 

Get in touch

If you would like clarification on any of the above, or advice on how to ensure your website is GDPR compliant (bearing in mind I’m not a GDPR expert or lawyer!), please get in touch. Please also let me know if you have noticed any errors or omissions in this page.
