The GDPR is the hottest topic of the moment and unless you are very comfortable with lawyers jargon, it can be quite confusing and hard to interpret.
In this post we’ll try to explain what it is in the simplest possible way and we’ll provide a checklist to help you understand if you are compliant or not.
What is the GDPR
The General Data Protection Regulation (GDPR) is a new EU law that sets guidelines for the collection and processing of personal information of citizen of the European Union (EU) or individuals in the EU.
This new legal framework is designed to enable European internet users to better control their personal data.
It took the European Parliament and the European Council more than four years of discussion and negotiation to find an agreement, that finally came on April 2016.
The 88 page GDPR will come into effect on May 25, 2018. Companies and organizations had 2 years to get ready.
Unfortunately the WordPress community as a whole neglected this deadline way too long. Everyone now is rushing to be fully compliant.
Most likely and it is unfortunate, the vast majority of us will not be 100% compliant by May 25th.
Later in the article we will explain why, but first, let us explain the GDPR in layman terms.
Territorial Scope – Who does the GDPR apply to?
1) Anyone that holds or processes data within the EU. That’s all companies within the 28 countries that form the EU (full list here).
2) Companies outside the EU, for example, US companies who hold any data on users from one of the 28 EU countries.
If a website doesn’t restrict EU residents, allows European resident to register, accepts one or more currencies of an EU country, offers shipping services to EU countries, provides translation in the language of an EU country, publish comments or reviews from EU citizens or markets in the language of an EU country, the GDPR will apply.
If a company monitors the behavior of EU visitor by collecting data about EU users to predict their online behavior, (Through Analytics or Facebook Pixel to name the most popular) the GDPR likely will apply to that company too no matter where it is located.
GDPR Key Elements
The Data subject
Is the individual (website visitor) who you are collecting data from.
Anything that you do with the data is considered processing data. Collecting, storing, transferring, modifying, use it for marketing are just few examples.
More info here: GDPR Art. 4 (2)
What is Personal Data?
To simplify : any data that you collect about an individual is personal data.
For example: full name, email, age, personal identification number, location info, ip address, preferences, email address, social network ids and so on.
More info here: GDPR Art. 4 (1)
What is Sensitive Data?
Sensitive Data is considered a special category of data such as, but not limited to: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic data or biometric data.
If you are dealing with sensitive data you must obtain explicit consent and it requires strengthened data protection measures. Getting legal advice to ensure compliance in this case would be wise.
What is Anonymous Data?
Personal data is such as long as it is tied to a personal identifier such as name, an identification number, location data or an online identifier.
If data is not tied to one such identifier because it has been removed, the data is no longer considered personal. In that case it is considered anonymized data.
Who is the Data Controller
The data controller can be an organization or an individual. The duty of the data controller is to determine what personal data is collected, how it used and he is the sole responsible of the data protection.
If you are a small company/website owner, that’s you.
Who is the Data Processor?
The data processor is normally a software or a service. For example your hosting provider or the service used to send newsletters would be the Data Processor.
For our customers, GeoDirectory is a Data Processor too, for example whenever you provide us access to your website to get support.
There must be a contract between the Data Processor and the Data Controller as specified here. (In our case we will include this in our Terms and Conditions.)
The Data Processor is never held liable for the data protection rules, the data controller is always responsible for data protection.
How to be compliant
You must outline which data you collect, why you collect it, for how long you will store it and you protect it.
You must make it easy for users to contact the data controller to request information about privacy and data collected/stored by your website.
Data Subject Rights
You must provide all personal data collected from an individual, should that individual request it.
You must provide information about how they are processed and transfer them or delete them should the data subject requests to do so.
You can provide tools for users to do this autonomously or request users to contact you for it and process it manually.
Obtain Explicit Consent
If you collect data and processes it beyond the legitimate purpose for which that data was collected, you must obtain a clear and explicit consent from the data subject.
For example, if you wish to sign up to your newsletter, people that are purchasing your services, you must obtain consent. The checkbox to obtain consent can’t be ticked by default (opt-out). It must be un-ticked by default (opt-in).
Consents must be logged, because you must be able to demonstrate when and how you obtained it.
The Data subject must be able to revoke consent at any time.
Monitoring and Alerting about Personal Data Breach
The data controller must keep a Personal Data Breach log. In case of Personal Data breach, the data controller must alert the regulator and the data subject within 72 hours of discovering the data breach.
Privacy by Design
Any new project must include procedural and technical mechanism to protect personal data. Privacy and data protection procedures and tools should be included in new projects by default.
Should you redesign your directory, make sure to keep privacy in mind from the start.
Data Protection Impact Assessment
a Data Protection Impact Assessment is required when modifying the way data is processed within your organization or when initiating any new project.
The Personal Data Controller (you) is responsible to ensure data protection at all time, even when data is transferred to any external data processor.
Data Protection Officer
When a significant amount of data is processed, a Data Protection Officer should be appointed. A GDPR draft mentioned this requirement was for companies with more than 250 employees, but in the final law that number no longer appears.
Training and Awareness
What is AyeCode LTD doing to make all its product GDPR compliant
We will soon release new versions of all our plugins that will take advantage of the new privacy tools included in the last version of WordPress 4.9.6, released few days ago.
Why most WordPress website won’t be GDPR compliant by May 25th?
Frankly no one (but specialized lawyers) really understand the 88 pages of legal jargon that is GDPR and everything you have read about GDPR is someones interpretation or even an interpretation of interpretation.
When we had some questions about GDPR we could not find the answer to, we called the UK government specialized GDPR help line and waited over 1.5 hours just to get through.
In the end they could not satisfy our questions about a EU company hosting their data outside the EU.
At the time of writing this, their helpline contact page on their website is down (the day before the deadline)…
Also because the tools provided so far in WordPress core are insufficient to be fully complaint.
Both for site owners to make their site fully compliant, but also for themes and plugins developers to make their products 100% compliant.
At present the export tool does not export post or pages that the user is the author of.
There have been many reasons why such as “there might be many authors” but if there is not then this is a missing part that should be provided to the user.
Also one of the main points about GDPR is consent, and to prove consent you must have a log of when the consent took place and what exact text the user consented to.
There is currently no consent log in WP core, there is a ticket open that hopes to add this functionality, but we believe it should have been in WP 4.9.6.
Without it all plugins and themes will have to build their own system. When/if the time comes when you are audited for GDPR compliance, it will be a nightmare without a centralized system.
Only WordPress websites won’t be compliant?
Not at all!
According to the Verge.com the vast majority of companies, especially from the US won’t be GDPR fully compliant by May 25th.
After reading their content we checked if they were compliant too, but they are probably not.
They GeoLocate users before showing the cookie consent popup and they show it only to visitor browsing from within the EU.
If you browse from the EU, they will add a cookie stating that you are from the EU without asking you for consent, which probably makes the website already non compliant with the GDPR. (we are not 100% sure about it, only a lawyer could confirm this.)
They use this code:
If you are thinking about doing something similar, make sure to contact a GDPR lawyer to see if it’ll make you non compliant.
What is going to happen to those that are not fully compliant by May 25th?
While the GDPR imposes stiff fines on data controllers and processors for non-compliance, the risks of a company being fined to this extent is minimal, even in the face of a serious breach.
In case of being contacted by the authority, if you show maximum cooperation and you prove that you are actively working to become fully compliant, there shouldn’t be much to worry about.
Your website has a SSL certificate and all data sent to your server is encrypted.
You have a list of all types of personal information stored by your website, the source of that information, who you share it with, what you do with it and how long you will keep it.
You have a list of places where personal information from your website is stored and the ways data flows between them.
You appointed a Data Protection Officer (DPO).
You create awareness among decision makers within your organization about GDPR guidelines.
Your technical security is up to date.
Staff was trained to be aware of data protection.
If your business operates outside the EU, you have appointed a representative within the EU.
You report data breaches involving personal data to local authorities and to the data subjects involved within 72hrs.
You obtain and keep track of consents to use personal data beyond the legitimate purpose for which that data was collected.
Your users can easily revoke consent.
Your users can easily request access to their personal information.
Your users can easily update their own personal information to keep it accurate.
You automatically delete data that your business no longer has any use for.
Your users can easily request deletion of their personal data.
Your users can easily request that you stop processing their data.
Your users can easily request that their data be delivered to themselves or a 3rd party.
You should only transfer data outside of the EU to countries that offer an appropriate level of protection.