Full disclosure: None of the following is legal advice. This is meant to prompt conversation within our community about the implications of GDPR.
What is GDPR?
GDPR (the “General Data Protection Regulation”) took effect on May 25th, 2018 in the European Union. It’s a law intended to protect individuals by regulating the collection, processing, transfer, and storage of personal data, meaning any data that relates to an identified or identifiable person. The protection of personal data is considered a fundamental right under EU law.
Any organization established in the EU falls under GDPR, and so does any organization outside the EU that offers goods or services to people in the EU or monitors their behaviour, including through a website. The test is where the person is when you process their data, not their citizenship. So a Canadian business whose site collects data from visitors located in Europe is in scope, whether or not those visitors are EU citizens. Blocking European traffic is only a partial answer: it has to be reliable, and it doesn’t help if you are otherwise targeting or monitoring people in the EU.
The penalties for non-compliance are steep: up to 20 million Euros (~30.6 million Canadian dollars) or 4% of global annual turnover, whichever is higher. This tier of fines is clearly aimed at putting pressure on global corporations to fall in line, but as the saying goes, it’s better to be safe than sorry.
Many of the questions around enforcement and compliance are open to interpretation. We won’t dig into them here because it’s beyond the scope of our meetup and, more importantly, we’re not legal professionals. But what we have seen is organizations around the world take steps to become GDPR compliant.
Compliance is hard to determine. The official text is dense and difficult to read. Do a quick Google search for GDPR and you’ll find tens of millions of blog posts, checklists, and summaries from legal firms and consultants who have sprung up to address the confusion.
Despite the ambiguity, the overall spirit and intent behind GDPR is a good thing. Our personal information is spread throughout the web across applications, devices, and servers. GDPR puts a framework in place to guide how that information is acquired, stored, moved, and managed.
A quick start to GDPR
The UK’s Information Commissioner’s Office (ICO) compiled a twelve-step Quick Start guide to help organizations prepare for GDPR. The steps are as follows:
1. Recognize that the law is changing, the significance of it, and the impact on your organization. We’ve covered the gist of this already. GDPR is a big deal, affecting organizations globally.
2. Document what personal data you already have, where it came from, and who you share it with. An information audit is the usual way to do this, and the output matters: GDPR requires you to maintain records of your processing activities. This could also be a good time to consolidate your information into a single place, like a CRM.
4. Check, update, and document your procedures for working with personal data. Documentation, even within a small organization, is hugely beneficial. So if you’re working in or with a small business and they don’t already have a team knowledge base, now is a good time to create one. It could be as simple as a Google Docs folder or as elaborate as a custom WordPress site.
5. Check, update, and document your procedures for handling data requests in a timely manner. Requests must be fulfilled free of charge within one month (extendable by a further two months for complex requests), but they can be refused or charged a reasonable fee if they are manifestly unfounded or excessive. Again, this is something you should cover in an internal team knowledge base: what do you do when someone submits a request?
6. Document how and why you process the personal data that you do. In other words, you need a lawful basis (consent, contract, legal obligation, legitimate interests, and so on) for each kind of data you collect, and you should record which one applies. This is another point to cover in the team knowledge base, so everyone is informed.
7. Review and update how you seek, record, and manage consent. Refresh existing consent if it isn’t in line with GDPR. Related: Detailed guidance for collecting consent (via ICO)
8. Identify whether you need to verify user ages, and if so, how you will obtain parental or guardian consent when processing personal data belonging to minors. GDPR sets the age of consent for online services at 16, and member states may lower it to as low as 13. If you’re building a site with youth as the intended audience, this will probably apply to you.
9. Ensure you have documented processes in place to detect, report, and investigate data breaches. This is also a requirement under Canada’s PIPEDA legislation, and something else to add to your team knowledge base.
10. Review and implement Data Protection Impact Assessments (DPIAs). “A DPIA is required in situations where data processing is likely to result in high risk to individuals.” If you’re working with a larger organization or dealing with sensitive data, check out the ICO guide to DPIAs.
11. Designate someone in the organization to be responsible for compliance. A Data Protection Officer is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data like healthcare information; for everyone else it is still good practice to name a point person.
12. If the organization operates in multiple EU member states, work out which data protection regulator is your lead supervisory authority. That is the regulator for the member state where your main establishment is, and it becomes your single point of contact for cross-border processing.
That’s a lot, even for a Quick Start guide, so to summarize it even further:
- Get an understanding of the scope & impact of GDPR.
- Do an audit of the personal data you already have.
- Update & document your procedures for working with personal data.
- Have a point person responsible for managing data privacy.
Now let’s get into the practical implications for the work that we’re doing online.
A (very) high-level overview of the GDPR in relation to websites
On one side you have a business with a website. They use that website to showcase their services, share updates & announcements, and receive inquiries through contact forms.
On the other side you have the website’s users. They go to the website to learn about the business, read information, and maybe even get in touch.
The business uses a handful of 3rd party tools on their site. They have web analytics; live chat; email capture for their newsletters; and tracking for advertisements.
Under GDPR, the business is considered the Data Controller: it decides what personal data is collected and why. If a user wants to correct, export, or erase their personal data, the business is responsible for giving the user a way to make that request, and for fulfilling it in a timely manner.
The 3rd party tools are considered Data Processors. They store and handle data, but only on the Controller’s behalf and under its instructions, and GDPR requires a written contract between the two setting that out. The processors should also give the Controller (the business) the means to modify, export, and erase the data when a request comes in.
Additionally, through the use of privacy notices and permission controls, the website allows the user to provide and alter their consent.
How do we apply this as WordPress users?
When we build websites with WordPress, we’re setting up new applications where people’s personal data can be stored. And as the developer or owner of these applications, we have a responsibility to protect our users’ data.
In a basic WordPress site, without any plugins, personal data is already acquired and stored through user registration and comments (a comment record includes the commenter’s name, email, IP address, and user agent). As we install additional plugins, the amount of information we collect grows quickly. For example:
- Security plugins that store visitor IP addresses to block traffic.
- Analytics plugins that track user behaviour.
- Contact form plugins that save entries.
- eCommerce plugins that store shipping addresses.
- Marketing plugins that collect email addresses.
- Advertising and social media plugins that connect to third-party trackers.
These plugins will either store data locally on our website’s server, or they will connect to a third party service (“data processor”) to store the data.
Also included in the newest version of WordPress (4.9.6) are two new tools for fulfilling data export and erasure requests. By default these tools only cover data collected by the core WordPress software, like user accounts and comments; a plugin has to register its own data with them. Other plugins are stepping in to address data requests for 3rd party services, data self-management, and consent notices. We’ll take a look at those in a moment.
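As an added example (not code from this page or from any of the plugins discussed below), here is how a plugin hooks its own stored data into the core export and erase tools. WordPress exposes two filters for this, `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers`; each callback is called repeatedly with an email address and a page number until it reports `done`. The plugin table `cf_entries`, its columns, and all `example_cf_*` names are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Example Contact Form Privacy Hooks
 *
 * Added example, not part of any real plugin. Assumes a hypothetical
 * plugin table {$wpdb->prefix}cf_entries with the columns
 * id, name, email, message, ip, created_at.
 */

const EXAMPLE_CF_PAGE_SIZE = 100; // rows handled per callback invocation

// Register with the core "Export Personal Data" tool.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-cf'] = array(
        'exporter_friendly_name' => 'Example Contact Form Entries',
        'callback'               => 'example_cf_exporter',
    );
    return $exporters;
} );

// Register with the core "Erase Personal Data" tool.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-cf'] = array(
        'eraser_friendly_name' => 'Example Contact Form Entries',
        'callback'             => 'example_cf_eraser',
    );
    return $erasers;
} );

/**
 * Fetch one page of entries for the requested email address.
 * Uses $wpdb->prepare so the email (user supplied) is never interpolated.
 */
function example_cf_fetch_entries( $email, $page ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'cf_entries'; // assumed table name
    $offset = ( max( 1, (int) $page ) - 1 ) * EXAMPLE_CF_PAGE_SIZE;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, email, message, ip, created_at FROM {$table}
         WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email, EXAMPLE_CF_PAGE_SIZE, $offset
    ) );
}

/**
 * Exporter callback: returns the items core will add to the export ZIP.
 * 'done' => false tells core to call again with $page + 1.
 */
function example_cf_exporter( $email_address, $page = 1 ) {
    $entries = example_cf_fetch_entries( $email_address, $page );
    $items   = array();
    foreach ( $entries as $entry ) {
        $items[] = array(
            'group_id'    => 'example-cf-entries',
            'group_label' => 'Contact Form Entries',
            'item_id'     => 'cf-entry-' . $entry->id,
            'data'        => array(
                array( 'name' => 'Name',       'value' => $entry->name ),
                array( 'name' => 'Email',      'value' => $entry->email ),
                array( 'name' => 'Message',    'value' => $entry->message ),
                array( 'name' => 'IP address', 'value' => $entry->ip ),
                array( 'name' => 'Submitted',  'value' => $entry->created_at ),
            ),
        );
    }
    return array(
        'data' => $items,
        'done' => count( $entries ) < EXAMPLE_CF_PAGE_SIZE, // short page: no more rows
    );
}

/**
 * Eraser callback: deletes the rows and reports what happened.
 * Always reads page 1 because deleted rows no longer occupy an offset.
 */
function example_cf_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'cf_entries';
    $entries  = example_cf_fetch_entries( $email_address, 1 );
    $removed  = false;
    $retained = false;
    $messages = array();
    foreach ( $entries as $entry ) {
        $result = $wpdb->delete( $table, array( 'id' => $entry->id ), array( '%d' ) );
        if ( false === $result ) {
            $retained   = true; // core shows these messages to the admin
            $messages[] = sprintf( 'Contact form entry %d could not be deleted.', $entry->id );
        } else {
            $removed = true;
        }
    }
    return array(
        'items_removed'  => $removed,
        'items_retained' => $retained,
        'messages'       => $messages,
        'done'           => count( $entries ) < EXAMPLE_CF_PAGE_SIZE,
    );
}
```

Once this file is active, the contact form entries appear as their own group in the ZIP produced by Tools > Export Personal Data, and Tools > Erase Personal Data removes them alongside the core user and comment data. The same two filters are what the GDPR plugins below use to cover WooCommerce orders or form submissions, which is why a plugin that has not registered an exporter and eraser is invisible to the core tools.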
WordPress GDPR Plugins
Alright. Let’s talk about the GDPR plugins that can help us out.
The plugin simply named GDPR was developed here in Toronto by the team at Trew Knowledge. It’s a fairly comprehensive plugin. It provides consent management; front-end privacy preference management; double-opt-in emails for right to erasure; reassignment of user data; back-end lookup & administration; logging; telemetry tracking; and more. It’s well documented and feels like an extension of WP core.
A second popular GDPR plugin is not nearly as well documented, and out of the box it only supports WordPress core, comments, WooCommerce, Gravity Forms, and Contact Form 7. The roadmap doesn’t cover anything beyond June 3rd, so it’s hard to know what their plans are for future compatibility. It also feels very much like a bolted-on plugin.
Privacy WP takes a different approach. Instead of managing the data stored on your server, Privacy WP integrates the built-in privacy export/erasure tools with the data stored on 3rd party providers (the Data Processors covered earlier). Check out the announcement post from Scott Deluzio.
Cookiebot isn’t a WordPress plugin, but I’m seeing it appear on more websites as a drop-in solution for handling GDPR consent. It scans the site for the presence of any cookies and handles the permission controls. They have a free plan that’s suitable for small sites (under 100 pages), but the price quickly ramps up from there.
This meetup wouldn’t have been possible without leaning on the following resources: