Starting May 25, 2018 the GDPR (General Data Protection Regulation) will come into force and will require all concerned organisations to meet its requirements or face serious action.
According to the GDPR, all organisations that collect data of EU citizens, irrespective of whether they are located in the EU or not, are required to observe the data transparency and protection clauses so as to enable a better upkeep of data and give its control into the hands of the citizens.
Given the increased public concern over privacy, GDPR is one legislation that is to be taken very seriously. Not only will it lead to more accountability in businesses but may also force some of them to rethink their entire strategy for data collection.
GDPR compliance is mandatory and not a choice anymore. With the deadline around the corner, it becomes imperative to plug in all the major loopholes immediately and focus on how best to implement the concerns in a sustainable way.
GDPR and WordPress – what you need to know
WordPress sites that collect and process data will also be impacted by the GDPR. All the regulatory clauses will need to be addressed in detail by all WordPress sites and they need to make sure that citizens are able to regain their trust in the widely popular platform.
There are significant grey areas in the legislation at present, but given the principles of the legislation at large, it may be possible to work out the roadmap that a company can take.
At the basic level, in order to be positioned in accordance with the GDPR, your WordPress site needs to comply with the following:
- Tell users what data is collected as soon as they arrive at the website
The default privacy settings should be set to the highest level so that there is no incidental collection of data by any means.
- Get a clear consent for extraction of data
If the website needs to collect any data, it should seek the consent of the user upfront. There should be no automatic mechanism to extract data or any hidden process that discreetly works in the background, and no pre-checked boxes. Rather than an opt-out system, the system should be an opt-in one, where the user is armed with complete knowledge and awareness of the implications of opting in.
This principle must apply to all of the ways in which a WordPress site can extract data, including:
- Registration forms on websites
- Section for comments
- Use of a contact form on the website
- Traffic logging
- Other added plugins, e.g. for security
As an extension to this, the purpose and scope of the data extracted must be stated to each user explicitly, in a form they can act on, rather than buried in small print that tends to remain ignored and obscured.
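As an added illustration of the opt-in principle for the comment form (this is example code written for this article, not code from WordPress or from any plugin the article mentions), the snippet below adds a consent checkbox that is never pre-checked and refuses the comment server-side if the box is left unticked, so a visitor cannot be opted in silently and a crafted form submission cannot skip the consent step. The hook names are real WordPress hooks; the field name `gdpr-consent`, the meta key `gdpr_consent` and the text domain `example-consent` are choices made for this example.

```php
<?php
/**
 * Plugin Name: Example Comment Consent (illustration only, not part of the original article)
 *
 * Adds an opt-in consent checkbox to the WordPress comment form and refuses
 * comments submitted without it. The checkbox carries no "checked" attribute,
 * and the check is enforced on the server, so neither a pre-ticked box nor a
 * direct POST to wp-comments-post.php can bypass it.
 * Assumed names: field "gdpr-consent", meta key "gdpr_consent", text domain "example-consent".
 */

// Render the checkbox alongside the default name/email/url fields (shown to logged-out visitors).
add_filter( 'comment_form_default_fields', function ( $fields ) {
    $fields['gdpr-consent'] = sprintf(
        '<p class="comment-form-consent"><input id="gdpr-consent" name="gdpr-consent" type="checkbox" value="yes" /> <label for="gdpr-consent">%s</label></p>',
        esc_html__( 'I consent to this site storing my name, email address and comment so that it can be moderated and displayed.', 'example-consent' )
    );
    return $fields;
} );

// Enforce the opt-in before the comment is written to the database.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    // The default fields (and therefore the checkbox) are only rendered for
    // logged-out visitors, so only their submissions are required to carry it.
    if ( ! is_user_logged_in() && empty( $_POST['gdpr-consent'] ) ) {
        wp_die(
            esc_html__( 'Please confirm that you consent to this site storing your comment data.', 'example-consent' ),
            '',
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// Record when consent was given, so the site can later show what the user agreed to and when.
add_action( 'comment_post', function ( $comment_id ) {
    if ( ! empty( $_POST['gdpr-consent'] ) ) {
        add_comment_meta( $comment_id, 'gdpr_consent', current_time( 'mysql', true ), true );
    }
} );
```

The same pattern (an unchecked box, a server-side check that rejects the submission, and a stored record of when consent was given) applies to registration and contact forms; the label text should describe the actual purpose of the collection rather than a generic "I agree".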
- Let the users access their data
This aspect deals with the user's right to access the data collected about them. All of that data has to be accessible to the user in a readable and comprehensible form, so that there is complete transparency in the collection process. The right of access again emphasizes the need for site owners and data processors to make sure that no data is collected or used without the user being aware of it.
The GDPR also requires all data to be portable, that is, a user should be able to download the data completely onto their machine and transfer it to another controller if they so desire.
- Let the users delete the data
The GDPR requires that the 'right to be forgotten' be available to each user. Under this mechanism, a user can have all records of their data deleted at will and choose to become invisible. Site owners would need to comply if any user wishes to exercise this right, and not only delete all data but also stop collecting any further data as well.
Control of data should be with the user at any given time and he/she should be solely authorised to allow any use of his personal data.
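To show how the access, portability and erasure rights of the two sections above can be wired into a WordPress site, the following is an added example (written for this article, not code from WordPress core or from any plugin) that registers a hypothetical newsletter-signup data store with the WordPress privacy tools (Tools > Export Personal Data and Tools > Erase Personal Data, available since WordPress 4.9.6). The filters `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` and the array shapes returned by the callbacks are the real WordPress ones; the table name `{prefix}example_signups`, its columns and the text domain `example-privacy` are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Example Personal Data Export/Erase (illustration only, not part of the original article)
 *
 * Registers the data a hypothetical newsletter-signup plugin keeps with the
 * WordPress privacy tools, so that a user's access, portability and erasure
 * requests cover this data too. The export is returned in the machine-readable
 * structure WordPress bundles into the downloadable archive it sends to the user.
 * Assumed table: {prefix}example_signups with columns id, email, name, signed_up_at.
 */

function example_signups_table() {
    global $wpdb;
    return $wpdb->prefix . 'example_signups';
}

// Exporter: everything stored about the given email address, in readable name/value pairs.
function example_signups_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $email = sanitize_email( $email_address );
    $rows  = $wpdb->get_results(
        $wpdb->prepare( 'SELECT id, email, name, signed_up_at FROM ' . example_signups_table() . ' WHERE email = %s', $email ),
        ARRAY_A
    );

    $export_items = array();
    foreach ( (array) $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-signups',
            'group_label' => __( 'Newsletter signups', 'example-privacy' ),
            'item_id'     => 'signup-' . (int) $row['id'],
            'data'        => array(
                array( 'name' => __( 'Email', 'example-privacy' ),        'value' => $row['email'] ),
                array( 'name' => __( 'Name', 'example-privacy' ),         'value' => $row['name'] ),
                array( 'name' => __( 'Signed up at', 'example-privacy' ), 'value' => $row['signed_up_at'] ),
            ),
        );
    }

    // All matching rows fit in one page, so report that this exporter is finished.
    return array( 'data' => $export_items, 'done' => true );
}

// Eraser: delete the rows and report truthfully whether anything was removed or retained.
function example_signups_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $email   = sanitize_email( $email_address );
    $deleted = $wpdb->delete( example_signups_table(), array( 'email' => $email ), array( '%s' ) );

    return array(
        'items_removed'  => ( false !== $deleted && $deleted > 0 ),
        'items_retained' => ( false === $deleted ),
        'messages'       => ( false === $deleted )
            ? array( __( 'Signup records could not be deleted; please retry or remove them manually.', 'example-privacy' ) )
            : array(),
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-signups'] = array(
        'exporter_friendly_name' => __( 'Example newsletter signups', 'example-privacy' ),
        'callback'               => 'example_signups_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-signups'] = array(
        'eraser_friendly_name' => __( 'Example newsletter signups', 'example-privacy' ),
        'callback'             => 'example_signups_eraser',
    );
    return $erasers;
} );
```

Every plugin that stores personal data (contact form submissions, traffic logs keyed by IP address, security plugin records) needs its own exporter and eraser pair; WordPress core only covers users, comments and media by itself, so an audit of what each plugin stores is what tells you which callbacks are missing.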
- Notify users if any data breach occurs
This clause states that if a data breach occurs that can pose a threat to the rights and freedoms of individuals, or can affect society in a negative way, the concerned authorities must be alerted and immediate notification must also be sent to the customers who have been affected.
To protect the interests of the users and their rights, it is imperative that the notification mechanism is implemented without delay and enforced as the first corrective step in case of any breach of data.
Conclusion – The approach
Based on the above factors and the degree of infringement, it would be a good first step to do a security audit for your website. A sudden and drastic change in policy to meet the deadline might open a new can of worms. Start with understanding the law and then focus on the practical aspects that can ensure a co-existence of trust and technology.