It is widely known by now that the GDPR came into effect in May 2018. The primary aim of the GDPR is to strengthen the control of EU residents over their personal data and to unify data protection for all individuals residing in the EU. If you haven't read up on this yet, here is a quick summary:
- The new law concerns all website owners and developers who deal with personal information relating to EU users.
- The law gives EU residents the right to control their personal information.
- The regulation has put in place measures to track compliance and steep penalties for non-compliance.
- Individuals, organizations, and companies that are either 'controllers' or 'processors' of personal data are covered by the GDPR.
Of course, that includes us too, weDevs, since we develop WordPress products and have a large share of EU customers.
Why you should care
If you reside in the EU, this concerns you, even if you are using the site of a business that is not based in the EU. It is enough that the data controller, the processor, or the data subject (the customer) is based in the EU for the law to apply. We have seen enough debacles, and the downfall of businesses or their reputations, caused by failure to keep up with user data privacy and protection. Information leaks and breaches have cost companies billions of dollars and the trust of their customers.
The GDPR has transformational value in altering the way customer data is handled and used by businesses and public sector organizations. It also gives individuals more rights to exercise control over their information.
This makes the introduction of the GDPR a landmark in the already much-discussed area of data protection, and its impact is immediate.
The GDPR and other data protection laws rely on the term 'personal data' to discuss information about individuals. Personal data is anything that allows a living person to be directly or indirectly identified, whether professional, personal or public. This includes:
- email address
- bank details
- IP address
- medical information
- automated personal data, including pseudonymised data
Thus the GDPR is a means by which companies can be held responsible for what they do with the information they collect from you:
For companies that have more than 250 employees, there’s a need to have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place. – Wired
Steps to follow to ensure rigorous GDPR compliance
- Discover: identify what personal data you have and where it resides.
- Manage: govern how personal data is used and accessed.
- Protect: establish security controls to prevent, detect and respond to vulnerabilities and data breaches.
- Report: keep the required documentation, manage data requests and breach notifications.
The new EU law is strict about these steps. Organizations are strongly encouraged to appoint Data Protection Officers (DPOs) to create robust data security policies and procedures that help mitigate risks and ensure compliance. Meanwhile, the company's stance on data protection should be passed on to all employees and stakeholders, including the third-party agents the company deals with.
GDPR for WordPress site owners
WordPress is now diligently working on becoming fully GDPR compliant. Its areas of focus are:
- updating its core policy to restate the importance of data privacy and privacy policies;
- assisting site owners with functionality to comply with the privacy policies of their websites;
- modifying the plugin guidelines accordingly;
- encouraging and facilitating compliance in general;
- updating privacy tools and documentation to educate site owners on privacy, GDPR requirements and usage.
For those of you using WordPress to run your sites, take care of the following:
- find out all the ways in which you collect customer data;
- add mechanisms so users can control their personal data;
- ensure that any third-party tools and solutions you use are also GDPR compliant;
- avoid collecting data from users when it serves no purpose;
- consent checkboxes should not be checked by default;
- add a dedicated, separate web page for the privacy policy on your website;
- add the privacy information of the plugins your site uses;
- review and publish the policy.
GDPR for WooCommerce and store owners
For WooCommerce and other eCommerce store owners, the main points to address are:
- right to access requests
- right to erasure requests
- security breaches, and
- the need to have a DPO.
The aim is that EU residents know better how eCommerce sites running on WooCommerce collect their data, with whom and how they share it, and how users are being tracked.
It must be mentioned here that the fines for non-compliance are substantial for businesses: 4% per annum, and this applies to businesses both inside and outside the EU.
Similar to other sites, the new law requires eCommerce stores to inform users about the kind of information they collect, store, and share. It also places certain rules about the kind of consent required before the business can collect personal data.
WooCommerce stores will also be required to explicitly detail and notify how they will use this data in their privacy policies.
WooCommerce customers will also be able to exercise the following new rights:
- Demand a copy of all the data stores have about them [Right of Access].
- Demand any errors in the data be corrected [Right to Rectification].
- Request the removal of all personal data [Right to be Forgotten/Right of Erasure].
Online marketplaces also need to consider the following two issues:
- Pseudonymisation: The GDPR places great emphasis on this. The process transforms personal data so that it can no longer be attributed to an identifiable user without the use of additional information.
Pseudonymisation enhances privacy by replacing most identifying fields within a data record by one or more artificial identifiers, or pseudonyms. (GDPR: Report)
Along with pseudonymisation, eCommerce stores can also protect personal data by employing access restrictions, encryption, backups, data minimization, and regular testing.
- Records of processing activities: eCommerce stores must keep track of all the user information they collect. WooCommerce stores have to record how they collect data via forms, such as contact and support forms, newsletter signups, subscription buttons, etc. This also includes how the store collects analytics data, what it does with it, how the data is stored, the code used in plugins and themes, and how the store communicates with users. eCommerce stores must also notify customers if their information is stolen in a breach.
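The pseudonymisation point above, and the right-of-erasure request mentioned earlier, can be shown in working code. The following is an added example written for this article; it is not weDevs, WordPress or WooCommerce code, and the record layout, the field names and the sample orders are constructed for illustration. It replaces identifying fields (email, IP address) with a keyed HMAC pseudonym, drops a field the analytics copy has no purpose for (data minimisation), and keeps the key and the pseudonym-to-value mapping in a separate vault object that stands in for the "additional information" that must be held apart from the pseudonymised records. Erasing a customer from the vault leaves the remaining records intact but unlinkable to that person.

```python
"""Pseudonymise personal fields in order records before they reach analytics.
Added example for this article; not WooCommerce or weDevs code."""
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Optional

# Constructed field names (assumption): identifying fields get pseudonyms,
# fields with no analytics purpose are dropped (data minimisation).
IDENTIFYING_FIELDS = ("email", "ip_address")
DROP_FIELDS = ("bank_details",)


def _normalise(value: str) -> str:
    """Canonical form so 'Alice@Example.com' and 'alice@example.com' map to one pseudonym."""
    return value.strip().lower()


def make_pseudonym(key: bytes, value: str) -> str:
    """Keyed HMAC-SHA256 pseudonym.

    Stable for the same input under the same key (records of one customer stay
    linkable for analytics), but cannot be reversed or even recomputed without the
    key. Truncated to 24 hex chars; that is still 96 bits, ample for uniqueness."""
    digest = hmac.new(key, _normalise(value).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:24]


class PseudonymVault:
    """Holds the secret key and the pseudonym -> original value mapping.

    This is the 'additional information' the GDPR definition refers to; in a real
    deployment it lives in a separate, access-restricted store, never beside the
    pseudonymised records."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}

    def pseudonymise(self, value: str) -> str:
        pseudonym = make_pseudonym(self.key, value)
        self.lookup[pseudonym] = _normalise(value)
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only code with access to the vault can link a pseudonym back to a person."""
        return self.lookup.get(pseudonym)

    def erase(self, value: str) -> int:
        """Right to erasure: remove the mapping. Returns 1 if an entry was removed.
        Pseudonymised records keep their statistical value but can no longer be
        attributed to this person."""
        pseudonym = make_pseudonym(self.key, value)
        return 1 if self.lookup.pop(pseudonym, None) is not None else 0


def pseudonymise_record(vault: PseudonymVault, record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the record safe for the analytics copy of the data."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue  # no purpose for keeping it here, so do not collect it
        if field in IDENTIFYING_FIELDS and value:
            out[field] = vault.pseudonymise(str(value))
        else:
            out[field] = value
    return out


# Constructed sample orders (not real customer data).
SAMPLE_ORDERS: List[Dict[str, Any]] = [
    {"order_id": 1001, "email": "alice@example.com", "ip_address": "203.0.113.7",
     "bank_details": "DE00 0000 0000 0000 0000 00", "order_total": 49.90},
    {"order_id": 1002, "email": "Alice@Example.com", "ip_address": "203.0.113.7",
     "bank_details": "DE00 0000 0000 0000 0000 00", "order_total": 12.00},
    {"order_id": 1003, "email": "bob@example.net", "ip_address": "198.51.100.23",
     "bank_details": "GB00 0000 0000 0000 0000 00", "order_total": 99.00},
]


def build_analytics_copy(vault: PseudonymVault) -> List[Dict[str, Any]]:
    """Pseudonymise every sample order with the given vault."""
    return [pseudonymise_record(vault, order) for order in SAMPLE_ORDERS]


if __name__ == "__main__":
    vault = PseudonymVault()
    for row in build_analytics_copy(vault):
        print(row)
    print("erased alice:", vault.erase("alice@example.com"))
```

Two orders from the same customer share one pseudonym, so per-customer analytics still work, while the IBAN never reaches that copy at all. Serving an erasure request here means deleting the vault entry (and, of course, the original record in the store database); losing the key has the same effect for everyone at once, which is why key backup and access control on the vault matter as much as the hashing itself.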
What weDevs is doing about GDPR
As already stated, both WordPress and WooCommerce have taken on the important task of bringing their privacy policies in line with the GDPR. Following in the same footsteps, weDevs is transforming its plugin guidelines. The company has started with the WP User Frontend plugin, and is now working its way towards making Dokan, WP Project Manager, WooCommerce Conversion Tracking, weForms, and all the others GDPR-friendly.
So, you should start working on GDPR compliance as soon as possible if you haven't started yet. Also, share your thoughts and opinions on what you have done so far.