This guide looks at the impact of the GDPR with special regard to website admins, owners and developers – primarily those using the WordPress and WooCommerce platforms, as well as those using Google’s G Suite.
Silicon Dales are accredited WooCommerce developers, as well as Google Partners reselling G Suite to business clients inside and outside of the European Union. While this content is primarily expected to be of interest to those in a similar position, it is likely that this explanation may well be of interest to webmasters, developers, web and PR agencies, business owners, as well as senior executives looking to come up to speed with GDPR, in the context of what this might mean for their web operations.
There is also some discussion of the wider WordPress and Open Source community and how the challenges of GDPR might be addressed within that context.
What is GDPR?
GDPR is the General Data Protection Regulation (Regulation (EU) 2016/679), a European Union law that applies from 25th May 2018.
This regulation goes further than previous data protection rules by increasing the areas covered, the size of the fines and the threshold for informed consent.
GDPR applies to any organisation that processes the personal data of people in the European Union (EU): organisations established in the EU, and organisations anywhere else that offer goods or services to people in the EU or monitor their behaviour there. [Article 3] The test is where the person is, not their citizenship, although “EU citizens” is the shorthand used through most of this guide.
What the experts say about the GDPR
Alan Calder, CEO at IT Governance, who literally “wrote the book” on information security told us:
“Organisations may consider the General Data Protection Regulation (GDPR) an administrative burden, but ignoring it or getting it wrong could be costly: organisations found to be in breach of the Regulation face administrative fines of up to 4% of their annual global turnover or €20 million – whichever is greater.”
Summary of the GDPR in Plain English
Don’t understand? That’s fine – the GDPR says this should be simple.
Where you rely on consent, GDPR makes everything an opt-in: no personal data is used for a purpose the person has not actively agreed to. Consent is one of six lawful bases (contract, legal obligation and legitimate interests are others) [Article 6], but every purpose needs one, decided and stated up front.
Basically, think about people’s privacy before you do anything: design it into your systems, think about how you will secure it and whether or not you even need to collect personal data at all for the service or product in question.
Think about how long you need to even hold data; whether you can get rid of it later; and when you will destroy it.
Think about who has access to this data, and where it gets transferred in the world.
“ARTICLE 1: This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”
Note that the regulations are concerned with the data of individual people, not companies.
Silicon Dales’ Technical Director, Robin Scott, gives this analogy:
“Treat people’s personal data like you would treat their car. When a person lends us their data, it does not become our data. We are borrowing it. It remains their data. We must protect it.
“If you borrowed someone’s car, you wouldn’t leave it with the keys in it. You wouldn’t sell it – because it’s not your car. If you did crash a borrowed car, you’d tell the owner as well as the authorities, and attempt to fix the car or provide compensation.”
Video Overview of the GDPR
This video from the “3 Minutes” series gives you most of the basics on GDPR, as quickly as possible:
There are seven main principles that the GDPR puts forward:
Consent
It must be easy to give and withdraw consent for use of personal data, and the request must be easy to understand. Each different use of personal data must receive consent separately. [Article 7]
Example – Consent
Businesses with website contact forms need permission to add the sender’s details to newsletters, CRMs, ad re-targeting platforms or any use other than replying to the original message. It is also a good idea for the website owner to have a policy on deleting messages after a given period.
What the experts say about consent under GDPR
Alan Calder, CEO at IT Governance:
“Under the GDPR, consent must be specific, informed and freely given and consent can also be withdrawn at any time – and the Regulation mandates that consent must be as easy to withdraw as it is to give.
“This applies unless organisations can prove that the processing is carried out on legitimate interest, a contractual agreement with the individual such as goods or services suppliers that request to fulfil an obligation, or for a task or project in the public interest typically expected from government departments, public authorities, education and healthcare sector organisations.
“Often consent is the most appropriate basis and organisations need to be aware of their obligations, especially as the GDPR raises the standard for consent.”
Breach Notification
The controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to people’s rights and freedoms; if notification is late, the reasons for the delay must be given. A processor that discovers a breach must tell the controller without undue delay. [Article 33]
Where the breach is likely to result in a high risk to the people affected, the controller must also tell them without undue delay. [Article 34] Communication to data subjects can be delayed where early disclosure would hamper a law-enforcement investigation [Recital 88], and is not required where the data was unintelligible to whoever obtained it (properly encrypted, for example) or later measures have removed the high risk. [Article 34, 3]
Example – Breach Notification
The type of delay in notifying compromised data subjects typified by Equifax is unlikely to pass muster in the future.
Right to Access
Data subjects have a right to know whether and how their personal data is being used, and to a copy of it free of charge; where the request is made electronically, the copy should be provided in a commonly used electronic form. [Article 15]
Example – Right to Access
The ICO recommends that larger firms do a cost-benefit analysis of providing access to personal data that has been processed via a website.
Video – Individual Rights
Here, Laura Monro from Fox Williams LLP gives a seminar on the changes to individual rights under GDPR:
Right to be Forgotten
When personal data is no longer needed for the purpose for which it was originally gathered (or the person withdraws the consent it rested on, or objects to the processing), data subjects can require the data controller to erase it and, where it has been made public, to tell other controllers processing it to erase copies and links. [Article 17]
Video – Right to be Forgotten
Data Portability
Data subjects have the right to receive the personal data they have provided to a controller, and to move it to another controller or re-use it across different systems.
The GDPR expects controllers to provide that data in a structured, commonly used and machine-readable format, and to transmit it directly to another controller where technically feasible, so that data subjects aren’t locked in to a platform by the way their personal data has been saved. The right covers data processed by automated means on the basis of consent or a contract. [Article 20]
Example – Data Portability
In short, allow the personal data a user has given you to be exported (and, where feasible, sent to another provider) in a structured, commonly used, machine-readable format: CSV, JSON or XML qualify; a proprietary file format that only your own software can read does not.
Video – Data Portability
This video from the European Commission likens your data to money in a bank. You should be free to take it elsewhere, no strings attached.
Privacy by Design
Data controllers should build systems which are designed to protect personal data from the outset, rather than as an after-thought or addendum.
Example – Privacy by Design
Think about tick-box permissions and privacy toggling before you build your next website.
Video – Privacy by Design
Good e-Learning provides a great introduction to the principle of Privacy by Design in this short video:
Data Protection Officers
Data controllers and processors must appoint a Data Protection Officer where they are a public authority, where their core activities involve regular and systematic monitoring of people on a large scale, or where they process special categories of personal data on a large scale. [Article 37] There is no employee-count threshold for this in the final text; the 250-employee figure appears in the Regulation only as the record-keeping derogation for smaller organisations. [Article 30, 5]
Data Protection Officers will review business operations and plans to ensure they comply with the GDPR.
GDPR – Main Changes
As noted above, the main changes in the GDPR from previous rules within Europe are the penalties, the territorial scope and the bar for consent.
GDPR reaches organisations anywhere in the world. For an organisation outside the EU, the test is whether it offers goods or services to people in the EU (whether or not payment is taken) or monitors their behaviour there, for example by tracking visitors across websites. [Article 3, 2]
The maximum fine is bigger: 4% of annual global turnover or €20 Million (whichever is greater).
Consent for use of personal data must be plain and clear, not buried in long and unintelligible Terms and Conditions pages.
Video – Key Changes in the GDPR
Silicon Dales Notes on the GDPR
Here we’ve pulled out some headlines which apply to most businesses operating in the WordPress and G Suite space, though you should take advice from an accredited person for more information specific to your business, such as permissions for children or the application of fines in Estonia!
We’ve kept the notes as brief as possible with annotations so you can read further if you’re interested.
The page numbers are bottom right in the PDF here:
Paragraph numbers are in brackets.
Small businesses – don’t panic!
You should still take heed of the GDPR regulations, but the main aim of this Regulation is to hold big businesses accountable for the ways they use personal data.
“To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.” [Introductory Text Page 8]
All businesses and organisations are being encouraged to take a proportionate approach to managing the personal privacy rights of EU citizens.
GDPR doesn’t apply to suitably anonymised data, i.e. data that no longer relates to an identifiable person [Introductory Text, Recital 26]. Pseudonymised data (names or addresses replaced by tokens, hashes or keys that the organisation could still reverse) is still personal data; the Regulation recommends pseudonymisation as a safeguard, not as an exit from its scope [Article 6, 4(e), Article 25, 1, Article 32, 1(a)].
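The distinction matters in practice because an unkeyed hash of an e-mail address is often sold as “anonymisation”. The following is an added example written for this guide (not code from the original article or from Silicon Dales) that shows why: an unkeyed hash is recovered by a dictionary attack, a keyed HMAC is pseudonymous but still linkable by whoever holds the key, and only aggregation with small groups suppressed leaves nothing that relates to an individual. The addresses, countries and the suppression threshold are constructed for the demo.

```python
# Added example, not from the original article: what separates pseudonymised
# data (still personal data) from anonymised data (outside the GDPR).
# The addresses and countries below are constructed sample data.
import hashlib
import hmac
import secrets
from collections import Counter

CONTACTS = [
    {"email": "alice@example.com", "country": "IE"},
    {"email": "bob@example.org", "country": "IE"},
    {"email": "carol@example.net", "country": "FR"},
    {"email": "dave@example.com", "country": "DE"},
]


def naive_hash(email):
    """Unkeyed SHA-256 of an address: often mistaken for anonymisation."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def dictionary_attack(target, candidates):
    """Try to recover the address behind `target` by hashing known addresses.
    Anyone with a list of e-mails (a partner, a breach dump) can do this, so an
    unkeyed hash still identifies the person and remains personal data."""
    for email in candidates:
        if naive_hash(email) == target:
            return email
    return None


def pseudonymise(email, key):
    """Keyed HMAC: a stable token per person. Without the key the token cannot
    be matched to an address, but the controller (who holds the key) can still
    re-link it, so this is pseudonymisation in the Article 4(5) sense and the
    token is still personal data. Keep the key separate from the tokens."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def anonymise_counts(contacts, min_group=2):
    """Aggregate to a count per country and suppress groups smaller than
    min_group (an assumed threshold). No output row relates to an identifiable
    person any more, which is what Recital 26 means by anonymous information."""
    counts = Counter(c["country"] for c in contacts)
    return {country: n for country, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    emails = [c["email"] for c in CONTACTS]
    key = secrets.token_bytes(32)
    print("unkeyed hash recovered as:",
          dictionary_attack(naive_hash("alice@example.com"), emails))
    print("keyed token recovered as:",
          dictionary_attack(pseudonymise("alice@example.com", key), emails))
    print("anonymised output:", anonymise_counts(CONTACTS))
```

Run stand-alone, the first line recovers alice@example.com from the “anonymised” hash, the second prints None, and the third prints only the countries with at least two contacts.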
Checkboxes and Internet Websites
The GDPR gets really specific about ways in which websites are expected to provide privacy controls, in this case: checking, or ticking, a box. There’s also a part about icons, later on.
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.” [Introductory Text, page 18]
So, just to re-cap:
- pre-ticked boxes are not ok
- each purpose must be consented to separately
- the process should be simple
- the process should not be turned into a kind of punishment
- each individual use of personal data should be explained and consented to on its own, not as a bundle.
Can I pre-tick a consent box?
“Silence, pre-ticked boxes or inactivity should not therefore constitute consent”
This is unambiguous. You can’t, shouldn’t, mustn’t pre-tick a consent box about data. Yes, this includes your newsletter signup box.
You can’t say “untick this box to agree that we can’t share your data with third parties”. That’s just confusing.
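To show what those rules look like server-side, here is an added example written for this guide (not code from the original article or from Silicon Dales): a small consent ledger that records only boxes the visitor actively ticked, keeps the full grant/withdraw history with the version of the wording shown, makes withdrawal a single call, and lints form markup for pre-ticked boxes. The purpose names, the `consent_<purpose>` field convention, the notice version and the in-memory storage are assumptions; a WordPress site would keep the same records in its database.

```python
# Added example, not from the original article: a minimal server-side consent
# ledger. The purpose names, the form-field convention (consent_<purpose> =
# "on"), the notice version and the in-memory storage are all assumptions.
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# One checkbox per purpose; none may default to "on".
PURPOSES = {
    "reply": "Reply to my message",
    "newsletter": "Send me the newsletter",
    "crm": "Keep my details in your CRM",
    "ads": "Use my details for ad targeting",
}
NOTICE_VERSION = "2018-05-25"  # assumed identifier of the consent text shown


@dataclass
class ConsentRecord:
    purpose: str
    granted: bool
    at: datetime
    notice_version: str


@dataclass
class ConsentLedger:
    # purpose -> records, oldest first; the full history is kept as evidence
    # of what was agreed, when, and against which wording (Article 7(1)).
    history: dict = field(default_factory=dict)

    def record_form(self, form, now=None):
        """Record only the boxes the user actively ticked. An unticked box
        produces no record, so a submission is never read as bundled consent."""
        now = now or datetime.now(timezone.utc)
        for purpose in PURPOSES:
            if form.get("consent_" + purpose) == "on":
                self._append(purpose, True, now)

    def withdraw(self, purpose, now=None):
        """Withdrawing is one call, as easy as granting (Article 7(3))."""
        self._append(purpose, False, now or datetime.now(timezone.utc))

    def allowed(self, purpose):
        """A purpose is permitted only if its most recent record is a grant."""
        records = self.history.get(purpose, [])
        return bool(records) and records[-1].granted

    def _append(self, purpose, granted, now):
        if purpose not in PURPOSES:
            raise ValueError("unknown purpose: %r" % purpose)
        self.history.setdefault(purpose, []).append(
            ConsentRecord(purpose, granted, now, NOTICE_VERSION))


def render_checkbox(purpose):
    """Checkbox markup for one purpose; never emits the 'checked' attribute."""
    return ('<label><input type="checkbox" name="consent_%s"> %s</label>'
            % (purpose, PURPOSES[purpose]))


PRETICKED = re.compile(r'<input\b[^>]*\bchecked\b', re.IGNORECASE)


def template_ok(html):
    """Template lint: a pre-ticked consent box is not valid consent."""
    return PRETICKED.search(html) is None


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed submission: the visitor ticked "reply" and "newsletter" only.
    ledger.record_form({"name": "Alice", "consent_reply": "on",
                        "consent_newsletter": "on"})
    print({p: ledger.allowed(p) for p in PURPOSES})
    ledger.withdraw("newsletter")
    print({p: ledger.allowed(p) for p in PURPOSES})
    print(template_ok(render_checkbox("ads")),
          template_ok('<input type="checkbox" name="consent_ads" checked>'))
```

The point of keeping every record rather than a single boolean per purpose is that, when a data subject or the supervisory authority asks, you can show exactly which wording they agreed to and when, and when they withdrew.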
Make it clear and simple, and be honest with your users. More on this in the next section:
Lawful, Fair and Transparent + Data Minimization + Time Limitations + Security Processes
When processing Personal Data, be clear, simple and honest with your users. Think about whether you truly need the personal data in question in order to provide the product or service. Be upfront at the time you gather the personal data. Make it easy to give and withdraw consent. Think about how long your organisation will need to hold the information and consider a policy of deletion after a given time period.
“Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. 
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.” [Article 5, Article 6, 1]
Here’s the kicker: periodic review. You should consider how much data your business really needs and for how long, submit those needs to regular review, and apply appropriate security to what you keep.
Example – Lawful and Fair
Businesses cannot hoard thousands of email addresses forever and keep re-importing them from old exports and other historic sources. Yes, we’ve seen this done, and from 25th May 2018 it will be unequivocally unlawful unless a lawful basis can be shown for every address.
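As an added example for this guide (not code from the original article or from Silicon Dales), here is what a retention schedule with periodic review looks like when written down as a sweep, together with an import filter that stops an old list coming back in. The purposes, retention periods, review date, records and consent state are all constructed assumptions; the accounting period in particular is a placeholder and not legal advice.

```python
# Added example, not from the original article: a retention schedule applied
# as a periodic sweep, plus an import filter so a purge is not undone by the
# next re-import of an old list. Purposes, periods and records are assumed.
from datetime import datetime, timedelta, timezone

# Assumed policy: how long each purpose justifies keeping the data after its
# last use. None means "no fixed period; kept only while consent stands".
RETENTION = {
    "contact_form": timedelta(days=180),
    "order": timedelta(days=365 * 6),   # assumed accounting retention period
    "newsletter": None,
}

NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)  # constructed review date

# Constructed records: id, purpose, address, last time the data was used.
RECORDS = [
    {"id": 1, "purpose": "contact_form", "email": "alice@example.com",
     "last_used": datetime(2017, 10, 1, tzinfo=timezone.utc)},
    {"id": 2, "purpose": "contact_form", "email": "bob@example.org",
     "last_used": datetime(2018, 5, 1, tzinfo=timezone.utc)},
    {"id": 3, "purpose": "order", "email": "alice@example.com",
     "last_used": datetime(2015, 1, 1, tzinfo=timezone.utc)},
    {"id": 4, "purpose": "newsletter", "email": "bob@example.org",
     "last_used": datetime(2018, 5, 20, tzinfo=timezone.utc)},
    {"id": 5, "purpose": "newsletter", "email": "alice@example.com",
     "last_used": datetime(2018, 5, 20, tzinfo=timezone.utc)},
]

# Constructed consent state: (email, purpose) -> consent currently stands.
CONSENTS = {("alice@example.com", "newsletter"): True}


def is_expired(record, now, consents):
    """Consent-based purposes expire when consent lapses; the rest expire
    once the retention period since last use has run out."""
    purpose = record["purpose"]
    period = RETENTION[purpose]
    if period is None:
        return not consents.get((record["email"].lower(), purpose), False)
    return record["last_used"] + period < now


def sweep(records, now=NOW, consents=CONSENTS):
    """Split records into (keep, delete) for this review cycle. Run it on a
    schedule and log what was deleted: that log is your evidence of review."""
    keep, delete = [], []
    for record in records:
        (delete if is_expired(record, now, consents) else keep).append(record)
    return keep, delete


def filter_import(addresses, purpose, consents=CONSENTS):
    """Only addresses with a standing consent for this purpose may be
    (re-)imported. An old CSV export proves nothing about consent."""
    return [a for a in addresses if consents.get((a.lower(), purpose), False)]


if __name__ == "__main__":
    keep, delete = sweep(RECORDS)
    print("keep:", [r["id"] for r in keep], "delete:", [r["id"] for r in delete])
    old_list = ["Alice@example.com", "bob@example.org", "carol@example.net"]
    print("importable:", filter_import(old_list, "newsletter"))
```

On the constructed data the sweep deletes the stale enquiry (id 1) and the newsletter row with no standing consent (id 4), and the old list of three addresses shrinks to the one address with a live consent.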
What the experts say about GDPR Compliance
Alan Calder, CEO at IT Governance:
“Initiating a compliance project should be a priority on every organisation’s agenda ahead of May 2018. They can initiate a project by mapping their data sources, conducting a gap analysis, implementing processes and procedures in compliance with the Regulation’s requirements, delivering GDPR staff awareness training and in certain cases appointing a data protection officer. Although it’s not necessarily overly onerous, the project is likely to take months, so the time to act is now.
“Businesses that take advantage of the opportunity the GDPR presents and achieve compliance by May 2018 will not only avoid significant financial and reputational damage but will also find that data handling, information security and compliance processes are secure, robust and reliable. Organisations will be able to provide their clients, partners, investors and stakeholders with the assurance that data is processed in lawful, fair and transparent manner and ongoing GDPR compliance is a high priority.”
Personal Data Information Requests (Subject Access Requests)
The GDPR sets down some rules on how you should respond when data subjects request the information your organisation holds about them.
- Must respond within a month – The controller must respond within one month of receiving the request. This can be extended by a further two months for complex or numerous requests, but the person must be told of the extension, and why, within the first month. [Article 12, 3]
- Must be free (no payment) – The controller cannot charge for complying with a request. Only where requests are manifestly unfounded or excessive (for example repetitive) may a reasonable fee be charged or the request refused, and the controller must be able to demonstrate that. [Article 12, 5]
It is therefore worth considering making personal data management an automated process, to minimize the impact of many requests, and to comply with the spirit of the law: treating personal data as though it belongs to the data subject, not the data controller.
Example – Information Requests (Subject Access Requests)
Put a Personal Data Information Request form in the My Account pages of your online shop, alongside the consent toggles.
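What sits behind that form is the interesting part. The following is an added example for this guide (not code from the original article or from Silicon Dales) of an automated access and portability export: the requester first proves control of the address on file by returning a one-time token e-mailed to it (only the token’s hash is stored), the response deadline is tracked from receipt, and only then is everything held about that address pulled from each system and written out as JSON and CSV. The three “systems”, the sample rows, the 30-day approximation of “one month” and the token flow are assumptions; on a real shop the lookups would be database queries.

```python
# Added example, not from the original article: an automated subject access /
# portability export behind an identity check. The "systems", sample rows,
# verification flow and 30-day deadline are assumptions for the demo.
import csv
import hashlib
import hmac
import io
import json
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample rows standing in for the shop's tables.
ORDERS = [{"order_id": 1001, "email": "alice@example.com", "total": "42.00"},
          {"order_id": 1002, "email": "bob@example.org", "total": "9.99"}]
COMMENTS = [{"comment_id": 7, "email": "alice@example.com", "text": "Great post"}]
NEWSLETTER = [{"email": "alice@example.com", "subscribed": "2018-01-03"}]

RECEIVED = datetime(2018, 6, 1, tzinfo=timezone.utc)  # constructed request date


def collect(email):
    """Gather every record held about the address, keyed by system."""
    e = email.lower()
    return {
        "orders": [r for r in ORDERS if r["email"] == e],
        "comments": [r for r in COMMENTS if r["email"] == e],
        "newsletter": [r for r in NEWSLETTER if r["email"] == e],
    }


def to_csv(bundle):
    """Flatten the bundle into a three-column CSV any spreadsheet can open."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["system", "field", "value"])
    for system, rows in bundle.items():
        for i, row in enumerate(rows):
            for key, value in row.items():
                writer.writerow(["%s[%d]" % (system, i), key, value])
    return out.getvalue()


class AccessRequest:
    """One subject access request: verify the requester controls the address
    on file before releasing anything, and track the response deadline."""

    def __init__(self, email, received=RECEIVED):
        self.email = email.lower()
        self.received = received
        # Article 12(3): respond within one month; 30 days is an assumed
        # approximation. The period can be extended by two months for complex
        # requests if the person is told within the first month.
        self.deadline = received + timedelta(days=30)
        self.verified = False
        self._token_hash = None

    def issue_token(self):
        """Create a one-time token to e-mail to the address on file. Only its
        hash is stored, so a database leak does not leak usable tokens."""
        token = secrets.token_urlsafe(16)
        self._token_hash = hashlib.sha256(token.encode()).digest()
        return token

    def verify(self, token):
        """Constant-time comparison of the presented token's hash."""
        if self._token_hash is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        self.verified = hmac.compare_digest(presented, self._token_hash)
        return self.verified

    def export(self):
        """Return (bundle, json_text, csv_text); refuses until verified."""
        if not self.verified:
            raise PermissionError("requester identity not verified")
        bundle = collect(self.email)
        return bundle, json.dumps(bundle, indent=2, sort_keys=True), to_csv(bundle)


if __name__ == "__main__":
    req = AccessRequest("Alice@example.com")
    token = req.issue_token()   # in production: e-mail this, never display it
    print("respond by", req.deadline.date())
    print("wrong token accepted?", req.verify("not-the-token"))
    print("right token accepted?", req.verify(token))
    bundle, as_json, as_csv = req.export()
    print(as_json)
    print(as_csv)
```

Sending the token to the address already on file is the cheapest identity check that fits the page’s advice not to hoard extra data just to answer requests: it proves control of the mailbox without collecting anything new. The JSON bundle doubles as the portability export; the CSV is for people who want a spreadsheet.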
Identity of the Controller – be open about who you are
We always advise being open with your identity and contact information – it’s in our Ethos. Put contact information on your website and email footer. If you are handling personal data, this will become more important.
“For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” [Recital 42; see also Article 7 and Article 13]
Don’t forget to provide contact information on microsites or other business brands.
Facial recognition data is “special category” personal data (biometric data processed to uniquely identify someone), but ordinary photographs are not automatically so. [Article 9]
“The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.” [Introductory text page 31]
There are special rules for “particularly sensitive” data. If your business handles particularly sensitive Personal Data, you may be subject to additional obligations.
Easy to Understand
Information addressed to the public should be clear and easy to understand [Introductory text page 35]
Icons for use on websites
Standardised icons for the management of consent to personal data use are encouraged by the GDPR:
“standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.” [Introductory Text page 36, Article 12, Point 7.]
Page 36 also covers corrections, deletion, objection and consent for profiling.
Verifying Identity on Information Requests
Data controllers should do identity checks on those requesting information about personal data (a “Subject Access Request”). [Introductory text, page 39]
But don’t hang onto it
“A controller should not retain personal data for the sole purpose of being able to react to potential requests.” [Introductory text, page 39]
Data controllers should be encouraged to develop interoperable formats that enable data portability. [Recital 68; Article 20 “Right to Data Portability”]
Example – Portability
Gathering personal data is not a method of customer retention. You can’t, for example, offer a photo storage service which saves people’s family photos in a format which cannot be viewed or used anywhere else. Attempts to “lock-in” users by using obscure file formats will be viewed in a dim light under GDPR.
This section is relevant to abandoned cart programmes and newsletter systems:
“Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.” [Introductory Text page 42, Article 21]
Take reasonable steps and consider the possibility of:
“discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage”. [Introductory Text page 46]
Assessment & Risk
Where processing is likely to result in a high risk to people (large-scale profiling or tracking, for example), the controller must carry out a data protection impact assessment before starting: a proportionate and objective assessment of the processing, its necessity, the risks to data subjects, and the steps that are reasonable to safeguard the information. [Article 35 “Data protection impact assessment”]
Codes of Conduct
To identify and mitigate against risks, consider using:
“approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer”. [Introductory Text, page 47, Article 24, point 3, Articles 40 & 42]
Measures you can take
- Minimising the personal data processed
- Pseudonymising personal data as soon as possible
- Transparency about what the data is used for and how it is processed
- Enabling the data subject to monitor the processing
- Enabling the controller to create and improve security features [Para 78]
Data protection is expected to take place by design and by default.
(Para 79) Each organisation should have a “clear allocation of responsibilities”.
Outside the EU?
Controllers and processors outside the EU that fall under the Regulation must designate a representative in the EU, unless their processing is occasional, involves no large-scale special-category data and is unlikely to pose a risk. [Article 27; Introductory Text, page 48]
The Regulation applies to such organisations even though they have no EU establishment. [Introductory Text, page 62]
The European Commission can decide that a third country as a whole provides adequate protection, and can amend or repeal that decision. (Para 101 – 107, Article 45)
“the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing.” [Introductory Text, page 50 (Para 81) & Article 28 “Processor”]
- Maintain records of your processing activities [Article 30]
- Be prepared to make those records available to the supervisory authority on request
- Consider the risks of processing the data and the cost of securing it against them [Article 32]
- Consider encryption and pseudonymisation [Article 32, 1(a)]
Data Breach – 72 hours
As soon as the controller becomes aware of a personal data breach, it must:
- Notify the supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to people [Article 33]
- Notify affected people without undue delay where the breach is likely to result in a high risk to them [Article 34]
- Keep a record of every breach, including those it decides not to notify [Article 33, 5]
It is okay to delay telling affected people where early disclosure would hamper a law-enforcement investigation. [Recital 88]
Addressing GDPR across sectors, segments and common platforms:
This is where the argument for addressing GDPR within WordPress and WooCommerce core resides – in the provisions for conducting Data Protection Impact Assessments across a larger project:
“There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.” [Para (92) Introductory Text, page 58]
Consent options built-in from the start
Across the whole GDPR, there are plenty of hints that common formats and standards for privacy consent toggling are a good thing and should be encouraged from the outset of a design or software project. For Open-Source projects that includes consideration from core contributors on how the GDPR can be dealt with on a community basis. The EU is trying to make Personal Data processing as transparent as possible and would like consent options built-in as far as possible.
Join the discussion on WordPress core
To join the developer discussion on what should and should not go into WordPress core, go to https://make.wordpress.org/chat/ and join the WordPress core Slack channel. Update: The GDPR chat has been re-named to Core Privacy – the tag can be found here: https://make.wordpress.org/core/tag/core-privacy/
Codes of conduct are encouraged
Associations representing categories of controllers or processors (a WordPress or e-commerce trade body, for example) may draw up codes of conduct for approval by a supervisory authority, and adherence to an approved code can be used to demonstrate compliance. [Article 40]
Right to Lodge a Complaint
Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State where they live or work or where the alleged infringement took place. [Article 77] They also have the right to mandate a not-for-profit body to lodge the complaint on their behalf, though whether that body can also claim compensation on their behalf depends on Member State law. [Article 80]
Right to Compensation / Obligation to Compensate
Anyone who suffers material or non-material damage as a result of an infringement has the right to compensation from the controller or processor responsible. [Article 82]
WP GDPR Compliance Plugin
Linda Scott has written a review of the WP GDPR Compliance plugin, but basically it currently covers WooCommerce, Contact Form 7 and WordPress Comments and the roadmap says the plugin will soon address HTML Forms, Ninja Forms and Gravity Forms. Update: Gravity Forms now supported.
This plugin will not make your site GDPR compliant, but it’s an easy first step.
Get it here:
Example of the WP GDPR Compliance Plugin in use
There’s an example of the compliance plugin in use on the comment form here and a picture below:
What does the GDPR mean for my WordPress business?
From our experience with clients, here’s what Silicon Dales predicts will be the most common changes to Personal Data handling necessitated by the GDPR:
- Mailchimp & other newsletter services: more detailed opt-in, with permission for segmentation
- Contact Forms: detailed permission tick box, and internal company policies updated to regularly clear out contact information which is no longer in use
- Comments: detailed permission tick box, and internal company policies updated to ensure personal data submitted for the purpose of posting a comment is not used further unless permission is given
A large number of WordPress website operators, owners and developers use Mailchimp to handle newsletters and other email functions. Here’s what Mailchimp told us about their GDPR compliance efforts:
“We prepared a white paper that outlines the compliance efforts MailChimp is undertaking and also includes some information for our users that is relevant to their own GDPR compliance. You can find the white paper at the following blog post:
“Please know that we are assessing the provisions of the EU’s General Data Privacy Regulation with guidance from the Article 29 Working Party and various member state DPAs. MailChimp is working with experts in this area, and intends to be compliant with the GDPR within the requirements of the provision.
“One example of the steps we’ve taken is updating our DPA to incorporate provisions to address (among other things) Article 46. You may find our DPA here where you can fully execute the agreement online. From that page you may also view and download a sample for review. To fully execute the agreement, go back to the main page and complete the necessary fields.
“Additionally, MailChimp adheres to the Privacy Shield Principles. We are EU-U.S. and Swiss-U.S. Privacy Shield certified through 2018 and listed on the US Department of Commerce Privacy Shield website as The Rocket Science Group LLC d/b/a MailChimp.
“MailChimp is currently in the process of assessing and developing new, GDPR-friendly tools and features for our users, many of which are aimed at helping our users comply (or more easily comply) with requests from individual data subjects pursuant to their new rights under the GDPR. As these features are still in the research and development phases, we do not have any details to share with you as of today. But, please know that we are actively pursuing enhancements to our platform that will help our users with requests like these from data subjects, so please keep an eye on new release information from MailChimp over the coming months.”
You can find Mailchimp’s GDPR Guide here.
Contact Forms will need an extra tick box or toggle, giving permission to use any Personal Data submitted in the form. The text should give a plain language explanation of how the data will be used.
Here are some relevant examples of things you will need permission for on your Contact Form:
- Allow Personal Data to be added to the site’s Salesforce or other CRM account
- Allow Personal Data to be added to a newsletter list
- Allow Personal Data to be used to segment mailing lists
- Allow Personal Data to be used to target advertising
Gravity Forms is a great WordPress forms plugin we use regularly here at Silicon Dales.
Ninja Forms have a particularly good response to GDPR here and they have a couple of really handy suggestions for different ways to approach compliance.
An extra permission tick box is required.
Automattic and Automattic Products
If your site is hosted with WordPress.com, or if you use Jetpack or any of the other Automattic services – there’s a GDPR information page here:
There are some specific ramifications for those running woocommerce websites:
Tracking of WooCommerce Stores
For full information on this see:
It is possible to opt out of WooCommerce usage tracking (the telemetry the plugin sends back to WooCommerce.com about your store) by going to WooCommerce > Status > Tools and selecting Reset under Reset Usage Tracking; this clears the tracking setting and the plugin will ask again before sending any data.
What does the GDPR mean for abandoned carts?
A strict interpretation of the GDPR could indicate that some abandoned-cart practices breach the requirement for “consent” to using personal data. In short, if your basis for using checkout data is that the customer completed the purchase, that basis never arises when someone abandons the checkout half-way through: no order was placed and no marketing consent was given.
The key thing here is that consent to use the data must have been granted, unambiguously, at the start of the customer journey.
So, if you want abandoned-cart email capture in your checkout for EU customers and don’t want to fall foul of GDPR, box number one needs to be an affirmative, unticked “yes, you can use my email address to remind me about this order if I do not complete checkout”, presented before any address is stored.
One way to do this is to show that consent box only to EU visitors: geo-target it, or ask for the country first and display the box once an EU country is selected, so that the country selection happens early, before consent and before any “cart abandon” data collection. This would appear to be a Good Idea.
Silently collecting the email addresses of EU citizens from checkouts will not be a GDPR-compliant activity.
What does GDPR mean for third party shipping handlers?
You will need to check up on your third party shipping handlers to ensure they comply with the GDPR and ensure your customers know how their personal data is going to be used and by whom.
What does GDPR mean for My Account pages?
My Account pages are a great place to allow users to self-manage their personal data.
This will most likely include a Privacy Settings page or tab with standardised toggle icons to allow the giving and withdrawal of consent to use Personal Data.
Another potential response to GDPR may be to include a “Delete My Account” button and / or a form to allow for a Personal Data information request.
Following the spirit of the GDPR, it would be best for these updates to be addressed within core, but individual site owners can also achieve these changes with plugins and custom code.
The Impact of Brexit
Robert Bond from Bristows LLP explains how the relationship between the UK and EU will change under GDPR after Brexit:
“GDPR will come into force well before the UK leaves the EU and the new Data Protection Act 2018 reflects GDPR. We will therefore be on a level footing with the rest of the EU before and after Brexit.
“However unless UK negotiates an “adequacy” status as part of Brexit, we will not be in the EU and as such UK businesses may have more hoops to jump through when processing EU citizens’ personal data.”
Choosing a Lead Supervisory Authority
From 29th March 2019, the date set for Brexit, the ICO will no longer be able to act as a Lead Supervisory Authority under the GDPR’s one-stop-shop mechanism for UK companies’ cross-border processing in the EU.
UK companies with existing “hubs” on the continent will be expected to use the most appropriate local LSA (the supervisory authority of their main EU establishment) if a data breach occurs.
There is some leeway in the legislation, expertly explored here by Deirdre Kilroy, for companies which are wholly based in the UK for data processing and HQ purposes. These companies may decide to go “jurisdiction shopping”, though in practice, most will use Ireland’s Data Protection Commission (Coimisiún Cosanta Sonraí), for the familiarity of the legal setup and English language.
Need an accredited DPO to check over your business or service? Need to formulate a GDPR strategy? Take a look at our list of accredited DPOs below:
Choose your DPO carefully, especially if outsourcing to a provider outside the European Union.
Get help adjusting your WordPress website or G Suite system
For help formulating or implementing a GDPR strategy, get in touch with Silicon Dales today.