GDPR for WordPress websites
27509
page-template-default,page,page-id-27509,bridge-core-2.5.8,qode-quick-links-1.0,qode-page-transition-enabled,ajax_fade,page_not_loaded,,qode-child-theme-ver-1.0.0,qode-theme-ver-24.4,qode-theme-bridge,qode_header_in_grid,wpb-js-composer js-comp-ver-6.4.2,vc_responsive
 

GDPR for WordPress websites

 

What is GDPR compliance?

The EU’s General Data Protection Regulation (GDPR) will replace the Data Protection Act (1998) in the UK. It seeks to give people more control over how organisations use their data and introduces hefty penalties to organisations that do not comply or suffer data breaches.

 

Who does it apply to?

Any business that processes people’s data. IE if you receive someone’s contact details from a contact form on your website, or you hold customers contact details on your computer or other software. You must gain someone’s consent to hold their personal data.

 

How do I get consent to hold someone’s personal data IE contact details?

Consent must be active and affirmative, rather than passive acceptance such as pre-ticked boxes on a form.

You must also keep a record of how and when a person gave their consent and they may withdraw their consent at any time.

 

What’s the ‘Right for access’?

People can ask for access at “reasonable intervals”, and controllers must generally respond within one month.

Everyone has the right for access to any information an organisation holds on them, and the right to know why that data is being processed, how long it’s stored for and who gets to view it.

Where possible, data controllers should provide secure, direct access for people to review what information an organisation stores about them.

They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.

People can ask for access at “reasonable intervals”, and controllers must generally respond within one month.

 

What’s the ‘Right to be forgotten’?

Under GDPR, people also have a right to demand that their data is deleted if it’s no longer necessary to the purpose for which it was collected.

This is known as the ‘right to be forgotten’. Under this rule, they can also demand that their data is erased if they’ve withdrawn their consent for their data to be collected, or object to the way it is being processed.

The organisation is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.

 

What do we do if we suffer a data breach?

Within 72 hours of your organisation becoming aware of a data breach, you must inform the people who are affected and the UK’s data protection authority which is the Information Commissioner’s Office.

 

When is the deadline to comply by?

The deadline is 25th May 2018, so you need to act now to allow enough time for the changes to be made to your website.

 

Do I have to make my website GDPR compliant?

The fine for not being compliant can be either up to €20 million or up to 4% of your annual turnover, whichever is higher.

Investigations may be undertaken on large corporations first but if one of your customers complains that you are not handling their personal data correctly then it’s likely that the complaint will be investigated, and you will receive a fine.

But ‘we are leaving the EU?’ we hear you say. This may be true, but we have one year in which we will still be governed by EU law. Even after we have left the EU, the UK government may decide to bring GDPR compliance into UK law.

 

How do I make my WordPress website GDPR compliant?

As GDPR compliance involves many aspects of data management, there is quite a lot to do with your website to make it compliant which we have listed below.

 

Comments

Is your website allowing the public to leave comments on posts or pages? Unless you have an e-commerce website, we recommend turning this function off.

 

Contact Form(s)

How is personal data that is entered through the contact form(s) sent to you?

We assess which contact form plugin or system is being used and how it sends the personal data to you and if that process is compliant.

Contact form submissions should also not be saved to your website’s database.

If it’s not GDPR compliant then we will change it to one that is. Once a request has been by a user, this must be supplied free of charge within 40 days.

 

Security Monitoring

A requirement of GDPR compliance is that you notify anyone affected if your website suffers a data breach, within 72 hours.

This means we must monitor the security of your website much more closely, so we are increasing our monthly website technical maintenance package to £45/month.

 

SSL certificate

Any data that is submitted to your website must be encrypted, which prevents it from being hacked. Therefore, websites should now all have SSL certificates. This will ensure your site is encrypted and protected.

 

Privacy Policy Page

Do you have a privacy policy page? If not, this will need to be created for GDPR compliance.

GDPR requires that organisations must be transparent about how they collect data, what they do with it, and how they process it and must be clear (using plain language) in explaining these things to people.

 

Cookies Policy Page

Websites now must have a cookies policy page where a user can opt in or opt out.

Cookies are stored in a user’s browser and enable a website to ‘remember’ small pieces of information between visits.

Some cookies collect data across many websites, creating ‘behavioral profiles’ of people. These profiles can then be used to decide what content or adverts to show you.

By requiring websites to inform and obtain consent from visitors it aims to give web users more control over their online privacy.

 

Customer Data

GDPR compliance requires you to allow your customers to request to view, edit and delete the personal information you hold on them.

We suggest a consent form to be present on the Privacy Policy Page or your Contact Form

 

WordPress Plugins

All WordPress plugins associated with your website must be audited and checked for GDPR compliances.

We will ensure this is conducted and provide a report confirming that these have been cleared. If for any reason a plugin is not, we offer an alternative solution.

 

How much does it cost to make my WordPress website GDPR compliant?

To enable us to give you a bespoke quote for your website, we will need to audit your website.

 

What does this package not include?

Why we will take every reasonable step to protect your website from being hacked and GDPR compliant, IT systems are not infallible due to the rapidly changing nature of internet security.

Our GDPR package does not include costs involved to recover your website in the rare instance of it being hacked or if there is a data breach.

 

What else needs to be done to be GDPR compliant?

Apart from your website, you probably hold customer data elsewhere such as on computers, mobile phones and possibly on 3rd party websites such as email accounts, accounting software, etc.

You will need to carry out a data audit to record where you store peoples’ data, if you are storing it for a legitimate reason and if you have consented to hold it.

The full scope of this is beyond this guide about making your WordPress website GDPR compliant so we have listed some guides for small businesses.

 

Next Steps

As the GDPR deadline is only a month away, please contact us by 30th April if you would like to make your website GDPR compliant so we have enough time to schedule the work in on your website.

Contact us or Mel on 01932 932110 or mel@bluebell-web-solutions.com

If you feel there is anything you are concerned about regarding GDPR for your website that we have not covered in this document, please let us know as soon as possible.

 

 

Disclaimer

The content of this web page is information on GDPR as we interpret it.  We’ve spent a lot of time researching GDPR for WordPress websites and believe  we’ve been correct about its intent and meaning.  However, not all aspects, applications and interpretations of GDPR are well-settled. The content of this webpage is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation.  Only a specialist GDPR lawyer will be able to advise on how your organisation specifically can be fully GDPR compliant. We make no warranties as to the information on this web page which may change without notice.