The General Data Protection Regulation (GDPR) is important new legislation in the area of data protection. Developed by the European Union, it’s designed to strengthen individuals’ rights regarding the collection, use and storage of their personal data.
The law applies to businesses or organisations in the European Union. Those outside the EU who offer goods and services (whether paid or not) to people living within the EU, or monitor their behavior, must also comply.
In effect, GDPR becomes the global standard for data protection.
So What Counts as Personal Data?
Any data that can be used to identify a living person directly or indirectly is classed as personal data.
- Email address
- Social security number
- Location data
- IP address
What Is Sensitive Personal Data?
Sensitive personal data is a special class of personal data that has to be even more carefully handled. It includes factors such as:
- Health status
- Sexual orientation
- Religious beliefs
- Political beliefs
What Rights Do Data Subjects Have Under GDPR?
As explained by the ICO, data subjects have the following rights concerning their personal data:
- Restrictions on processing
- Data portability
- Revision of automated decisions or profiling
The GDPR refers a lot to data processing. This simply refers to any operation that is performed on personal data – collection, storage, amendment, deletion etc.
What Will Your Business Have to Do to Comply With GDPR?
1. Audit your personal data
Find out what personal data you process. The audit itself is detailed below.
2. Document everything
Write down your policies and procedures for handling personal data. This is part of demonstrating your compliance with the regulation.
You’ll need a plan for what to do in the case of:
Subject access requests
Individuals may request access to, updating of or deletion of their personal data. How will you verify their identity and fulfil the request?
Detail what you are doing to keep personal data safe. This might involve techniques like encryption, anonymization and access control.
Any personal data breaches which would significantly harm individuals must be reported within 72 hours to the “relevant supervisory authority”. In the UK that’s the ICO. If the breach is serious enough, you’ll also need to tell the individuals affected.
3. Inform your audience
Create or update your privacy statement to explain what personal data you collect and what it is used for in a brief and readable way.
Don’t just copy and paste one; make sure that it is tailored to your business and the data you hold.
4. Identify a legal basis for all your personal data processing activities
All personal data processing must have a legal justification. More about this later.
5. Consider having a DPO
A Data Protection Officer (DPO) is responsible for all data protection activities. A DPO could be within an organisation or externally appointed.
Discovering the Personal Data Your Business Collects
- Who do you hold data on?
- What personal data is collected? Is any of it sensitive?
- What file types are used?
- Where is it stored – locally, on a web server, in the cloud?
- Do any third parties handle the data? Which ones? Where are they based?
- If the data was initially collected and stored within the EU, is it transferred outwith the EU at any time? (Non-EU transfer is permitted only if personal data has adequate safeguards. If data is transferred to the USA, the relevant framework for data transfers is the Privacy Shield.)
- How long is the data stored for?
- Is it secured in any way?
- Are subjects notified about what data is held and used for when you collect it?
Personal data lurks in a lot of places! If you’re anything like me, you will use a lot of tools.
Here are some places to search:
- Live websites, development and staging sites with:
  - WordPress plugins that collect and store personal information
  - WordPress users – especially on BuddyPress and bbPress installations
  - Native WordPress comments or other commenting software
  - WordPress ecommerce solutions e.g. WooCommerce
- Files – documents, spreadsheets, databases, PDFs
- Storage and backups: computers, portable drives, USB sticks, DVDs, online
- Cloud storage: Dropbox, Google Drive, Amazon S3
- Email and email attachments
- CRM systems
- Email marketing software: MailChimp and similar
- Social media: Check for your “address book”
- Messaging apps e.g. Slack, Facebook Messenger, Intercom
- Productivity apps e.g. Zapier, Trello
- Booking software e.g. Eventbrite, Calendly
- And don’t forget that paper records count as well as electronic ones!
Third Party Processing
Check privacy policies and/or supplier agreements of any third parties you use. Find out what their plans to comply with the GDPR are. If you don’t get satisfactory answers, hunt for alternative suppliers.
WordPress Plugins That Collect Personal Data
Look for ways to minimize the collection of personal information. Adopt a Privacy by Design approach.
Avoid creating forms like this asking for a lot of data without making it clear what it’s used for.
If you’re a plugin developer, build in options to let site owners choose what they want to collect and store, and the option to delete data. Make sure that when the plugin is removed, all the data is purged.
Implement access via WordPress user roles: subscribers shouldn’t be allowed to view form data, for example.
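The two plugin-developer points above (purge on removal, access by user role) can be sketched as follows. This is an added example, not code from any plugin named on this page; the plugin name, table name, option name and meta key are assumptions.

```php
<?php
/**
 * Plugin Name: Example Forms (hypothetical, for illustration only)
 */

// Table, option and meta key names below are assumptions made for this example.
function example_forms_table() {
    global $wpdb;
    return $wpdb->prefix . 'example_forms_entries';
}

// Register the purge routine once, on activation. The uninstall callback
// must be a named function or static method, not a closure.
register_activation_hook( __FILE__, function () {
    register_uninstall_hook( __FILE__, 'example_forms_uninstall' );
} );

// Runs when the site owner deletes the plugin: remove everything it stored.
function example_forms_uninstall() {
    global $wpdb;
    $table = example_forms_table();
    $wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );   // submitted entries
    delete_option( 'example_forms_settings' );            // plugin settings
    // Remove this meta key for every user (the object ID is ignored when
    // the last argument, $delete_all, is true).
    delete_metadata( 'user', 0, 'example_forms_last_entry', '', true );
}

// Only roles holding 'manage_options' (administrators by default) get the
// entries screen; subscribers never see it.
add_action( 'admin_menu', function () {
    add_menu_page( 'Form entries', 'Form entries', 'manage_options',
        'example-forms-entries', 'example_forms_render_entries' );
} );

function example_forms_render_entries() {
    // Repeat the check inside the callback so it still holds if this
    // function is ever wired to another entry point (AJAX, shortcode).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to view form entries.', '', array( 'response' => 403 ) );
    }
    global $wpdb;
    $table = example_forms_table();
    $rows  = $wpdb->get_results( "SELECT email, created_at FROM `{$table}` ORDER BY id DESC LIMIT 50" );
    echo '<div class="wrap"><h1>Form entries</h1><ul>';
    foreach ( $rows as $row ) {
        // Escape stored values on output; they came from untrusted visitors.
        printf( '<li>%s (%s)</li>', esc_html( $row->email ), esc_html( $row->created_at ) );
    }
    echo '</ul></div>';
}
```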
Now, a look at some specific plugins.
1. Akismet
I contacted the developers behind Akismet and asked what happens to personal data when it checks WordPress comments for spam.
Chris from Automattic replied:
“We’re working on getting into full compliance with GDPR by the time it goes into effect early next year.”
(We can infer that this applies to Jetpack and WooCommerce as well.)
“The only information sent to Akismet when a comment is tested for spam is information that the commenter provided: their name, email address, site URL, and comment (plus other non-personal information like the current time, etc.). This information is not transferred to any non-Akismet servers, but we cannot guarantee in which country it will be processed. To that end, we have signed model contract clauses with our Irish subsidiary that cover the transfer of data in and out of the EU for processing.”
German users may wish to use the Akismet Privacy Policies plugin to provide a warning that comment data may be sent to the USA. (No English translation as yet.)
2. Contact forms
Watch for form plugins that store personal data in the WordPress database. As you shouldn’t keep personal data for longer than required, the ideal situation is to delete it when it’s no longer needed.
The Wider Gravity Forms Stop Entries plugin blocks storage of Gravity Forms entries.
Ninja Forms have a setting to not store form entries. You need to enable it for each form.
Also, check for any forms which automatically opt users into marketing messages via pre-ticked checkboxes.
3. “Email This Page” Plugins
Print, PDF, Email by Print Friendly collects user-submitted email addresses.
The developers have made a clear commitment to protecting personal data:
4. Giveaway Plugins
Plugins like KingSumo run giveaways. Entrants are added to a list of email subscribers.
What about cookies?
Cookies are covered under the ePrivacy regulation, separate from GDPR. Its implementation date was supposed to coincide with GDPR, but it will likely be delayed as it’s still in draft.
The ePrivacy regulation distinguishes between first-party cookies, served by your domain, and third-party cookies e.g. from Google Analytics and some social sharing plugins.
It may be that browser settings will be used as a form of user consent for third-party cookies, but this is something we’ll have to keep an eye on.
Finding a Legal Basis for Your Personal Data Processing
There are 6 main grounds for the legal processing of personal data. At least one condition must be met.
Two of them are unlikely to apply to those working with the Web – vital interests and public function.
That leaves the following:
1. Necessary for performance of a contract
Activities like collecting payment information from a supplier are covered by this principle.
2. Legal obligation
For example, UK businesses are required by law to keep expenses records for 5 years after the 31 January submission deadline of their tax return.
3. Consent
This is a key processing criterion for most businesses. If no other legal basis applies you will need to seek consent for your personal data processing.
Consent must be:
Given freely – no-one should be tricked or coerced into supplying their personal data.
Explicit – if you want to add email addresses from a contact form to a mailing list as well, you can’t use a pre-ticked checkbox automatically opting them in.
This relates to:
Specific and separate – if there are multiple processing purposes, consent must be asked for separately for each one. For the KingSumo plugin mentioned earlier, there should ideally be 2 checkboxes:
- Yes to entering the competition under its terms and conditions.
- Yes to receiving email marketing.
Named – state your organisation name and any others that will be processing the data.
Able to be withdrawn at any time – if someone wants to opt out later, you must allow them to. You should make it easy to do this.
You need to record:
- What someone has consented to.
- When they consented.
- How they did it.
- What they were told about how their information would be used.
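One way a WordPress plugin could keep such a record, with one row per purpose so that each consent can be withdrawn separately. This is an added example, not code from KingSumo or any other plugin on this page; the table, its columns, the notice wording and the "Example Ltd" name are assumptions.

```php
<?php
// Assumed table {$wpdb->prefix}example_consent with columns:
// email, purpose, notice_text, method, granted_at, withdrawn_at (NULL = active).

// One entry per processing purpose, holding the exact wording shown next to
// its checkbox. "Example Ltd" is a placeholder organisation name.
const EXAMPLE_CONSENT_NOTICES = array(
    'giveaway_entry'  => 'Yes, enter me into the competition run by Example Ltd under its terms and conditions.',
    'email_marketing' => 'Yes, Example Ltd may send me email marketing.',
);

// $posted is the submitted form data; checkboxes are named consent_<purpose>
// and must be rendered unticked. Returns the purposes that were recorded.
function example_record_consent( $email, array $posted, $method ) {
    global $wpdb;
    $recorded = array();
    foreach ( EXAMPLE_CONSENT_NOTICES as $purpose => $notice ) {
        if ( empty( $posted[ 'consent_' . $purpose ] ) ) {
            continue; // No tick for this purpose means no consent for it.
        }
        $ok = $wpdb->insert(
            $wpdb->prefix . 'example_consent',
            array(
                'email'       => sanitize_email( $email ),
                'purpose'     => $purpose,                       // what
                'granted_at'  => current_time( 'mysql', true ),  // when (UTC)
                'method'      => $method,                        // how
                'notice_text' => $notice,                        // what they were told
            ),
            array( '%s', '%s', '%s', '%s', '%s' )
        );
        if ( false !== $ok ) {
            $recorded[] = $purpose;
        }
    }
    return $recorded;
}

// Withdrawal marks the record instead of deleting it, so the history of what
// was agreed and when it ended is kept. Returns rows updated, or false on error.
function example_withdraw_consent( $email, $purpose ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_consent';
    return $wpdb->query( $wpdb->prepare(
        "UPDATE `{$table}` SET withdrawn_at = %s
         WHERE email = %s AND purpose = %s AND withdrawn_at IS NULL",
        current_time( 'mysql', true ), sanitize_email( $email ), $purpose
    ) );
}
```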
Does consent run out?
There is no minimum time that consent lasts – it depends on the context.
What about previously gained consent?
Many of us have email lists with subscribers who have opted in for marketing information.
You can keep your existing subscriber data if you can prove that it was obtained under the same provisions as in the GDPR.
The obvious way to do this is to ask your email subscribers for marketing consent again, but beware: Flybe and Honda were fined for doing just that!
Communicator has a helpful table for dealing with legacy email lists.
4. Legitimate interests
Data processing is allowed on the basis of legitimate interests of the business, provided that it does not override the rights of the individual.
Using this basis for your data processing means that you must:
- Document your assessment of your interests vs those affected
- Allow individuals to object to this type of data processing
Once you’ve done your audit and identified your legal basis for processing personal data:
If there’s any personal data you no longer need, delete it.
British pub chain Wetherspoons recently decided to delete their entire customer email database:
“We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.”
Do a risk assessment on what personal data you have left, identify any high-risk data and take steps to protect it.
Run a Privacy Impact Assessment on any future or past projects involving personal data collection.
Understanding and adhering to the GDPR is a challenge, but it’s one we can rise to. Higher data protection standards benefit us all.
Start your preparations now. Use the following resources for guidance:
- Data Protection Network
- ICO: Data protection reform
- General Data Protection Regulation – Isle of Man Information Commissioner
- Guide to the General Data Protection Regulation
- Virtual Session: GDPR without the Hype
- GDPR: How to create best practice privacy notices (with examples)
- When and how shall a privacy impact assessment be run?
What steps will you take to abide by the GDPR?