Written on 4. September 2018 by Lennart Christensen

10 Tips to Make Your WordPress Website GDPR Compliant

As most people know, the General Data Protection Regulation (GDPR) entered into force on 25 May. If you have a WordPress website, this means you are affected by the new regulation and need to make some changes to comply with the legislation - failure to do so could result in large fines.

In this post, we give you some tips and tricks to get your GDPR in WordPress under control, which ensures that the personal data collected (e.g. via Cookies), is done in a responsible way. The list here is meant to help you with the topics you should at least be aware of. However, remember that GDPR is much more than just your WordPress website and there are several precautions that you need to consider.

What is GDPR?

The GDPR is a new regulation that aims to improve the security of EU citizens' personal data. It applies to any company that collects data on EU citizens, whether they are EU citizens or not. If you need a broader understanding of the GDPR, you can read this article:

What is personal data?

Personal data is anything that can be used to identify a person. Personal data also includes sensitive data, which can cover a person's racial or ethnic origin, political opinions, religious beliefs, physical or mental health, financial details. Note that IP addresses are also referred to as sensitive personal data.

How do WordPress websites collect personal data?

WordPress websites can collect personal data in a number of ways. Sometimes this is done deliberately, sometimes automatically through the website's software - and you may not even know it. Typical examples are:

  • Analytics and other pixels
  • Blog comments
  • Contact forms
  • Logging tools
  • Security tools
  • Website extensions / Plugins
  • User registrations or newsletters

Information can be, for example, customer names and e-mail addresses, or registration of purchase/query. Furthermore, it can also be data collected through the use of a 'cookie' via a website. Something often seen in the context of a remarketing campaign. 

How to make your WordPress GDPR compliant

1. Consider the necessity
Make sure you only collect the personal data you need. If it is necessary for the use of your WordPress website, your marketing or to get in touch with the customer afterwards, it can be your reasoning. If you get a request from a customer, it's perfectly OK to ask for their information, but don't ask the user for personal information that you won't use anyway. At the same time, you need to assess if and when the personal data you have already collected should be deleted.

2. Install a firewall
A firewall is a security defence against outside attempts to steal the data you have on your website. In particular, personal data is of high interest among cyber-attackers.

In the context of GDPR, you have a huge responsibility where this data is concerned, and it is therefore important that you have a firewall that can sort out these types of attacks. In practical terms, this can be done on your WordPress site, but your chosen hosting platform should also be able to help you with this - as many already do. However, check to make sure you don't have an open hole on your site that a firewall would have covered. Firewalls are essential to protecting your website from cyber attacks and are vital to keeping your data safe. To ensure this, WordPress owners need to install a firewall on their website.

3. Get an SSL certificate
SSL certificates are essential for WordPress websites as they encrypt data in transit between a user's browser and your server. This means that if someone sends you personal information, such as credit card details, it remains secure. This also means that you should be sure that data sent from the site is also using a secure connection, including emails sent, and any data handed over to third parties.

4. Make sure you have external backups
Remote backups are essential if your website or server goes down and you need to restore it quickly. But from a GDPR perspective, you need to make sure that the backup itself is secure, as it contains a copy of all the personal data you hold.

5. Make sure data is safe
When it comes to securing your data, you need to make sure that the data you collect and store is protected until it is securely deleted. In fact, you have an obligation to protect the sensitive information you collect. Also, make sure employees are trained to handle the personal data and keep it safe.

 

6. Improve login security for your WordPress
Poor login security makes it easier for hackers to break into your website and steal personal data. One of the most obvious methods is to use a secure password, and here we recommend using the so-called "passphrase" method to create a new password, as they are more often more secure than short codes with random characters.

7. Update your privacy policy
One of the things you need to do under GDPR in WordPress is inform your users:

  • What types of data your website collects
  • Why you collect this data and how you use it
  • How this data is used and stored
  • How data is shared
  • How users can get a copy of personal information you have on them
  • How to ask for the data to be deleted or moved
  • All this information should be collected in your privacy policy and a privacy page. In the latest version of WordPress (v 4.9.6), a new privacy policy has been created that allows you to create and view your privacy policy.
  • Any third parties with whom you cooperate in connection with the collected personal data.
  • The lifetime of the data collected, as it must have an expiry date related to the end of the purpose of collection.

8. Install a GDPR plugin
To meet some of the most basic GDPR requirements, we suggest downloading and installing a GDPR plugin, such as the GDPR WordPress Control Center Plugin. This plugin is useful because it performs a number of tasks you must comply with. These include:

  • Cookie overview which can be divided and described
  • Get user consent for the privacy policy when they visit your website
  • Obtain user consent for contact via contact form, e.g. using Contactform 7.
  • Overview of acceptors and personal data collected with IP
  • Processing of requests for erasure of data
  • Handling users' requests for access to their data
  • Contact the controller

9. Make sure your WordPress hosting is GDPR compliant
If your website is hosted on a service provider's server, you should also ensure that appropriate security measures are in place on that server. You should have a 'Data Processor Agreement' with your host that explains how they handle any data you store on their systems. If you have a data processor based outside the EU, there are specific requirements you need to meet. You should therefore ask your data processors if they process your customers' data outside the EU.

10. Consent for marketing
If you want to use personal information to send your customers marketing materials, such as promotional emails, it is important that you have their consent. However, remember that when people sign up or use a form, the tick for "acceptance of privacy policies" not be pre-filled and an active approval must be made.

Conclusion

The GDPR will affect everyone who collects personal data, so it's important that you comply with the regulation. For WordPress users, there are many things you need to do to ensure that personal data is kept secure and that you allow users to exercise their rights over their data. Hopefully the advice given here will help you on your way to complying with the legislation.