If you pay attention to the news, you've probably seen a strange four-letter acronym, GDPR, increasingly popping up among webmasters (perhaps with a sense of panic attached).
What does it mean? And do you need to care about it as a regular webmaster?
In this post, I'll give you a general overview of what the GDPR is and how it might affect your WordPress site.
I'm definitely not a lawyer (though I did take a Gen-ed class in college!), so don't take anything that I say as legal advice. But if you just want a good general understanding of what GDPR is, as well as how you should address it on your WordPress site, give this one a read.
What Is The GDPR?
The GDPR, short for General Data Protection Regulation, is an EU law that focuses on data protection and user privacy. It replaces the 1995 Data Protection Directive (95/46/EC). While the regulation was adopted in 2016, it included a two-year transition period to allow organizations to prepare. That period is almost up and the GDPR becomes enforceable on May 25th, 2018.
So what is it?
Well, it's sort of like those cookie notifications that you've seen pop up everywhere...but on steroids. It covers two broad activities:
- Storage of personal data
- Processing of personal data
Personal data is defined pretty broadly. It's "any information relating to an identified or identifiable natural person". That's...like everything. Name, email, IP address...that, and lots more, could all be defined as personal data.
Processing of personal data, on the other hand, is "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means". So even if you manually process that personal data, it still falls under the GDPR.
You can view the full text for these definitions (Article 4 of the regulation) here.
So...that wording is pretty broad, right?
In general, the GDPR requires you to:
- Have a lawful basis, usually consent, for many actions, like storing someone's email address when they leave a comment on your site
- Give users access to the data that you hold on them, as well as an option to have that data erased (the "right to be forgotten")
- Notify the supervisory authority of a data breach within 72 hours of becoming aware of it, and notify affected users when the breach is likely to put them at high risk (this one is especially hard because many small webmasters have no logging or monitoring in place and might not even realize when a breach has occurred on their site)
Does GDPR Matter For You As A Regular WordPress User?
Yes. At least according to the law. GDPR applies to any website that handles personal data of people in the EU, regardless of where the site itself is hosted (which covers pretty much every public website in the modern world).
Of course, it's not really possible to monitor every single website on the Internet, and I'm sure millions of unaware webmasters will continue on without making any changes (ignorance is bliss).
But by the letter of the law, GDPR almost certainly applies to you.
What Happens If You Ignore GDPR?
While I'm not a lawyer, I think it's unlikely that the EU knocks down your door because of your hobby recipe blog that lets users comment without requiring consent (more on this in a second!)…
But the GDPR definitely does have teeth...
The potential fines are up to €20 million or 4% of annual global turnover, whichever is higher (though I think that the first number is scarier for most of us).
How Does GDPR Affect WordPress Sites?
The GDPR has implications for the core WordPress software. And most WordPress sites are probably going to use some plugins or functions that fall under the GDPR.
If you don't allow public registrations, you might not think that you collect data from your visitors, but I bet that you do…
- Comments on your site (WordPress stores the commenter's name, email address, website URL, IP address and browser user agent in the wp_comments table - remember?)
- User registrations (obviously)
- Contact form entries (especially if you're storing this information in your database)
- Any analytics tools that you're using
Basically, it affects you if you collect any type of data, even unintentionally (like with comments - when's the last time you actually looked at the data?).
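To make the comment case concrete, here is an added example (it is not from the original post and not part of WordPress core) showing how to stop new comments from being stored with a full IP address and a browser user agent. It assumes the file is dropped into wp-content/mu-plugins/ as a must-use plugin. The two hooks it uses, pre_comment_user_ip and pre_comment_user_agent, are real WordPress core filters applied when a comment is saved, and __return_empty_string is a real core helper; the function name example_anonymise_comment_ip is made up for this example.

```php
<?php
/**
 * Plugin Name: Anonymise commenter IPs (added example, not WordPress core)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

/**
 * Truncate an IP address before WordPress writes it to wp_comments.comment_author_IP.
 *
 * IPv4: zero the last octet          203.0.113.42      -> 203.0.113.0
 * IPv6: keep only the /64 prefix     2001:db8::1234:1  -> 2001:db8::
 * Anything that is not a valid IP is dropped rather than stored as-is.
 */
function example_anonymise_comment_ip( $ip ) {
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $octets    = explode( '.', $ip );
        $octets[3] = '0';
        return implode( '.', $octets );
    }

    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
        // inet_pton() gives 16 raw bytes; keep the first 8 (the network half)
        // and zero the interface identifier, which is the part that identifies a device.
        $packed = substr( inet_pton( $ip ), 0, 8 ) . str_repeat( "\0", 8 );
        return inet_ntop( $packed );
    }

    // Malformed or empty input: store nothing instead of whatever arrived.
    return '';
}
add_filter( 'pre_comment_user_ip', 'example_anonymise_comment_ip' );

// WordPress also stores the browser's User-Agent string in wp_comments.comment_agent.
// A blog owner rarely needs it, so don't store it at all.
add_filter( 'pre_comment_user_agent', '__return_empty_string' );
```

This only affects comments saved after the plugin is active; rows already in wp_comments keep their full IP addresses and user agents and need a one-off cleanup. The trade-off is that truncated IPs are less useful for IP-based spam blocking, which is exactly the kind of "data you collected without thinking about it" the list above is about.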
Is WordPress Doing Anything About The GDPR?
As you can see from the list above, some of the things that might put you in violation of the GDPR are actually core WordPress functions.
That is - short of disabling comments, it's hard not to run afoul of the GDPR just by running WordPress.
To address this, the WordPress core team is tracking the work under a #gdpr-compliance tag and is working out how to build GDPR compliance tools into the core WordPress software.
Discussions involve adding tools to the core to help webmasters comply with GDPR, as well as documentation on what WordPress webmasters need to do to comply with GDPR.
You can see a rough roadmap of these ideas on this GitHub page.
Additionally, it's not just the core team who needs to pay attention to GDPR. Plugin developers also need to shoulder some responsibility for making their plugins compliant.
Responsive plugin developers are already doing this. For example, many contact form plugins have published pages on GDPR compliance. You can see two examples below:
WordPress Plugins To Help With GDPR Compliance
Beyond changes to the WordPress core software and existing plugins, some developers have also created plugins to help webmasters with GDPR compliance.
So far, the most popular option seems to be the WP GDPR Compliance plugin from Van Ons.
In addition to giving you a handy checklist for changes that you should manually make, it also offers integrations for:
- Contact Form 7
- WordPress Comments
With these integrations, you can enable consent checkboxes for those forms with the click of a toggle. Note that this covers consent for the integrated forms only; it doesn't touch data your site has already stored, or data collected by plugins it doesn't integrate with:
A second option is the WP GDPR plugin from AppSaloon.
It gives users a page where they can ask for their user data. Users can then view all of their data and ask to remove it if desired. It also includes add-ons for:
- Gravity Forms
- The Events Calendar
- Events Manager
What Does The Average WordPress User Need To Do About GDPR?
Again, I am not a lawyer. This is not legal advice.
As an average WordPress user, the situation isn't quite as dire as it is for a global digital business that's going to attract attention for any compliance issues.
If you're in the EU, or if you get a lot of traffic from the EU, you should:
- Keep an eye on what the core team does so that you know when/if to enable certain features on your site.
- See if any of your plugins that collect user information have provided documentation for how to comply with GDPR. As I showed you above, many of the popular plugins have already done this.
- Consider using a plugin like WP GDPR Compliance if you're worried.
Have any other tips or thoughts on complying with GDPR? Leave a comment and let's get the think tank going...