Just as many small businesses have gotten their heads around the EU’s Cookie Law, along comes the General Data Protection Regulation (GDPR), which gives users the option to delete their information that you store. And it’s a serious responsibility to comply with the GDPR.
In fact, fines can be up to €20 million or 4 percent of your annual turnover.
When you initially look at the details of this initiative, they’ll probably appear complex — and quite frankly, too much of a hassle to comply with. However, it’s important to understand the key concepts of the GDPR.
What’s more, there are some specific things you can do to get the ball rolling that aren’t too difficult.
In this piece, we’ll discuss what it means for you to comply with the GDPR directive, and how to make sure you stay on the right side of it. Let’s get started!
Explaining the GDPR (and those important penalties)
Let’s start at the very beginning. The GDPR is a new initiative from the European Union (EU), which comes into force in May 2018. It gives visitors to and users of your website a way to control how their data is used, handled, and stored. It’s a natural progression from the EU Cookie Law, which provides users with a way to opt in or out of having cookies active when browsing the web.
This might surprise you if you’re outside the jurisdiction — especially if you’ve dismissed the Cookie Law as something not applicable to your business. With the GDPR, there’s no opt-out. Every site will need to comply, and the requirements for complying with the GDPR will be stricter than those of the Cookie Law.
While details on the exact methods of policing are sketchy at this point, it looks as though each state or area will have staff dedicated to rooting out non-compliers. If you’re wondering about the penalties that will be imposed for major failure to comply with the GDPR, they’ll be among the following:
- A €20 million fine
- 4 percent of your annual turnover
Make no mistake — this law is serious business, and it’s worth reiterating that compliance is mandatory. With that in mind, you’ll need to quickly figure out how to begin the process of ensuring that your business complies with GDPR directives.
3 steps to comply with the GDPR
Actually complying with the GDPR will be easier than you might think. There are three key steps you’ll want to take:
- Find out how data is collected on your website.
- Consider the three elements that are key to the GDPR.
- Have a system in place to notify users of data breaches.
Next, it’s important to look into the three aspects central to the GDPR initiative:
Right to Access
Users can request their data freely, and you’ll need to deliver it within 40 days. Therefore, transparency on how and why you collect data is crucial.
Right to Be Forgotten
This acts essentially as a withdrawal of consent, and means you’ll need to completely erase any data collected on a specific user if they request it.
Data Portability
While this sounds complex, it simply means that a user’s data will need to be downloadable and transportable elsewhere.
Finally, you’ll need to let users know if and when a data breach occurs. While we’ll discuss this a little more in the next section, you’ll first want to read up on the process of reporting breaches to the government.
A postscript for WordPress website owners
If you hadn’t already guessed, your data isn’t the only aspect of your site that will be under new scrutiny. WordPress itself – along with any associated themes or plugins – will also need to comply with the GDPR.
In short, you’ll need to show how plugins and themes collect data, just as you would with the rest of your website.
Using a plugin such as WP Security Audit Log will help you here.
You’ll also need a method of notifying users about any data breaches that occur. While the exact methodology here is in your hands, a plugin such as Wordfence can help by notifying you immediately if there are any security issues.
Finally, the WordPress community isn’t leaving its users out in the cold. In fact, they’re working incredibly hard to make sure everyone is complying with the GDPR, in part through the GDPR for WordPress initiative. While there’s been little movement in public so far, we suspect that come May 2018 the developers’ plans will become much clearer.
The GDPR will be here sooner rather than later, so making sure you’re one step ahead is going to be important. The potential financial hit of doing nothing is severe, especially when compared to similar initiatives such as the EU Cookie Law.
Fortunately, considering the GDPR’s three key aspects – the right to access data, the right to be forgotten, and data portability – is a strong first step on the road to compliance. What’s more, WordPress itself will be helping to make compliance easier.
With this in mind, making sure you know how data is collected on your website (and what to do in case it’s compromised) will be your plan of action. Come May 2018, you’ll be well-equipped to handle anything GDPR-related that comes your way!
The above content should not be construed as legal or tax advice. Always consult an attorney or tax professional regarding your specific legal or tax situation.