Quick Answer Section on GDPR
What is GDPR?
GDPR stands for General Data Protection Regulation. It is an EU regulation that has been enforced since the 25th of May 2018.
Whom does GDPR apply to?
Any business entity or public service that handles personal and/or sensitive data of European citizens.
Does GDPR apply to bloggers and content website owners?
Blogs and content websites can fall under the groups governed by GDPR when they collect or use personal or sensitive data of European citizens in connection with marketing, advertising, or other commercial activities.
Is WordPress GDPR-compliant?
WordPress was recently updated to provide tools that can help you become GDPR-compliant. However, neither WordPress nor any plugin or theme can guarantee 100% compliance. It is your job to make sure that you are GDPR-compliant.
What should I do to become GDPR-compliant?
This post is a good starting point, giving you the basics of GDPR and ways to become compliant. However, you are advised to consult a lawyer when implementing GDPR, especially if you run a company of a certain size (above 250 employees) or work with personal data processing. This is your best shot at getting compliant and avoiding trouble.
GDPR is short for General Data Protection Regulation, a piece of EU legislation that became effective on the 25th of May 2018. Its primary goal is to limit and protect the personal data that companies and others use, process or store, whether as a side effect of their work or as their core activity. The idea is to give European citizens control of their personal data and make it more difficult for criminals to misuse such data.
This is without a doubt a great and unique initiative to protect consumers. However, the implications of GDPR turned out to be much greater than initially anticipated and hit a much wider group, including bloggers and owners of large and small content websites.
Whom Does GDPR Apply to?
GDPR applies to the following groups:
- European companies processing data as a core activity or as a vital part of their activities, for example companies working with statistics or analysis, or companies collecting personal data as part of HR, sales or marketing activities.
- Companies residing outside the EU that target EU consumers.
- Companies that received personal data of EU citizens from another company as part of the normal work process or for a specific purpose.
With the following exemptions:
- Companies with fewer than 250 employees aren’t required to document their GDPR-compliance practices. Likewise, they aren’t required to appoint a special data protection officer who is responsible for GDPR’s implementation.
- Companies residing outside the EU that don’t target EU citizens, even though they make their services available to users in Europe, are exempted from GDPR.
- Individuals who collect data for home use only, where no commercial purpose is involved, are also exempted.
It is important to point out that running a blog or a content website quite often falls under the groups to which GDPR applies, because bloggers and content website owners use advertising and other forms of marketing as an income source.
When is Your Blog or Content Website Subject to GDPR?
A stand-alone blog or website isn’t always subject to regulations such as GDPR. However, there are certain conditions that turn the owner into a data processor/controller under GDPR. The most common are:
- Using contact forms/application forms: When using a contact form or application form on your website, you are collecting data, some of which may be personal or sensitive.
- Newsletter subscriptions: You are collecting personal data for a marketing purpose, which is an activity that falls under GDPR and existing marketing regulations in the EU.
- Marketing: If you collect data in connection with, for example, competitions, lotteries or other marketing campaigns, you are subject to GDPR, no matter the core or scope of your activity.
- Remarketing: If you engage in remarketing, you gather data that can be used to identify a person and track their activity online. Therefore, remarketing is subject to GDPR.
- AdSense: Using AdSense on your website results in user data being collected and transferred, including remarketing data. Therefore, all blogs and content websites using AdSense are subject to GDPR, even though they aren’t collecting or using the user data directly.
- Forums or social features: If you let users register on your site in order to comment, participate, etc., and registration requires personal data, then you are subject to GDPR.
- E-commerce: If you run an online store on your website or blog, where order data such as name, address, and credit card is collected, you are subject to GDPR.
The list here isn’t complete, as the diversity of websites makes it impossible to cover all cases where GDPR will apply. If you are in doubt whether or not GDPR applies to you, it is best to consult an attorney, as the fines defined by the European Commission aren’t easy to swallow.
Main Principles of GDPR
GDPR focuses on minimizing the amount of data companies collect and securing it in the best possible way. The main principles are as follows (the bullets below are a direct quotation from the European Commission’s website):
- personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you’re processing (‘lawfulness, fairness and transparency’).
- you must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You can’t simply collect personal data for undefined purposes (‘purpose limitation’).
- you must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’).
- you must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it’s processed, and correct it if not (‘accuracy’).
- you can’t further use the personal data for other purposes that aren’t compatible with the original purpose of collection.
- you must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’).
- you must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).
In short, you can only collect personal data if you have a legitimate (lawful) reason to do so. You must always inform citizens precisely what their data will be used for, and only use it for that purpose. You must also inform them how the data will be processed, stored and possibly shared, and when it will be deleted. Data must never be stored for longer than necessary (as defined by a law, a regulation or the purpose), and citizens must be informed about their rights to receive a copy of their data, to have it updated or deleted, and to file a complaint with a data protection authority.
In addition, data should always be protected “by design and by default”. This means that whenever you collect, transfer and/or store personal or sensitive information, you must make sure that it is collected, transferred and stored in a secure manner. It also means that where users can choose between security settings, for example when creating an account on a website, the default settings must always be the ones providing the best protection of user data.
What is Personal Data and What is Sensitive Data?
The EU differentiates between two types of data that GDPR applies to: personally identifiable information (PII) and sensitive personal information (SPI). While both are covered by GDPR, SPI is considered more critical and requires more protection.
The following is considered PII:
- IP address
- browsing history
The following is considered SPI (quotation from the European Commission’s website):
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data, biometric data processed solely to identify a human being;
- health-related data;
- data concerning a person’s sex life or sexual orientation.
While collecting personal data needs a legitimate reason and purpose, collecting sensitive data requires that using such information is absolutely essential and that there is no other way. For example, it is okay when an insurance company collects health data to process your health insurance application. It is, however, not okay when an employer enquires about an employee’s health (with the exception of workplaces where certain disabilities or illnesses can put the employee’s or others’ life and health in danger).
Compliance with GDPR: Bloggers and Content Websites
Even though it is rare for bloggers and content websites to have personal data collection as a core activity, these types of sites are still used for data collection for different purposes. This means that they need to comply with GDPR, as long as they target European citizens.
Compliance with GDPR can be segmented into four major areas: security, process, information, and consent. All of these areas must be covered by a complete personal data policy that is in turn made available on the website, or communicated in another appropriate way, to the site’s users. The most common and convenient way to inform site visitors about your personal data policy is via an extended cookie notice that informs not only about what kind of information is gathered through cookies but also through any other channel, such as contact forms, mail, submitted orders, registration, subscriptions, etc.
Information
You must inform site visitors about the following:
- Who your company is (if you have a registered company), how it can be contacted, and who your data protection officer is, if you have one appointed;
- What the purpose of collecting personal data is. If there are multiple personal data collection methods and purposes, you must describe them all in a transparent and easy-to-grasp manner;
- What kind of personal data is collected;
- What the legal grounds for collecting personal data are;
- For how long the data will be stored;
- Who else (if anyone) will get access to the personal data;
- Specifically: whether you are going to transfer the data outside the EU;
- Whether there is automated decision-making in place, how it is applied, and what the consequences of using it are;
- What rights European citizens have, including the right to receive a copy of the collected data, to ask for a correction or update, and to demand to be forgotten, that is, to demand that you erase all data you have about them, including past orders, downloads, subscriptions, etc.;
- That they have the right to lodge a complaint with a Data Protection Authority;
- That they have the right to withdraw already given consent at any time.
Here you can find the full list of data you must provide in different cases.
Note! Please keep in mind that when using third-party services, such as Facebook login or Google Analytics, it is YOU who has the responsibility to protect personal data from being misused! This means that you must check the relevant services’ privacy policies and only use them if they are compliant. You must also inform site users that you share their data with third parties, how and why this happens, and how their data is protected.
Security
Under GDPR, security is understood as putting safeguards in place to secure data collection, transfer, and storage. This involves the following, among other, case-specific safeguards:
- Data transfer and storage should be encrypted. Therefore, you should as a minimum install SSL on your website, which secures the data transfer from and to the website, as well as data stored in the website’s database. SSL doesn’t cost a lot and is easy to issue and install, as long as you aren’t aiming at the extended validation level (EV), which is only relevant to corporations and doesn’t provide stronger encryption than simple domain validation certificates. Therefore, if purchasing an SSL certificate for data transfer security reasons, you can save a lot by choosing the type of SSL certificate that fits your situation.
- Secure e-mail is yet another way to protect personal data transfers; however, it is only relevant to those who regularly, and as an important part of their activities, receive personal or sensitive data. Examples would be a translation agency, a travel agency, public administration, etc. For most companies, bloggers, and content website owners this is only very rarely relevant.
- If data is stored outside the website, it should be secured appropriately, making data leaks unlikely.
- When using WordPress and a combination of plugins to, for example, facilitate job applications, subscriptions, chat, contact forms, surveys, etc., you must check whether information is accessed by a service provider (for example a chat facilitator), and whether it is transferred, stored or used in any way by them. If data is being accessed or processed by the service provider, it is your responsibility to read their data protection policy to make sure that it is GDPR-compliant. If it isn’t, you must stop using their services, as it is you who is responsible for handling and protecting the data of your site visitors.
- If you collaborate with other companies on processing personal data, all data transfers, as well as the way the data is handled by either you or your partners, must be secured appropriately to make sure that there are no breaches. You must also be able to guarantee that data is only used for its original purpose and stored as declared in your data protection policy.
It is important to note that while WordPress, as well as many plugin and theme authors, are these days working on making their products GDPR-compliant, no plugin, theme or combination of plugins and theme can guarantee 100% GDPR compliance. The reason is found both in the fact that GDPR is still quite new and somewhat fluid, and will be until the first wave of lawsuits has been tried in the courtroom, and in the fact that websites are very dynamic and constructed of multiple elements. Therefore, it isn’t wise to rely on GDPR plugins or to believe that everything is as it should be without checking it yourself, or even better, having your lawyers check it for you.
Process
The process of collecting, storing, and working with data under GDPR is defined by the principles of data minimisation, fairness, transparency, consent, and lawfulness.
This means that you must craft a solid policy governing the way your organization, or you as a blogger or content website owner, is going to work with data. Such a policy must be transparent, meaning that you must truthfully inform site visitors about what is going to happen with their data. Remember to answer all of the bullets under the Information section above, to explain how their data is being secured and whether there are any risks involved, and to describe how consent is given in different cases.
Remember that while it is up to you to shape the data protection policy, it is important to base it solidly on GDPR and other relevant data protection regulations, local and international.
Once the policy is in place, you must make sure that it’s implemented correctly and fully.
Consent
Under GDPR, site users must actively consent to their data being collected and processed by you. Consent can be given in different ways, but it always involves the citizen being presented with the full data use and protection policy, followed by active consent in the form of ticking a box or using a digital signature (online), or consent given in writing by signing a document.
It’s very important to remember that European citizens also have the right to withdraw their consent at any time, no matter when or for what purpose they gave it.
Even though bloggers and content website owners rarely fall under the category of big companies that must document their data protection and processing activities, it is necessary to be able to document that you inform site visitors of your policy prior to data collection and that you require explicit consent. This can come in handy should anyone file a complaint against you.
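The consent, withdrawal, storage-limitation and documentation requirements described above can be met with a simple append-only consent ledger. The following is an added example, not code from the original post or from WordPress; the purposes, retention periods, pseudonymous identifiers and timestamps are constructed, and in a real site they would come from the privacy policy and the database.

```python
# Added example (not from the original post): a minimal consent ledger that
# records who consented to what and under which policy version, lets them
# withdraw at any time, and flags data whose declared retention has elapsed.
# All purposes, retention periods, identifiers and timestamps are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # pseudonymous id, not the visitor's name or e-mail
    purpose: str         # one consent per declared purpose (purpose limitation)
    policy_version: str  # policy text the visitor saw before ticking the box
    granted: bool        # True = consent given, False = consent withdrawn
    at: datetime         # UTC timestamp of the event


@dataclass
class ConsentLedger:
    # Retention per purpose as declared in the privacy policy (assumed values);
    # storage limitation is counted from the moment consent was given.
    retention: Dict[str, timedelta]
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, subject_id: str, purpose: str, policy_version: str,
               granted: bool, at: datetime) -> None:
        if purpose not in self.retention:  # undeclared purpose: refuse to collect
            raise ValueError(f"no declared purpose/retention for {purpose!r}")
        self.events.append(ConsentEvent(subject_id, purpose, policy_version, granted, at))

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        hits = [e for e in self.events if (e.subject_id, e.purpose) == (subject_id, purpose)]
        return max(hits, key=lambda e: e.at) if hits else None

    def has_consent(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Valid only if the latest event is a grant and retention has not run out."""
        e = self.latest(subject_id, purpose)
        return e is not None and e.granted and now < e.at + self.retention[purpose]

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> None:
        """Withdrawal is appended as an event so the full history stays documentable."""
        e = self.latest(subject_id, purpose)
        self.record(subject_id, purpose, e.policy_version if e else "n/a", False, at)

    def erasure_due(self, now: datetime) -> List[Tuple[str, str]]:
        """(subject, purpose) pairs to erase: consent withdrawn or retention elapsed."""
        pairs = {(e.subject_id, e.purpose) for e in self.events}
        return sorted(p for p in pairs if not self.has_consent(p[0], p[1], now))

    def evidence(self, subject_id: str) -> List[dict]:
        """Audit trail to produce if a complaint is lodged with a data protection authority."""
        return [{"purpose": e.purpose, "policy": e.policy_version,
                 "granted": e.granted, "at": e.at.isoformat()}
                for e in sorted(self.events, key=lambda e: e.at) if e.subject_id == subject_id]


def demo() -> dict:
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger({"newsletter": timedelta(days=365), "contact_form": timedelta(days=90)})
    ledger.record("u1", "newsletter", "policy-2018-05", True, t0)
    ledger.record("u2", "contact_form", "policy-2018-05", True, t0)
    ledger.withdraw("u1", "newsletter", t0 + timedelta(days=30))
    now = t0 + timedelta(days=100)
    return {"u2_day10": ledger.has_consent("u2", "contact_form", t0 + timedelta(days=10)),
            "u1_newsletter": ledger.has_consent("u1", "newsletter", now),
            "u2_contact": ledger.has_consent("u2", "contact_form", now),
            "erase": ledger.erasure_due(now), "u1_events": len(ledger.evidence("u1"))}
```

Running erasure_due on a schedule and actually deleting the flagged records is what turns the declared retention period into an enforced one.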
Specific Steps Bloggers and Content Website Owners Should Take to Comply with GDPR
You can choose how to communicate your policy to site visitors; it should, however, be done in an appropriate, clear, and easily accessible way. Here you can see a list of what information you are required to provide in different specific cases. Please note that most websites combine several of the items on the list, which means that your data protection policy under GDPR should reflect that as well!
- Contact forms: Inform site visitors who the (legal) recipient of their information is, why it is necessary to collect the information (purpose), which data categories will be collected, whether the data will be stored or shared, how and with whom, for how long it will be stored, how it is protected, and what rights one has as a European citizen, including getting a copy of, requesting an alteration or deletion of their information, withdrawing their consent, as well as filing a complaint with a data protection authority.
- Newsletters, marketing, competitions, surveys, and similar marketing activities: Inform site visitors who the (legal) recipient of their information is, why it is necessary to collect the information (purpose), which data categories will be collected, whether the data will be stored or shared, how and with whom, for how long it will be stored, how it is protected, and what rights one has as a European citizen, including getting a copy of, requesting an alteration or deletion of their information, withdrawing their consent, as well as filing a complaint with a data protection authority. In addition, inform site visitors of any expected outcome of submitting their information, such as receiving a newsletter, entering a paid subscription, getting their data shared with partnering companies, being included in marketing lists, etc.
- Forums and social media features: Inform site visitors who the (legal) recipient of their information is, why it is necessary to collect the information (purpose), which data categories will be collected, whether the data will be stored or shared, how and with whom, for how long it will be stored, how it is protected, and what rights one has as a European citizen, including getting a copy of, requesting an alteration or deletion of their information, withdrawing their consent, as well as filing a complaint with a data protection authority. In addition, remember to provide users with, and introduce them to, the personal data protection controls in their accounts. Such controls must default to the most secure settings.
- E-commerce, remarketing, and AdSense: Inform site visitors who the (legal) recipient of their information is, why it is necessary to collect the information (purpose), which data categories will be collected, whether the data will be stored or shared, how and with whom, for how long it will be stored, how it is protected, and what rights one has as a European citizen, including getting a copy of, requesting an alteration or deletion of their information, withdrawing their consent, as well as filing a complaint with a data protection authority. In addition, inform site visitors of the data collected via cookies and shared with third parties in the process of facilitating remarketing, advertising, and sales. The information should include the categories of data that are collected, as well as how they are used, whom they are shared with, and what the consequence of processing such information is for the user (can they be tracked cross-device or identified in another way). The users must actively consent. In most cases, such comprehensive policies are served to site visitors via a cookie warning at session start.
- Cookies: Using cookies to track user data anonymously doesn’t directly fall under GDPR, as long as you aren’t using remarketing features. However, it falls under other data protection regulations and can potentially fall under GDPR when specific features are enabled or when you combine cookie data with personal information obtained in another way. You are therefore required to state what kind of data you track, for what purposes, and whether it is used in any way to identify users or track their activities cross-device or online-offline. Explicit consent is required.
Disclaimer: The information on this page is the result of a thorough study of the original source, the website of the European Commission. Therefore, the information on this page is as accurate as possible. However, we are not lawyers, which is why our understanding of the matter can be insufficient or we might have misinterpreted some elements of the regulation, their meaning or the needed actions related to their implementation. The intention of this page is to provide you with an overview of GDPR, whom it applies to, as well as when it is necessary to take action. We do recommend that you contact a lawyer if you are in doubt or when you are about to implement GDPR.