WordPress & the GDPR: Important measures
Many use WordPress for their website, because it is versatile and runs stable. However, to keep WordPress compliant with DSGVO, [...]
November 16, 2018
Many use WordPress for their website, because it is versatile and runs stable. However, to keep WordPress compliant with the GDPR, a few adjustments and changes are required. WordPress itself has already reacted before the GDPR became binding, but also as a site operator you have to consider some things. The topic DSGVO has certainly already crossed your path. The last few months you hardly got around it as a website operator, but if you are not yet so familiar with the topic, here is a brief overview. If you have any further questions, please do not hesitate to contact us. But now from the beginning.
Important: This blog post is not legal advice and is not intended to replace such advice. I am neither a lawyer nor a data protection expert. This post is only intended to provide general information and illustrate that there is extensive need for regulation. I cannot assume any liability for the completeness, timeliness and accuracy of the information provided here. Use of this information is expressly at your own risk. Status 09.11.2018
The GDPR is the General Data Protection Regulation for the processing of personal data. Since 25.5.2018, the regulation regulates the handling of data binding for all European member states. A violation can be punished with high fines, so it is important to find out exactly what obligations you have as a website operator from now on and how to properly bring your website up to date. Parts of the regulation were already mandatory before, but the DGSVO has made everything a bit more concrete and binding since the end of May. However, the DGSVO will certainly be further adapted and tightened in the future, as parts are still somewhat unclearly formulated.
Anyone who collects personal data via the website is affected. Therefore, it does not matter whether you do this commercially, for example in the context of an online store, or privately as a blogger who likes to share recipes and allows comments on his blog. Personal data are, for example, name, address, email address, but also IP addresses, which are automatically stored when someone visits your website. As you can see, the regulation basically affects everyone who has a website online and collects data in one way or another, whether through contact forms or analysis tools like Google Analytics, to name just two things.
The General Data Protection Regulation was created to give individual consumers more control over their own data. He gets more opportunities to object to the collection of his data and gets more access to information about when and how his data is collected. The operator of a website or online store is held more accountable and must handle the data in a certain way.
First of all, he needs the permission of the person whose data he wants to collect. He must make sure that he only collects data that he really needs and does not simply ask for all kinds of information in a scattergun approach. The data must be stored securely and everything must be neatly documented. For example, is there consent there for the newsletter? Did the customer agree to the collection of his data when he ordered in the store and much more.
In short, the customer must know at all times what happens to his data, where it is stored and he must have the option to have his data deleted. You must be able to provide information about all of this and you must only store the data for as long as is really necessary. The customer must be informed before his data is transferred.
Newsletters, for example, may only be sent after a double opt-in. This means that he must agree twice that he really wants to receive promotional content in the form of a newsletter. First, he must agree that his data is transferred to you and in the second step he must confirm his e-mail address and thus give binding approval that the data is correct and he really wants to receive the newsletter. Spambots then have no chance to simply enter your email address everywhere, because you will receive an email with a confirmation link. Modern newsletter providers do not automatically save your data if you do not confirm the address and you do not receive unwanted newsletters.
Then you have to be especially careful here and check things quickly to avoid possible fines. As already mentioned, WordPress has released a new version with features specifically for data protection before the GDPR came into force, but also the plugins must not be forgotten. Depending on how your WordPress website is built, you will surely use some plugins. Maybe some are no longer DSGVO compliant and need to be replaced or updated.
To help you get an overview, we have compiled a few of the most important measures here. Some things were already valid before 25.5.2018, but were often only partially implemented or not at all. Although the wording of the regulation is still somewhat unclear here and there and some passages can be interpreted in several ways, the following 8 points are particularly important in our opinion.
Encryption of collected data is one of the cornerstones of secure handling of personal data. If you use contact forms or people can register on your WordPress website, the data entered must be transferred securely. This happens for example via SSL encryption. You can get a certificate from your web hoster for little money. Once the certificate is installed, all data that is collected is encrypted and can be transferred securely.
You must always make sure that you keep your WordPress website and plugins up to date. Regular updates and checks for compliance with the GDPR are therefore a must. Set an appointment in your calendar or a reminder in your cell phone so that you don't forget. Updates usually close existing security gaps, so it is very important to do them. This way you minimize the risk that your website can be attacked and data can be stolen.
Every website needs a privacy policy that states exactly what happens to the visitor's or customer's data and how it is collected. It must be easy to find and formulated in an understandable and clear manner. Again, this statement must be subject to regular review. For example, you must state whether certain plugins collect data and why. If you use new or fall old way at some point, the declaration must also be adjusted.
Each of the plugins you use must be checked to see whether it transmits data to external servers. Social media plugins, for example, usually establish an automatic connection to the servers of Facebook and others. In doing so, they collect data about the visitor virtually unnoticed. This is no longer permitted since the DSGVO. Such plugins should be integrated using a so-called Shariff solution. So far, this is considered the safest alternative, as personal data is not automatically transferred without the visitor's consent. A good list, which shows DSGVO-problematic WordPress plugins, you can find on blogmojo.com.
We have already mentioned data encryption during transmission at the beginning, but for contact forms of any kind it is recommended to adjust a few small things. The visitor must agree to the transmission of his data via checkbox and at least be referred to the privacy policy. It is even better to briefly mention how the sender's data will be used, to be on the safe side. This way, the sender can decide whether he really wants to transfer the data or whether he would rather not.
By default, WordPress stores in its database the IP addresses of people who leave comments on your website. However, with various plugins you can set that the commenter must give his consent before he can post a comment, or his IP address is not recorded at all by a small snippet of code. Depending on the plugin, you can also set that IP addresses are automatically deleted from the database at regular intervals. The same applies to Google Analytics, for example. In order to use Google Analytics in compliance with the GDPR, you must set the plugin to anonymize IP addresses, because IP addresses are also considered personal data and are protected under the GDPR.
Cookies are a thing of their own and you really need to limit their use so as not to violate the regulation. It is advisable to only set cookies that are necessary for the operation of the website or for which you can credibly justify a legitimate interest - such as for storing the shopping cart content or for member areas. It is also recommended that you display a cookie banner that informs about the use of cookies and gives visitors the opportunity to object to the setting of cookies (strictly speaking, according to the current legal situation, even before any cookie is set). Your privacy policy must also explain exactly what the cookies are for and what they are used for on your website.
If the collected data is processed by another provider, you must conclude an AV contract with them. This applies, for example, to providers, your newsletter provider or large corporations such as Google, if you use Google Analytics, for example. But this regulation also applies to service providers who alone have the possibility of accessing personal data, such as your web designer. You are also obliged to document how and for what purpose you collect and store data. Upon request, you must have this information at hand and be able to comprehensibly show what is stored and for what purpose the data is processed. You can use a directory of processing activities to present this information in a collected and sorted manner. In addition to legal advice from a specialist lawyer, there are also various free templates online with which you could theoretically create such a directory. The AV contracts must also be stored securely and be able to be presented upon request.
This is not an exhaustive list, but is merely intended to highlight possible stumbling blocks in terms of the GDPR. In individual cases, each website must of course be checked individually. We are happy to help you update your website so that it complies with the DSGVO requirements. We take over the implementation of all measures, which are specified, for example, by your specialist lawyer or data protection officer. Thus, you can ensure that your WordPress website is up to date and you minimize the risk of expensive warnings or even high fines. You are welcome to book an appointment at our agency and we will discuss the details with you over a delicious coffee without any obligation. We are an agency with many years of experience in the field of WordPress, Web design and Marketing and can advise and support you in many ways. We look forward to Your message!
Sebastian Lochbronner
86830 Schwabmünchen
Germany