Recently, the European Union enacted the General Data Protection Regulation, or GDPR. While the law is out of the EU, it can potentially impact businesses all over the world.
You might think that if you aren’t physically in the EU, GDPR shouldn’t apply to you, right?
However, the way the law is written, collecting any personal information on citizens of the EU can trigger GDPR rules regardless of where your business is. It doesn’t matter if you and your business are physically located in Germany, Spain, the United States, Canada, or floating on a boat in the middle of the ocean. The rules still apply if you collect personal information on any EU citizen.
Disclaimer: I am not a lawyer, and nothing in this article should be considered legal advice. While I am not a lawyer, I have researched the topic rather extensively while developing my plugin, Privacy WP. Information in this post is only intended to be informational to help you decide what your business may need to do in order to be in compliance with GDPR. Always consult with a knowledgeable attorney for any legal advice.
Under GDPR, personally identifiable information is generally anything that can identify someone on its own, or in combination with other information.
Obviously, names and addresses are personally identifiable. Other data is less obviously personal but still counts, including phone numbers, email addresses, photographs, government identification numbers, IP addresses, financial data, religious or political views, race, sexual orientation, health information, and behavioral data.
If your website collects any of this type of personally identifiable information, GDPR rules can apply to you.
The short answer is no.
Even if you block traffic coming from the EU, it is still possible for EU citizens to access your website. For example, a German who is vacationing in the United States can access your website from their hotel’s Wi-Fi. Or someone who is physically located in the EU can use a Virtual Private Network (VPN) to make it appear as if they are in a different country.
Financial penalties for non-compliance can be significant, but GDPR does not require financial penalties immediately for non-compliance.
Penalties are up to the discretion of each country’s data protection authorities. They can issue warnings, which may help you understand what went wrong. Ultimately that may be what’s best for everyone, so I would suspect that the authorities might lead with warnings. However, they can also issue fines, which by law are capped at €20 million or 4% of a company’s prior-year annual turnover, whichever is greater.
There is no single plugin that will automatically make your WordPress website GDPR compliant. GDPR compliance is more about how you handle data that you are being trusted with.
The next thing to consider is whether or not your website visitors consented to providing personally identifiable information.
Once you have collected personally identifiable information, you also need to consider how your site’s visitors can access that data.
GDPR requires that individuals be able to view the personally identifiable information that your business has collected. So, your business should have a plan in place for generating a report containing all of the personally identifiable information that you collect on your site’s visitors.
Your visitors can also request changes to this information and request that it be deleted altogether.
I use the word “request” here because it may not be possible to delete all of the information that you have collected. For example, your e-commerce site may need to retain certain sales data for a period of time for tax purposes. Certain industries, like insurance, have data retention policies that require that some information be kept for a certain time period.
When it isn’t possible to delete this information you should attempt to anonymize it to the extent possible.
In WordPress version 4.9.6, a series of privacy-related tools were introduced.
The other two privacy-related tools are focused around allowing visitors to view their personally identifiable information, and have that information deleted. These tools also have hooks for plugin developers to extract all of the information they collect on your site’s visitors.
By using these tools, you will be able to provide an accurate report of any personally identifiable information that is stored on your site, and delete it if it is deemed appropriate to do so.
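As an added example (not code from this post or from Privacy WP), here is how a hypothetical plugin that keeps newsletter sign-ups in its own database table would register with the exporter and eraser hooks that WordPress 4.9.6 introduced; the table name, its columns and the function names are assumptions. It also covers the retention case discussed earlier: rows that must be kept are anonymized instead of deleted, and the request is reported as retained rather than removed.

```php
<?php
// Added example, not from the post or Privacy WP. Assumes a plugin table
// {prefix}pwp_signups with columns id, email, ip, signed_up_at.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['pwp-signups'] = array( 'exporter_friendly_name' => 'Newsletter sign-ups', 'callback' => 'pwp_export_signups' );
    return $exporters;
} );

// Exporter callback: WordPress calls it with the requester's e-mail and a page number.
function pwp_export_signups( $email, $page = 1 ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, ip, signed_up_at FROM {$wpdb->prefix}pwp_signups WHERE email = %s",
        $email
    ) );
    $data = array();
    foreach ( $rows as $row ) {
        $data[] = array(
            'group_id'    => 'pwp_signups',
            'group_label' => 'Newsletter sign-ups',
            'item_id'     => 'signup-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email',      'value' => $email ),
                array( 'name' => 'IP address', 'value' => $row->ip ),
                array( 'name' => 'Signed up',  'value' => $row->signed_up_at ),
            ),
        );
    }
    return array( 'data' => $data, 'done' => true ); // one page is enough here
}

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['pwp-signups'] = array( 'eraser_friendly_name' => 'Newsletter sign-ups', 'callback' => 'pwp_erase_signups' );
    return $erasers;
} );

// Eraser callback: the sign-up date must be kept, so identifying columns are anonymized and the admin is told why.
function pwp_erase_signups( $email, $page = 1 ) {
    global $wpdb;
    $n = $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}pwp_signups SET email = %s, ip = '' WHERE email = %s",
        wp_privacy_anonymize_data( 'email', $email ), // core helper, yields deleted@site.invalid
        $email
    ) );
    return array(
        'items_removed'  => false,
        'items_retained' => $n > 0,
        'messages'       => $n > 0 ? array( 'Sign-up dates kept for tax records; email and IP anonymized.' ) : array(),
        'done'           => true,
    );
}
```

The retained-items message appears in the site administrator’s request log, so the reason a record was kept is documented alongside the request itself.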
The personally identifiable information your business collects doesn’t stop with your website. You likely have some of this data stored offsite in email lists, CRMs, customer support tools, and even payment gateways. Technically, this information should be included in the data export that you provide to your site’s visitors as well. Unfortunately, WordPress doesn’t automatically connect to any of these services, which means you have to figure out how to export it on your own.
Privacy WP is a GDPR plugin for WordPress, which allows you to connect those third-party services to the export and erase tools that are built into WordPress. This makes it effortless for your visitors to retrieve data stored offsite, and delete it if necessary.