Even if your WordPress does not have other user accounts exept yours (and ours too, if you are a recurrent customer), YOU ARE STILL COLLECTING your visitors personal data, with tools like: analytics, comments, reviews and any kinds of form submissions, social media integrations, wp plugins, etc. Starting from May 25, your website visitors have certain new rights. GDPR regulations require WordPress owners to inform visitors about:
- which personal data is being collected
- what the data is being used for
- who is handling the data
- how the data was obtained
- how and where the data is stored
GDPR grants individuals many new rights regarding their personal data. From the perspective of your WordPress website, the most important rights, that YOUR visitors can request are:
- to access any personal data you’ve gathered about them.
- GDPR Art. 15: to export their personal data (even if it's in machine-readable format only).
- GDPR Art. 17: to delete their personal data.
- GDPR Art. 20: to take all their personal data from you and go somewhere else with it.
Unless you have a good, legally backed reason, you are obliged to comply in 30 days.
What is personal data? Personal data is almost any data about a person. For example, it can by any of the following typically gathered and stored data: name (full name, first name, last name), email (personal or company owned), age, gender, location info, appearance description, information about hobbies or business niche, income, cultural preferences, etc.
Anonymous data: Personal data is personal as long as you have a way to tie it to an actual person. This means that if the data contains someone’s name, address, email, IP address etc, it’s personal data. However, if you remove everything that ties to a person, the data is effectively anonymized and no longer counts as personal data.
Secure processing: You and all your data processors have to ensure the safety and security of any personal data. Examples of these measures would be conducting a security audit on your website, site-wide SSL encryption, pseudonymising or encrypting personal data or deleting data once you no longer need to store it.
GDPR Art. 4 (1): Personal data is any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive data: called “special categories of data” by GDPR. Sensitive data is data about a person’s: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic data, biometric data.
YOU ARE NOT ALLOWED TO PROCESS sensitive data without an explicit consent from the data subject (unless exceptions listed under GDPR Art. 9 (2) apply). Sensitive data also requires more strict safety and security measures. If you’re dealing with sensitive data, we recommend getting legal advice to ensure compliance.
GDPR also sets some new rules for your business in general. You need to keep a registry of all data processing activities. You need to have contracts with everyone you share customer data with. You cannot transfer customer data to someone who does not comply with GDPR. Should a data breach occur (example a hacked WordPress or a stolen employee’s laptop), you need to notify your local supervisory authority and possibly your customers. If you store a lot of data or work with sensitive data, you might be obliged to make a Data Protection Impact Assessment. And you are responsible for demonstrating that you’re GDPR-compliant to your supervisory authority.
GDPR Art. 6(1)(b): Processing is lawful if processing is necessary for the performance of a contract to which the data subject is the party or in order to take steps at the request of the data subject prior to entering into a contract.
You don’t need to track each consent separately. For example, if your visitors sign up to your newsletter through your website, you’ll probably want them to use the “unsubscribe” button at the bottom of each email to opt-out instead. In that case, there’s no reason for you to track the newsletter consent or allow visitors to withdraw it from the Privacy Tools page.
E-commerce, online payments, invoices and other legally required info, that contains personal data, but forced by individual governments to be gathered and supplied to them - under GDPR is a very complicated topic. We’re taking some additional time to research this.