What is the GDPR and what should you do to be prepared?

GDPR, or General Data Protection Regulation, is a regulation protecting personal data of citizens of the European Union. Adopted in April 2016, it becomes enforceable on May 25, 2018. As the owner of a WordPress website, here’s what you need to know to prepare for the May 25 GDPR enforcement date.

What does the GDPR do?

The GDPR creates a single data protection law for the European Union, making it easier for non-European companies to comply with these regulations. It also establishes a set of digital rights for citizens of EU countries and restricts how data on EU citizens can be collected and stored.

How does the GDPR affect WordPress site owners?

Perhaps the biggest change coming to website owners is a shakeup to ICANN’s Whois database. Currently, the publicly visible database stores names, addresses, and telephone numbers of website owners, but ICANN has been notified that it is not GDPR-compliant. ICANN’s response to the GDPR warning states that, without an extension (which was denied), the database will become fragmented. The situation is not yet resolved, but it could lead to massive changes to the Whois database, at least for the short term, meaning that information on website owners might not be available for some time after May 25.

The law applies to any company collecting data from citizens in the European Union, regardless of whether the company is based in the EU or not, so even companies based outside the EU need to pay attention and ensure compliance. WordPress is addressing the GDPR through four initiatives: adding functionality to assist site owners in creating comprehensive privacy policies for their websites, creating guidelines for plugins to become GDPR-ready, adding administration tools to facilitate compliance and encourage user privacy, and adding documentation to educate site owners on privacy and compliance.

You can also expect an influx of emails from services you use updating their privacy policies. The GDPR’s main requirements revolve around privacy, so companies that collect data have to update their privacy policies to ensure they’re GDPR-compliant. If you use services that collect data on your site, you’ll want to create a privacy policy of your own so you’re not in violation of the GDPR requirements.

What should you do to prepare for the GDPR’s May 25 enforcement date?

Site owners should take two important steps to ensure GDPR compliance. First, evaluate the data your site is collecting from users. Do you collect unnecessary data? Do you collect data without users’ consent? The GDPR requires data to be collected with at least one “lawful basis” for doing so: either the consent of your users or a necessary reason. As long as the data you collect fits one of these criteria, you’re in good shape.

Second, create a privacy policy in which you outline what data you collect and what you do with it. In our privacy policy, we discuss what data we collect from you if you visit our site, if you comment on our site, if you subscribe to our email list, and if you hire us to do custom work. We reveal more information than the GDPR requires, but we believe it is important to be transparent when it comes to data collection.
