RGPD and Wordpress: the practical guide to compliance


The RGPD is an acronym that has been on the minds of website developers and data users ever since it came into force in 2018. While browsing, you have probably come across it under its English name, GDPR. If you specialise in designing Wordpress sites, you should definitely learn more about this acronym. What does it mean? In what context is it used? How do you take it into account when creating Wordpress sites? These are some of the questions this article answers.

Overview of the RGPD or GDPR

Before discussing the relationship between the RGPD and Wordpress, it is important to understand what it is really about. What is the RGPD in concrete terms?

What is the RGPD?

25 May 2018: date of entry into force of the RGPD

GDPR stands for General Data Protection Regulation (RGPD in French). It is a European law that came into force on 25 May 2018. Adopted by the European Parliament in 2016, this regulation is applied worldwide. In France, the body responsible for its implementation and for checking compliance is the Commission Nationale de l'Informatique et des Libertés (CNIL).

The rationale behind this law, which has shaken up the practices of companies and individuals on the Internet, is simple: it was created to protect people who use the Internet by protecting the information they leave behind while browsing.

What is personal data?

Personal data is information that is used to put a name to an individual or a company. For example, it is possible to determine the identity of an Internet user using his or her surname, first name, telephone number or e-mail address. Other elements such as geographical data and demographic data are also concerned.

Apart from these elements, there is digital information that web users leave behind during their various sessions. This includes their IP address, their actions on the web and clicks and visits to sites. Personal data also includes photos, likes and data that the user publishes of their own free will.

What does the legislation say?

If you have never read about the implications of the GDPR, you should know that it has three important elements you need to be aware of. Firstly, there is user consent. When a user visits a platform, that platform may use their personal data for various purposes. However, the site must inform the user that they are sharing their information and explain what it will be used for.

Secondly, the data must be secured to avoid unpleasant situations. Legislation is very strict about security breaches that can lead to data leakage. When important data is leaked, the company collecting it is held responsible. As a service provider, you must ensure that the data is protected and secure.

Thirdly, you must give the Internet user the right to retrieve his or her own data whenever he or she wishes. They can also perform other actions such as deleting, correcting and modifying their personal information. These are all elements you need to take into consideration when designing an internet platform and refining how it is managed.

Who is affected by the RGPD?

Any collection of user data must be subject to the GDPR

The GDPR affects natural and legal persons who handle the personal data of Internet users in the European Union in the course of their business. Therefore, if you collect, store or use user information, you are affected by the legislation. Whatever your field of activity and the size of your company, you are in the sights of the CNIL. You must therefore be very careful.

What some people don't know is that the GDPR or RGPD also applies to information within organisations. In other words, when you collect information about your employees, you are affected by the GDPR. Finally, the legislation applies to you regardless of the country in which you carry out your various activities. This is because data protection is from the point of view of internet users residing in the 28 EU countries.

RGPD, Wordpress agencies and developers: what should you know?

Some readers think that they are not concerned by the RGPD because they only process data collected by their customers. What they need to know is that even as a processor, they are involved. In other words, if the way you handle the information entrusted to you does not comply with the requirements of the RGPD, you may be subject to sanctions. Moreover, many clients point to the specific rules of the RGPD when choosing their service providers. Therefore, if you do not adapt to the current realities, you risk losing your clients and going out of business.

Therefore, you need to quickly master the different elements of the GDPR in order to win contracts with future clients. When you want to win a contract, you need to mention some essential information in it in order to convince the customer. Among the specific elements related to data processing, we can mention for example:

  • Information about the identity of your Data Protection Officer (DPO);
  • The technique used to obtain, store and use the information;
  • Methods for data protection;
  • Relationships with data processors;
  • The method used to find security holes.

What are the possible sanctions for non-compliance?

Prior to the GDPR, French law already provided for criminal penalties for companies that used personal data fraudulently. However, in practice, the sanctions were not effective and the fines were almost negligible.

Fortunately, the General Data Protection Regulation has come to support the existing sanctions. Indeed, the administrative fines it brings are quite convincing. Depending on the seriousness of the offence committed, the penalties can be as high as 2% or 4% of the turnover of the guilty individual or establishment. In other cases, a fine of 20 million euros is foreseen.

WordPress and the General Data Protection Regulation

When you create your company or e-commerce website, you must avoid situations that will jeopardise your business. This is why you need to make your platform compliant with the new regulations. So what should you do with your Wordpress site?

The implementation of a privacy policy

The first essential rule is to include precise and transparent information for all Internet users. In addition to working on the privacy policy of your platform, you must act on the general terms and conditions of sale when you have an e-commerce site.

The privacy policy page is located in the footer of your website. It should detail how you use the data you collect from customers. The privacy policy should contain some essential elements. These include, for example:

  • Contact details of the company or site owner;
  • The publisher and host of the site;
  • The type of data collected when registering or ordering on the website;
  • The purpose of collecting information (analysis of user behaviour, invoicing of services, sending of offers by newsletters);
  • The duration of data storage (3 years for marketing and 6 years for order billing);
  • The safeguards in place to prevent disclosure of the personal information collected.

As a reminder, all of these essential elements must be available on a page linked from your footer. With these in place, your privacy policy is complete.

Revision of the Wordpress site forms

The elements of a website most directly affected by the GDPR are forms. Indeed, these are the pages that serve as a point of contact between you and the Internet user. Through them, users share personal information with your company.

On your site, you probably put forms to help download a document or to encourage subscription to a newsletter. With this contact point, customers will share their data with you. This includes their email, name and surname. Forms can be created by yourself or you can outsource the task to a Wordpress plugin. Whichever option you choose, there are a few things you need to check. These include the following:

  • The possibility of adding a transparency statement identifying the person responsible for the processing (the data controller);
  • The possibility of specifying the purpose of the collection of information;
  • The possibility of presenting the user's rights (access to data, rectification and unsubscription);
  • The possibility to refer the user to the privacy policy.

In case you plan to share the information with some partners, you must necessarily obtain the approval of the Internet users. To do this, you must put checkboxes in the form for the consents you need. In addition, you cannot ask a customer to provide you with information that has nothing to do with the service they want. When offering them the opportunity to subscribe to your newsletter, you do not need to know their age or gender.
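The points above, as an added example that is not code from the article or from any particular plugin: a WordPress newsletter form that asks only for the e-mail address, states who the controller is and why the data is collected, lists the user's rights, links to the site's privacy policy page, and refuses the submission unless the consent box was explicitly ticked. It also feeds a suggested paragraph into WordPress's own policy guide. Every name prefixed "acme_", the controller "Acme SARL", the policy version and the 36-month wording are assumptions for the example; the option-based storage is deliberately simple and would be a database table in a real plugin.

```php
<?php
// Added example, not code from the article: a newsletter signup form for a
// WordPress site that asks only for the e-mail address, states who the
// controller is and why the data is collected, lists the user's rights, links
// to the privacy policy page, and rejects the submission unless the consent box
// was explicitly ticked. Everything prefixed "acme_" and "Acme SARL" are
// hypothetical names chosen for the example.

add_shortcode( 'acme_newsletter_form', 'acme_render_newsletter_form' );

function acme_render_newsletter_form() {
    $action = esc_url( admin_url( 'admin-post.php' ) );
    $policy = esc_url( get_privacy_policy_url() ); // the site's privacy policy page, if one is set
    ob_start();
    ?>
    <form method="post" action="<?php echo $action; ?>">
        <input type="hidden" name="action" value="acme_newsletter_signup">
        <?php wp_nonce_field( 'acme_newsletter_signup', 'acme_nonce' ); ?>
        <label>E-mail address <input type="email" name="email" required></label>
        <!-- Transparency statement: controller, purpose, retention and rights -->
        <p>Data controller: Acme SARL. Purpose: sending our monthly newsletter.
           Your address is deleted when you unsubscribe or after 36 months without
           opening our e-mails. You can access, rectify or delete your data and
           withdraw consent at any time via the link in every e-mail.
           See our <a href="<?php echo $policy; ?>">privacy policy</a>.</p>
        <!-- Consent is a separate box, unticked by default, for this one purpose -->
        <label><input type="checkbox" name="consent" value="1"> I agree to receive the newsletter.</label>
        <button type="submit">Subscribe</button>
    </form>
    <?php
    return ob_get_clean();
}

// The same handler serves logged-in and anonymous visitors.
add_action( 'admin_post_nopriv_acme_newsletter_signup', 'acme_handle_newsletter_signup' );
add_action( 'admin_post_acme_newsletter_signup', 'acme_handle_newsletter_signup' );

function acme_handle_newsletter_signup() {
    $nonce = isset( $_POST['acme_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['acme_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'acme_newsletter_signup' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    $back  = wp_get_referer() ? wp_get_referer() : home_url( '/' );
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    // Refuse anything that is not an affirmative, explicit tick of the consent box.
    if ( ! is_email( $email ) || empty( $_POST['consent'] ) ) {
        wp_safe_redirect( add_query_arg( 'newsletter', 'consent-required', $back ) );
        exit;
    }

    // Keep proof of consent: when it was given, for what, and under which policy version.
    $subscribers = get_option( 'acme_newsletter_subscribers', array() );
    $subscribers[ $email ] = array(
        'consented_at'   => current_time( 'mysql', true ), // UTC
        'purpose'        => 'newsletter',
        'policy_version' => '2024-01', // constructed value; change it whenever the policy text changes
        'last_opened_at' => null,
    );
    update_option( 'acme_newsletter_subscribers', $subscribers, false );

    wp_safe_redirect( add_query_arg( 'newsletter', 'subscribed', $back ) );
    exit;
}

// Suggest the matching paragraph for the site's privacy policy page
// (shown under Settings > Privacy > Policy Guide).
add_action( 'admin_init', function () {
    if ( function_exists( 'wp_add_privacy_policy_content' ) ) {
        wp_add_privacy_policy_content(
            'Acme newsletter',
            'We collect your e-mail address, with your consent, to send you our newsletter. '
            . 'It is kept until you unsubscribe or for 36 months after the last e-mail you opened. '
            . 'You may access, rectify or delete it and withdraw your consent at any time.'
        );
    }
} );
```

Drop the file into a plugin or the theme's functions.php and place `[acme_newsletter_form]` in a page. Two design choices matter for compliance: the consent box is unticked by default and dedicated to a single purpose, and the handler records when consent was given and under which policy version, which is the proof you will need if a user or the CNIL asks.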

Wordpress extensions

What you need to know is that not all Wordpress extensions are GDPR compliant. Therefore, you need to do a little investigation to avoid unpleasant situations. Of course, this is a time-consuming process. To start with, you need to make a list of the extensions that are involved in collecting consent and personal information from Internet users. These include comment plug-ins, retargeting plug-ins and form plug-ins. Also list the plug-ins that process the information. These include:

  • Automated marketing plug-ins;
  • Content customisation plug-ins;
  • Plug-ins for tracking user habits;
  • Newsletter plug-ins, and so on.

The next step in your process will be to go to the websites of these extensions to find out what efforts their developers are making to comply with the GDPR. In case the plug-ins you want to use are not compatible with the General Data Protection Regulation, you have to replace them. This is a difficult step, but necessary to avoid trouble.

The implementation of a robust data security system

Data security is the first issue of the RGPD

When you are responsible for the data you hold, you must take care of it. To do this, you need to protect it from security breaches and allow access to it only to the people who need it. A few steps will get you there.

The creation of a system for deleting or rectifying information

Data has a specific legal retention period under the GDPR. Therefore, you cannot hold information about your customers without a specific reason. The General Data Protection Regulation thus limits the retention of contacts who do not open your emails to a maximum of 36 months. It also requires you to re-display the cookie acceptance banner after 13 months.

Under the GDPR, you must also tell users that they can withdraw their consent at any time. This must be done before they agree to share their personal information with you. Regardless of the type of site you have, you must ensure that the user is able to withdraw consent, access, modify, delete or transfer their information.

On your website, all you need to do is create a specific page that will be used to follow this procedure.
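WordPress has shipped its own tools for this procedure since version 4.9.6 (Tools > Export Personal Data and Tools > Erase Personal Data): a site owner enters the user's e-mail address, the user confirms by e-mail, and WordPress calls every registered exporter or eraser. What follows is an added example, not code from the article or from WordPress itself, that connects a hypothetical newsletter subscriber list (stored in the option "acme_newsletter_subscribers", one entry per e-mail address) to those tools and adds a daily WP-Cron job applying the 36-month inactivity limit mentioned above. The "acme_" names, the option layout and the use of a 30-day month are assumptions for the example.

```php
<?php
// Added example, not code from the article: wires a hypothetical subscriber list,
// kept in the option "acme_newsletter_subscribers" as
//   email => array( 'consented_at', 'purpose', 'policy_version', 'last_opened_at' ),
// into WordPress's built-in privacy tools (right of access and right to erasure)
// and schedules a daily purge of addresses with no opened e-mail for 36 months.
// All names prefixed "acme_" are hypothetical.

define( 'ACME_SUBSCRIBERS_OPTION', 'acme_newsletter_subscribers' );
define( 'ACME_INACTIVITY_LIMIT', 36 * MONTH_IN_SECONDS ); // MONTH_IN_SECONDS is a WordPress constant (30 days)

// --- Right of access: export what is held for an address ---
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['acme-newsletter'] = array(
        'exporter_friendly_name' => 'Acme newsletter',
        'callback'               => 'acme_export_subscriber',
    );
    return $exporters;
} );

function acme_export_subscriber( $email_address, $page = 1 ) {
    $subscribers = get_option( ACME_SUBSCRIBERS_OPTION, array() );
    $items       = array();
    if ( isset( $subscribers[ $email_address ] ) ) {
        $row     = $subscribers[ $email_address ];
        $items[] = array(
            'group_id'    => 'acme_newsletter',
            'group_label' => 'Newsletter subscription',
            'item_id'     => 'acme-newsletter-' . md5( $email_address ),
            'data'        => array(
                array( 'name' => 'E-mail',           'value' => $email_address ),
                array( 'name' => 'Consent given at', 'value' => $row['consented_at'] ),
                array( 'name' => 'Purpose',          'value' => $row['purpose'] ),
                array( 'name' => 'Policy version',   'value' => $row['policy_version'] ),
                array( 'name' => 'Last opened',      'value' => $row['last_opened_at'] ?? 'never' ),
            ),
        );
    }
    // One address is a single page of results, so the export is complete at once.
    return array( 'data' => $items, 'done' => true );
}

// --- Right to erasure: remove the address once the request is confirmed ---
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['acme-newsletter'] = array(
        'eraser_friendly_name' => 'Acme newsletter',
        'callback'             => 'acme_erase_subscriber',
    );
    return $erasers;
} );

function acme_erase_subscriber( $email_address, $page = 1 ) {
    $subscribers = get_option( ACME_SUBSCRIBERS_OPTION, array() );
    $removed     = false;
    if ( isset( $subscribers[ $email_address ] ) ) {
        unset( $subscribers[ $email_address ] );
        update_option( ACME_SUBSCRIBERS_OPTION, $subscribers, false );
        $removed = true;
    }
    return array(
        'items_removed'  => $removed,
        'items_retained' => false,   // nothing is kept back, e.g. for invoicing
        'messages'       => array(),
        'done'           => true,
    );
}

// --- Storage limitation: purge inactive contacts automatically ---
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'acme_purge_inactive_subscribers' ) ) {
        wp_schedule_event( time(), 'daily', 'acme_purge_inactive_subscribers' );
    }
} );

add_action( 'acme_purge_inactive_subscribers', 'acme_purge_inactive_subscribers' );

function acme_purge_inactive_subscribers() {
    $subscribers = get_option( ACME_SUBSCRIBERS_OPTION, array() );
    $cutoff      = time() - ACME_INACTIVITY_LIMIT;
    foreach ( $subscribers as $email => $row ) {
        // Contacts who never opened anything are measured from the consent date.
        $last_activity = $row['last_opened_at'] ?? $row['consented_at'];
        if ( strtotime( $last_activity . ' UTC' ) < $cutoff ) {
            unset( $subscribers[ $email ] );
        }
    }
    update_option( ACME_SUBSCRIBERS_OPTION, $subscribers, false );
}
```

If some data must legally be retained after an erasure request (order invoices, for instance), the eraser should leave it in place, set `items_retained` to true and explain why in `messages`; WordPress shows those messages to the administrator handling the request.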

Preparing for a possible security breach

As a data handler, you need to ensure the security of the data in order to give the user confidence. To do this, there are things you need to consider. You need to use appropriate solutions and methods to ensure that your users' information is safe. Pseudonymisation and encryption of data are options you can consider.
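Pseudonymisation and encryption, as an added example that is neither the article's code nor WordPress's: a personal data field is encrypted with the libsodium extension bundled with PHP 7.2 and later before it is stored, and a keyed hash of the e-mail address serves as a pseudonym wherever the clear address is not needed (statistics, deduplication). The two keys are assumed to be hex constants in wp-config.php, i.e. outside the database, under the hypothetical names ACME_PII_KEY and ACME_PSEUDONYM_KEY; the sample address is constructed.

```php
<?php
// Added example, not code from the article: pseudonymisation and encryption of a
// personal data field with the libsodium extension bundled with PHP 7.2+.
// The keys are assumed to live outside the database, as hex constants in
// wp-config.php (ACME_PII_KEY, ACME_PSEUDONYM_KEY: hypothetical names), generated
// once with:  php -r 'echo bin2hex(sodium_crypto_secretbox_keygen()), PHP_EOL;'
// When the constants are absent (running this file on its own), throwaway keys
// are generated so the example still runs.

function acme_load_key( string $constant ): string {
    return defined( $constant ) ? hex2bin( constant( $constant ) ) : sodium_crypto_secretbox_keygen();
}

// Encrypt a field so that a database dump alone does not expose it.
function acme_encrypt_field( string $plaintext, string $key ): string {
    $nonce  = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ); // fresh nonce per value
    $cipher = sodium_crypto_secretbox( $plaintext, $nonce, $key );
    return base64_encode( $nonce . $cipher ); // the nonce is stored with the ciphertext
}

// Returns null on a wrong key or a tampered value rather than garbage.
function acme_decrypt_field( string $stored, string $key ): ?string {
    $raw = base64_decode( $stored, true );
    if ( $raw === false || strlen( $raw ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
        return null;
    }
    $nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain = sodium_crypto_secretbox_open( substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ), $nonce, $key );
    return $plain === false ? null : $plain;
}

// Pseudonymise: a keyed hash yields a stable identifier for statistics or
// deduplication without storing the address. The key is the "additional
// information" that must be kept separately for the data to count as pseudonymised.
function acme_pseudonymise_email( string $email, string $key ): string {
    return hash_hmac( 'sha256', strtolower( trim( $email ) ), $key );
}

$pii_key       = acme_load_key( 'ACME_PII_KEY' );
$pseudonym_key = acme_load_key( 'ACME_PSEUDONYM_KEY' );

$email = 'alice@example.com'; // constructed sample value

// What reaches the database: ciphertext in the subscriber table, and only the
// pseudonym in any table used for statistics.
$subscriber_row = array(
    'email_enc' => acme_encrypt_field( $email, $pii_key ),
    'pseudonym' => acme_pseudonymise_email( $email, $pseudonym_key ),
);
$analytics_row = array(
    'pseudonym' => $subscriber_row['pseudonym'],
    'event'     => 'newsletter_opened',
);

// Only the holder of ACME_PII_KEY can turn the stored value back into the address;
// decrypting with any other key fails closed and returns null.
$recovered = acme_decrypt_field( $subscriber_row['email_enc'], $pii_key );
```

Two caveats a practitioner would want: encryption at rest protects against a leaked database dump, not against an attacker who already runs code on the web server where the key is loaded, and a keyed hash remains personal data as long as the key exists, so the key must be access-controlled and rotated on its own schedule.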

Furthermore, you must inform the CNIL of the existence of a security breach within a maximum of 72 hours. Depending on the situation, you must necessarily inform the individual to whom the data belongs. This is necessary especially when the security breach may jeopardise their rights and freedoms.

The establishment of an internal data processing register

Before the RGPD rules were put into practice, companies that used the personal data of Internet users had to report this, through an authorisation or declaration system. With the arrival of the GDPR, this prior declaration is no longer the key procedure. Instead, companies must keep a data processing register. What is its purpose?

Usefulness of the data processing register

The purpose of this document is to put in place, within your organisation, documentation proving that you comply with data protection regulations. In other words, it is your evidence of full compliance.

The creation of the data processing register

If you are the person responsible for the use of your company's information, you have the possibility to create the data processing register. For this purpose, you can use the model proposed by the CNIL. In any case, your document must answer three main questions relating to the management of user data. These include the "Who", the "What" and the "How".

With the "Who", the idea is to list the internal people who will be using the data. If applicable, you should mention the subcontractors who may process the information and make sure that they comply with the RGPD rules.

In answering the "What" question, you should detail the processing of information carried out by your institution. The idea here is to talk about the purpose of the processing, to provide proof of consents and to mention the type of data collected.

The "How" concerns the way in which the data is processed and the security measures chosen internally.

Do not forget to keep the register up to date so that you can present it if necessary. This is a must for compliance. If you have an online shop, there are some things you should consider to ensure the security of user data.

RGPD and Wordpress: in summary

Ultimately, the General Data Protection Regulation is very strict. In order to avoid fines and heavy penalties, remember to comply with its recommendations when creating your Wordpress site. If you already own a business, have you updated your data processing register recently?
