Making your WordPress website DSGVO aka GDPR compliant

For German readers: this is an article about the DSGVO (the German name of the GDPR) written in English. The official text of the regulation, as published by the Council of the European Union, is available here: DSGVO aka GDPR pdf Englisch.

DSGVO (Datenschutz-Grundverordnung) is the German name of the GDPR, the General Data Protection Regulation, an EU law on data protection and privacy for people within the European Union (EU). It applies to the personal data of people in the EU regardless of where in the world that data is collected or processed. The GDPR aims to give people in the EU control over their personal data and to regulate how businesses, including those outside the EU, handle it.

As a consequence, any website that has visitors or customers in the EU must comply with the GDPR, which in practice means every business that wants to sell products or services to the European market. That includes WordPress websites with European customers or visitors.

Non-compliance can lead to enforcement action and fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. There is no need to panic: this article explains what the GDPR is and how to make your WordPress website GDPR compliant.

Legal disclaimer: The contents of this article should not be considered legal advice. Because every website is different, no single plugin or platform can guarantee 100% legal compliance. When in doubt, consult a lawyer specialising in internet law.

GDPR Summary (DSGVO Zusammenfassung)

Let us see a simple summary of GDPR. There are two main aspects of the GDPR: “personal data” and “processing of personal data.” Here’s how it relates to running a WordPress site:

  • personal data is “any information relating to an identified or identifiable natural person”, such as a name, email address, postal address or even an IP address; in practice, treat any piece of data that can be linked back to a person as personal data,
  • whereas processing of personal data is “any operation or set of operations which is performed on personal data”. Even something as routine as writing a visitor's IP address to your web server's access log is therefore processing of that visitor's personal data.

Standard WordPress sites collect user data such as:

  • user registrations
  • comments
  • contact form entries
  • analytics and traffic logging solutions
  • any other logging tools and plugins
  • security tools and plugins


GDPR Law (DSGVO Gesetz)

The GDPR grants data subjects the rights listed below. A request exercising any of them must be answered without undue delay and at the latest within one month of receipt (extendable by two further months for complex or numerous requests).

1. The right to be informed: Users have the right to know what personal data is collected and why, how it is stored and for how long.

2. The right of access: Users have the right to access the data that has been recorded by the data controller upon request.

3. The right to rectification: Users have the right to have their inaccurate or incomplete data updated or rectified.

4. The right to be forgotten: Users have the right to have their personal data completely erased, and also prevent further collection of their data.

5. The right to restrict: Under certain circumstances, users can request to restrict or suppress the use and processing of their data.

6. The right to portability: Users have the right to request their data and may use this data in any way they see fit and even transfer it to another data controller.

7. The right to object: Users have the right to object to processing that is based on the controller's legitimate interests (or on a task in the public interest), and to object at any time to processing for direct marketing.

8. The right not to be subject to automated decision-making: Users have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them.
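The right of access (2) and the right to be forgotten (4) map directly onto the request workflow that WordPress core has shipped since 4.9.6 (Tools > Export Personal Data and Tools > Erase Personal Data): core confirms the request with the data subject by e-mail, then collects the data from every registered exporter or anonymises it through every registered eraser. Core itself only registers callbacks for its own data (user profiles, comments, uploaded media), so anything a plugin keeps in its own tables is covered only if that plugin registers an exporter and an eraser. The PHP below is an added example that is not from this article or from the Ultimate GDPR plugin; the cf_submissions table, its columns and the cf_* function names are assumptions made for the illustration.

```php
<?php
/**
 * Added example (not from the article or the Ultimate GDPR plugin): hook a
 * plugin's own table into the WordPress core export/erase request tools.
 * Assumed for illustration only: table `{$wpdb->prefix}cf_submissions` with
 * columns id, name, email, message, ip, created_at.
 */
defined( 'ABSPATH' ) || exit;

const CF_PAGE_SIZE = 100; // core calls the callbacks page by page to avoid timeouts

function cf_submissions_table() {
    global $wpdb;
    return $wpdb->prefix . 'cf_submissions';
}

/** One page of rows whose e-mail address matches, oldest first. */
function cf_rows_for_email( $email, $page = 1 ) {
    global $wpdb;
    $offset = ( max( 1, (int) $page ) - 1 ) * CF_PAGE_SIZE;
    return $wpdb->get_results( $wpdb->prepare(
        'SELECT id, name, email, message, ip, created_at FROM ' . cf_submissions_table()
        . ' WHERE email = %s ORDER BY id ASC LIMIT %d OFFSET %d',
        $email, CF_PAGE_SIZE, $offset
    ) );
}

/** Right of access: return the stored fields in the shape core's export builder expects. */
function cf_personal_data_exporter( $email_address, $page = 1 ) {
    $rows   = cf_rows_for_email( $email_address, $page );
    $export = array();
    foreach ( $rows as $row ) {
        $export[] = array(
            'group_id'    => 'cf_submissions',
            'group_label' => __( 'Contact form submissions', 'cf-example' ),
            'item_id'     => 'cf-submission-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Name', 'cf-example' ),       'value' => $row->name ),
                array( 'name' => __( 'Email', 'cf-example' ),      'value' => $row->email ),
                array( 'name' => __( 'Message', 'cf-example' ),    'value' => $row->message ),
                array( 'name' => __( 'IP address', 'cf-example' ), 'value' => $row->ip ),
                array( 'name' => __( 'Submitted', 'cf-example' ),  'value' => $row->created_at ),
            ),
        );
    }
    // A full page means there may be more; core then calls again with $page + 1.
    return array( 'data' => $export, 'done' => count( $rows ) < CF_PAGE_SIZE );
}

/**
 * Right to be forgotten: anonymise identifying fields in place (the approach core
 * takes for comments) rather than deleting rows. wp_privacy_anonymize_data() masks
 * the IP (last IPv4 octet / low IPv6 bits zeroed) and replaces the rest with fixed placeholders.
 */
function cf_personal_data_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    // Anonymised rows no longer match the address, so always read from the
    // start of the result set instead of paging with $page.
    $rows           = cf_rows_for_email( $email_address, 1 );
    $items_removed  = false;
    $items_retained = false;
    $messages       = array();
    foreach ( $rows as $row ) {
        $updated = $wpdb->update(
            cf_submissions_table(),
            array(
                'name'    => wp_privacy_anonymize_data( 'text' ),
                'email'   => wp_privacy_anonymize_data( 'email' ),
                'message' => wp_privacy_anonymize_data( 'longtext' ),
                'ip'      => wp_privacy_anonymize_data( 'ip', $row->ip ),
            ),
            array( 'id' => $row->id ),
            array( '%s', '%s', '%s', '%s' ),
            array( '%d' )
        );
        if ( false === $updated ) {
            $items_retained = true; // report the failure instead of claiming success
            $messages[]     = sprintf( __( 'Submission %d could not be anonymised.', 'cf-example' ), $row->id );
        } else {
            $items_removed = true;
        }
    }
    // Stop when a page was short or a row failed; otherwise core calls again.
    return array(
        'items_removed'  => $items_removed,
        'items_retained' => $items_retained,
        'messages'       => $messages,
        'done'           => $items_retained || count( $rows ) < CF_PAGE_SIZE,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['cf-example'] = array( 'exporter_friendly_name' => 'Contact form submissions', 'callback' => 'cf_personal_data_exporter' );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['cf-example'] = array( 'eraser_friendly_name' => 'Contact form submissions', 'callback' => 'cf_personal_data_eraser' );
    return $erasers;
} );
```

Anonymising in place rather than deleting keeps the non-personal part of the record (for example the fact that a submission arrived on a given date) while removing the link to the person, which is also why the eraser reports items_retained and a message whenever an update fails: the administrator handling the request sees the problem instead of a false "erased" status.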


GDPR Checklist (DSGVO Checkliste)

The GDPR lays out responsibilities for organisations to ensure the privacy and protection of personal data, and grants data subjects the rights described above. The main responsibilities are listed in the checklist below. Failure to comply allows regulators to impose fines on the organisation.

1) Lawful, fair and transparent processing

Companies that process personal data must do so in a lawful, fair and transparent manner; "lawful" means that every processing activity rests on one of the legal bases in Article 6, such as consent, performance of a contract or a legitimate interest.

2) Limitation of purpose, data, and storage

Personal data may only be processed for the specific, legitimate purpose it was collected for; no more data than is necessary for that purpose may be collected; and the data must be deleted once the purpose is fulfilled.

3) Data subject rights

A data subject has the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data.

4) Consent

Where processing relies on consent, that consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw at any moment as it was to give. For children under 16 (member states may lower this age, but not below 13) consent must come from a parent or guardian.

5) Personal data breaches

A register of personal data breaches has to be maintained. A breach must be reported to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals, and the affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

6) Privacy by Design

Privacy and data protection must be built into the organisation's technical and organisational measures from the start and enabled by default, not bolted on afterwards.

7) Data Protection Impact Assessment

A Data Protection Impact Assessment should be conducted before starting a new project, change or product whose processing is likely to result in a high risk to individuals, for example large-scale profiling or systematic monitoring.

8) Data transfers

The controller of personal data remains responsible for its protection when it is transferred outside the company, whether to a third party (processors such as hosting, analytics or email providers) or to another entity within the same group; transfers to countries outside the EU additionally require an adequate level of protection.

9) Data Protection Officer

A Data Protection Officer who advises the organisation on compliance with the GDPR must be appointed when its core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, and in every public authority.

10) Awareness and training

Employees must be made aware of the key GDPR requirements so that they can protect personal data and recognise and report data breaches.


Ultimate GDPR

The good news is that much of the technical side of the rights and checklist items above can be handled with the Ultimate GDPR plugin, an all-in-one GDPR compliance toolkit for WordPress. Bear in mind that a plugin can only cover the parts that live on your website, not organisational duties such as the breach register, the impact assessment or staff training. Its features include:

Personal Data Access – Dedicated form for Users to access currently stored personal data.

Right to be Forgotten – Dedicated form for Users to request deletion of stored data.

Privacy Policy Pages – Set up redirects for your Terms and Conditions and Privacy Policy pages until consent is given.

Cookie Consents – create a customizable box for Cookie Consent and block all cookies until cookie consent is given.

Automatically add consent boxes for various forms on your website.

Data Breach – send global email notifications about data breach.

Pseudonymisation – replace selected user fields in the database with pseudonyms, so that a leaked database exposes less directly identifying information. Note that pseudonymised data which can still be linked back to a person remains personal data under the GDPR, so this reduces the impact of a breach rather than removing the obligation to protect the data.

More features: you can browse user requests for data access and deletion, detect cookies, manage them in an advanced cookie management panel, and integrate with leading WordPress plugins such as WooCommerce. To make your WordPress website GDPR compliant with these features, buy Ultimate GDPR now!

GDPR for Photographers (DSGVO Fotografie)

For photographers the situation is different. The GDPR does not apply to processing “in the course of a purely personal or household activity”: taking pictures of your family and posting them on Instagram counts as a household activity. The same picture falls under the GDPR once you take and publish it as an enthusiast or professional. This post is mainly about WordPress websites; if you are a photographer, read more about GDPR for Photographers for the details.
