As May 25th, the enforcement date for the General Data Protection Regulation (GDPR) draws near, individuals and businesses are scrambling to make sure they’re compliant. I’ve read a number of blog posts throughout the WordPress community explaining the GDPR and what needs to be done for compliance and it’s a tough thing to grasp.
The EU GDPR was designed to harmonize data privacy laws across Europe, protect and empower European citizens' data privacy, and reshape the way organizations across the region approach data privacy. In reading the regulation and various blog posts, the terminology makes it appear that the changes are geared towards large, international businesses that process personal data.
However, according to Heather Burns, a digital law specialist in Glasgow, Scotland, the GDPR affects sites large and small.
GDPR applies to all businesses, organizations, sectors, situations, and scenarios, regardless of a business’s size, head count, or financial turnover. A small app studio is every bit as beholden to these rules as a large corporation.
Determining if your site needs to be compliant and how to accomplish it can be overwhelming. If you do business in Europe or collect data from European users, you must protect that data in accordance with the GDPR as if you were in Europe. For example, if you operate a blog with a contact form that saves entries to the database from people who live in Europe, you must make your site GDPR compliant.
There are a lot of aspects to the GDPR, and while a short excerpt cannot fully explain it at a glance, there are a few themes that stick out to me.
- Be upfront and concise about what data is stored, sent, and used on the site or form.
- Give the user a chance to consent without automatically opting them in.
- Collect the least amount of data possible for legitimate business purposes.
- Provide a way for users to download or access their data and remove it.
Many of these are common-sense practices that are nonetheless not implemented on many sites, WP Tavern included. How often do you visit a site's contact form and see an explanation of why those fields are required, where the data is stored, where it goes, and what is done with it? This is something I'll be working on in the next few weeks.
Making WordPress Core GDPR Compliant
Earlier this month, a number of volunteers gathered to discuss GDPR compliance in WordPress core. The meeting took place in a newly created channel #gdpr-compliance that’s accessible to anyone with a SlackHQ account.
The team created a proposed roadmap to add privacy tools to core. The plan includes the following ideas:
- Add notices for registered users and commenters on what data is collected in core by default and explain why.
- Create guidelines for plugins on how to become GDPR compliant.
- Create and add tools to facilitate compliance and privacy in general.
- Add documentation and help for site owners to learn how to use these tools.
Earlier today, the team met and created a GitHub folder that houses the roadmap, knowledge base, Trac ticket list, and other items associated with the project. There was also some discussion on whether the interface provided by the GDPR for WordPress project is a good foundation for core and plugins to report the personal data they hold. The GDPR Compliance Slack channel is also a good place to ask questions and discuss data privacy in general.
Popular form plugins such as GravityForms and NinjaForms have documentation available that explains GDPR compliance and how it applies to their products. Those who use the Contact Form module in Jetpack, which saves entries to the database by default, will need to wait for further updates. WooCommerce and Automattic have announced that they expect their products to be GDPR compliant by the time the regulation goes into effect later this year.
If you’re like me, reading about the GDPR and its policies can make your head spin. It’s important to keep in mind that at the heart of the GDPR are common sense behaviors for handling personal data. If you’d like to learn more about the GDPR, check out the following resources.
Jeff, note that this is EU (European Union) regulation and the EU is not the whole of Europe; there are countries outside of it. This means that for some European countries and some European citizens EU rules don't apply, and thus neither does the GDPR.
I am not surprised that this EU regulation sounds complicated and hard to understand. Most (if not all) EU regulations (not just for digital) are like that. The problem is that the EU has become too big, bureaucratic, and out of touch with real life; it doesn't solve problems but introduces new ones, and has way too many regulations. While in some cases the intentions might sound noble, the execution is poor and awful. Take for example two well-known cases for digital: the cookie law and VAT MOSS.
My bet is that this is how it will end with the GDPR. Privacy would be improved only on paper, not in real life.