GDPR and data protection for WordPress and WooCommerce

All companies that do business in Europe in one way or another are required to comply with the GDPR, the EU’s data protection law. What does it mean and what do you need to do in practice?

The GDPR is designed to protect European citizens’ right to privacy. There has long been equivalent legislation in Sweden (PuL), but this has been more or less toothless as there has been little incentive to comply with it. The GDPR standardises the legislation across the EU and, unlike previous legislation, breaches of the law can result in a penalty of up to €20m or 4% of the company’s total turnover.

Any suspected breach of the GDPR can be reported by any European individual or company to their country’s equivalent of the Data Protection Authority, which then investigates the suspected offence. In this way, companies that have adapted could use the GDPR as a weapon to put the squeeze on competitors that have not. Ensuring compliance with the legislation will therefore be of utmost importance for all companies.

What will I learn?

  • What personal data is.
  • What requirements are imposed on companies.
  • What you need to do in your company.
  • What you need to do on your website.

Take me to the GDPR checklist directly

Quick guide to the GDPR:

  • You must not collect more personal data than necessary.
  • You can only collect data for pre-defined purposes.
  • Data must not be kept longer than necessary.
  • Data should not be stored in more places than necessary, and as few people as possible should have access to it.
  • Data must not be stored outside EU countries or countries with equivalent data protection legislation or voluntary agreements, for example https://www.privacyshield.gov.
  • Users have the right to know what data you have stored about them.
  • Users have the right to be forgotten.
  • Data leaks must be reported to the Data Inspectorate.
  • There must be documentation on how you handle personal data.
  • All suppliers who process personal data for you must comply with the GDPR, and you must have a data processing agreement with each supplier.
  • You should appoint a data protection officer.

The GDPR is about personal data

All data that could lead to the identification of a living person is considered personal data. Sometimes the data is stored for legal reasons (employment contracts, accounting) and sometimes it is stored for marketing purposes (marketing automation, CRM, email lists). The GDPR also covers things that are not directly linked to a named person, such as:

  • Location data.
  • Online identifiers (for example a username).

Sensitive personal data

In addition to ordinary personal data, there is also what is considered sensitive personal data. These can include:

  • Race, ethnicity and origin.
  • Genetic data.
  • Biometric data.
  • Political opinions.
  • Religious or philosophical beliefs.
  • Trade union membership.
  • Health data.
  • Sexual orientation and sex life.
  • Previous criminal offences (convictions).

Sensitive personal data requires special consent for handling and must be protected with a higher level of security, and a breach of the GDPR involving such data carries significantly higher penalties than a “regular” violation.

GDPR is implemented throughout the company

GDPR is not something that can be implemented as a “quick fix”. It is a mindset that must be adopted to protect all customers and citizens. The GDPR consists of 99 articles and is complemented by codes of conduct, but to simplify, the GDPR can be summarised into three broad fields:

  1. Documentation, information, communication and consent.
  2. Protection of the rights of the individual (e.g. personal data).
  3. Incorporation of GDPR (e.g. data protection) in workflows, also called “Privacy by design”.

Documentation, information, communication and consent

Documentation

One of the most important things in the GDPR is documentation. To put it bluntly, very few automated tools and IT projects are required to comply with the GDPR; the most important thing is that the approach is documented.

GDPR is about knowing what you have, knowing what you do with it, knowing where it is stored, knowing who has access to it and knowing how to manage the security around it. Every possible aspect needs to be covered, from old email configuration to lists in Excel stored on a USB stick.

As many people as possible in the organisation need to know, and everything needs to be documented. Some of this will be internal documentation; other information will be external documentation, published on your website for example.

Communication

The most basic step is to make sure that everyone in the organisation, contractors and employees alike, is aware of how the GDPR affects their work, from the person who fixes the fruit basket to the CEO and board.

This also means that policies must be established. The fact that these policies have been reviewed must then be documented and archived. Not everyone will become an expert in data protection overnight, but all staff should be made aware of:

  • What personal data is.
  • What you can do with personal data.
  • How they incorporate data protection into product design.
  • How they obtain consent.
  • Their own rights.
  • What a ‘personal data breach’ means.
  • What internal reporting mechanisms are in place to report a breach.

Privacy information

The GDPR requires organisations to be more transparent about how they use the data they collect. Therefore, the privacy notice will be a text that must be available on all company websites. The text should be written in such a way that it is easily understood by the intended audience. If you have a website with various games aimed at children, you need language that children can understand.

There also needs to be a way for the person visiting the website to withdraw their consent, including consent to tracking, as unique cookies that identify a specific device or person can be considered as collecting personal data. For example, if you have a marketing automation tool (e.g. HubSpot) that saves personal data in various ways, the user must be able to say in an automated way that they do not want these cookies, and those cookies must then not be set for that user either.

This granularity is not strictly a GDPR requirement but rather stems from previous legislation around cookies. However, the GDPR creates a need for better tools, as modern marketing tools are designed to track user behaviour, and it is safer to assume that such tracking falls under the GDPR.

Data Protection Officer (DPO)

Under the GDPR, companies should have a designated data protection officer. The DPO does not need to have any specialised knowledge or training, but is the person who is internally responsible for ensuring that the company implements data protection adequately. To do this well, the DPO needs to be comfortable raising difficult issues and be able to challenge all processes and practices within the company without risk of reprisal. The DPO should be independent (e.g. it is not appropriate for the IT manager to be the DPO) and liaise directly with management.

Ultimately, however, it is the company that is responsible for complying with the GDPR, and the DPO is primarily an internal function that ensures compliance. Appointing a person just for the sake of it is therefore counterproductive – the most important thing is that the company complies with the GDPR.

Consent

Under the GDPR, all collection of personal data must be done with the consent of the individual.

Consent must be active. Consent must be freely given and initiated by the user. It must not be a default option.


Consent must be granular. “All or nothing” options are not allowed. For example, it must be possible to refuse tracking cookies but accept the cookies needed for the website to function. Another example is that consent to receive a newsletter must not be automatic when creating a user account.

Consent must be unconditional. Users cannot be forced to give consent in order to receive something in return. For example, it will no longer be allowed to give away a white paper in exchange for an email address and then bombard the recipient with newsletters. What will be allowed, however, is to sell a white paper for SEK 0, where the purchase includes a newsletter subscription that the buyer agrees to. Defining it as a business transaction will be of utmost importance for marketers.

Consent must be transparent. The user must be told in detail about all the parties that will process their data and why they are doing so.

Consent must be fair. Consent cannot create an unfair relationship between the user and the data processor. For example, forcing employees to use an internal application that monitors their geographical location even outside working hours would constitute an unfair relationship.

Consent must be verifiable and documented. It must be possible to prove that the user gave their consent, how the consent was given, what information was given, what they agreed to, when they agreed and whether they have withdrawn their consent.

The exception: legal grounds

Personal data can be stored without consent, but only when there is a legal basis.

Legislation sometimes obliges companies to record personal data. For example, all businesses must fulfil the accounting obligations of the Accounting Act. This includes, for example, lists of people who have attended events and been invited to things.

Contracts are another example where businesses must record and manage personal data. However, this requires storing only the data needed to fulfil the contract. No more and no less.

Balancing of interests is a grey area that can be used to balance between the rights of the individual and the needs of the company. For example, a list of potential customers with a certain title in a certain segment could be an authorised list, while a list of people who have been to events and not been invited to things might not be an authorised list.

Protection of individual rights

One of the important pillars of the GDPR is the individual’s right over their data. Europeans have always had more rights than others over how their information is used.
For businesses, this means that these rights must be respected and implemented in workflows, and that a request to withdraw consent or to know what data is held must be responded to. The response must be handled in a transparent manner and completed within a reasonable time.

Users’ rights are:

  • The right to be informed through privacy notices.
  • The right to access the data you hold on them (known as ‘Requesting a record extract’).
  • The right to be able to download their data and take it to another provider.
  • The right to correct errors in the data you hold on them.
  • The right to have certain types of data removed (known as the ‘Right to be forgotten’).
  • The right to restrict data processing (that is, how you use their data).
  • The right to object to your data processing (for example, its use in automated decision-making).

Requesting a record extract

Requesting a record extract (or making a Subject Access Request) is a right that all European citizens have had for a long time.
You can expect to receive subject access requests from individuals who want:

  • Confirmation that you are processing their data.
  • A copy of any data you hold on the individual.
  • Information about which third parties you have passed their data on to.

A data subject access request must be completed within a reasonable time. Also, as it is a right, you cannot charge a fee for providing the information. It can therefore become a very costly affair for a company if it receives many requests and the process is handled manually.
All companies must have a documented process for handling a request for a register extract.

The ‘right’ to be forgotten

A right to be forgotten can easily be misinterpreted by many as a way to censor and remove compromising information about oneself online. Of course, this is not how it works.

The right to be forgotten can only be used if:

  • The personal data is no longer necessary.
  • The individual withdraws consent for data processing.
  • Data processing is not necessary.
  • Personal data was collected illegally.
  • The deletion of the personal data does not violate any law.
  • The data concerns a child who is not of age.

This means that it is not possible to remove oneself completely from a customer database at any time, but it is possible to remove oneself from a lead list.

The right to download your data

If your company uses WordPress or WooCommerce, you already have good opportunities for data portability. WordPress is built to be easy to migrate to and from, unlike proprietary or rental solutions, which makes open source the primary choice in a CMS or e-commerce procurement.

If a person requests a record extract, you must be prepared to provide them with all their details. Different WordPress and WooCommerce implementations may store personal data in different ways, so a standardised solution can solve a lot, but it often needs to be adapted to your unique needs.
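WordPress ships with privacy tools (Tools › Export Personal Data and Tools › Erase Personal Data) that collect data from every registered exporter and eraser, so a plugin that stores its own personal data can plug into the standard record-extract and right-to-be-forgotten flows. The following is an added example, not code from the original article or from System Strategists, of registering an exporter and an eraser for a hypothetical plugin that keeps a newsletter opt-in flag and a loyalty-points balance in wp_usermeta. The `ssx_` function names, the two meta keys and the accounting-based retention rule are assumptions for this example; the filters and callback contracts are WordPress’s own (available since WordPress 4.9.6).

```php
<?php
/**
 * Added example: hooking a plugin's own personal data into the WordPress
 * privacy exporter/eraser framework. The meta keys below are hypothetical.
 */

// Meta keys this example plugin owns. Other components' data is left to
// their own exporters and erasers.
const SSX_META_KEYS = array(
    'ssx_newsletter_optin' => 'Newsletter opt-in',
    'ssx_loyalty_points'   => 'Loyalty points',
);

// Assumption for this example: the loyalty balance is tied to issued
// invoices and must be kept under accounting rules, so the eraser reports
// it as retained and says why instead of silently skipping it.
const SSX_RETAINED_KEYS = array(
    'ssx_loyalty_points' => 'Loyalty balance retained for accounting purposes (legal basis).',
);

/**
 * Exporter callback. WordPress calls it with the email address entered on
 * the export screen and a page number for large data sets.
 */
function ssx_personal_data_exporter( $email_address, $page = 1 ) {
    $user = get_user_by( 'email', $email_address );
    if ( ! $user ) {
        // Nothing stored for this address: report an empty, finished export.
        return array( 'data' => array(), 'done' => true );
    }

    $fields = array();
    foreach ( SSX_META_KEYS as $key => $label ) {
        $value = get_user_meta( $user->ID, $key, true );
        if ( '' !== $value ) {
            $fields[] = array( 'name' => $label, 'value' => $value );
        }
    }

    $export_items = array();
    if ( $fields ) {
        $export_items[] = array(
            'group_id'    => 'ssx_marketing',
            'group_label' => 'Marketing data (example plugin)',
            'item_id'     => 'ssx-user-' . $user->ID,
            'data'        => $fields,
        );
    }

    // Everything fits on one page, so signal completion.
    return array( 'data' => $export_items, 'done' => true );
}

/**
 * Eraser callback. Removes only this plugin's keys and reports what was
 * kept, so the site owner can document the outcome of the request.
 */
function ssx_personal_data_eraser( $email_address, $page = 1 ) {
    $user = get_user_by( 'email', $email_address );
    if ( ! $user ) {
        return array( 'items_removed' => false, 'items_retained' => false, 'messages' => array(), 'done' => true );
    }

    $removed  = false;
    $retained = false;
    $messages = array();
    foreach ( array_keys( SSX_META_KEYS ) as $key ) {
        if ( isset( SSX_RETAINED_KEYS[ $key ] ) ) {
            if ( '' !== get_user_meta( $user->ID, $key, true ) ) {
                $retained   = true;
                $messages[] = SSX_RETAINED_KEYS[ $key ];
            }
            continue;
        }
        if ( delete_user_meta( $user->ID, $key ) ) {
            $removed = true;
        }
    }

    return array(
        'items_removed'  => $removed,
        'items_retained' => $retained,
        'messages'       => $messages,
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['ssx-example-plugin'] = array(
        'exporter_friendly_name' => 'Example marketing plugin',
        'callback'               => 'ssx_personal_data_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['ssx-example-plugin'] = array(
        'eraser_friendly_name' => 'Example marketing plugin',
        'callback'             => 'ssx_personal_data_eraser',
    );
    return $erasers;
} );
```

Once this file is active as a plugin, a record extract requested through Tools › Export Personal Data includes the plugin’s group alongside WordPress’s own user and comment data, and the resulting ZIP is what you hand to the individual. The eraser’s “retained” message is the hook for the legal-grounds exception described above: the request is logged as handled, and the reason some data remains is written down rather than left implicit.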

Profiling, aggregation and marketing

Using systems to link different data sources can be extremely powerful for both employers and marketers. These systems can be used to map, for example:

  • Employee performance.
  • People’s health.
  • Personal preferences.
  • Reliability.
  • Behaviour.
  • Location or movements.

Today, many people use Marketing Automation systems, which aggregate data from multiple sources to provide a holistic view of customers and their needs. In order to do this, users must be allowed to opt out (for example, by not accepting marketing cookies), but there must also be detailed information about how their data will be used.

This will place demands on, for example, the digital agency you use to guide you through the implementation of your digital solutions. It is no longer possible to assume that you can use data from a form in any way you want. Ad-hoc solutions and after-the-fact fixes will no longer be acceptable. If you buy a Marketing Automation system, you need to have a clear plan of why and how you will use it, and this needs to be reflected in your company’s privacy notice.

Report data leaks

The GDPR requires companies to prepare for data breaches. Most data breaches are avoidable, so much of the ‘preparation’ consists of GDPR-securing the business, but it is also about preparing for the worst-case scenario.

All data breaches must be reported to the Data Protection Authority within 72 hours of discovery. Any leak that risks resulting in the rights and freedoms of individuals being compromised must be reported. If the leak affects a large number of people or contains sensitive personal data, this leak must also be reported immediately to the affected individuals.

A report must include the following information:

  • The type of user data that has been leaked.
  • How many individuals have been affected.
  • How many data fields are involved.
  • Information on how the leak was discovered, and by whom (for example, via internal reporting or via a customer complaint).
  • Information on who was responsible for the leak.
  • Information on how the leak happened.
  • What were the consequences of the leak (for example, credit card details were leaked and customer accounts were debited).
  • What actions have been taken to address the leak (e.g. contacting customers, resetting all passwords, etc.).
  • What measures will be taken to deal with the consequences of the leak.
  • Name and contact details of your Data Protection Officer.

Please note that information that may harm or affect the investigation of the data breach does not need to be shared in the initial reporting of the data breach.

Hosting of data within the EU

Under the GDPR, personal data cannot be transferred to and stored outside the EU unless the destination country can guarantee the same level of data protection.

This means, for example, that companies using providers outside the EU to host their websites may need to review their choice of provider.

For US companies, there is the Privacy Shield, a voluntary initiative intended to achieve the same level of protection as EU legislation. Privacy Shield is not a perfect system and has for some time been challenged by both European interests and the US administration. Privacy Shield is therefore considered a dead project that companies wanting to avoid unnecessary risk should steer clear of.

GDPR secure your suppliers

It will be your company’s responsibility to ensure that your suppliers are GDPR secure. You need to ensure that your suppliers can handle personal data in a secure way.

GDPR secure your web/advertising/content/digital agency

When sourcing marketing services, it’s important to scrutinise the supplier’s processes. For those of us working with code, for example, this means we need to anonymise personal data, in an automated way, whenever it is moved from a production environment to a test environment.
The supplier also needs to have processes and documentation in place to ensure that they handle personal data correctly, and you need to sign a data processing agreement with the supplier.
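The production-to-test anonymisation mentioned above is worth showing concretely, because the naive approach (copying the database and hoping nobody looks) is exactly the kind of undocumented data store the GDPR penalises. Below is an added example, not code from the original article or from System Strategists, of a pseudonymisation step that a copy script can run over WooCommerce order rows before they reach a test environment. The billing meta key names (`_billing_email`, `_billing_first_name`, …) are WooCommerce’s; the record layout, the `ssx_` names, the keyed-hash scheme and the sample rows are constructed for this example.

```php
<?php
/**
 * Added example: pseudonymising customer records before a production copy is
 * loaded into a test environment. Sample rows below are constructed.
 */

// Fields that directly identify a person and have no value in a test database.
const SSX_DIRECT_IDENTIFIERS = array(
    '_billing_first_name', '_billing_last_name', '_billing_phone',
    '_billing_address_1', '_billing_address_2', '_billing_postcode', '_billing_city',
);

/**
 * Derive a short, stable token from a value with a keyed hash (HMAC-SHA256).
 * The key is generated in production for this one copy and discarded
 * afterwards, so test users cannot recover the original email address, yet
 * the same customer maps to the same token in every table, which keeps order
 * histories and foreign keys usable for testing.
 */
function ssx_token( string $value, string $key ): string {
    return substr( hash_hmac( 'sha256', strtolower( trim( $value ) ), $key ), 0, 12 );
}

/**
 * Replace identifying fields in one order record. Amounts, dates and product
 * lines are left untouched because tests depend on them.
 */
function ssx_pseudonymise_record( array $record, string $key ): array {
    $out = $record;

    foreach ( SSX_DIRECT_IDENTIFIERS as $field ) {
        if ( array_key_exists( $field, $out ) ) {
            $out[ $field ] = '';
        }
    }

    if ( ! empty( $out['_billing_email'] ) ) {
        $token = ssx_token( $out['_billing_email'], $key );
        // .invalid is reserved (RFC 2606), so test mail can never reach a real person.
        $out['_billing_email']      = 'customer-' . $token . '@example.invalid';
        $out['_billing_first_name'] = 'Test';
        $out['_billing_last_name']  = 'Customer ' . $token;
    }

    // Free-text notes often carry names, phone numbers or even health details,
    // which would make the test copy sensitive personal data; drop them outright.
    if ( array_key_exists( 'customer_note', $out ) ) {
        $out['customer_note'] = '';
    }

    return $out;
}

// Constructed sample rows, shaped like two orders by the same customer whose
// email address was typed with different capitalisation each time.
$sample_orders = array(
    array(
        'order_id'            => 1001,
        '_billing_email'      => 'Anna.Andersson@example.com',
        '_billing_first_name' => 'Anna',
        '_billing_last_name'  => 'Andersson',
        '_billing_phone'      => '+46 70 000 00 00',
        '_billing_city'       => 'Göteborg',
        '_order_total'        => '499.00',
        'customer_note'       => 'Leave at the door, I am home on sick leave.',
    ),
    array(
        'order_id'            => 1002,
        '_billing_email'      => 'anna.andersson@example.com',
        '_billing_first_name' => 'Anna',
        '_billing_last_name'  => 'Andersson',
        '_billing_phone'      => '+46 70 000 00 00',
        '_billing_city'       => 'Göteborg',
        '_order_total'        => '129.00',
        'customer_note'       => '',
    ),
);

// One fresh key per copy; never written to disk or shipped with the dump.
$copy_key = bin2hex( random_bytes( 32 ) );

foreach ( $sample_orders as $order ) {
    $clean = ssx_pseudonymise_record( $order, $copy_key );
    // Both orders end up with the same pseudonymous customer, so tests that
    // group orders per customer still work, while no real identifier remains.
    printf( "order %d -> %s, total %s\n", $clean['order_id'], $clean['_billing_email'], $clean['_order_total'] );
}
```

Two points a reviewer of such a script should check: that the key really is discarded (a pseudonymised copy whose key is kept in a shared place is still personal data in the GDPR’s eyes), and that every table holding identifiers is covered, not just the obvious ones; WooCommerce also stores shipping addresses, order notes and payment tokens, and the same pass has to be applied to each of them.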

Incorporating the GDPR into workflows

The GDPR must be implemented both in the long and short term. In the long term, it’s in how you do everything from designing your IT systems to how your marketing department works, but in the short term there are a few things you need to address.

We would like to point out that this list may not always be complete for all types of organisations. We therefore recommend that you contact a company like System Strategists to guide you as you conduct a broader GDPR review within your company. Wondering how GDPR affects your marketing? Learn more about what it means for your strategies and how you can adapt on our page on what GDPR means for your marketing.

Checklist for the GDPR (tick each item off once it has been actioned):

  • Data review: Do a full review of all the data you have and where you have it, whether it’s online, offline, internal, external, in active projects or in inactive projects.
  • Data storage: Review where you store your data. All data storage must be within the EU, for example at our hosting company Synotio.
  • Data protection: Review your data protection and who has access to what. (Tip: ISO 27001 provides good support for meeting GDPR data protection requirements.)
  • Information: Create privacy notices for all services and products. Inform on the website why you collect data and how it will be used.
  • Data protection officer: Appoint a Data Protection Officer to ensure you are GDPR compliant.
  • Consent processes: Review your consent processes. How do the forms on your website work? Does the website have the option to granularly opt out of cookies? Review your existing lists and ensure that all individuals in your databases have given consent.
  • Register extracts: Establish a written process for when someone requests a record extract. If possible, automate this on the website.
  • Forget users: Establish a written process for when someone requests to be removed or wants to change their data. If possible, automate this on the website.
  • Portability: Implement data portability. If possible, automate this on the website.
  • Profiling: Review any processes that handle personal data to track behaviour for marketing purposes.
  • Data leaks: Establish a written process for data leaks.
  • Suppliers: Ensure that all suppliers who handle personal data for you handle it correctly.
  • Data processors: Sign data processing agreements with all suppliers that may handle personal data (a template can be found here).

GDPR secure WordPress & WooCommerce

For WooCommerce and WordPress, we run projects for clients to GDPR secure their websites. We can help review your site to ensure you are not storing data that could cause you problems in the future, and we can also produce the software needed to make your site GDPR compliant:

  • Installation and database review to ensure that data that should not be stored is not stored
  • GDPR secured hosting with SSL
  • Review of data collection to ensure consent
  • Add-ons to ensure granularity in what cookies you as a user receive
  • Customised plugins to automate record extractions and ensure data portability

Are you sure your website complies with EU cookie law? Find out what’s required and how you can ensure compliance on our WordPress and EU Cookie Law page.

Contact us and we’ll help you GDPR-proof your WooCommerce or WordPress site.
