GDPR and data protection for WordPress and WooCommerce

All companies that do business in Europe in one way or another, are obliged to comply with the GDPR, EU data legislation. The question is, what does it mean, and what do you need to do?

The GDPR is designed to protect European citizens’ right to privacy. There has long been corresponding legislation in Sweden (PuL), but this has been more or less impactless as there have been no major incentives to follow it. GDPR standardizes legislation throughout the EU, and, unlike with previous legislation, breaches of the law can involve a penalty fee of up to 20M Euro or 4% of the company’s total turnover.

All suspected violations of the GDPR can be reported by all European individuals and companies. It is then up to them to investigate the suspected crime. In this way, the GDPR can be used as a weapon to set the bar for companies that have not adapted to the companies that have. Having time to ensure compliance with the law will therefore be of the highest interest to all companies.

GDPR is about personal data

All information that could lead to the identification of people living today is to be regarded as personal information. Sometimes the data is stored for legal reasons (employment contract, accounting) and sometimes it is stored for marketing purposes(marketing automation, CRM, email lists). The GDPR also includes things that are not directly linked to personal data such as;

• Location data.
• Online identifiers (for example, a username).

Sensitive personal data

In addition to regular personal information, there is also something that is considered sensitive personal information. These may include:

• Race, ethnicity, and origin.
• Genetic data.
• Biometric data.
• Political opinions.
• Religious or philosophical views.
• Union affiliation.
• Health data.
• Sexual orientation & inclination.
• Past crime (convictions).

Managing sensitive personal data requires that you have special consent and that you have made an effort to have a higher level of security.

GDPR is implemented throughout the whole company

GDPR is not something that can be implemented as a “quick fix”. It is a way of thinking that must be implemented to protect all customers and citizens. The GDPR consists of 99 articles and is supplemented with codes of conduct, but for simplicity, the GDPR can be summarized into three broader fields;

1. Documentation, information, communication, and consent.
2. Protection of the individual’s rights (eg personal data).
3. Incorporation of GDPR (eg. Data protection) in workflows, also called “Privacy by design”.

Documentation, information, communication, and consent

Documentation

One of the most important things in the GDPR is documentation. Quite frankly, it can be said that very few automated tools and IT projects are required to be able to comply with the GDPR, the most important thing is that the approach is documented.

GDPR is about knowing what you have, knowing what you do with it, knowing where it is stored, knowing who has access to it and knowing how to manage the security around it. All conceivable aspects must be reviewed; from old e-mail configuration to lists in excel stored on USB memory.

Everything needs to be documented. Some will be internal documentation, other information will be external documentation that is published on, for example, your website.

Communication

The most basic step is to make sure that everyone in the organization, hired and employed, is aware of how the GDPR affects their work. Everything from the person who fixes the fruit basket to the CEO and board members.

This also means that policies must be established. That these policies have been presented and reviewed must then be documented and archived. Not everyone will become an expert in data protection overnight, but everyone on staff should be aware of;

• What personal data is.
• What to do with personal data.
• How to incorporate data protection into product design.
• How to obtain consent.
• Their own rights.
• What a “personal data incident” means.
• What internal reporting mechanisms exist for reporting an incident.

Privacy information

GDPR requires the organization to be more transparent about how to use its data. Therefore, privacy information will be content that will be available on all companies’ websites. The text must be written in such a way that it is easy to understand for the intended target audience. If you have a website with different games aimed at children, you need a language that children can understand.

It is also required that there is a possibility for the person visiting the website to withdraw their consent, including tracking as cookies that identify a specific device or person can be counted as collecting personal data. For example, if you have a Marketing Automation tool (eg Hubspot) that saves personal data in different ways, the user must be able to say in an automated way that they do not want these cookies.

This granularity is not necessarily part of the GDPR but rather previous legislation around cookies, but the GDPR creates a need for better tools as modern marketing tools are inherently designed to track users’ behaviors.

Data Protection Officer (DPO)

Under the GDPR, companies should have a designated data protection officer. The Data Protection Officer does not need to have any special knowledge or training but is the one who is internally responsible for the company satisfactorily implementing data protection. For this to work well, the person needs to be comfortable with raising difficult issues and be able to challenge all processes and approaches within the company without the risk of retaliation. The data protection officer must be independent (for example, it is not appropriate for the IT manager to be a DPO) and have direct collaboration with the management.

In the end, however, the company is responsible for complying with the GDPR, and the data protection officer is primarily an internal function that ensures that the requirements are met.

Consent

In the GDPR, all collection of personal data must take place with the person’s consent.

Consent must be given voluntarily and is initiated by the user. It must not be a default option.

Consent must be Granular. “All or nothing” option is not allowed. For example, you must be able to say no to tracking cookies, but accept cookies for the website to work. Another example is that consent to receive a newsletter may not be automatically given when creating a user account.

Consent must be Unconditional. Users can not be forced to give consent to receive anything in return. For example, it will no longer be allowed to give away a whitepaper in exchange for an email address and then bombard the recipient with newsletters. On the other hand, there is a workaround, as what will be allowed is to sell a whitepaper for £0 – and then have a subscription to a newsletter included, which you give consent to. Defining the whole thing as a business transaction will be of utmost importance to marketers.

Consent must be Transparent. The user must be able to find out in detail all the parties who will process their data and why they do so.

Consent must be Fair. Consent cannot create an unfair relationship between the user and the data processor. For example, forcing employees to use an internal application that monitors employees’ geographical location even outside of their working hours would constitute grounds for an unfair relationship.

Consent must be Verifiable and documented. It must be possible to prove that the user gave their consent, how the consent was given, what information was given, what they agreed to when they consented, and whether they withdrew their consent or not.

The exception: Legal grounds

Personal data may be stored without consent, but only when you have a legal basis.

Legislation can sometimes mean that companies are obliged to register personal data. For example, all companies must comply with the accounting obligation in the Accounting Act. This includes, for example, lists of people who have been to events and been offered things.

Agreements are another example where companies must register and handle personal data. However, it requires that you only store the information needed to fulfill the agreement. No more. no less.

Balancing of interests is a gray area that can be used to balance the individual’s rights and the company’s needs. For example, a list of potential customers with a certain title within a certain segment could be an approved list, while a list of people who have been to events and not been offered things may not be an approved list.

Protecting the rights of the individual

One of the important pillars of the GDPR is the individuals’ right over their data. Europeans have always had more rights than others about how their information is used. For companies, this means that these rights must be respected. 

The users’ rights are:

• The right to be informed through confidential information.
• The right to access the data you have about them (known as “Request Registry Extract”).
• The right to be able to download their data and take it to another provider.
• The right to correct errors in your data.
• The right to have certain types of data deleted (known as the “Right to be forgotten”).
• The right to restrict data processing (that is, how you use their data).
• The right to dispute your data processing (for example for use in automated processes).

Subject Access Request

Requesting a Subject Access Request is a right that all European citizens have had for a long time. You can expect to receive Subject Access Requestextracts from individuals who want:

• Confirmation that you are processing their data.
• A copy of all the data you have about the individual.
• Information about which third parties you have passed on their data to.

A Subject Access Request must be completed within a reasonable time. Since it is a legal right, you may not charge a fee for providing the information. Therefore, it can be costly for a company if it receives multiple requests, and the process is handled manually. All companies must have a documented process for how a Subject Access Request should be handled.

The “right” to be forgotten

A right to be allowed to be forgotten can easily be misinterpreted by many as a way to be able to censor and remove compromising information about oneself online. Of course, that’s not how it works.

The right to be forgotten may only be used if:

• The personal data is no longer necessary.
• The individual withdraws his consent for data processing.
• Data processing is not necessary.
• Personal data was obtained illegally.
• The deletion of personal data does not violate any law.
• The data concerns a child.

This means that it is not possible to delete oneself completely from a customer database, but that it is possible to delete oneself from a lead list.

The right to be able to download data

If your company uses WordPress, WooCommerce, you already have good opportunities for data portability. WordPress is built to be able to easily migrate to and from in a simple way, unlike proprietary solutions or rental solutions. This is what makes Open Source the primary choice in a CMS and E-commerce procurement.

If a person makes a Subject Access Request, you must be prepared to be able to provide all the relevant information. Different WordPress and WooCommerce implementations can store personal data in different ways, and therefore a standardized solution can solve a lot – but often has to be adapted to your unique needs.

Profiling, aggregation, and marketing

Using systems to connect different data sources can be extremely powerful for both employers and marketers. These systems can be used to map, for example:

• Employee work performance.
• Human health.
• Personal preferences.
• Reliability.
• Behavior.
• Places and movements.

Today, many people use Marketing Automation system. In these systems, data from several different sources are aggregated to provide an overall picture of customers and their needs. In order to be allowed to do this, users must be allowed to say no (by, for example, not accepting marketing cookies), but there must also be detailed information on how their data will be used.

This will place demands on the digital agency you use to guide you around the implementation of your digital solutions. It is no longer possible to assume that you can use data retrieved from a form in exactly the way you want. Ad-hoc solutions and post-construction will no longer be acceptable. If you buy a Marketing Automation system, you must have a clear plan on both why and how to use it, which must be reflected in the company’s privacy information.

Report data leaks

GDPR requires companies to prepare for data leaks. Most data leaks can be avoided, and therefore much of the “preparation” is to be regarded as GDPR securing your operations.

All data leaks must be reported to the Data Inspectorate within 72 hours of the leak being discovered. All leaks that risk individuals’ rights and freedoms being compromised must be reported. If the leak affects a large number of people or contains sensitive personal data, this leak must also be reported immediately to the affected individuals.

A report must contain the following information:

• What type of user data has been leaked.
• How many individuals were affected.
• How many data fields that are involved.
• Information about how the leak was detected, and by whom (For example, via internal reporting or through customer complaints).
• Information about who was responsible for the leak.
• Information about how the leak happened.
• What consequences the leak has had (For example, credit card information being leaked and withdrawals made to customers’ accounts).
• What measures have been taken to deal with the leak (For example, contacted customers, reset all passwords, etc.).
• What measures will be taken to deal with the consequences of the leak.
• Name and contact information for your Data Protection Officer.

Keep in mind that information that may damage or affect the data leak investigation does not need to be disclosed in the data leak’s initial reporting.

Hosting of data within the EU

Under the GDPR, personal data may not be transferred and stored outside the EU unless these countries can guarantee the same level of data protection.

For example, this means that companies that also use companies outside the EU to host their websites may need to review the choice of provider.

For American companies, there is the Privacy Shield, which is a voluntary initiative to achieve the same level as EU legislation. Privacy Shield is not a perfect system and has for a long time been questioned by European interests and the US administration. Privacy Shield is therefore considered a dead project that companies that want to avoid unnecessary risks should avoid.

GDPR secure your suppliers

It will be your company’s responsibility to ensure that your suppliers are GDPR secured. Meaning that you need to ensure that your suppliers can handle personal data in a secure way.

GDPR secure your web / advertising / content / digital agency

When you purchase various marketing services, it is important to review their different work processes. For those of us who work with code, this means, for example, that we have to anonymize personal data when we move it from a production environment to a test environment in an automated way. In addition to this, the supplier needs to have set-up processes and documentation that ensure that they correctly handle personal data. In addition to this, you also need to sign a personal data assistant agreement for your supplier.

Incorporation of GDPR into workflows

GDPR must be implemented both long-term and short-term. In the long term, it is in how you do everything from designing your IT systems to how the marketing department works. However, there are a few more specific things you need to fix in the short term.

We would like to point out that this list may not always be complete for all types of activities.

Checklist for GDPR:

What	Description	Fixed
Data review	Make a full review of all the data you have and where you have it, regardless of whether it is Online, Offline, Internal, External, inactive projects, or Inactive projects.
Data storage	Review where you store your data. All data storage must take place within the EU, for example, at our hosting company Synotio
Data protection	Review your data protection and who has access to what. (Tip: ISO 27001 provides good support for meeting GDPR data protection requirements)
Information	Create privacy information for all services and products. Inform on the website why you collect data and how it will be used.
Data Protection Officer	Appoint a data protection officer to ensure that you are GDPR secured.
Consent	Review your consent processes. How do the forms work on your website? Does the website have the opportunity to refuse Cookies granularly? Make sure to go through your existing lists and make sure that all the people in your databases have given their consent.
Subject Access Request	Establish a written process for when someone requests a register extract. If possible, automate this on the website
Forget users	Establish a written process for when someone requests to be deleted or want to change their data. If possible, automate this on the website
Portability	Implement data portability. If possible, automate this on the website.
Profiling	Review any processes that handle personal data that tracks behavior for marketing purposes.
Data leaks	Establish a written process for data leaks.
Suppliers	Ensure that all your suppliers who handle personal data for you manage your personal data correctly.
Personal assistant	Sign personal data assistant agreements with all suppliers who can handle personal data.

GDPR secure WordPress & WooCommerce

For WooCommerce and WordPress, we carry out projects for customers to GDPR secure their websites. We can help review your website to ensure that you do not save data that may cause you problems in the future, but we can also manufacture the software needed to help your website with:

• Review of installation and database to ensure that data that should not be stored is not stored
• GDPR secured hosting with SSL
• Review of data collection to ensure consent
• Additions to ensure granularity in which cookies that the receive
• Customized plugins to automate Subject Access Requests and secure data portability

Contact us and we will help you to GDPR-secure your WooCommerce or WordPress website.