GDPR has been quite the buzz on the internet for some time now and has left many people scratching their heads, not really knowing what it is or why it is crucial. This is especially true for small website owners.

The global reach of the GDPR and the prospect of potentially hefty fines have prompted many websites to make the changes needed to become GDPR compliant.

What is GDPR and Why Should You Comply?

GDPR, or General Data Protection Regulation, is a law that came into effect on 25th May 2018. It was designed for the sole purpose of protecting both the privacy and the safety of European citizens. Even though the law aims to protect the privacy of EU citizens only, any organization with a user base in the EU has to comply with it, regardless of whether the organization is based in the EU or not.

GDPR replaced the Data Protection Directive of 1995 as the law protecting the data privacy of EU citizens. It was introduced to address how user behavior and data collection processes have changed since then, and the resulting need for better regulation to protect users' privacy.

So, Why is GDPR important?

GDPR came into effect amid news of data security breaches and the misuse of users' online data by many tech giants. People have become concerned about their privacy online, and GDPR gives users full control over their data.

For businesses, an important reason to comply with the law is to secure the trust of their users. An organization that values and protects the privacy of its users is sure to gain their trust, which is pretty important for a business.

What Does it Mean for Websites?

Different websites collect data from users in multiple ways and for multiple purposes. Under GDPR, websites can no longer collect information about users the way they did before.

It is important to understand that GDPR doesn't prevent websites from collecting or using visitors' data. However, GDPR strictly requires websites to give users real control over how their data is collected and used.

Before GDPR, the common practice was to collect and process user data without always obtaining informed and explicit consent.

Now, websites that collect or use any personal information of site visitors will have to obtain their explicit consent through a checkbox or other means. In addition to that, websites will have to provide details on how the personal information of site visitors will be used.

Where do Websites Start?

The first step to ensuring compliance is to understand the data collection processes in your organization. Determine where data is collected, how it is stored and processed, and for what purposes it is kept.

Make a list of all the third-party services used on your website and the purpose of each. Determine which personal data these services collect and how it is collected and processed. Information about such data collection should be provided to users.

Store the data securely: put proper security measures, such as encryption, in place. Also implement a proper mechanism to inform users as soon as possible if and when there is a data breach.

A central aspect of GDPR is the well-informed consent of users. Whatever data you collect, users should be fully aware of it and should give their explicit consent before the website collects and uses it. Websites should also make sure that they honor the rights of users, which are the following:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object to data processing
  • The rights in relation to automated decision making and profiling.

GDPR can be hard to wrap your head around. If you are struggling with compliance, it is always recommended to hire a lawyer to guide you.

What Steps Has WordPress Taken to Help Websites Comply with the Law?

Millions of websites have been created using WordPress, so it was inevitable that the popular CMS would take steps to help website owners comply with the law.

WordPress 4.9.6 is equipped with several handy built-in privacy settings. If you are using an older version of WordPress, you will need to upgrade to take advantage of these features. Some of the key features in WordPress 4.9.6 that are useful for making your website GDPR compliant are discussed below.

Policy Generator

The right to be informed is a key part of GDPR, and it requires that the website have a privacy policy. It is important to write the privacy policy in simple and understandable language.

If you already have an existing privacy policy, you should consider updating it to meet the requirements of the law. With WordPress 4.9.6, you can designate a Privacy Policy page that will be displayed on the login and registration page.

If you don't have a privacy policy page yet, you can create one. To do that, click Settings and then Privacy in your WordPress dashboard. You will then see a Create New Page option.

Privacy Settings page in WordPress

This generates a privacy policy page for you with suggested privacy policy text. It makes creating the page easier, but it remains the website owner's responsibility to review and update it according to their requirements.

Data Export and Erase

WordPress now makes it easier for website owners to honor user requests for access to their personal information and requests to delete their personal data.

For this, you will find two new features under the Tools menu in WordPress: Erase Personal Data and Export Personal Data.

Erase Personal Data page in WordPress

As the name indicates, the Erase Personal Data option allows the website administrator to delete a user's personal data easily. The admin can send an email asking the user to confirm the request and then delete the user's personal data. After deletion, the user is sent an email informing them of it.

Export Personal Data page in WordPress

The Export Personal Data option honors a user's request to access the personal data that has been collected about them. When a user requests access to their data, the admin can send an email asking for confirmation, after which an email with a link to download the data is sent to the user.

However, these options only help in honoring such requests. The administrator still has to provide a way for users to raise a request, for example by adding a contact form to the website or by publishing other contact details through which users can submit such a request.
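The Export and Erase tools only know about the data WordPress core holds. A plugin that stores its own personal data has to register with both workflows, as in the following added example (not code from the article or from WordPress core); it assumes a hypothetical plugin table `{$wpdb->prefix}newsletter_subscribers` with the columns `id`, `email` and `subscribed_at`.

```php
// Added example, not code from the article or from WordPress core. It assumes a
// hypothetical table {$wpdb->prefix}newsletter_subscribers (id, email, subscribed_at).
// Register with the Tools > Export Personal Data workflow.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => 'Example Newsletter',
        'callback'               => 'example_newsletter_exporter',
    );
    return $exporters;
} );

// Register with the Tools > Erase Personal Data workflow.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => 'Example Newsletter',
        'callback'             => 'example_newsletter_eraser',
    );
    return $erasers;
} );

// Runs after the requester confirms by email; returns that person's rows in
// the group/item structure core packs into the export archive.
function example_newsletter_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_subscribers';
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, subscribed_at FROM {$table} WHERE email = %s", $email_address ) );
    $data  = array();
    foreach ( $rows as $row ) {
        $data[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => 'Newsletter subscriptions',
            'item_id'     => 'subscription-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email', 'value' => $row->email ),
                array( 'name' => 'Subscribed at', 'value' => $row->subscribed_at ),
            ),
        );
    }
    return array( 'data' => $data, 'done' => true );
}

// Deletes the rows for a confirmed erasure request and reports the outcome.
function example_newsletter_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $removed = $wpdb->delete( $wpdb->prefix . 'newsletter_subscribers',
        array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (bool) $removed, 'items_retained' => false,
        'messages' => array(), 'done' => true );
}
```

Once the plugin is active, its data appears under its own group in the export archive and is removed when an erasure request is processed, so third-party data does not silently fall outside the built-in tools.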

Comments Cookie Opt-in

WordPress stores a commenter's details in cookies when a user leaves a comment. This saves users from retyping their details when they leave a new comment on the website. Previously, this was done without the explicit consent of the user.

Now, WordPress lets you add an opt-in checkbox to the native comment form for users posting a comment. This can be done by checking the Show comments cookies opt-in checkbox option.

Add cookie opt-in checkbox for comments

However, the checkbox might not appear, depending on the theme being used, so you might have to write additional CSS for it.

What are the Additional Steps Websites Should Take?

Although WordPress gives you these features to help you comply with the law, they do not make your website 100% GDPR compliant. There are still many things websites need to take care of, for example blocking cookies and data collection prior to the user's consent.

So, what are the next steps that need to be taken to comply with the law?

Update Privacy and Cookie Policies

WordPress now helps you create a privacy policy easily. However, it can only be treated as a starting point. The privacy and cookie policies of a website vary a lot depending on the plugins and other third-party services used.

The cookie policy must now list all the cookies used on the website. It should state why these cookies are used and how long they remain in use, and it should explain how users can opt out of them. To know more about cookies, refer to this article.

A Cookie Notice Must Be Added

You will need to provide information about the cookies your website uses in order to make it GDPR compliant. It is crucial to note that disclosing information about cookies should not be restricted to your privacy policy.

Cookies are set by a website at page load. This means you need to inform users about the cookies by showing a cookie notification at the moment the user first visits. Fortunately, there are plenty of plugins that help you do so; some of them are the following.

GDPR Cookie Consent: The GDPR Cookie Consent plugin is an excellent plugin that can be used to ensure the GDPR compliance of your website. Location-based cookie notice exclusion, auto block scripts, and scanning websites for cookies are all possible with this plugin.

Cookie Notice: Cookie Notice is a free plugin that can be used to add an excellent cookie notification and opt-in to a website. The plugin also contains settings that will enable you to add a button to refuse or accept cookies, include a custom message, and even add links.

GDPR Cookie Compliance: The GDPR Cookie Compliance plugin will help you with all your GDPR cookie consent needs. The elegantly designed yet intuitive user interface and other handy features of this plugin are bound to impress you.

Policy Update and Data Breach Notifications

Policy update and data breach notifications are another crucial part of GDPR compliance. These notifications are especially important for websites that provide user accounts, collect customer information, or run newsletters.

If you have already changed the privacy policy of your website to make it GDPR compliant, it is best to alert your site visitors about the changes. Most GDPR compliance WordPress plugins contain a built-in notification system that automatically sends alerts to your site visitors.

What are the Consequences of not Complying With GDPR?

Organizations that violate GDPR face hefty fines. The fine imposed on an organization can be up to €20 million or 4% of the annual turnover of the previous financial year, whichever is higher.

But it is important to note that this is the maximum fine that can be imposed. Depending on the nature of the infringement, the supervisory authority can impose a smaller fine or take other action, such as issuing a reprimand. Still, GDPR is not something to be taken lightly. If you are a small business and are found non-compliant, these fines could prove disastrous.

Disclaimer: This content should not be treated as legal advice, and the article was not written by a lawyer. Website owners should seek legal advice if needed to learn what is best for their website or app and which further actions may be required to fully comply with the law.


Safwana is a technical content writer passionate about writing, WordPress, and writing about all things WordPress.
