The Plain Language Guide to the GDPR

If you run a website and have been near the internet during the last few months, you’ve seen that the EU’s General Data Protection Regulation (GDPR) comes into effect 25 May 2018. But if you’re not located in the EU and you’re busy — and aren’t we all? — you may not have paid any attention.

Completely understandable.

You probably have perked up at the mention of fines for noncompliance, though — up to 4% of annual global turnover or €20 million (whichever is greater). Yikes.

That’s why we’ve put together this quick and painless guide to what you need to know about the GDPR.

(That said, this is a surface-level look and we’re not lawyers. So please talk to a legal professional if you need specific legal advice. And if you want to dig in deeper, there will be plenty of links throughout.)

Let’s get started at Square 1:

What is the GDPR?

The GDPR will regulate the way companies in the European Union, and those who do business with people in the EU, collect, store and use personal data. Under the GDPR, "personal data" is anything that can identify a living person: a name, an email or IP address, a photo or social media post, right up to sensitive data such as health information or a government ID number (the EU counterpart of a US SSN).

In its most elemental form, it can be boiled down to this:

All personal data must be collected and used on a lawful basis (for most small sites that means the customer's explicit consent, or the data being necessary to fulfil an order they placed), only for the purpose you told the customer about, and stored securely.

It also gives individuals in the EU a "right to erasure" and a "right to data portability," which means a person can require you to permanently delete their data or hand it over in a machine-readable form so it can be moved to another data controller. That means you need to know exactly what data you're collecting and where it's being stored, including copies held by your vendors, so that you can act on such requests.

My company isn’t in the EU. Why should I care?

The GDPR protects people who are in the EU, regardless of their nationality or where the business serving them is located (Article 3). If you offer products or services to people in the EU, or monitor their behaviour (website analytics counts), you need to comply with the regulation or risk the fines.

Fortunately, for most small e-commerce businesses, becoming GDPR-compliant isn’t as scary as it sounds.

The GDPR distinguishes between three profiles:

  • Data Subject: Any identifiable person whose personal data you hold: customer, employee, or site user.
  • Data Controller: The party that decides why and how personal data is processed. If you run the shop, that's you.
  • Data Processor: Any third party that handles personal data on your behalf and under your instructions: your hosting provider, a payment gateway, an email service such as MailChimp, or a plugin vendor whose plugin sends data to their servers. Software that runs entirely on your own server (WordPress core, WooCommerce, most plugins) is part of your own processing rather than a separate processor, but the moment a plugin ships data to the vendor's service, that vendor is a processor you have to vet.

If you run an e-commerce business, you’re a data controller. And you probably work with multiple data processors as part of your business.

Your responsibility as a data controller under the GDPR:

  1. Ensure that you obtain consent from customers about how you use, collect, and store their data
  2. Store that data securely
  3. Make sure you are only working with data processors who are GDPR compliant, and have a written data processing agreement with each of them

What do customer consent and secure storage actually mean?

It means that you need a lawful basis, which for anything beyond fulfilling an order means the customer's explicit permission, to gather, store, and use any bit of personal data: their name, address, IP address, demographic information, social media profiles, anything that identifies them.

Your WordPress site is already collecting personal data through user registrations, comments, contact form entries, analytics, security tools (which typically log IP addresses), and plugins. Make sure all visitors to your site understand what is being collected, what you're doing with it, how long you keep it, and that it's being securely stored.

Then, take every precaution you can to ensure that data can’t be easily breached.

Learn more: 6 Simple Ways to Increase WordPress Security

How to handle data consent under the GDPR:

  • Request the explicit consent of every user before collecting their data. This request for consent must be easy to understand and not buried; that means no pre-checked "I consent" boxes, no consent bundled into murky terms of service, and a separate opt-in for each distinct purpose (a newsletter is not the same thing as an order confirmation).
  • Keep a record of when, how, and to what each user consented. Under the GDPR you must be able to demonstrate that consent was given.
  • Inform users how you'll collect and store data with a clear and accessible privacy policy. (Examples here.)
  • Make it easy for users to request access and view the data you have collected on them. You have one month to respond to such a request.
  • Make it easy for users to withdraw consent and purge personal data. Withdrawing must be as easy as consenting was.
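The access and erasure requests in the last two bullets are the part most site owners have to actually build. The following is an added example, not code from the original article, showing how a WordPress plugin hooks its own data into the site's personal data export and erase tools so that a single request from the site admin covers the plugin's records too. It assumes WordPress 4.9.6 or newer (the release that introduced the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters), and it assumes a hypothetical plugin that stores newsletter opt-ins in a custom table named `wp_example_optins` with the columns shown; the table, its columns, and every `example_` function name are illustrations, not a real plugin's API.

```php
<?php
/**
 * Added example (not from the original article): register a personal-data
 * exporter and eraser for a hypothetical plugin that records newsletter opt-ins.
 * Assumes WordPress 4.9.6+ and an assumed custom table {prefix}example_optins
 * with columns id, email, ip_address, consented_at, source.
 */

// Exporter: return every record held for this e-mail address. WordPress calls
// this when an admin fulfils an access/portability request and bundles the
// result into the ZIP archive it hands to the data subject.
function example_optin_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_optins'; // assumed table name
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email, ip_address, consented_at, source FROM {$table} WHERE email = %s",
            $email_address
        )
    );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-optins',
            'group_label' => __( 'Newsletter opt-ins', 'example' ),
            'item_id'     => 'optin-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Email', 'example' ),        'value' => $row->email ),
                array( 'name' => __( 'IP address', 'example' ),   'value' => $row->ip_address ),
                array( 'name' => __( 'Consented at', 'example' ), 'value' => $row->consented_at ),
                array( 'name' => __( 'Source form', 'example' ),  'value' => $row->source ),
            ),
        );
    }

    // The table is small, so everything fits in one page; 'done' => true tells
    // WordPress not to call back for a second page.
    return array( 'data' => $export_items, 'done' => true );
}

function example_register_exporter( $exporters ) {
    $exporters['example-optins'] = array(
        'exporter_friendly_name' => __( 'Example newsletter opt-ins', 'example' ),
        'callback'               => 'example_optin_exporter',
    );
    return $exporters;
}
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_exporter' );

// Eraser: delete the records for this address. WordPress calls this when an
// admin fulfils an erasure request; report honestly whether anything was kept.
function example_optin_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_optins'; // assumed table name
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted, // false if nothing matched or the delete failed
        'items_retained' => false,           // set true, with a message, if law forces you to keep a record
        'messages'       => array(),
        'done'           => true,
    );
}

function example_register_eraser( $erasers ) {
    $erasers['example-optins'] = array(
        'eraser_friendly_name' => __( 'Example newsletter opt-ins', 'example' ),
        'callback'             => 'example_optin_eraser',
    );
    return $erasers;
}
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_eraser' );
```

Two design points worth noting. Both callbacks are keyed by e-mail address because that is how WordPress identifies the requester after confirming the request by e-mail, so the lookup must be on the same identifier you captured at consent time. And the eraser's `items_retained` flag exists for a reason: if you must keep a record (an invoice that tax law requires you to retain, for instance), report it as retained with a message rather than silently skipping it, so the data subject is told what was not erased and why.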

How do I know if my third-party vendors are GDPR compliant?

Third-party vendors have their own obligations as processors under the GDPR, but that doesn't mean you're off the hook. You're still responsible for ensuring the themes, plugins, and other vendors you're using are GDPR-compliant, and you must have a written contract with each processor (usually called a Data Processing Agreement, or DPA) setting out what they may do with the data.

How do you know?

The short answer is to do a search for the vendor + GDPR compliance and see what they've published. What you're looking for is a Data Processing Agreement you can sign and a statement of where they store your data; a blog post saying "we take privacy seriously" is not evidence of compliance.

Here are some you may already be using:

This seems pretty basic. Where can I learn more?

We’re glad you asked!


OK. For those of you who just skimmed to the end:

Here’s what you need to do before 25 May 2018 in order to avoid fines under the GDPR:

  1. Understand how you’re collecting data and where it’s being stored.
  2. Make sure you’re only collecting the data you need to do business.
  3. Provide crystal-clear terms of service and consent forms to tell your customers how you use their data, and keep a record of the consent they give.
  4. Check with all your third-party vendors to make sure they’re GDPR-compliant, and get a data processing agreement in place with each one.

Questions? Get in touch!