There’s A New Kid On The Block
And one that you perhaps shouldn’t ignore!
Who Is It? GDPR
Data protection and privacy aren’t necessarily considered or discussed as part of WordPress development or implementation. But there’s a new piece of legislation being enforced from May 2018 that may change all that.
What Is It?
General Data Protection Regulations, or GDPR for short. They are an update of existing data protection and, in part, privacy legislation, but take into account current technologies and the way we work with them, both now and in the future. wPUPdate.co.uk was formulated in the knowledge that the legislation was pending and is here to help, guide and assist organisations with the transition.
Who Will Be Affected?
It applies to EU citizens’ personal data regardless of where the controlling or processing of that data takes place. This means that countries outside of the EU (including the US and an independent UK) would have to apply GDPR for client data where the client is in the EU.
WordPress
It surely can’t affect me or my organisation, it’s just a website! Let’s look in a little more detail.
In order for the legislation to apply, the information firstly needs to be ‘data’. In the case of WordPress it is data because it’s information processed, or intended to be processed, wholly or partly by automatic means (e.g. on a computerised system, by software).
Secondly, it needs to be personal data: any information that relates to or identifies us as living individuals (‘natural person’ under GDPR). So think beyond just names, addresses and phone numbers. To add to the mix, there is also an additional ‘classification’ of sensitive personal data, which is used for what could be determined as even more private information about us, for example religion, ethnic or racial origin etc. (not the full list).
Having established that WordPress is likely to be storing personal data and is therefore subject to the legislation, let’s determine who is responsible for deciding the way in which data is to be stored. Or, to put it in a more formal way, a “person” recognised in law, i.e.
a. an individual; or
b. an organisation; or
c. a corporate or unincorporated body of persons
who makes that decision is known as the ‘Data Controller’. Being a Data Controller comes with legal obligations and a set of principles (articles in GDPR) that need to be adhered to. Not complying with the legislation can have massive implications.
If you are using, or propose using, a third party (anyone that does not work for the data controller) for processing the personal data, perhaps for content updates, email campaigns or e-commerce payment processing, then they are the ‘Data Processor’ under the legislation. Yes, you’ve guessed it – the controller/processor arrangements are also covered in both the current legislation and GDPR.
Oh, and you cannot simply collect personal data (whichever classification) just because WordPress lets you – you have to be able to demonstrate and document your reasons for doing so.
If your website processes personal data and it is registered by a UK organisation or individual then it is bound by the data protection and privacy legislation.
It’s Not Until 2018 – I Can Wait!
Can you really?
Although there may be 11 calendar months to go, as I update this post on 25th June 2017, you’ll find it is more likely less than 234 business days away, less any holiday allowance. Please remember that the legislation doesn’t just cover WordPress websites, it covers your whole organisation.
GDPR – Don’t
- Assume that it will not affect you or your business
- Wait until 2018 to act
- Do nothing
- Believe that it will just go away – it won’t!
