A Quick Guide to Data Protection Regulations in 2018

Posted on March 1, 2018 by in Resources | 20 comments

A Quick Guide to Data Protection Regulations in 2018

Every day, it becomes more normal for us to share personal information online. Right now, chances are high that multiple websites and online services have access to sensitive data about you. This can include your address, contact data, and even credit card numbers. As a website owner, you need to ensure that you’re treating your users’ data with the care you would want for your own information.

Data protection regulations are essential if we want to enforce higher security standards and transparency, both as customers and administrators. This article will give you a crash course on the two most important pieces of data privacy regulation in 2018. We’ll explain what they mean for you, and how to enforce them on your website. Let’s take a look!

What Data Protection Regulations Are (And Why You Should Care About Them)

Data protection regulations set rules for how and when you can collect personal information from your website’s users. Details such as email addresses, names, and IP addresses all fall under the category of personal data, and most websites collect at least some of this information.

For example, even if you’re running a very basic WordPress website, chances are it still uses cookies. These fall under the jurisdiction of some data protection legislation. This goes to show that you don’t need to enable user registration on your website to collect data from visitors. If you’re using a modern Content Management System (CMS), you’re already gathering this data whether you know it or not, so you need to inform yourself about the latest developments in data protection regulation.

As an internet user, it’s easy to see why such regulations are essential. Let’s break down the main reasons:

  • You probably share more information than you realize online. Most of us are signed up to dozens of services and websites, some of which ask for more personal information than others. Social networks are an example of this tendency taken to the extreme.
  • At the same time, it’s important for you to protect your privacy. Ideally, you should be able to check out how each website treats your data, and take that information into account when deciding whether to use it or not.

Once your information is out there, websites can share or sell it to third-party services. Those with malicious intent can even gain access to it after a data breach, which often results in massive databases of stolen information circulating around the web. All of this means that if you run a website, you may need to step up your game when it comes to security and transparency. Users have a right to know what happens with their information, and you may even have a legal obligation to inform them.

2 Data Protection Regulations You Should Become Familiar With

Before we dive into specifics, it’s important to note that we are not lawyers. If at any point you’re unsure whether certain legislation applies to you, or you think you may be liable for a breach of any of these regulations, you should consult with a professional.

To be fair, you probably don’t need to worry about fines for breaching these regulations unless you’re running a massive website. However, you should still take the time to read through them and understand how they work. That way, you can ensure that your website is always fully compliant with any applicable legislation.

1. The General Data Protection Regulation (GDPR)

An informative page concerning the GDPR.

The The General Data Protection Regulation (GDPR) was created in December 2015, and designed to ensure the right of EU citizens to basic data protection standards. It was ratified in early 2016, replacing the erstwhile Data Protection Directive (1995-2018), and it will become enforceable on May 25th, 2018. That means you still have a little time to acquaint yourself with this regulation, and figure out what you need to do in order to comply with it.

Lately, the GDPR has generated a considerable buzz online, since it’s the most comprehensive set of rules for data privacy drafted so far. This legislation’s primary goal is to create a set of easy-to-follow rules for the entire EU, which uphold the highest standards of data privacy.

Why You Should Care About the GDPR

Despite being an EU regulation, the GDPR will apply to any site that collects data from EU citizens. This means that if you’re running a WordPress website with registration enabled, and some of your users reside in the EU, the GDPR technically applies to you.

You might still be tempted to ignore this legislation if you operate elsewhere, but remember that its main goal is to protect EU citizens. Since non-EU businesses also need to comply with the GDPR, it stands to reason that you could get fined for breaching its rules, no matter where you’re based.

The GDPR can impose several types of penalties. For example, you could get fined 2% of your worldwide annual revenue for failing to disclose a data breach, or up to 4% for failing to ask for user consent when storing data. These are steep fines. However, the good news is that complying with the GDPR is relatively simple.

What You Need to Do to Comply With the GDPR

The GDPR is a massive piece of legislation, but we can ultimately boil down its contents to the six fundamental rights it grants to users. Here’s what they are and how to comply with each of them:

  1. Breach notification. Under the GDPR, you must inform your users within 72 hours if any breach occurs that might compromise their data.
  2. Right to access. Users have a right to access the information you have about them.
  3. Right to be forgotten. Your users have the right to ask you to delete their accounts and all personal information you have. You may also need to cease sharing that information with third-party services.
  4. Right to portability. Users will be able to request that you forward their records to other ‘controllers’ or services if need be.
  5. Privacy by design. You may be held liable for data breaches if your system isn’t secure by design. In other words, you can be held responsible for failing to take precautions to protect user information.
  6. Data protection officers. If you handle massive amounts of user information or sensitive data, such as criminal records, you’ll need to work with a Data Protection Officer (DPO).

That’s a lot of information to process. However, as you can see, most of those rights are relatively simple to enforce. We’ve already talked about how to comply with user account deletion requests in the past, as well as how to create privacy policies. Other clauses, such as informing your users about data breaches, simply require you to send an email notification. Complying fully with the GDPR may take a little work, but it’s very achievable for nearly any website.

2. The ePrivacy Regulation

The ePrivacy Regulation is a piece of legislation that is still in the middle of its approval process. It should be approved during the 2018-2019 period, however. Its main goal is to complement the GDPR. To put it another way, the GDPR’s primary focus is on protecting your personal data. The ePrivacy Regulation, on the other hand, is all about your right to privacy as an individual.

Just as the GDPR supersedes the Data Protection Directive, the ePrivacy Regulation will act as a replacement to the Cookie Law (also known as the 2002 ePrivacy Directive). In case you haven’t heard of it, the Cookie Law requires you to inform users if you intend to collect private information via cookies. It also gives visitors the right to refuse cookies when you notify them.

Before we move on, let’s briefly discuss the difference between a regulation and a directive within the EU. Regulations approved by the EU automatically become enforceable within all member states. However, directives simply specify a goal, and members are free to use to use the methods they want to achieve it. In other words, replacing the ePrivacy Directive with the ePrivacy Regulation is meant to make things easier for regulatory bodies.

Why You Should Care About the ePrivacy Regulation

The new ePrivacy Regulation is a complement to the GDPR in more ways than one. For example, the regulation will share the same fine system outlined for the GDPR.

Also, if you have users or customers located within the EU, you can be held liable for breaches. This means that you will almost certainly need to adapt to it, no matter where you’re located.

What You Need to Do to Comply With the ePrivacy Regulation

Keep in mind that the ePrivacy Regulation is still not in effect. That means it could be subject to change before it actually passes. However, as it stands now, here are the main stipulations you’ll need to adjust to:

  • Consent for cookies. You will still need to ask users to consent to accept the use of cookies. It doesn’t make a difference if the cookies originate from your website or third-party services.
  • Consent for online marketing. You will now need to ask users for their consent before you contact them with any online marketing.
  • Cross-platform ad targeting is out. Under the new ePrivacy Regulation, you will need to ask for users’ consent to use their private data across platforms. In other words, cross-platform ad targeting will become a lot more complicated.

When you boil it down, the ePrivacy regulation is all about consent. Users have a right to online privacy until they specify otherwise, and you can’t take consent for granted. If a lot of your business comes from online marketing, you’ll have to stay away from avenues such as cold emails, for example. We recommend keeping an eye on the latest news about this regulation as it becomes finalized.


A lot of people play fast and loose with the information users entrust to their websites. However, this can be a dangerous game to play. Something as simple as not including a privacy policy on your site is often enough to breach existing regulation.

In other words, you need to be aware of what the latest data privacy regulations are. Otherwise, you won’t be able to keep your users’ information secure. These two recent pieces of legislation are a great place to start:

  1. The General Data Protection Regulation (GDPR)This regulation focuses on the protection of EU citizens’ private data.
  2. The ePrivacy RegulationThis related law is all about the right to privacy itself.

Do you have any questions about how these data protection regulations affect you? We’re not lawyers, but let’s talk about it in the comments section below!

Article image thumbnail by Chris Bain / shutterstock.com.


  1. So I develop a website for a customer who wants to gather data with an application form on the site. The site stores that data in the database on a shared hosting server. With the GDPR looming, I suggest the customer might want to get aligned with new regulations and pay me to add a privacy statement to the form, maybe an opt in check box, and an SSL certificate. What do I do if she refuses? Who is responsible for that data, the client, the developer or even the hosting service?

    • Because a lot about GDPR isn’t 100% clear yet, I’ve put a number of website jobs on hold. As I understand it, both you and the client are responsible for a lot of things.

      For example, as long as you’re responsible for maintaining the site, you’re accountable for any breaches that occur because you didn’t keep the site up-to-date and secure, but the client will be equally accountable.

      For you, this boils down to installing updates for any and all themes and plugins as well as WordPress core as soon as possible after release.

      Also, the hosting party will need to sign an agreement with your client and/or you on how they handle the data that’s submitted via the site (stored on and/or transferred through their servers) and their data protection policy (also regarding breaches).
      You will need to sign a similar agreement with your client. This means more paperwork, and you can’t just draft something yourself as you need to be sure your behind is covered.

      The way I see it, to answer your question, is that if a client doesn’t want to comply with GDPR, you might want to err on the side of caution and let that client go. It’s simply a big risk you’re taking, especially as long as it’s unclear how strictly the GDPR will be enforced.

    • If you’re creating an application form then presumably it’s for someone to sign up for a service so the lawful basis for collecting information would be based on contractual obligations not on the basis of consent so you wouldn’t need to have positive affirmation to collect someone’s data in that manner. There’s a full guide to the law on the U.K’s information regulator website:

      Obviously someone would still need to be responsible for deciding who is responsible for storing the information in a way that ensures it’s safety but that would be for you and your client to decide who is responsible for that. As long as you’ve informed them of their obligations, if they don’t take you up on the offer of compliance, that’s on them.

  2. This is quite useful information for sure but to come to specifics. what does this mean as far as I am concerned and my site. What am I required to do?

    • John Hughes

      Hello, Ngobesing. Thanks for your comment. That would depend entirely on how your site is configured and what content it contains. We won’t be able to provide specifics unless we know more specific details of your site. This article presents a general overview of data regulations. Hope this helps 🙂

  3. Great, thanks for putting it together. Are there already example texts or even plugins around that can be used?

  4. This was a very well written article, everything in a nutshell. Thanks for the info.

    • John Hughes

      Thanks, Denver. You’re very welcome. 🙂

  5. One problem I have with blogs on ET is that people ask very good questions in their replies and often there are NO answers to their questions. There is not even a semi-polite response to tell them where to go or how to fill out a support request. So, if the information is good but not complete, what do we do?

    • John Hughes

      Hello Randy. Thanks for your comment. Is there a specific question we can help you with? If you wish to lodge a support ticket, you can do so via the following link:


  6. Thanks for summing up the Data Protection Regulations in 2018.
    At many sites I visit there is a popup informing me that the site uses cookies and asking for me to accept. My sites are built on WordPress. Do you know of a way to add that popup?

    • Just search for “Cookie Law” in the Plugins section of WordPress, there are loads of plugins that are quite customisable. CivicUK have a popular one on their website.

    • John Hughes

      Hello Neil. You’re welcome, and thanks for the question. You could notify visitors to your WordPress site of the use of cookies by using the Cookie Notice by dFactory plugin. You can find out more and download the plugin via the following link:


  7. This is a very informative post by John, considering that even though the deadline is fast approaching, there are many aspects of GDPR that haven’t been clarified or addressed. I’m based in the UK and in my industry – virtual assistant – this is a nightmare scenario as we could be data owners or processors dependent on circumstances. The dots are nowhere near being joined up. And don’t forget, it’s not just the websites you build or client work, it’s the data you hold in your personal email lists which has to be compliant.However, if I may suggest, the website for the The Information Commissioner’s Office in the United Kingdom https://ico.org.uk/ has a great checklist detailing what you need to be doing to be compliant. The Direct Marketing Association is also excellent on this topic https://dma.org.uk/gdpr. This is the UK based organisation, but they are also based worldwide. Also, a lot of the big US based organisations who handle data and have an interest in being compliant also have useful non-EU relevant information. I’m talking about the likes of Mailchimp, Hubspot, Buffer, Dropbox and Google.
    From these resources, you should be able to put together a good case/explanation for your clients as to why GDPR DOES apply to them whether they’re based in Massachusetts or Manchester.
    I will not work with anyone now who does not accept the principles of GDPR and comply with them. This is coming to the internet of things in all respects – not just GDPR and now is as good a time as any to get yourself ahead of the game. I, and many of my colleagues, are taking the view that as long as you are seen to be doing your best to meet the criteria and have a good data protection policy adhering to the known knowns, I will deal with the unknown unknowns as they arise and try to get guidance.

    You might also want to consider reassessing your cyber insurance too – a breach of data could be very expensive.

    • John Hughes

      Hello Debby. Thanks very much for your comment and the additional resources. Taking the time to ensure your site is GDPR compliant is critical, especially with the deadline fast approaching! 🙂

  8. Great post! I had no idea this was a thing. I learn so much from this blog.

    • John Hughes

      Thanks Paul. You’re very welcome.

  9. Divi for example does not meet the requirements of GDPR (for example how Google wenfonts are implemented). Will the theme be updated? Or has the whole stuff to be done manually with child themes and custom functions etc.?

    • Hi Edi,

      We are currently working on making sure our products and service are fully compliant with GDPR according to the compliance regulation enforcement date. We have no time frame on when this will be done at this time, however, it will be reflected in our terms of service once this has been done.

  10. One thing I’m solely focused on as an internet marketer dedicated to the side hustle is keeping my content backed up. It’s a good thing to know that MySQL offers database backup options through phpmyadmin. I hate to wake up one day and find out that my site is knocked offline and content going and haven’t start everything over again fresh from scratch.

Leave a Reply

Comments are reviewed and must adhere to our comments policy.

488,929 Customers Are Already Building Amazing Websites With Divi. Join The Most Empowered WordPress Community On The Web

We offer a 30 Day Money Back Guarantee, so joining is Risk-Free!

Sign Up Today

Pin It on Pinterest