WordPress has made some important changes in relation to the GDPR. The changes are part of WordPress’s effort to make it easier for their users to be GDPR compliant; however, simply using these tools does not in itself guarantee GDPR compliance.
Below we’ll go through the important GDPR features, how they can benefit you, their limitations, and how to address them. Let’s dive in.
While a full analysis of the provided starter text may require a separate article, at a quick glance it’s clear that some sections (e.g. the one covering the user’s rights over their data) are either incorrect or incomplete if you’re processing personal data under the provisions of the GDPR.
After that, select the services that apply to you:
Customize as needed, save and you’re done. You can read the dedicated guide, How to Generate a Policy, here.
The new comment feature now allows logged out commenters to set preferences for which personal details (name, email, website) are stored in a cookie on their browser.
You can find the option to enable this under Settings > Discussion.
Regardless of whether you decide to use the new comment feature, in order to be compliant you must ensure that you still have an active cookie management solution in place that meets legal requirements.
iubenda’s Cookie Solution meets all the provisions of the law while giving you the ability to extensively customize, optimize for consent acquisition and proofs of users’ preferences, view site metrics and more. Setting up with the Cookie Solution is made even easier with our dedicated WordPress plugin. For more information on how to integrate the Cookie Solution with your WordPress site, see the plugin installation guide.
The new data handling features allow you to easily export a ZIP file containing a particular user’s personal data, and to fully erase a particular user’s data, including the data collected by participating plugins.
The export feature sends a ZIP file containing a “mini website”: an index HTML page with the user’s personal data segmented into groups. Both features also make a new email-based method available to site owners for confirming personal data requests from both registered users and commenters.
While the Data Handling updates are easily among the most valuable and time-saving updates, they do have certain critical limitations that you should be aware of. The first is that they only automatically export the data collected by participating plugins. In other words, whether the export and erasure tools actually cover your data depends entirely on whether the plugins you’re using have hooked into the new export/erasure feature. They will not work with plugins that have not been modified to do this, or with old (non-updated) versions of plugins that might be in use on your site (in that case, of course, you can simply update those particular plugins to the latest version).
The truly problematic thing here is that (at the time of writing this post) no central repository exists that shows specifically which plugins have this feature integrated. Furthermore, no incentives were created to encourage plugin creators to implement the feature, meaning that very few plugins have likely gone through the trouble of reworking their code to add it.
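To make concrete what “hooking into” the feature means, here is an added example (not code from the original post or from any real plugin) of how a hypothetical plugin registers itself with WordPress’s personal data export and erasure tools via the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters. The plugin name, callback names and the user meta keys `example_optin` and `example_signup_ip` are constructed for illustration.

```php
<?php
// Added example: a hypothetical plugin that stores a newsletter opt-in flag and a
// signup IP in user meta, and exposes both to the WordPress Data Handling tools.

// Register an exporter so "Export Personal Data" includes this plugin's records.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => 'Example Newsletter Plugin',
        'callback'               => 'example_newsletter_exporter',
    );
    return $exporters;
} );

function example_newsletter_exporter( $email_address, $page = 1 ) {
    $user  = get_user_by( 'email', $email_address );
    $items = array();
    if ( $user ) {
        // Each item becomes one group in the exported "mini website".
        $items[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => 'Newsletter',
            'item_id'     => 'example-newsletter-' . $user->ID,
            'data'        => array(
                array( 'name' => 'Opt-in',    'value' => get_user_meta( $user->ID, 'example_optin', true ) ),
                array( 'name' => 'Signup IP', 'value' => get_user_meta( $user->ID, 'example_signup_ip', true ) ),
            ),
        );
    }
    // 'done' => true tells WordPress there are no further pages of results.
    return array( 'data' => $items, 'done' => true );
}

// Register an eraser so "Erase Personal Data" removes the same records.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => 'Example Newsletter Plugin',
        'callback'             => 'example_newsletter_eraser',
    );
    return $erasers;
} );

function example_newsletter_eraser( $email_address, $page = 1 ) {
    $user    = get_user_by( 'email', $email_address );
    $removed = false;
    if ( $user ) {
        $removed = delete_user_meta( $user->ID, 'example_optin' );
        $removed = delete_user_meta( $user->ID, 'example_signup_ip' ) || $removed;
    }
    // Data kept under a legal retention duty would instead set 'items_retained' => true
    // and explain why in 'messages'; the site owner sees this in the request report.
    return array( 'items_removed' => $removed, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```

A plugin that registers neither callback is simply invisible to the export and erasure tools, which is exactly the gap the paragraph above describes.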
It’s worth noting here though, that even if every single plugin on the WordPress site supported these features, not all of the user data you process is necessarily handled by plugins. For example, if you use a cloud service or external mailing list management system, the data handled by these will not be automatically pulled into WordPress’ new Data Handling system. This is a very important point to note as the Rights to Access and Erasure apply to ALL the applicable user data, not some. So relying on an incomplete mechanism, or only providing some of the data simply means that you’re non-compliant.
With that said, these new features will likely be sufficient if you’re the only one processing users’ personal data via the functionalities built into the WordPress platform itself, as in this way your compliance will not be dependent on whether or not various third-party plugins have integrated with the new feature.
Currently, the best option for addressing these issues is two-fold and involves mostly preliminary measures and manual effort.
Under the current system, if you use any third-party services to process personal data, outside of what’s covered by the WordPress Data Handling tools, you’ll need to apply some manual effort in identifying, exporting from relevant databases and making the data available, or erasing the data if so requested by the user. Generally, you’ll have an average of one month to comply (with some exceptions).
Take note that when fulfilling an access request, the data will need to be provided to the user in a common, easy-to-access format (e.g. a spreadsheet).
Additionally, when fulfilling an erasure request, it’s useful to inform the user beforehand that fully erasing their data will mean that your systems will no longer recognize them as a user (unless they somehow add their data to your systems again), and therefore you will be unable to fulfill any requests regarding that data after its deletion.
For more information on these WordPress features, read the Privacy section of the WordPress Plugin Handbook here.
These newest additions by WordPress indicate an acknowledgment of the importance of compliance and a willingness by the company to assist their users in meeting requirements. Ultimately, however, compliance is a custom venture and the responsibility (and liability) falls on you, the data controller, to properly assess your data processing activities and ensure that your systems and processes are compliant.
For this reason, based on our work surrounding the GDPR in the last few months, we’ve compiled the following list of GDPR-related resources and articles to further help you with compliance.
Did you know? The GDPR can apply to cookies, too. We have a plugin for that!