What to Look For in a WordPress GDPR Plugin (To Stay Compliant)

On the 25th of May 2018, the European Union (EU) began enforcing the General Data Protection Regulation (GDPR). As you likely know by now, the aim of this regulation is to protect the data and privacy of all individuals within the European Union and the European Economic Area.

For organisations in the EU, or that serve EU residents, a failure to comply with this regulation can result in a fine of up to €20 million.

Any website serving EU residents must be GDPR compliant. Many consider the GDPR to be the new global standard for data policy, meaning that even if it doesn’t directly affect you yet, it likely will in the future. Every website administrator would therefore be smart to change how they handle people’s data now.

GDPR Features Built-In to WordPress

The core WordPress software has been updated to include GDPR enhancements that make websites compliant on a basic level.

Here are the major new updates to the core WordPress software to assist with GDPR compliance:

  • Privacy policy creation tool: While you’ve always been able to write your own privacy policy, you now have a built-in template to build from. This feature generates a privacy policy based on the themes and plugins you have installed. You can access it under Settings in the WordPress dashboard.
  • Comment consent: By default, WordPress stores commenters’ names, emails, and website URLs in a cookie. Because of the GDPR consent requirement, WordPress added a checkbox that lets commenters consent to this information being stored.
  • Data handling: Users can now request an export or deletion of the personal data stored about them in WordPress. You can access this functionality under Tools in the WordPress dashboard.

All of this said, not all WordPress plugins are GDPR-compliant out of the box. If you are directly affected by GDPR, consult a specialist or internet law attorney when choosing and implementing compliance solutions.

Past that, there are several things to consider when choosing a WordPress GDPR plugin to assist your efforts:

Erase and data export feature

Most websites collect, process, and store user data to some extent. Under GDPR, you must respect these three elements in order to stay compliant:

  • Right to Access: Users should be aware of what data is being collected, what data is being processed, and what data is being stored. As a result, the website must be transparent about how it handles each of these.
  • Right to be Forgotten: Users should be able to request the deletion of any personal information they have provided to a website. If requested, this should also prevent the same kind of data from being collected and processed again, which can be accomplished by giving users a process for withdrawing their consent to the use of their data.
  • Data Portability: Users should be able to download the personal data they have previously shared with a website, so that they can manage it elsewhere.

To comply with these data handling requirements introduced by GDPR, your WordPress website and the plugins it uses should provide features that let users see and control their data. The site should also fulfil any user request to delete or export personal data, ideally without requiring your manual intervention.

WordPress GDPR plugin Privacy WP plays well with the new built-in data erasure and export features offered by the core WordPress software.

Consent Management

GDPR states that natural persons may leave online traces which, combined with unique identifiers, can be used to create profiles and identify them.

You may be familiar with the most common personal identifiers on the internet: cookies. Under GDPR, cookies are also treated as personal data, and their use is regulated accordingly.

To stay GDPR compliant, users must be informed about the use of cookies, and a popup (or another similar mechanism) must let them give, deny, or withdraw their consent.

As a result, a good WordPress GDPR plugin must include some type of cookie consent banner, popup, or notification on the website.
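The give/deny/withdraw flow described above, as an added illustration that is not Privacy WP or any real plugin: a small WordPress plugin that records the visitor’s choice in a cookie, shows a banner until a choice exists, always offers a way to reverse it, and loads a non-essential analytics script only after consent. The cookie name, form field names and the `analytics.js` handle are assumptions.

```php
<?php
// Added example, not Privacy WP or any real plugin. The cookie name, form
// field names and the analytics.js handle are hypothetical.
const EX_CONSENT_COOKIE = 'ex_cookie_consent';

// The visitor's recorded choice: 'yes', 'no', or null if never asked.
function ex_consent_state() {
    if ( ! isset( $_COOKIE[ EX_CONSENT_COOKIE ] ) ) {
        return null;
    }
    return 'yes' === $_COOKIE[ EX_CONSENT_COOKIE ] ? 'yes' : 'no';
}

// Record the choice from the banner form: give, deny, or withdraw consent.
// Runs on init, before any output, so the Set-Cookie header can still be sent.
add_action( 'init', function () {
    if ( ! isset( $_POST['ex_consent_choice'] ) ) {
        return;
    }
    check_admin_referer( 'ex_consent_action', 'ex_consent_nonce' ); // rejects forged posts
    $choice = 'yes' === $_POST['ex_consent_choice'] ? 'yes' : 'no';
    setcookie( EX_CONSENT_COOKIE, $choice, time() + YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    $_COOKIE[ EX_CONSENT_COOKIE ] = $choice; // make the new state visible to this request
} );

// Non-essential scripts (here: analytics) load only after explicit consent.
add_action( 'wp_enqueue_scripts', function () {
    if ( 'yes' === ex_consent_state() ) {
        wp_enqueue_script( 'ex-analytics', plugins_url( 'analytics.js', __FILE__ ), array(), '1.0', true );
    }
} );

// Banner until a choice is stored; afterwards, a control to reverse it.
add_action( 'wp_footer', function () {
    $state = ex_consent_state();
    echo '<form method="post" class="ex-consent">';
    wp_nonce_field( 'ex_consent_action', 'ex_consent_nonce' );
    if ( null === $state ) {
        echo '<p>This site would like to set analytics cookies. Do you consent?</p>';
        echo '<button name="ex_consent_choice" value="yes">Accept</button> ';
        echo '<button name="ex_consent_choice" value="no">Decline</button>';
    } elseif ( 'yes' === $state ) {
        echo '<button name="ex_consent_choice" value="no">Withdraw cookie consent</button>';
    } else {
        echo '<button name="ex_consent_choice" value="yes">Allow analytics cookies</button>';
    }
    echo '</form>';
} );
```

Withdrawing consent stops the script from loading on later page views; cookies the analytics script already set would still need to be expired separately.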

Privacy Policy Configuration

GDPR requires websites to disclose everything they do with a user’s personal data, including processing and storage, which is why a privacy policy page with complete information is necessary. A privacy policy is also mandatory under many other global privacy laws, making it one of the most important documents you can create for GDPR compliance. It lets your website be transparent with the users who visit it.

Of course, it’s no longer necessary to install a plugin for this task alone, as the functionality is now built into the core WordPress software.

Data Security Measures

Under GDPR, all data collected, processed, and stored must be protected by good security measures, regardless of whether the website belongs to a large or small business. In this respect, security measures must include proper monitoring and user activity logging.

Under GDPR (Article 32), website owners must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in order to protect the rights and freedoms of users. Security monitoring helps you prevent a data breach, or identify the culprit if someone does manage to break into your website and access user data.

Being able to review user activity logs lets website owners see who was on the website during a data breach, which can be useful evidence for a related investigation.

Works in Tandem with Third-Party Services

Integrating with third-party services lets users obtain one comprehensive report of all the data a particular website collects about them (including data held off-site), and manage the data they have shared with those services.

While WordPress now offers the built-in ability to export or erase data from your website, it cannot handle related data stored elsewhere. Under GDPR, users who want to export or erase their data should have access to ALL data that the business or the website gathers. This includes any data collected by the third-party services integrated with your WordPress website.

For example, if your website is integrated with MailChimp, users should have the ability to remove their accounts from your mailing list or manage the personal data they’ve provided.

Privacy WP allows you to complete this process. It allows you to properly interact with these third-party sites, assembling all the data collected into a single location. You can then manage all of this stored data in one location, as needed. Using a WordPress GDPR plugin like Privacy WP improves data handling management that corresponds to GDPR.
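The export and erasure requirements from the "Erase and data export feature" section, extended to the third-party case discussed here, as an added example that is not Privacy WP or any other real plugin: a small WordPress plugin that hooks the core `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters so that Tools > Export Personal Data and Tools > Erase Personal Data also cover a subscriber record held by a mailing-list service. `ex_newsletter_lookup()` and `ex_newsletter_unsubscribe()` are hypothetical stand-ins for that service’s API client.

```php
<?php
// Added example, not Privacy WP or any real plugin. ex_newsletter_lookup() and
// ex_newsletter_unsubscribe() are hypothetical stand-ins for a mailing-list API.
function ex_newsletter_lookup( $email ) {
    // Would query the third-party service; return null when not subscribed.
    return array( 'email' => $email, 'subscribed_on' => '2018-06-01', 'lists' => 'weekly' );
}
function ex_newsletter_unsubscribe( $email ) {
    return true; // true only once the service has confirmed removal
}
// Exporter: core calls the callback per exporter and requested email address and
// merges the returned items into the export file under Tools > Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['ex-newsletter'] = array(
        'exporter_friendly_name' => 'Newsletter subscription (third-party)',
        'callback'               => function ( $email_address, $page = 1 ) {
            $record = ex_newsletter_lookup( $email_address );
            $items  = array();
            if ( $record ) {
                $items[] = array(
                    'group_id'    => 'ex_newsletter',
                    'group_label' => 'Newsletter subscription',
                    'item_id'     => 'ex-newsletter-' . md5( $email_address ),
                    'data'        => array(
                        array( 'name' => 'Email', 'value' => $record['email'] ),
                        array( 'name' => 'Subscribed on', 'value' => $record['subscribed_on'] ),
                        array( 'name' => 'Lists', 'value' => $record['lists'] ),
                    ),
                );
            }
            return array( 'data' => $items, 'done' => true ); // single page of results
        },
    );
    return $exporters;
} );
// Eraser: report truthfully whether data was removed or retained, so the
// erasure report the admin sends to the user is accurate.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['ex-newsletter'] = array(
        'eraser_friendly_name' => 'Newsletter subscription (third-party)',
        'callback'             => function ( $email_address, $page = 1 ) {
            $found   = (bool) ex_newsletter_lookup( $email_address );
            $removed = $found && ex_newsletter_unsubscribe( $email_address );
            $msgs    = $found && ! $removed ? array( 'Mailing-list service did not confirm removal.' ) : array();
            return array( 'items_removed' => $removed, 'items_retained' => $found && ! $removed,
                          'messages' => $msgs, 'done' => true );
        },
    );
    return $erasers;
} );
```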


Final Thoughts: What to Look For in a WordPress GDPR Plugin (To Stay Compliant)

At this point in time, no WordPress GDPR plugin can provide 100% compliance with the requirements set forth by this new data regulation. As a result, it’s not enough to download and activate a plugin to handle GDPR compliance; you’ll have to do some due diligence to ensure that you’re compliant across every medium where your company collects or uses personal data.

Take most of the guesswork off your plate when it comes to handling third-party integrations with Privacy WP by Amplify Plugins.

Maddy Osman

Maddy Osman is an SEO Content Strategist who works with clients like AAA, Automattic, Kinsta, and Sprout Social. Her background in WordPress web design contributes to a well-rounded understanding of SEO and how to connect brands to relevant search prospects.