GDPR and WordPress: Become GDPR compliant

Make your WordPress backup plugin GDPR compliant with BackWPup.

Since May 25th, 2018, the GDPR, which protects personal data, has been in force. By now nearly everyone has heard of it; the first warning letters have been sent. We take a look at GDPR and WordPress: what do you have to take care of?


About two years ago, the EU announced the changes the General Data Protection Regulation (GDPR) would bring; it was to be applied from May 2018. But what exactly does GDPR change, and what does it mean for WordPress? As a German WordPress VIP agency we have to deal with GDPR a lot, as you do if you work with WordPress and personal data. That’s why we sum up the most important facts about GDPR and the changes made to WordPress because of it. We also show how you can find out whether a WordPress plugin is GDPR compliant or not.


Table of Contents:

Part 1: The Overview: The most important Facts about GDPR
1) Well, what exactly are personal data?
2) What about the Scope of GDPR?
3) Who’s affected by GDPR?
4) GDPR main Goals
5) GDPR Purpose
6) What do I have to do to become GDPR compliant?
Conclusion Part 1

Part 2: GDPR and WordPress
1) WordPress reactions on GDPR
2) GDPR Audit: How do I check whether a WordPress Plugin is GDPR compliant?
Level 0: Widespread, half done
Level 1: Check out Documentation
Level 2: Use It!
Level 3: Inspect the Code
Summary Part 2


The Overview: The most important Facts about GDPR

First of all a short overview about GDPR and the changes coming along with the new law.

1) Well, what exactly are personal data?

According to the GDPR, personal data are:

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

2) What about the Scope of GDPR?

The GDPR applies as soon as somebody collects or processes personal data. For example, the routine storing of IP addresses by web servers already counts as processing personal data.

3) Who’s affected by GDPR?

GDPR affects all companies with their head office in the EU. Moreover, all companies that work with EU citizens’ personal data to offer goods or services have to adhere to the new law. Besides that, the GDPR affects all companies that observe the behavior of people living in the EU, as well as all authorities of EU countries.

Small and medium-sized companies are in some cases exempt from some of the GDPR obligations.

But beware: it is not only companies that are affected. According to Art. 2 GDPR, the only exception is natural persons processing data in the course of a purely personal or household activity. In other words: GDPR also affects associations and other organizations.

4) GDPR main Goals

GDPR aims at unifying data protection law across the EU, so all EU countries have to align with it. Alignment is not uniformity, though: GDPR contains a number of opening clauses. Media and press law, for example, remains regulated by each individual country (see Art. 85 GDPR).

So, on the one hand the unification guarantees that all personal data in the EU are protected. On the other hand, the free flow of data inside the EU is ensured, too.

5) GDPR Purpose

GDPR strengthens:

  • the right of users to be informed about the data collected about them
  • the right to object
  • the rights to rectification, erasure and restriction of processing
  • the right to data portability

6) What do I have to do to become GDPR compliant?

Briefly summarized, organizations need to:

  • tell users who they are, why they collect data, how long they keep the data and who has access to them;
  • always obtain clear permission before collecting data;
  • give users the possibility to access their data, to take them away and to have them deleted;
  • inform users in case there is a data breach.

So, organizations need to implement both technical and organizational measures to protect personal data (see also privacy by design and privacy by default). Depending on the type and amount of collected data, the processing and the reasons for the collection, organizations have to implement different levels of security measures. One measure, for example, is to collect as little personal data as possible. And they have to be particularly careful when collecting and transmitting personal data.

Unfortunately, we cannot list all measures, or more detailed ones, to become GDPR compliant, as we are not legal advisors. But many others have already given good insights into what to do to become GDPR compliant. For example, take a look at the EU website about the most important changes due to GDPR or the overview about rules for businesses and organizations.

Conclusion Part 1

For EU citizens the GDPR offers a couple of benefits. The new regulation guarantees their rights when it comes to collecting and working with their personal data. Moreover, EU citizens have more say in how their data are used. However, many aspects of the regulation’s implementation are still unclear; in particular, technical practicability remains an open question on some points.

A lasting effect of GDPR is that everyone who collects and works with personal data starts to think about where they collect which data and for what purpose. This way they exercise their due diligence, which in our opinion is both necessary and desirable. Take a look at another GDPR summary made by the EU.


GDPR and WordPress

The second part of our blog post gives an overview of how the WordPress developers implement the GDPR requirements in the most popular CMS.

1) WordPress reactions on GDPR

In April 2018, it was announced on the WordPress.com blog that there would be some adjustments to help implement GDPR on WordPress websites. There is now a GDPR Compliance Team whose aim is to help WordPress-based websites become GDPR compliant. The team focuses on creating a comprehensive core policy, plugin guidelines, privacy tools, and documentation.

More precisely, functionality is added to help website owners create a comprehensive privacy policy. Furthermore, website owners get new administration tools which simplify GDPR compliance and support users’ privacy in general. New documentation gives website owners all information about data protection and the basic GDPR requirements, and explains how to use the new data protection tools.

Besides the assistance for website owners, developers also get help implementing the GDPR requirements. For example, there is a new section in the plugin handbook about privacy, with general information about users’ privacy and what a plugin should (and shouldn’t) do to be GDPR compliant. It also contains tips and examples of the correct usage of the new WordPress data protection functionality. The GDPR roadmap gives an overview of all changes.

Finally, WordPress version 4.9.6 contains the functionality that simplifies the creation of GDPR compliant WordPress websites. Website owners can find it in the admin area under “Tools”.

GDPR and WordPress – The Changes in Detail

For comment forms, site operators can now show a checkbox that users can tick if they want their data to be saved for their next visit. This way users who are not logged in can decide whether their data should be pre-filled in the comment form on their next visit or not.

Additionally, website owners can now designate a privacy policy page, which WordPress displays automatically on the login and registration pages.

In WordPress version 4.9.6, the developers integrated an erase function for personal data. This way website owners can delete all personal data that WordPress or plugins have stored about a person.

WordPress also helps website owners create an overview of stored personal data on request. There is now an export tool which creates a zip archive with all stored information about one person. To make sure that the request really came from that person, website owners can send an email with a confirmation link.

2) How do I check whether a WordPress plugin is GDPR compliant?

Some plugins are already GDPR compliant, some are not. That’s why a GDPR audit of your plugins, and of your theme as well, is very important. The aim of the GDPR audit is to answer the following questions:

  • Are sensitive data stored?
  • Does the plugin or theme process sensitive data?
  • Does the plugin or theme transfer personal data?
  • Who has access to the data, and who can edit or delete it?
  • How long is the collected data stored?
  • Do users have access to their data, and can they edit or delete it?
  • Are the stored data protected against unauthorized access?

To make a comprehensive GDPR audit, we recommend four levels of analysis with increasing complexity: with each higher level, the time necessary for the analysis increases. Sometimes the answers at one level are incomplete, in which case you need to continue the analysis at a higher level.

The last level provides a full answer, but usually takes quite a long time. So let’s take a look at all levels and find out how we can answer the questions above.

Level 0: Widespread, half done

The first level (we call it level zero) might not be feasible for everyone, as it requires that you are free to choose the plugin or theme. It simplifies the analysis, because when you can choose software that is widely used, the chance is much higher that it fulfills the GDPR requirements. At the least, such software can usually be adjusted or extended to comply better with the GDPR requirements.

So take your time and search carefully for widely used plugins and themes.

Level 1: Check out Documentation

The next level is again about research. Check out the official documentation of the plugin or theme providers. Usually the authors want to provide all details about the information the software collects and how these data are administered.

It’s possible that comprehensive information in the form of official communication, blog entries, tutorials or similar texts is enough for the purpose of the audit. Sometimes the information is not given directly by the author but by other users. However, if the source isn’t reliable enough, you should perform analysis level 2 in order to get a full answer to all questions.

Level 2: Use It!

The second level means: install the plugin or theme and test it comprehensively! Use all features that might be relevant to the handling of personal data.

In particular you need to analyze all settings, and therefore all forms in both the backend and the frontend, to understand which data are required and how they are used. The usage analysis aims at understanding the nature of the data involved, but also the workflow: how these data are administered and processed.

Take a careful look at all options the software offers. In some cases they decide whether users’ personal data are handled in a GDPR compliant way. That’s why knowing all the functionality is of fundamental importance to avoid possible infringements: specific settings can turn non-compliant software into GDPR compliant software.

However, in some cases the usage analysis isn’t enough and another step is required: the code check. Some scripts might act silently, enable the tracking of personal data and violate the GDPR. Depending on the type of plugin, it might be a good decision to perform the last analysis level in order to identify scripts that transfer personal data or store it on the server.

Level 3: Inspect the Code

Analyzing the code structure directly reveals the software’s whole functional mechanism, gives hints about the workflow and shows how user privacy is handled when personal data are administered. If users enter data directly, it is possible to analyze how the software processes the data and whether it is transmitted or stored. Data storage can be checked immediately by inspecting the tables the software creates in the database.

But the filesystem on the server can contain personal data, too. Depending on the tasks the software performs, it can be useful to check whether personal data are stored in the filesystem, for example in log files.

Finally, to complete the audit, you need to check whether personal data are transmitted to external servers.

3.1 Check database/filesystem

Reviewing the database and the tables the software installs gives a quick overview of the data the software stores. This way it is possible to look at the nature of the data and how it is stored, including, for example, whether the data are encrypted or not. Similarly, all processes that store files in the filesystem need to be analyzed to understand which data are stored and how they are retrieved.
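The database and filesystem checks described in section 3.1 (and in the introduction to level 3 above) can be partly automated. The following script is an added example and not code from the original post or from WordPress: it flags columns in a plugin’s table definitions whose names suggest personal data, and scans server-side log text for IP addresses and e-mail addresses. The schema, the log lines and the list of column-name tokens are all constructed assumptions for this example; the real input would be the output of SHOW CREATE TABLE and the plugin’s own log files.

```python
"""Added example (not from the original post): heuristic checks for the
database and filesystem part of a plugin audit. Flags table columns whose
names suggest personal data and scans log text for IP and e-mail addresses.
The schema and log below are constructed; the token list is an assumption."""
import re

# Column-name tokens that commonly hold personal data (assumed heuristic list).
PERSONAL_TOKENS = {"email", "mail", "ip", "name", "phone", "address", "agent", "birth", "dob"}

# Lines inside a CREATE TABLE body that define keys rather than columns.
CONSTRAINT_PREFIXES = ("PRIMARY KEY", "UNIQUE KEY", "KEY", "INDEX", "CONSTRAINT")

# Assumes dbDelta()-style SQL with one column definition per line.
TABLE_RE = re.compile(r"CREATE TABLE\s+`?(\w+)`?\s*\((.*?)\)\s*;", re.S | re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Constructed schema, as a plugin might create on activation.
SAMPLE_SCHEMA = """
CREATE TABLE wp_example_subscribers (
  id bigint(20) NOT NULL AUTO_INCREMENT,
  email varchar(100) NOT NULL,
  display_name varchar(250),
  ip_address varchar(45),
  created datetime,
  PRIMARY KEY (id)
);
CREATE TABLE wp_example_settings (
  option_key varchar(64) NOT NULL,
  option_value longtext
);
"""

# Constructed log file, as a plugin might write under wp-content/uploads/.
SAMPLE_LOG = """2018-05-25 10:00:01 form submitted by 203.0.113.42 (jane@example.org)
2018-05-25 10:00:02 cron run finished in 0.4s
2018-05-25 10:00:03 form submitted by 198.51.100.7
"""


def column_looks_personal(column):
    """True if any underscore-separated part of the column name is a personal-data token."""
    return any(part in PERSONAL_TOKENS for part in column.lower().split("_"))


def scan_schema(schema_sql):
    """Return {table: [column, ...]} for tables with columns that hint at personal data."""
    findings = {}
    for table, body in TABLE_RE.findall(schema_sql):
        flagged = []
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.upper().startswith(CONSTRAINT_PREFIXES):
                continue
            column = line.split()[0].strip("`")
            if column_looks_personal(column):
                flagged.append(column)
        if flagged:
            findings[table] = flagged
    return findings


def scan_log(log_text):
    """Return [(line_no, kind, value)] for IP and e-mail addresses found in the log."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        hits += [(line_no, "ip", m.group(0)) for m in IPV4_RE.finditer(line)]
        hits += [(line_no, "email", m.group(0)) for m in EMAIL_RE.finditer(line)]
    return hits


if __name__ == "__main__":
    for table, columns in scan_schema(SAMPLE_SCHEMA).items():
        print(f"{table}: columns that look like personal data: {columns}")
    for line_no, kind, value in scan_log(SAMPLE_LOG):
        print(f"log line {line_no}: {kind} {value}")
```

A flagged column or log line is a starting point, not a verdict: the auditor still has to check the retention period and whether the value is encrypted, which the schema alone does not show. Matching whole name tokens rather than substrings keeps a column like description from being flagged because it contains ip.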

3.2 Data Transfer

Even if data aren’t stored on the server, you need to check whether they are transmitted to external servers. This might happen, for example, via e-mail, FTP or scripts. The code review is of huge importance in this context, too, to identify processes of that kind.
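For the data transfer check in section 3.2, a first pass over the plugin’s source can list every call through which data can leave the server and every place the code reads a visitor identifier. The scanner below is an added example and not part of the original post or of any plugin: it walks PHP sources for WordPress and PHP network and mail functions, pairs each with a URL literal on the same line where one exists, and records reads of $_SERVER['REMOTE_ADDR'] and similar. The three plugin files are constructed for the example, and the function list is an assumed heuristic rather than a complete inventory; a real audit would run it over the plugin directory and then read the flagged lines by hand.

```python
"""Added example (not from the original post): static scan of a plugin's PHP
sources for calls that can send data off the server and for reads of visitor
identifiers. The plugin files below are constructed; the call list is an
assumed heuristic, not a complete list of PHP's network functions."""
import re

# Functions through which PHP or WordPress code can transmit data elsewhere.
TRANSFER_CALLS = (
    "wp_remote_post", "wp_remote_get", "wp_remote_request", "wp_safe_remote_post",
    "wp_mail", "mail", "curl_init", "curl_setopt", "curl_exec", "fsockopen",
    "ftp_connect", "ftp_put", "file_get_contents",
)
TRANSFER_RE = re.compile(r"\b(" + "|".join(TRANSFER_CALLS) + r")\s*\(")

# Superglobal lookups that identify the visitor (IP address, browser).
SOURCE_RE = re.compile(
    r"""\$_SERVER\s*\[\s*['"](REMOTE_ADDR|HTTP_X_FORWARDED_FOR|HTTP_USER_AGENT)['"]\s*\]"""
)

# A URL literal on the same line tells the auditor where the data goes.
URL_RE = re.compile(r"""['"]((?:https?|ftp)://[^'"]+)['"]""")

# Constructed plugin sources: one file collects and transmits personal data,
# one talks to a remote API via curl, one does neither.
SAMPLE_PLUGIN = {
    "includes/submit.php": """<?php
function ex_handle_submit( $data ) {
    $data['ip'] = $_SERVER['REMOTE_ADDR'];
    wp_remote_post( 'https://stats.example.net/collect', array( 'body' => $data ) );
    wp_mail( 'owner@example.org', 'New signup', $data['email'] );
}
""",
    "includes/sync.php": """<?php
function ex_sync_users( $payload ) {
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, 'https://api.example.com/v1/users' );
    curl_setopt( $ch, CURLOPT_POSTFIELDS, $payload );
    return curl_exec( $ch );
}
""",
    "includes/widget.php": """<?php
function ex_render_widget() {
    echo esc_html( get_option( 'ex_title' ) );
}
""",
}


def scan_source(path, source):
    """Return a list of findings (dicts) for one file, in source order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in SOURCE_RE.finditer(line):
            findings.append({"file": path, "line": line_no, "kind": "collects",
                             "call": m.group(1), "url": None})
        for m in TRANSFER_RE.finditer(line):
            url = URL_RE.search(line)
            findings.append({"file": path, "line": line_no, "kind": "transfers",
                             "call": m.group(1), "url": url.group(1) if url else None})
    return findings


def scan_plugin(files):
    """Scan every file of a plugin given as {path: source}, sorted by path."""
    return [f for path in sorted(files) for f in scan_source(path, files[path])]


def external_endpoints(files):
    """The set of destinations the plugin's code names explicitly as literals."""
    return {f["url"] for f in scan_plugin(files) if f["url"]}


if __name__ == "__main__":
    for f in scan_plugin(SAMPLE_PLUGIN):
        target = f" -> {f['url']}" if f["url"] else ""
        print(f"{f['file']}:{f['line']} {f['kind']} {f['call']}{target}")
    print("external endpoints:", sorted(external_endpoints(SAMPLE_PLUGIN)))
```

The endpoint list is what the audit needs for the data transfer question: each destination outside the server has to be covered by the privacy policy or removed. Destinations built from options or variables do not appear as literals, so a finding without a URL (like the wp_mail call) still has to be traced manually.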

3.2.1 Use Tools

To analyze script activities and prevent them, you can use several monitoring tools, for example NoScript for Firefox (https://noscript.net/). The monitoring of the software needs to aim at revealing the transfer of personal data.

3.2.2 Safety

Data security is another important aspect, and it depends on many factors. In an audit it means analyzing the plugin or theme code to check how the processes are implemented and whether the best practices of the language are followed and its known security issues are handled correctly. This step can be time intensive, too. So if you follow the steps of level 0 and the level 1 questions are answered satisfactorily, you can finish the audit faster.

Summary

With version 4.9.6, WordPress offers important basics for creating a GDPR compliant WordPress website. Nevertheless, it’s the website owner’s task to adjust their website to the new legal regulations. Therefore GDPR audits are an important step to find out where your website asks for personal data.

Of course, a full GDPR audit might be difficult for some. That’s why we recommend plugin lists which give comprehensive overviews of the GDPR compliance of popular WordPress plugins.