If you have a WordPress or a WooCommerce website, you will surely have heard of GDPR. This sweeping EU regulation, which came into force back in 2018, sets out several requirements that anyone who handles data of EU customers and visitors needs to abide by. Failure to comply with this legislation can lead to harsh penalties.
In this post, we look at GDPR – General Data Protection Regulation, and how it relates to the personal data of site visitors and customers. We’ll discuss the business implications for website owners and administrators and which plugins can support your efforts in achieving GDPR compliance. We’ll also look at some immediate actions you can take to get started.
Disclaimer: This blog post does not constitute legal advice. Penalties for non-compliance are significant, reaching 20 million Euros or 4% of your total revenue, whichever is higher. You should always seek professional guidance from a legal expert who has experience in your industry and in the geographical context in which you intend to operate.
Table of contents
- What is the EU’s GDPR?
- Does GDPR apply to you?
- Who does GDPR cover?
- Are WordPress and WooCommerce GDPR compliant?
- How do plugins help me comply with the GDPR legislation?
- Technical measures you need to take to comply with GDPR
- Operational measures you need to take to comply with GDPR
- Is there anything else I need to consider?
What is the EU’s GDPR?
The GDPR is the most important and substantial European Union privacy law concerning the treatment of personal data. It is applicable to anyone who does business in the EU. In a nutshell, it is there to protect users’ personal data. As the one collecting the data, you have a number of responsibilities that you must fulfill. Failing to meet the law’s requirements can result in a fine, and not a trivial one.
While some aspects of GDPR are universally applicable, others will depend on your area of implementation and business. As an example, if you run a WooCommerce/eCommerce website, you need to take security measures such as adding 2FA for WordPress. This might not apply if you’re running a simple blog with no users.
GDPR has a reputation for strictness throughout the world. It requires legal pages and policies to be written in Plain English instead of what is known as legalese. This means that policies should be able to be read and understood by the average person without requiring a team of lawyers by their side.
GDPR has seven principles that guide how data should be handled to be GDPR-compliant. We will cover these next.
The seven principles of the GDPR
These are the seven GDPR governing principles and practical implications for your customers’ personal data. Together, they provide a framework that helps you comply with the GDPR.
Principle 1: Lawful, fair, and transparent processing
You must process data per the provisions laid down by the law and fairly and transparently to the data subject. This means that you must be clear and upfront about what data you’re collecting, why you need it, and how you will use it. It is equally important to ensure all information is in plain English.
Principle 2: Legitimate processing
You must process data in line with the data subject’s consent. As previously discussed, you must obtain consent from the user/visitor before collecting and processing their data.
Principle 3: Minimal data collection
Only data that is directly required for processing and for which the user has given their consent should be collected. This is good practice even outside of GDPR since it follows the principle of reducing moving parts.
Principle 4: Accuracy of data
You must keep collected personal data up to date. Any data subject can request to have their data erased or updated, and you’ll need to complete this request within 30 days. In such cases, you must take “every reasonable step” to comply with the data subject’s wishes.
Principle 5: Storage of data
You should only keep data for as long as it is needed. As this can be very subjective (when does a customer stop being a customer?), professional legal advice is highly encouraged to ensure you do not fall foul of this principle.
Principle 6: Data security, confidentiality, and integrity
This principle is the most technical out of all seven. It puts the onus on the data controller to ensure that protections against unauthorized access, theft, loss, destruction, or damage are put in place to ensure the integrity and confidentiality of personal data.
Principle 7: Accountability
Accountability is critical to ensuring that you always meet GDPR’s requirements. This means having the necessary GDPR-compliant process documentation, procedures, notices, records, and assessments in place. GDPR stipulates that the data controller must be able to prove that they are complying with GDPR.
Key GDPR roles
Before we delve deeper into GDPR, it is worth taking a few minutes to understand who the actors are. Think of actors as roles that GDPR identifies as critical to its implementation. There are four actors that we need to know about. Understanding these roles will help us better understand who is responsible for what and makes understanding the regulation much more accessible.
The data subject
In the case of WordPress websites, data subjects are our website visitors and users who originate from the European Union. The term data subject directly refers to the person to whom the data we are collecting belongs.
The data controller
As the website owner who collects data, this is you. Data controllers have several responsibilities; these are the obligations set out under the seven principles of GDPR covered above.
As the data controller, you need to be able to demonstrate that you are GDPR compliant. Failure to do so classifies you as non-compliant. To this end, it is beneficial to understand what data controllers are held accountable for in the eyes of the law.
The data processor
Data processors are those people or companies which process data on behalf of the data controller (you).
Side note: At this stage, it is essential to understand what GDPR views as data processing since the entity that processes data has certain obligations. To this end, GDPR considers any action taken on data as data processing, from simple collection and storage to usage, organization, and any other form of processing.
The data protection officer (DPO)
The data protection officer, known as DPO for short, is a person who assumes responsibility for GDPR compliance on collected personal data. While not all data controllers and processors require a DPO, you can always appoint one within your organization to ensure compliance with GDPR.
Does GDPR apply to you?
GDPR compliance is a must for all entities collecting information about EU citizens, whether they’re website visitors, users, or customers. Even if you are not from the EU, if you are selling your products internationally, especially in the EU region, your website should comply with GDPR. It is recommended that you follow the GDPR guidelines, such as keeping an activity log on your WordPress website.
GDPR goes beyond users’ personal information. While users’ data is at the center of it all, there are other tasks that need to be undertaken in order to comply. These include:
- Collecting, storing, processing, and transferring (sharing or selling) data, including personal information belonging to EU resident citizens
- Creating and documenting technical measures that demonstrate you have taken measures to secure personal data
- Monitoring and logging security issues, attacks, and breaches
- Announcing any breaches, including telling users what they need to do
- Informing people how they can ask for a copy of their data or for it to be erased or updated
Who does GDPR cover?
GDPR covers the personal data of those who reside in any member state of the EU. To this end, personal data includes any data that can directly or indirectly identify an individual. As the definition of personal data is quite open, erring on the side of caution is the recommended strategy.
What about citizens living in countries outside of the EU?
If you comply with the EU’s GDPR, then you’ll be already working toward compliance with similar regulations around the world. Other countries and jurisdictions have taken inspiration from the GDPR, including the UK, Japan, Brazil, Turkey, and others. Depending on which markets you’re targeting, we recommend you make yourself familiar with the relevant regulations that relate to securing the personal data of citizens in those areas.
What rights do data subjects have under the GDPR?
The rights of data subjects are covered in Chapter 3, which spans from Article 12 to Article 23. This makes it quite extensive and impossible to cover in its entirety here. Reading the entire GDPR Chapter 3 is highly recommended.
Articles 12 to 14, as well as Articles 19, 22, and 23, deal with definitions, controller obligations, and exceptions, among other things. In this section, we will be looking at data subjects’ rights:
- Right of access – The data subject has the right to confirm whether any personal data is being processed and, if so, to access that data, including the purpose of processing, among other things.
- Right of rectification – The data subject has the right to request rectification of any inaccuracies in their data, which must be done “without undue delay”.
- Right to erasure – Also known as the right to be forgotten, the data subject has the right to ask for personal information to be erased when certain conditions are met.
- Right to restriction – The data subject has the right to request restrictions as to how their data is processed.
- Right to data portability – The data subject has the right to receive their personal data in a machine-readable, commonly used format and to send that data to another controller without hindrance.
- Right to object – The data subject has the right to object to their personal data being processed.
Are WordPress and WooCommerce GDPR compliant?
WordPress has put in place several measures to help you to make your WordPress websites GDPR compliant. However, installing WordPress on your website alone is insufficient. It is only your organization itself that can be GDPR compliant. It must be clear to website users what Personal Data your organization collects on them and how it is subsequently used or transferred.
WordPress introduced several features in version 4.9.6 that make complying with GDPR much easier. While these features do not necessarily make you GDPR compliant (more on this later), they will help ensure you have the basics covered.
Personal data export
You can easily export all of a user’s data should they file a data request. To export a user’s personal data, simply navigate to Tools > Export Personal Data and enter the user’s username or email address in the provided text box.
You can also send a confirmation email by checking the Confirmation Email checkbox.
Personal data erasure
WordPress also offers a personal data erasure feature to comply with the right to be forgotten. You can access this feature by navigating to Tools > Erase Personal Data. Like the personal data export feature, there is also an option to send a confirmation email.
Privacy policy page
WordPress also helps you publish a privacy policy, with a starting template to adapt. You can access this feature by navigating to Settings > Privacy and following the provided instructions.
To help with GDPR cookie compliance, WordPress comes with a built-in cookie consent checkbox, which is enabled by default. Keep in mind that this is only valid for commenting users – you need to take care of the rest should you configure anything else that drops a cookie.
You can enable this setting by navigating to Settings > Discussion.
WooCommerce introduced a number of GDPR compliance-related features back in version 3.4. Although you should be running a far more recent version by now (WooCommerce was at version 8.2.2 at the time of writing), make sure that your installation is up to date. Updating plugins such as WooCommerce is also critical for strong WordPress security.
WooCommerce supplements WordPress GDPR compliance features to ensure cohesiveness throughout your website.
Personal data export and erasure
WooCommerce adds fields to the WordPress personal data exporter that we discussed in the previous section. This ensures that any user data in WooCommerce is included in the export.
Similarly, WooCommerce works with the ‘Personal data erasure’ feature when it comes to erasing personal information. The only difference here is that WooCommerce offers a number of Account erasure request options. These include an option to remove personal data from orders and a separate option to remove access to downloads. You’ll also find enhanced cleanup functions when deleting a user manually. You can also anonymize orders in bulk should this be required.
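The export and erasure features described above are extensible: any plugin that stores personal data can register its own exporter and eraser so that its records are included when an administrator runs Tools > Export Personal Data or Tools > Erase Personal Data, which is how WooCommerce adds its fields. The following is an added example, not code from WordPress, WooCommerce or this post. It shows a hypothetical plugin called “example-loyalty” (meta keys `example_loyalty_number` and `example_delivery_note` are invented for the illustration) hooking into both flows, and, like WooCommerce’s anonymisation of completed orders, anonymising one field it is assumed to have a retention reason to keep rather than deleting it.

```php
<?php
/**
 * Added example (not WordPress, WooCommerce or the post's own code).
 * A hypothetical plugin "example-loyalty" stores two pieces of personal data in
 * user meta and plugs them into the core Tools > Export / Erase Personal Data flows.
 * Hypothetical meta keys: example_loyalty_number, example_delivery_note.
 */

// 1. Register an exporter. Core calls every registered exporter for the
//    email address entered in Tools > Export Personal Data.
add_filter( 'wp_privacy_personal_data_exporters', function ( array $exporters ): array {
    $exporters['example-loyalty'] = array(
        'exporter_friendly_name' => __( 'Example Loyalty plugin' ),
        'callback'               => 'example_loyalty_exporter',
    );
    return $exporters;
} );

function example_loyalty_exporter( string $email_address, int $page = 1 ): array {
    $user = get_user_by( 'email', $email_address );
    $data = array();

    if ( $user instanceof WP_User ) {
        $items = array();
        foreach ( array(
            'example_loyalty_number' => __( 'Loyalty number' ),
            'example_delivery_note'  => __( 'Delivery note' ),
        ) as $meta_key => $label ) {
            $value = get_user_meta( $user->ID, $meta_key, true );
            if ( '' !== $value ) {
                $items[] = array( 'name' => $label, 'value' => $value );
            }
        }
        if ( $items ) {
            $data[] = array(
                'group_id'    => 'example-loyalty',
                'group_label' => __( 'Loyalty programme' ),
                'item_id'     => 'loyalty-' . $user->ID,
                'data'        => $items,
            );
        }
    }

    // 'done' => true tells core there are no further pages for this exporter.
    return array( 'data' => $data, 'done' => true );
}

// 2. Register an eraser. Core calls it once an erasure request is confirmed.
add_filter( 'wp_privacy_personal_data_erasers', function ( array $erasers ): array {
    $erasers['example-loyalty'] = array(
        'eraser_friendly_name' => __( 'Example Loyalty plugin' ),
        'callback'             => 'example_loyalty_eraser',
    );
    return $erasers;
} );

function example_loyalty_eraser( string $email_address, int $page = 1 ): array {
    $user     = get_user_by( 'email', $email_address );
    $removed  = false;
    $retained = false;
    $messages = array();

    if ( $user instanceof WP_User ) {
        // Free-text note: no reason to keep it, so delete it outright.
        if ( delete_user_meta( $user->ID, 'example_delivery_note' ) ) {
            $removed = true;
        }
        // Loyalty number: assumed (for this example) to be subject to a retention rule,
        // so it is anonymised with the core helper instead of deleted. The message is
        // shown to the administrator so the retention is documented, not silent.
        $number = get_user_meta( $user->ID, 'example_loyalty_number', true );
        if ( '' !== $number ) {
            update_user_meta( $user->ID, 'example_loyalty_number', wp_privacy_anonymize_data( 'text', $number ) );
            $retained   = true;
            $messages[] = __( 'Loyalty number anonymised rather than deleted (retention requirement).' );
        }
    }

    return array(
        'items_removed'  => $removed,
        'items_retained' => $retained,
        'messages'       => $messages,
        'done'           => true,
    );
}
```

Every plugin that writes personal data to the database should register a pair like this; otherwise the core export will silently omit that data and the erasure will leave it behind, which is exactly the kind of gap a data subject request will expose.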
You can also define how long you want to retain data. Settings can be accessed by navigating to WooCommerce > Settings > Accounts and Privacy. Here, you need to keep in mind that not all data will be deleted.
- Inactive accounts – Inactive accounts will be deleted once the retention period expires.
- Pending orders – Pending orders will be moved to trash once the retention period expires.
- Failed orders – Failed orders will be moved to trash once the retention period expires.
- Cancelled orders – Cancelled orders will be moved to trash once the retention period expires.
- Completed orders – Completed orders will be anonymized once the retention period expires.
You can also customize elements of your WooCommerce store checkout page to comply with GDPR. The plugin allows you to change which fields are required and which ones are optional so that you do not collect more personal information than is required. You can also change the T&Cs checkbox to meet your requirements.
How do plugins help me comply with the GDPR legislation?
Plugins can help you achieve GDPR compliance by facilitating compliance with different GDPR requirements. Indeed, some of the requirements can be quite difficult to comply with unless you install a plugin.
Needless to say, it is always important to choose plugins that come from reputable vendors. GDPR being as sensitive as it is, it is important to ensure that you do not assume additional risks – as may be the case when installing nulled plugins.
In this section, we will be looking at some of the best plugins that can help you achieve GDPR compliance.
WP Activity Log plugin
The GDPR states that website owners must create and document technical and security measures, including a log of everything that happens on their websites. This helps to ensure that only legitimate users with a legitimate purpose have access to data subjects’ personal data.
WP Activity Log excels at keeping a record of what happens on your WordPress website. It monitors user and system activity, including activity related to a number of third-party plugins, including WooCommerce.
The plugin comes with a number of GDPR-ready features, including:
- Option to store log data in an external database, log management system, log file, or a number of other locations
- Configurable retention policies
- Data erasure options
- Log-in logging notification
WP Activity Log is the most comprehensive activity log plugin, with new activities added to its log on a regular basis. This ensures that you have a very broad record of what happens on your WordPress and WooCommerce websites.
What other plugins can help me achieve GDPR compliance?
There are several plugins that help you create GDPR-compliant popups and policies:
- MonsterInsights gets a mention on all the best blog posts. Since collecting personal data requires explicit consent under the GDPR, it offers features that allow you to anonymize and even switch off personal data tracking tools
- WP Forms, a very popular plugin used by WordPress administrators to create contact, consent, and other data collection forms across their websites, can be set to not collect user IP addresses, browsers, or operating systems, for example
- Popupsmart allows you to create popups for cookie notices and consent from templates, for example, depending on the geographical area of the audience
- Complianz is a cookie consent plugin that supports GDPR as well as CCPA and many others
- CookieYes assists WordPress website owners in achieving GDPR cookie compliance. It also supports compliance with the CCPA, CNIL guidelines, and the LGPD
Technical measures you need to take to comply with GDPR
Data protection by design and by default
GDPR Chapter IV: Controller and processor, Section 1, Article 25 outlines ‘Data protection by design and by default’. The implication is that website owners must design, build, and deploy websites and web applications for which security is built in from the start.
GDPR.EU gives two examples of the types of technical measures you can use to protect your users’ personal data: 2FA and encryption.
- Two-factor authentication is one GDPR requirement that is very straightforward to implement. We even have our own WP 2FA plugin, which supports multiple authentication channels and is bundled with many other useful features.
- Data encryption, while not explicitly mandated by the GDPR, is one way to satisfy the requirement to secure personal data. WordPress does not encrypt data by default. Encrypting data at rest and data transiting between WordPress and the database is not for the faint of heart and may require experienced developers to implement.
However, you can encrypt data in transit between WordPress and users by using an SSL/TLS certificate on your WordPress website. It’s just as important to encrypt your email and other communication channels.
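The post is right that encrypting data at rest in WordPress takes some care. As an added example (not code from the post or from WordPress core), here is one way to do it for a single sensitive user-meta field using PHP’s bundled libsodium, so that a database dump or backup on its own does not expose the value. The constant `EXAMPLE_META_KEY` and the meta key `example_tax_id` are assumptions for the illustration; the key lives in `wp-config.php`, never in the database.

```php
<?php
/**
 * Added example (not from the post or from WordPress core): encrypting a sensitive
 * user-meta field at rest with libsodium (bundled with PHP >= 7.2).
 * Assumes a hypothetical constant in wp-config.php holding a 32-byte key, e.g.
 *   define( 'EXAMPLE_META_KEY', '<64 hex chars, from: php -r "echo bin2hex(random_bytes(32));">' );
 */

function example_meta_key(): string {
    if ( ! defined( 'EXAMPLE_META_KEY' ) ) {
        throw new RuntimeException( 'EXAMPLE_META_KEY is not defined in wp-config.php' );
    }
    $key = hex2bin( EXAMPLE_META_KEY );
    if ( false === $key || SODIUM_CRYPTO_SECRETBOX_KEYBYTES !== strlen( $key ) ) {
        throw new RuntimeException( 'EXAMPLE_META_KEY must be 32 bytes, hex encoded' );
    }
    return $key;
}

// Authenticated encryption with a fresh random nonce per value; the nonce is stored
// in front of the ciphertext because it is needed again to decrypt.
function example_encrypt_value( string $plaintext ): string {
    $nonce      = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $ciphertext = sodium_crypto_secretbox( $plaintext, $nonce, example_meta_key() );
    // The 'v1:' prefix identifies the scheme/key generation, which makes key rotation possible later.
    return 'v1:' . base64_encode( $nonce . $ciphertext );
}

// Returns null for tampered, truncated or foreign data instead of returning garbage.
function example_decrypt_value( string $stored ): ?string {
    if ( 0 !== strpos( $stored, 'v1:' ) ) {
        return null;
    }
    $raw = base64_decode( substr( $stored, 3 ), true );
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ( false === $raw || strlen( $raw ) < $min ) {
        return null;
    }
    $nonce      = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $ciphertext = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plaintext  = sodium_crypto_secretbox_open( $ciphertext, $nonce, example_meta_key() );
    return false === $plaintext ? null : $plaintext;
}

// Usage: encrypt on the way in, decrypt on the way out (hypothetical meta key 'example_tax_id').
function example_store_tax_id( int $user_id, string $tax_id ): void {
    update_user_meta( $user_id, 'example_tax_id', example_encrypt_value( $tax_id ) );
}

function example_read_tax_id( int $user_id ): ?string {
    $stored = get_user_meta( $user_id, 'example_tax_id', true );
    return ( is_string( $stored ) && '' !== $stored ) ? example_decrypt_value( $stored ) : null;
}
```

Two limits are worth knowing before adopting this pattern. The field can no longer be searched or sorted with SQL, so only encrypt values you look up by user, not values you query on. And because the key is readable by the web server, this protects against leaked backups and database-only access, not against an attacker who already controls the PHP process; that threat is what the hardening and least-privilege measures in the rest of this section address.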
There are two other options you can adopt:
- A strong WordPress login and password policy
- An access policy that complies with the principle of least privilege
Regular testing, remediation, and proof
Anyone who builds websites or website applications will know that testing is an essential element of the process. Most vendors will now build regular, automated scanning and manual penetration testing into the website build, configuration, and update processes. There are various parts to this:
- During and after the initial build or update of the website
- After adding, configuring, or removing users and permissions
- After updating your WordPress theme, version, and other integrated software applications deployed on your website
- After installing or activating WordPress plugins
- After deactivating or deleting WordPress plugins
- After (re)configuring WordPress plugins
- After changing the web host or hosting package
Note that simply conducting tests is insufficient; you must also provide proof of testing and any fixes performed.
In addition to the technical measures listed above, there are some basics that will help reinforce your compliance with the GDPR:
- Hardening the WordPress Webserver
- Hardening PHP for WordPress security
- Hardening your WordPress website
- Hardening your MySQL Server
Operational measures you need to take to comply with GDPR
In this section, we will be looking at operational changes you might need to make to achieve GDPR compliance.
In line with the principles we have already mentioned, you should collect the minimum amount of data necessary for the purpose and anonymize it when possible. However, it is still essential to first explain to the Data Subject why you are collecting it and how you will use it, as well as gaining their consent to do so. Policies must be written in clear language, and consent must not be assumed, buried in the small print, or ambiguous. Consent must also be gained separately from other declarations. Data Subjects can withdraw consent at any time.
Analytics tools, such as Google Analytics, collect personal data on your behalf, which makes them a Processor as defined by the GDPR. They may, for example, collect geolocation data. This, in turn, makes you responsible for what happens to the data, so you must take steps to ensure the tool is GDPR compliant. It is very important to have a Data Processing Agreement that is signed by both parties and that sets out the responsibilities of each side.
More about GDPR cookie consent – ePrivacy Directive 2002 & 2009
The EU’s ePrivacy Directive (EPD), or ‘cookie law’, supplements and, in some cases, overrides the GDPR. It is set to be superseded by the ePR or ePrivacy Regulation (still under proposal).
For the purposes of clarity, a ‘directive’ must be incorporated into law by each country’s government within the EU, whilst a ‘regulation’ is an EU-wide law. Regardless, in order to comply, you must:
- Ask users for their explicit consent before using any cookies
- Provide users with information in plain language about each type of data being tracked when they select to opt-in to cookies
- Allow users full-service access, even if they decline certain cookies
- Document user consent
- Allow users to withdraw their consent
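Three of those requirements (do not set non-essential cookies before consent, document the consent, allow withdrawal) have a server-side component that the built-in comment checkbox does not cover. The following is an added example, not code from this post or from any of the plugins it names: the server side of a minimal consent gate for a WordPress site. It assumes a front-end banner (not shown) that calls the hypothetical REST route `POST /wp-json/example/v1/consent` with `{"analytics": true|false}`; the cookie name `example_consent`, the user-meta key `example_consent_log`, the constant `EXAMPLE_POLICY_VERSION` and the analytics script URL are all invented for the illustration.

```php
<?php
/**
 * Added example, not code from the post or from any plugin it names.
 * Server side of a minimal cookie-consent gate. Hypothetical names throughout:
 * cookie 'example_consent', user-meta key 'example_consent_log', REST route example/v1/consent.
 */

const EXAMPLE_POLICY_VERSION = '2024-01';   // bump whenever the cookie policy text changes

// Which optional categories has the current visitor consented to?
function example_consented_categories(): array {
    if ( empty( $_COOKIE['example_consent'] ) ) {
        return array();                      // no cookie means no consent: nothing optional is loaded
    }
    $decoded = json_decode( wp_unslash( $_COOKIE['example_consent'] ), true );
    if ( ! is_array( $decoded ) || ( $decoded['policy'] ?? '' ) !== EXAMPLE_POLICY_VERSION ) {
        return array();                      // consent given for an older policy text does not carry over
    }
    return array_values( array_filter( (array) ( $decoded['categories'] ?? array() ), 'is_string' ) );
}

// Load the analytics tag only after opt-in. The site itself works fully without it.
add_action( 'wp_enqueue_scripts', function () {
    if ( in_array( 'analytics', example_consented_categories(), true ) ) {
        // Hypothetical script URL; replace with the real analytics tag.
        wp_enqueue_script( 'example-analytics', 'https://analytics.example/tag.js', array(), null, true );
    }
} );

// Record a choice (grant or withdrawal). The route is public because anonymous visitors
// must be able to consent too; it only ever sets the caller's own cookie.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/consent', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'args'                => array(
            'analytics' => array( 'type' => 'boolean', 'required' => true ),
        ),
        'callback'            => 'example_record_consent',
    ) );
} );

function example_record_consent( WP_REST_Request $request ): WP_REST_Response {
    $categories = $request->get_param( 'analytics' ) ? array( 'analytics' ) : array();
    $record     = array(
        'policy'     => EXAMPLE_POLICY_VERSION,
        'categories' => $categories,         // empty array = declined or withdrawn
        'at'         => gmdate( 'c' ),
    );

    // The cookie carries the choice to later requests. Six-month lifetime, so the
    // question is asked again rather than consent being assumed indefinitely.
    setcookie( 'example_consent', wp_json_encode( $record ), array(
        'expires'  => time() + 6 * MONTH_IN_SECONDS,
        'path'     => '/',
        'secure'   => is_ssl(),
        'httponly' => false,                 // the banner reads it to display the current state
        'samesite' => 'Lax',
    ) );

    // Documenting consent: for logged-in users keep an append-only log in user meta
    // (each grant and each withdrawal is a new entry). Anonymous visitors are not
    // identified further, so for them the cookie itself is the only record.
    // Note: the banner must send the REST nonce (X-WP-Nonce) for logged-in users,
    // otherwise the REST API treats the request as anonymous.
    if ( is_user_logged_in() ) {
        add_user_meta( get_current_user_id(), 'example_consent_log', $record, false );
    }

    return new WP_REST_Response( array( 'stored' => $record ), 200 );
}
```

The consent log kept in user meta is itself personal data about the user, so it belongs in the records of processing described below and in your personal data exporter and eraser.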
Keep a list of the information you store on individuals, where it’s stored, how it’s processed, and how it can be accessed. Users, regulators, and certain other parties can exercise the rights listed earlier, each of which has many parts, implications, and permutations. GDPR Chapter 4: Controller and processor, Section 1, Article 30 refers to ‘Records of processing activities,’ so it’s essential to have this information available when anyone exercises one or a combination of those rights.
Your privacy policy must be easy for users to find. Common places to present it include:
- As a clickable popup at the bottom of your website
- Linked from your About, Contact, and Signup pages
- Linked from your email subscription forms and popups
While having a custom policy written for you is best, you can start with a template. To access this feature, start at the WordPress dashboard. Go to Settings > Privacy and follow the instructions.
Should a data breach occur, what activity will you take (GDPR Chapter IV: Controller and Processor, Section 2, Article 33)?
Potential breaches must be assessed in advance by way of a Data Protection Impact Assessment (DPIA). Even if the breach is due to an inadvertent (internal) privilege escalation, you should have a written process so that your team can act immediately to inform users of what you’re doing to rectify the situation and mitigate its effects.
Make yourself aware of the fines and other penalties that may follow data breaches. Assess the financial, legal, and other impacts of a loss of business, loss of reputation, or your business being ‘wound up’ by the relevant tax or other government departments as a result.
Is there anything else I need to consider?
Cybersecurity insurance is an essential part of your security kit. Purchasing insurance in advance will help you manage the situation if you do suffer a data breach. Depending on the kind of data breach you anticipate, you may be able to purchase cybersecurity insurance coverage to help deal with some of the negative consequences of malicious hacks and defamation or other legal claims.
GDPR – General Data Protection Regulation is here to stay. Taking the steps to comply will help you grow your business and website now, and into the future. At the same time, it is important to remember that GDPR compliance is neither a one-time process nor something that can be easily achieved with a single plugin. You must iterate as the legislation and technology evolves in order to meet your legal requirements. If you are unsure of anything, consult with an attorney or lawyer.