Scott DeLuzio is a WordPress plugin developer. He is the developer of Privacy WP, Conditional Checkout Fields, WP-CRM System, WP1099, and Full Screen Background Images. In his free time Scott is an avid exerciser, and loves traveling with his family. July 4, 2018

How to make your WordPress website GDPR Compliant

Recently, the European Union enacted the General Data Protection Regulation, or GDPR. While the law comes out of the EU, it can potentially impact businesses all over the world.

You might think that if you aren’t physically in the EU, GDPR shouldn’t apply to you, right?

However, the way the law is written, collecting any personal information on citizens of the EU can trigger GDPR rules regardless of where your business is. It doesn’t matter if you and your business are physically located in Germany, Spain, United States, Canada, or floating on a boat in the middle of the ocean. The rules still apply if you collect personal information on any EU citizen.

Disclaimer: I am not a lawyer, and nothing in this article should be considered legal advice. While I am not a lawyer, I have researched the topic rather extensively while developing my plugin, Privacy WP. Information in this post is only intended to be informational to help you decide what your business may need to do in order to be in compliance with GDPR. Always consult with a knowledgeable attorney for any legal advice.

What is considered personal information under GDPR?

Under GDPR, personally identifiable information is generally anything that can identify someone on its own, or in combination with other information.

Obviously things like names and addresses are personally identifiable. Other items are less obviously personal, but are still treated as personally identifiable. These include information such as phone numbers, email addresses, photographs, government identification numbers, IP addresses, financial data, religious or political views, race, sexual orientation, health information, and behavioral data.

If your website collects any of this type of personally identifiable information, GDPR rules can apply to you.

Can my Website be GDPR Compliant by Blocking European Traffic?

The short answer is no.

Even if you block traffic coming from the EU, it is still possible for EU citizens to access your website. For example, a German who is vacationing in the United States can access your website from their hotel’s Wi-Fi. Or someone who is physically located in the EU can use a Virtual Private Network (VPN) to make it appear as if they are in a different country.

What if my Business is Found to be not GDPR Compliant?

Financial penalties for non-compliance can be significant, but GDPR does not require financial penalties immediately for non-compliance.

Penalties are up to the discretion of each country’s data protection authorities. They can issue warnings, which may help you understand what went wrong. Ultimately that may be what’s best for everyone, so I would suspect that the authorities might lead with warnings. However, they can also issue fines, which by law are capped at a maximum of €20 million or 4% of a company’s prior year annual turnover, whichever is greater.

How to make your WordPress website GDPR Compliant

There is no single plugin that will automatically make your WordPress website GDPR compliant. GDPR compliance is more about how you handle data that you are being trusted with.

The first thing you need to consider is your website’s privacy policy. Your privacy policy should be written in simple language and not be filled with legal jargon that your average visitor may not understand. It should clearly communicate why you are collecting personally identifiable information, who has access to the information, what you are doing with that information, and how long you will keep it.

The next thing to consider is whether or not your website visitors consented to providing personally identifiable information.

According to GDPR, any personally identifiable information should be collected in an “opt-out by default” manner. This means that a website visitor should perform an action that confirms their consent to your collection of their information. For example, your contact form could have a required checkbox that says “I agree to the collection and processing of my personal information in accordance with this site’s privacy policy,” or something along those lines. Without checking the box (and therefore without giving consent), the form won’t submit and you’ll never collect their information.

Once you have collected personally identifiable information, you also need to consider how your site’s visitors can access that data.

GDPR requires that individuals be able to view the personally identifiable information that your business has collected. So, your business should have a plan in place for generating a report containing all of the personally identifiable information that you collect on your site’s visitors.

Your visitors can also request changes to this information and request that it be deleted altogether.

I use the word “request” here because it may not be possible to delete all of the information that you have collected. For example, your e-commerce site may need to retain certain sales data for a period of time for tax purposes. Certain industries, like insurance, have data retention policies that require some information be kept for a certain time period.

When it isn’t possible to delete this information you should attempt to anonymize it to the extent possible.

What is WordPress doing to help make websites GDPR Compliant?

In WordPress version 4.9.6, a series of privacy related tools were introduced.

One of these privacy tools helps site owners generate a privacy policy. Sample text is included that covers the personally identifiable information WordPress core collects, such as names, email addresses, and IP addresses on comment forms. It also provides hooks for plugin developers to include language that covers the data collected by their plugins. So, your contact form plugin may indicate that it collects and stores form entry data. This is information that might be important to include in your privacy policy.

The other two privacy related tools are focused around allowing visitors to view their personally identifiable information, and have that information deleted. These tools also have hooks for plugin developers to extract all of the information they collect on your site’s visitors.

By using these tools, you will be able to provide an accurate report of any personally identifiable information that is stored on your site, and delete it if it is deemed appropriate to do so.
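Here is an added example, not code from this post or from Privacy WP, of how a plugin plugs into the two tools just described (the export and erase hooks) and, for the retention case mentioned earlier, anonymizes rather than deletes. It assumes a hypothetical contact-form plugin storing entries in a custom table; the table name, column names, and the `cf_` function names are assumptions.

```php
<?php
// Added example, not code from the post or from Privacy WP. It assumes a
// hypothetical contact-form plugin that stores entries in a custom table
// {$wpdb->prefix}cf_entries (columns: id, email, message, created_at).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['cf-entries'] = array( 'exporter_friendly_name' => 'Contact Form Entries',
                                      'callback' => 'cf_export_entries' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['cf-entries'] = array( 'eraser_friendly_name' => 'Contact Form Entries',
                                    'callback' => 'cf_erase_entries' );
    return $erasers;
} );

// Exporter: WordPress calls this with the requester's email; every entry tied
// to that address goes into the "Export Personal Data" report.
function cf_export_entries( $email_address, $page = 1 ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, message, created_at FROM {$wpdb->prefix}cf_entries WHERE email = %s",
        $email_address
    ) );
    $data = array();
    foreach ( $rows as $row ) {
        $data[] = array(
            'group_id'    => 'cf_entries',
            'group_label' => 'Contact Form Entries',
            'item_id'     => 'cf-entry-' . $row->id,
            'data'        => array(
                array( 'name' => 'Email',   'value' => $email_address ),
                array( 'name' => 'Message', 'value' => $row->message ),
                array( 'name' => 'Sent',    'value' => $row->created_at ),
            ),
        );
    }
    return array( 'data' => $data, 'done' => true ); // 'done' => false would page
}

// Eraser: anonymize instead of deleting, so a record of the submission survives
// a retention requirement while the personal data itself is gone.
function cf_erase_entries( $email_address, $page = 1 ) {
    global $wpdb;
    $changed = $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}cf_entries SET email = %s, message = %s WHERE email = %s",
        wp_privacy_anonymize_data( 'email', $email_address ), '[removed]', $email_address
    ) );
    return array( 'items_removed' => (bool) $changed, 'items_retained' => false,
                  'messages'      => array(), 'done' => true );
}
```

Once registered, the entries show up under Tools → Export Personal Data and Tools → Erase Personal Data alongside the data WordPress core already handles.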

Privacy WP, a GDPR Plugin for WordPress

The personally identifiable information your business collects doesn’t stop with your website. You likely have some of this data stored offsite in email lists, CRMs, customer support tools, and even payment gateways. Technically, this information should be included in the data export that you provide to your site’s visitors as well. Unfortunately, WordPress doesn’t automatically connect to any of these services, which means you have to figure out how to export it on your own.

Privacy WP is a GDPR plugin for WordPress, which allows you to connect those third-party services to the export and erase tools that are built into WordPress. This makes it effortless for your visitors to retrieve data stored offsite, and delete it if necessary.
