A GDPR Compliance Guide for WordPress Websites

If you are a WordPress website owner, then you’re likely going to learn about GDPR eventually or you may have already heard of the term and are working on being compliant.

GDPR, General Data Protection Regulation, is a European Union law that tends to confuse some. With that in mind, this guide is going to explain some of the ways you can make your WordPress site GDPR compliant without causing undue frustration.

One of the things to keep in mind, though, is that none of this has to be a frustrating process. Because WordPress offers many tools and features, it’s possible to navigate through the GDPR process smoothly. Don’t take for granted, though, that WordPress is going to do all the work for you. Otherwise, you’re going to face fines and other consequences that could have been avoided.

Disclaimer: This article is not legal advice. You should consult a lawyer if you have any questions or concerns.

Understanding GDPR

On May 25, 2015, the General Data Protection Regulation (GDPR) took effect under European Union (EU) law. GDPR’s goal is to allow EU citizens to keep control of their personal data, as well as to change how organizations approach data privacy worldwide.

Companies that are not in compliance will receive a hefty penalty. Therefore, it isn’t uncommon for companies to receive numerous emails from corporations like Google to ensure their websites comply with GDPR. The purpose of these notices is to give the companies a warning and time to bring their websites up to the standards associated with GDPR law.

What Are the Fines?

Following May 25, 2018, companies not complying with the requirements under GDPR will face fines up to 4% of the annual global revenue of the company or €20 million, whichever is higher of the two. Businesses around the world are experiencing some doubts over this reality. Not only are they worried they’re going to lose their business because they aren’t compliant, but they’re worried they won’t be able to afford to pay the fine.


Therefore, it brings us to the next compliance question:

How does the GDPR apply to a WordPress website?

Every business worldwide must comply, no matter its size, with GDPR regulations. The business does not have to have its location in the European Union. The law applies to the business if the website has visitors from the European Union. It’s not cause for panic, however. The EU wants to provide protection to consumers worldwide.

Even though GDPR could result in hefty fines, businesses will receive a warning first. Another notice will come through, but it will be sterner (a reprimand), and it will be followed by a data processing suspension if compliance doesn’t occur. Those who continue to remain non-compliant will receive the massive fine.

The purpose of ensuring compliance isn’t because the government wants to exert its power. Instead, the ultimate goal is consumer protection. They believe that data breaches, as well as the handling of data, have gotten out of control. When multiple data breaches and the mishandling of data regularly occur, consumers don’t feel confident using digital commerce. However, through the use of GDPR, the EU hopes that this will change.

It’s the opinion of many that the purpose of the extreme fines is to keep large corporations aware of what they’re doing and prevent the regulation from becoming ignored. The goal is also to help encourage companies to protect people’s rights and privacy.

As more people understand the requirements under GDPR and the laws, it seems more reasonable when developing a WordPress site that’s compliant. This guide will share tips and tools for how to ensure your WordPress website meets these compliance rules.

Understanding GDPR Requirements

The user’s personally identifying information (PII) is protected under GDPR. GDPR also has the goal of holding businesses to a higher standard regarding how they collect, use, and store user data. Personal data websites could collect includes an individual’s name, address, IP address, physical address, income, health information, and so on.

For those who haven’t seen the GDPR regulation, it consists of 200 pages. While there’s a lot of legal jargon within those pages, it would behoove website owners to read through them. That way they have a firm understanding of the standards they’re being held to and why. Here are some of the most critical pieces of information and how they pertain to your WordPress website:

1: Notifications of Breaches

All sites that experience a breach of any kind, under GDPR, must communicate this information to all users. Data breaches could put the freedoms and rights of users at risk. Therefore, such notifications must be made promptly. It’s required that such notifications under GDPR be sent within 72 hours of the breach making itself known. It’s also the responsibility of data collectors and data processors to notify users following knowledge of the breach.

Those using a WordPress site, upon noticing the breach, must notify all parties affected within this same designated time frame. The term “user” could mean those using the website regularly, contact form participants, and possibly commenters.

You’re required legally under this clause of the GDPR to monitor and assess your website’s security. Ideally, this goal can be achieved by monitoring web server logs and web traffic. However, it may be practical to use the Wordfence plugin and turn on notifications. The purpose of this clause is to encourage website owners to use the best security and prevent data breaches.

Personally I am using Cyber Scanner to perform a regular audit of my website – Cyber Scanner scans your website for hundreds of known website vulnerabilities and sends a report to you to fix them. This also gives you an audit trail that you are trying to maintain a secure and safe website.

It is also a good idea to read through my guide on WordPress Security to check your site isn’t vulnerable to hackers.

2: Collecting, Processing, and Storing Data

This section is comprised of three elements, and they include the Right to Access, Right to be Forgotten, and Data Portability—each of which is a requirement of the GDPR.

(a) The Right to Access: Users have complete transparency regarding data processing and storage. What this means is they know what is being collected, what is being processed, what is being stored, and why all of this information is being collected, processed, and stored. Copies of all of this data will also be provided to each user.

(b) The Right to be Forgotten: Every user has the option to erase their personal data, as well as prevent the collection and processing of data from occurring again. To accomplish this, the user withdraws their consent for the use of their personal data during this process.

(c) Data Portability: This clause of the GDPR allows users the right to create a download of the personal data they’ve previously consented to so they can transmit it to another party.

The purpose of these privacy rights is to ensure controllers enforce a data policy under which only critical data is processed and stored. When site owners limit the number of data access points, as well as adopt safer policies for data, their site becomes safer.

It’s your responsibility as a WordPress site owner to publish a privacy policy and cookie policy detailing which personal data points you’re using, as well as how you’re processing and storing them.

For this I currently use Iubenda which creates a Cookie Policy and Privacy Policy for you and makes it very easy to highlight which tools you are using which may collect personal data.

The next step is setting up a means for providing users with copies of their data. Many site owners find this step the most challenging. However, tools and plugins are available to help provide solutions.

Some WordPress site owners avoid the use of data storage completely. Under some circumstances, for example, it may be a better option to set up contact forms so they forward directly to your email, rather than storing communications on the website server.

Another thing you need to make sure is that your web hosting provider is offering a GDPR compliant service – to date I know the following web hosts have confirmed their compliance:

WP Engine (review) - a premium WordPress hosting company

BlueHost (review) - a reliable US hosting company with affordable pricing

SiteGround (review) - a web hosting provider with data centres all over the world

Implications of Using WordPress Plugins and GDPR Compliance

When using WordPress plugins, it’s critical that you ensure they’re GDPR compliant. Because you’re the WordPress site owner you have the responsibility of ensuring everything you use for your site, including its plugins, comply with GDPR rules regarding exporting, providing, and erasing user data.

Because it’s the nature of the development of some plugins to collect user data, this reality could make it tough to use some on your WordPress site. It raises the question, how do these plugins become GDPR compliant?

When using a WordPress plugin, even when approaching its use from the perspective of a WordPress site owner, the same rules apply. Every plugin must provide information about how it processes data, as well as show how it establishes its data flow. Developers can help make the plugins GDPR compliant by adding an addendum that site owners can add to their terms of service.

Currently only a handful of plugin providers have published their GDPR compliance, as Jetpack has. WordPress’s other popular plugin developers haven’t commented with updates concerning their work toward becoming GDPR compliant.

Be careful when utilizing what seems like a simple tool sitting outside of the WordPress website like, for example, email marketing tools. Previously, we would commonly integrate these tools into our WordPress websites and send out promotional emails based on email lists. Sometimes these email addresses, depending on how you operate your newsletters and directories, may not have been obtained by obtaining explicit user consent.

An example of not receiving user consent is a checkbox that is ticked by default, which is a violation of GDPR. When it comes to GDPR, everything concerning your online business must include the collection of explicit consent and providing a detailed privacy policy. Other implications include the fact that you may be sending out emails to recipients illegally if there’s a default checkbox because no one explicitly requested to receive these messages from you.

Does WordPress Follow GDPR Compliancy Regulations?

The simple answer is, “yes.” With the WordPress 4.9.6 update, the core software is compliant. The core team took steps to ensure they added many GDPR enhancements to ensure GDPR compliancy for WordPress. When we talk about WordPress, we’re discussing the self-hosted sites, and it’s important to have that understanding.

With that in mind, because of how dynamic every website is, no single plugin, solution, or platform can provide 100% GDPR compliance. Based on the type of website you’re operating, the GDPR process is going to vary. This includes how you process the data on your site, as well as what kind of data you’re storing and collecting.

By default, the following GDPR enhancement tools are available on WordPress 4.9.6 and later versions:

1: Comments Consent:

Previously, by default, WordPress would store a commenter’s name, email address, and website URL as a cookie on the browser of the user. That way, the user could easily navigate their favorite blogs and leave comments because the fields would remain pre-populated for them. Many users loved this feature because it allowed them to freely surf their favorite blogs and easily communicate similarly to using social media. However, other users took issue with this tactic and viewed the use of cookies as a privacy issue that took away from their ability to be anonymous.

However, now that GDPR requires consent, there’s a consent checkbox available on comments. This allows users to leave a comment without checking the box if they choose. When the user returns to the comment section on that blog, this means they’ll have to manually re-enter this information each time they would like to make a comment. Users can input as much or as little information as they would like and, if they would like to save the information, it’s their choice.

For those who are unable to see this checkbox on the comment areas of their WordPress themes, it’s essential to make sure you’re using WordPress 4.9.6 or a later version, as well as the most up-to-date version of your theme. When testing the theme, make sure you are logged out to see if the check-box is present. Continue troubleshooting the issue until you can see the checkbox in the comments area.

2: Erase and Data Export Feature

It’s possible for the WordPress site owner to comply with the data handling requirements set by GDPR, as well as honor a user’s personal data export request. A request for personal data removal is also possible. When you go to the Tools Menu in the WordPress Admin area, you can accomplish these data handling goals.

For those who are unable to see this feature you must, again, ensure you’re using WordPress 4.9.6. This update will allow you to export data, email it to users upon request, and delete personal data right from the admin area.

3: Generating a Privacy Policy

A built-in privacy policy generator is available through WordPress. For those who are unsure how to write a privacy policy, a pre-made template is available. The template will provide you with guidance regarding additional information you should include. This effort will allow you to become more transparent with users visiting your site regarding the storage and handling of their data.

Keep a copy of the privacy policy linked to the bottom of every page of your WordPress website, in the FAQ section of your site, as well as linked to your Terms of Service. When users have multiple places to find your privacy policy, you are less likely to be found out of compliance. Keep a .pdf copy on your hard drive, as well, so it can be emailed to users upon request. You can also have a printable copy available on your site as an added convenience for your users.

The combination of these three elements is enough to ensure your WordPress site is GDPR compliant. There are additional features, however, that you will also need to ensure compliance. Again I highly recommend iubenda for this.

How GDPR Impacts Other Areas of Your Website

Depending on what type of website you’re operating, you may be using a host of WordPress plugins to process or store data like analytics, contact forms, email marketing, memberships, an online store, and more. Not only does this help your website run more smoothly, but the use of these plugins could also help your business operate more efficiently as well.

Figuring out which areas of your website are GDPR compliant is a challenge, but it isn’t impossible. Some of the tools you’re using are already GDPR compliant, so there’s no need to worry. We’re going to look at some of the most common tools that need addressing on your WordPress website:

1: Google Analytics

Collecting website stats is common for most website owners through the use of Google Analytics. Under most circumstances, this means you’re also collecting data like cookies, IP addresses, user IDs, and other information. You must do the following to ensure you’re GDPR compliant:

(a) Before processing and storage occur, anonymize the data. When you anonymize data, it means you’re undergoing an encryption process as a means of establishing privacy for your users. This process removes all personally identifiable information found on data sets.

(b) An overlay can be added to the site asking all site users to consent to the use of cookies before any tracking occurs. It will automatically alert users to the use of cookies.

It’s easier to achieve these goals if you use a WordPress plugin called MonsterInsights, one of the most popular Google Analytics plugins available for WordPress. Otherwise, it could become difficult for those who are manually pasting Google Analytics code into their site.

2: Opt-in Forms for Email Marketing

These forms are similar to contact forms in that you must collect explicit consent from site users. Whether you use a pop-up form, an in-line form, a floating bar, or any other type of opt-in form, you cannot add anyone to your list without explicit consent. Without explicit consent, your website is not GDPR compliant.

You can achieve this goal by:

(a) Including a check-box so a user can manually check before opting-in

(b) Requiring users to “double” opt-in to your mailing lists to make sure they want to join

To help ensure your email opt-in forms are compliant, lead generation solutions including OptinMonster (review) and Sumo have added GDPR consent checkboxes and many other features.
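The two measures above, an explicit checkbox and a double opt-in, sketched as an added example (not code from this guide or from any plugin it names). The secret, the 48-hour confirmation window, the form field names and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Assumption: a per-site secret stored outside the web root (constructed value).
SECRET = b"constructed-demo-secret"
TOKEN_TTL = 48 * 3600  # assumed lifetime of the confirmation link, in seconds

pending = {}      # email -> consent record waiting for confirmation
subscribers = {}  # email -> confirmed consent record (the audit trail)


def _sign(email: str, expires: int) -> str:
    """HMAC over the address and expiry so the link cannot be forged or edited."""
    msg = f"{email}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def subscribe(form: dict, now: int) -> Optional[str]:
    """Step (a): accept the form only if the visitor ticked the box themselves."""
    email = form.get("email", "").strip().lower()
    # An unticked checkbox is simply absent from the submitted form, so a
    # missing field means no consent. The form must never pre-tick it.
    if form.get("consent") != "on" or "@" not in email:
        return None
    expires = now + TOKEN_TTL
    # Record when consent was given and the wording the visitor saw.
    pending[email] = {"consent_at": now, "wording": form.get("consent_text", "")}
    return f"{email}|{expires}|{_sign(email, expires)}"


def confirm(token: str, now: int) -> bool:
    """Step (b): the link in the confirmation e-mail completes the opt-in."""
    try:
        email, expires_s, sig = token.rsplit("|", 2)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    # Constant-time comparison of the signature.
    if not hmac.compare_digest(sig.encode(), _sign(email, expires).encode()):
        return False
    # Expired links and already-used links are both rejected.
    if now > expires or email not in pending:
        return False
    record = pending.pop(email)
    record["confirmed_at"] = now
    subscribers[email] = record
    return True
```

Nothing is added to the mailing list until `confirm` succeeds, and the stored record keeps both timestamps as evidence of consent.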

3: E-commerce

The most popular e-Commerce WordPress plugin is WooCommerce and, if you’re using this, it’s critical that you ensure it’s GDPR compliant. A comprehensive guide from the WooCommerce Team is available to those who operate a store and need to become GDPR compliant.

Is One WordPress Plugin Better Than Another?

Some WordPress plugins are regularly updated and will help you with the GDPR process, while others will automate some aspects of compliance for you. It’s important to understand, however, that because websites differ so significantly from each other, it’s impossible for plugins to offer 100% compliance.

With that in mind, a red flag should go up automatically if you see a plugin stating it can offer 100% GDPR compliance. Under most circumstances, the developers are inexperienced with the laws, and it’s in your best interest to avoid them.

Some plugins will help you through the GDPR compliance process, though, and these are recommended:

1: Iubenda: This plugin will add an EU cookies notice and Privacy policy to your site

2: Delete Me: Users can automatically delete their profile using this free plugin. This plugin is useful for site owners who would like to offer immediate gratification for their users without the worry of stepping outside of GDPR compliance.

3: MonsterInsights: Use this EU compliance add-on if you’re using Google Analytics to streamline the process. It’s much easier to use this plugin than it is to enter the Google Analytics code manually into your WordPress website. You’re less likely to make a mistake, and you can embrace all of the features easier.

4: OptinMonster: Boost conversions with clever targeting features using this advanced lead generating software that is GDPR compliant.

5: Shared Counts: Static share buttons display share counts using this plugin, rather than using tracking cookies on a default share button.

6: Contact Form 7: GDPR fields and features are available on this user-friendly contact form plugin. It’s considered one of the most popular and user-friendly WordPress plugins available.

In Conclusion

Because May 25, 2018 has already gone by, steps must be taken to make your WordPress website GDPR compliant now. If you have already begun taking measures to ensure it’s compliant, it’s your responsibility to make sure your WordPress site and its themes are up-to-date to ensure your site remains compliant moving forward. If you’re worried because you’ve already missed the deadline, this is no cause for panic. It just means that you must be diligent regarding working toward achieving this goal immediately.

The likelihood of receiving a fine immediately from the European Union is low because their website indicates they’re issuing warnings as their first step. It isn’t until the last step that they begin issuing fines because they are certain the website isn’t going to comply with the law.

Keep in mind that the EU isn’t working toward becoming anyone’s enemy. That’s the last thing on anyone’s mind in the European Union. It’s their goal to protect the consumer’s data and help users trust online businesses again. These standards are essential as the world continues transitioning towards one that is digital. Because more businesses are turning toward digital commerce and away from brick-and-mortar, it’s critical for them to garner the trust of consumers and harness this.

Retaining consumers, as well as their trust, is an on-going challenge for many businesses and corporations, no matter their size, due to the on-going threat of personal information being stolen, misused, or other breaches occurring. Global adoption of these standards is critical considering the number of data breaches occurring.

Your business will grow as a result of consumers feeling more confident about using sites, the use of their data, and enforcement of privacy terms. When consumers feel this boost in confidence and your business experiences growth, it’s your responsibility to continue acting accordingly. You must still provide them with optimal privacy standards and solutions.

Key Steps to Consider to Maintain GDPR Compliance

• Learn the key articles and concepts regarding GDPR
• Follow the steps for GDPR compliance following May 25, 2018
• Make all the necessary adjustments to your WordPress website
• Know every other GDPR compliance issue that could be a problem
• Audit and monitor your WordPress website each time it updates, including themes

Jamie Spencer

My name is Jamie Spencer and I have spent the past 10 years building money making blogs. After growing tired of the 9-5, commuting and never seeing my family I decided that I wanted to make some changes and launched my first blog. Since then I have launched lots of successful niche blogs and after selling my survivalist blog I decided to teach other people how to do the same.
