GDPR compliance and WordPress

Written by Jonny in Technology

Since GDPR became law in 2018, businesses have continued to navigate its intricacies to ensure compliance. In this updated guide (April, 2024) tailored for WordPress users, we look at the nuances of GDPR compliance within the context of website management, recognising WordPress as a cornerstone platform.


In a nutshell, GDPR is all about consent – making sure you have explicit permission from people to use their personal data. The whole idea is to keep organisations from misusing sensitive information and push them to be upfront about how they handle data.

Why does GDPR matter for your website? 

Now that the Brexit transition is over, UK businesses have to navigate two versions of this data protection law. First up is the UK GDPR combined with the Data Protection Act 2018 – this covers personal data of UK residents. Then there’s the EU GDPR for handling data of EU citizens. Break the UK rules and you could be hit with fines up to £17.5 million or 4% of your global annual turnover – whichever is higher! The EU isn’t messing around either with potential €20 million (around £18 million) penalties.

But it’s not just about the fines. The data watchdog (ICO) can crack down in other ways too – warnings, bans on processing data, forcing you to fix errors, or blocking data transfers outside the country. Need more convincing? Just look at some of the eye-watering fines companies have had to pay for GDPR breaches.

The message is clear – get compliant or pay the price! Making sure your website follows GDPR isn’t just box-ticking, it’s about respecting people’s privacy and building trust.

So, what is personal data?

According to the Information Commissioner’s Office (ICO), personal data is: “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

Or, in simpler terms: 

“Personal data can be anything that allows a living person to be directly or indirectly identified. This may be a name, an address, or even an IP address. It includes automated personal data and can also encompass pseudonymised data if a person can be identified.” (Wired)

Basically, if it allows someone to be singled out, it’s personal data – including stuff like automated personal data and pseudonymised info.

GDPR also has some super-sensitive categories like trade union membership, religious beliefs, health info, and sexual orientation that come with extra rules, but we won’t get into all that here. You can read more about special category data here.

The key thing is – if you’re collecting ANY personal info through your website, you’re on the hook for protecting that data properly.

GDPR isn’t just a box to tick. It’s about actually respecting privacy and being accountable. At a minimum, you should:

Keeping Your WordPress Site GDPR-Friendly

Here are some practical tips for making sure your WP site follows GDPR best practices:

Privacy Policy

This needs to be crystal clear on what data you collect, how it’s stored/used, for how long, etc. If you want to use existing data for a new purpose, you must get explicit consent again.

You can view our data protection policy here for a real-life example.

TIP: The ICO publishes guidance on creating a privacy policy and what it should include.

WordPress Core

WP has Privacy tools built-in to help with privacy policies, honouring data requests, and getting consent. You can ask your developer to activate and set these up properly.
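As an added example (not from the original post, and not WordPress's own code), this is how a plugin hooks its own data store into those tools, so that an export or erasure request raised from the Privacy screen also covers it. The enquiries table and its columns are hypothetical.

```php
// Added example, not from the original post: hooking a custom table into the
// WordPress Core privacy tools. Table {prefix}enquiries and its columns are hypothetical.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-enquiries'] = array(
        'exporter_friendly_name' => 'Website enquiries',
        'callback'               => 'example_enquiries_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-enquiries'] = array(
        'eraser_friendly_name' => 'Website enquiries',
        'callback'             => 'example_enquiries_eraser',
    );
    return $erasers;
} );

// Export: return every enquiry stored against the requester's email address.
// Core calls this per page; 'done' => true says there is nothing more to fetch.
function example_enquiries_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, message, created_at FROM {$wpdb->prefix}enquiries WHERE email = %s",
        $email_address
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'enquiries',
            'group_label' => 'Website enquiries',
            'item_id'     => 'enquiry-' . $row->id,
            'data'        => array(
                array( 'name' => 'Sent',    'value' => $row->created_at ),
                array( 'name' => 'Message', 'value' => $row->message ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true );
}

// Erase: delete those rows and report the count so the request log shows what went.
function example_enquiries_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $removed = $wpdb->delete( $wpdb->prefix . 'enquiries', array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (int) $removed, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```

Once registered, the store appears under Tools > Export Personal Data and Tools > Erase Personal Data alongside the data WordPress already handles, such as comments and user profiles.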

Forms

The primary method you’ll use to collect personal data on your website is through forms. So it’s time to review any and all forms on your site. Only collect data you truly need, and have an unticked consent box linking to your policy.
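An added example (not part of the original post) of both halves of that advice in a WordPress form handler: an unticked box that links to the site's privacy policy page, and server-side validation that refuses to store anything without it and records when, and against which version of the policy, consent was given. The field names, the nonce action and the returned record layout are hypothetical.

```php
// Added example, not from the original post: an unticked consent box linking to
// the site's privacy policy, and a handler that refuses the submission unless it
// was ticked. Field names, the 'example_enquiry' nonce action and the record layout are hypothetical.
function example_consent_checkbox() {
    $policy = esc_url( get_privacy_policy_url() );   // the page chosen under Settings > Privacy
    // No 'checked' attribute: consent has to be an action the visitor takes.
    return '<label><input type="checkbox" name="consent" value="1"> '
         . 'I agree to my details being used as described in the '
         . '<a href="' . $policy . '">privacy policy</a>.</label>'
         . wp_nonce_field( 'example_enquiry', '_wpnonce', true, false );
}

// Returns the sanitised record to store, or a WP_Error explaining the refusal.
function example_handle_enquiry( array $post ) {
    if ( ! isset( $post['_wpnonce'] ) || ! wp_verify_nonce( $post['_wpnonce'], 'example_enquiry' ) ) {
        return new WP_Error( 'bad_nonce', 'Form token missing or expired.' );
    }
    // A missing field is not consent; neither is any value other than the one the box sends.
    if ( empty( $post['consent'] ) || '1' !== $post['consent'] ) {
        return new WP_Error( 'no_consent', 'Please tick the consent box.' );
    }
    $email = sanitize_email( $post['email'] ?? '' );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Please enter a valid email address.' );
    }
    // Keep only what the enquiry needs, plus evidence of when and to what the visitor consented.
    // The policy "version" is the last-modified time of the privacy policy page.
    $policy_page = (int) get_option( 'wp_page_for_privacy_policy' );
    return array(
        'email'          => $email,
        'message'        => sanitize_textarea_field( $post['message'] ?? '' ),
        'consent_at'     => current_time( 'mysql', true ),
        'policy_version' => (string) get_post_modified_time( 'U', true, $policy_page ),
    );
}
```

Recording the policy version alongside the consent timestamp is what lets you tell later whether a given record was collected under the current policy or needs fresh consent before reuse.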

Plugins

Many plugins, and WordPress itself, report telemetry data back to their motherships (usually the plugin author’s or wordpress.org’s servers). This data can include how a plugin is being used (e.g., the number of form entries or visits).

Plugin-enabled sites have the option to install plugins built by third-party services. As a site owner, you are responsible for ensuring that the plugins you install on your site handle data in a way that aligns with the GDPR. If you aren’t sure, you can contact the plugin developers directly to ask about their GDPR compliance.

WooCommerce

Here are our practical tips for WooCommerce site owners:

TLDR; For e-commerce, be careful with things like email marketing opt-ins, only collect order data you need, don’t keep customer data longer than necessary, and be ready to provide/delete personal data if requested.

Gravity Forms

By default, Gravity Forms records all form submissions into the WordPress database. Data retention and security should be your concern here. Who has access to your WordPress site’s dashboard, and do they understand the GDPR requirements for managing that data securely? How long do you store those form entries? Consider using a tool to automatically delete entries after a month or immediately if you do not wish to store submissions on your site.

As mentioned above, review your forms and ensure each relevant form has a tick box linking to your privacy policy.

From Gravity Forms 2.4, you can set a Retention Policy to Retain, Trash, or Delete entries after a set number of days. This is available in the Personal Data tab in the Form Settings. You can read Gravity Forms’ approach to GDPR in detail here.

Simple History

We use the Simple History plugin on some client sites to record WordPress activity. This tool enables WordPress Administrators to audit activity on a site—it records events such as who’s logged in, who’s editing posts, and who’s activating plugins. It’s a great tool for auditing, but it also retains user data—this is especially important if your customers log in to your site, as it’ll be recording data from them.

By default, it will delete it after 60 days, but this setting can be changed with some code, so it’s worth checking that you’re retaining data only for the period you need it.

Contact Form 7

By default, Contact Form 7 does not record form entries. However, if you have the database extension installed, it will retain data, and you should consider retention and security.

Review your forms and ensure each relevant form has a tick box linking to your privacy policy.

Google Analytics

Google Analytics 4 (GA4) is the latest evolution of Google’s analytics service, designed to track website and app traffic and user engagement. GA4 was released back in October 2020 and officially took over as Google’s default analytics service on July 1, 2023, waving goodbye to the old Universal Analytics we all knew and loved.

What sets GA4 apart? Well, it’s all about privacy. Its new privacy features are designed to keep your data safe and sound, making it easier to comply with regulations like GDPR.

Another clever feature is its default IP anonymisation setting. Translation: it doesn’t store users’ IP addresses by default, giving you an extra layer of privacy protection and making GDPR compliance that much easier!

Penetration testing your WordPress site

At 10 Degrees, we understand the importance of safeguarding personal data, particularly for clients in sensitive sectors like education. That’s why some clients opt for penetration testing—it’s the gold standard for making sure your data security is up to scratch.

So, what’s penetration testing all about? Think of it as putting your defences through their paces. Even if your regular vulnerability testing looks squeaky clean, penetration testing digs deeper. It’s like having ethical hackers on your side, using automated tools or good old-fashioned manual testing to simulate cyber threats. The end result? A thorough check-up on your cloud security and web app integrity.

Penetration testing gives us insights into potential weaknesses that we can act upon to strengthen defences against real-world threats.

Considerations of the future

The proposed European AI Act is a big deal for handling technology and data. It splits AI into three groups based on how risky it is. Critical elements, like government-run social scoring, are banned. Things like CV-scanning tools have extra rules to follow because they’re deemed high-risk. Some uses are considered lower risk and, therefore, less regulated.

WordPress developers really need to pay attention and adapt to these new rules as they come out, to make sure we all follow them while using AI technology.

What to do in case of a data breach

If you think there’s been a data breach on your WordPress site, it’s important you act quickly! According to guidance from the ICO, any breach that could risk individuals’ rights and freedoms must be reported immediately – that means within 72 hours of finding out about it. And if you miss that deadline? Well, you better have a good excuse handy.

Here’s a step-by-step of what to do:

  1. Assess the Situation: Investigate the breach to understand its scope and impact. Identify what data has been compromised and how it occurred. This may involve reviewing access logs, server records, and user activity.
  2. Containment: Take immediate steps to contain the breach and prevent further unauthorised access. This could involve temporarily shutting down affected systems, resetting compromised passwords, or isolating compromised areas of your website.
  3. Notify Relevant Parties: Depending on the nature and severity of the breach, you may need to notify affected individuals, your website hosting provider and other relevant stakeholders. Be transparent about what happened and provide guidance on steps they can take to protect themselves.
  4. Document Everything: Keep thorough records of the breach, including the initial discovery, investigation findings, actions taken, and communications with relevant parties. This documentation will be valuable for any follow-up inquiries or investigations.
  5. Review and Improve Security Measures: After addressing the immediate aftermath of the breach, conduct a comprehensive review of your website’s security measures. Identify any weaknesses or vulnerabilities contributing to the breach and implement enhancements to prevent future incidents.

By following these steps and adhering to the ICO’s reporting requirements, you can effectively respond to a data breach on your WordPress site, mitigate its impact, and bolster your website’s security for the future.

If you’re looking for reliable support to keep your website secure and compliant, or if you’d like further advice on GDPR compliance with your WordPress site, get in touch for a chat!

Further information: small businesses and charities can telephone the Information Commissioner’s Office for advice.

Footnote

We are not legal experts; this blog post does not constitute legal advice.

The Author

Jonny Vaughan

Founder & Technical Director of 10 Degrees. Jonny's day to day focus is on determining the best technical solutions for our clients, driving technical innovation and leading our sustainability agenda.
