An important update to WordPress: GDPR and privacy
The latest WordPress release (4.9.6) is described as a privacy and maintenance release. Looking at the details of the release, the emphasis is clearly on privacy and, basically, on getting ready for GDPR.
Here is a summary of the changes and what they mean:
People who leave comments can now decide whether or not they want their details saved
These days, many sites require people to log in to be able to leave comments, essentially so that they can keep comments on point and reasonable (and discourage spammers).
This is fine from the perspective of GDPR, but automatically saving a user’s details without their permission is no longer acceptable, even though a fair percentage of users are probably going to be comfortable with this as it saves them from needing to enter their details again. Because of this, the WordPress comment box now asks users if they want their details saved, which places it in alignment with GDPR’s “opt in rather than opt out” approach.
To make it easier for site managers to comply with requests to see what data they hold on a data subject, WordPress now has a function that allows for the export of data collected by WordPress itself and by participating plugins.
For added security, site managers can now send data subjects an email asking them to confirm the request by clicking on a link, essentially in the same way as people confirm requests to reset passwords.
While this is undoubtedly convenient, site managers should note that if they are using non-participating plugins, they will need to see what extra steps, if any, they need to take to provide data subjects with information on the data collected by these plugins.
Requests to be forgotten
WordPress now includes a simple tool to erase data collected by WordPress and participating plugins; again, site managers can send the data subject an email to confirm the request to be forgotten.
As above, this functionality only erases data collected by WordPress and participating plugins so if you are using extra plugins, you will need to ensure that you take appropriate steps to delete any data they hold on a data subject.
Check each plugin’s information pages, check that it has been recently updated by its creator (for your security as much as anything), and be ready to choose alternative, compliant plugins if your existing favourites do not comply.