WordPress Update GDPR

An important update to WordPress: GDPR and privacy

The latest WordPress release (4.9.6) is described as a privacy and maintenance release. Looking at the details of the release, the emphasis is clearly on privacy and, essentially, on getting ready for GDPR.

Here is a summary of the changes and what they mean:

People who leave comments can now decide whether or not they want their details saved

These days, many sites require people to log in to be able to leave comments, essentially so that they can keep comments on point and reasonable (and discourage spammers).

This is fine from the perspective of GDPR, but automatically saving a user’s details without their permission is no longer acceptable, even though a fair percentage of users are probably going to be comfortable with this as it saves them from needing to enter their details again. Because of this, the WordPress comment box now asks users if they want their details saved, which places it in alignment with GDPR’s “opt in rather than opt out” approach.

Enhancements to the privacy policy page

It’s now strongly recommended that businesses have an easy-to-access link to a page stating their privacy policy on every page of their website and, in order to be GDPR-compliant, that privacy policy must not only be reasonable but also written in terms the average person can understand, so that any consent given can be seen to be informed.

WordPress has included guidance on how they – and participating plugins – handle personal data, which may help to inform your privacy policy. This might also be a good moment to double-check which plugins you are using and make sure that they are all GDPR compliant, particularly if you are using more niche ones.

Data requests

To make it easier for site managers to comply with requests to see what data they hold on a data subject, WordPress now has a function that exports the data collected by WordPress itself and by participating plugins.

For added security, site managers can now send data subjects an email asking them to confirm the request by clicking on a link, essentially in the same way as people confirm requests to reset passwords.

While this is undoubtedly convenient, site managers should note that if they are using nonparticipating plugins, they will need to see what extra steps, if any, they need to take to provide data subjects with information on the data collected by these plugins.

Requests to be forgotten

WordPress now includes a simple tool to erase data collected by WordPress and participating plugins; again, site managers can send the data subject an email to confirm the request to be forgotten.

As above, this functionality only erases data collected by WordPress and participating plugins so if you are using extra plugins, you will need to ensure that you take appropriate steps to delete any data they hold on a data subject.
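As an added example (not code from the WordPress release or from this post), here is how a plugin registers with both tools so that the data it holds is covered by the export and erase requests described above; the survey table, its columns and the function names are hypothetical:

```php
<?php
// Added example: a plugin "participates" in the WordPress 4.9.6 export and erase tools by
// hooking the wp_privacy_personal_data_exporters / wp_privacy_personal_data_erasers filters.
// Exporter: WordPress calls this once per page until it returns 'done' => true.
function example_survey_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $table    = $wpdb->prefix . 'survey_answers'; // hypothetical table: id, email, answer
    $rows     = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, answer FROM {$table} WHERE email = %s LIMIT %d OFFSET %d",
        $email_address, $per_page, ( $page - 1 ) * $per_page
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        // Each item becomes a group/row in the personal data export file.
        $items[] = array(
            'group_id'    => 'survey-answers',
            'group_label' => __( 'Survey Answers', 'example-survey' ),
            'item_id'     => 'survey-answer-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Answer', 'example-survey' ), 'value' => $row->answer ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

// Eraser: same paging contract; reports what was removed and what was retained.
function example_survey_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'survey_answers', array( 'email' => $email_address ) );
    return array( 'items_removed' => (bool) $deleted, 'items_retained' => false,
                  'messages' => array(), 'done' => true );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-survey'] = array(
        'exporter_friendly_name' => __( 'Example Survey Plugin', 'example-survey' ),
        'callback'               => 'example_survey_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-survey'] = array(
        'eraser_friendly_name' => __( 'Example Survey Plugin', 'example-survey' ),
        'callback'             => 'example_survey_eraser',
    );
    return $erasers;
} );
```

A plugin that stores personal data but registers neither callback is exactly the "nonparticipating" case above: its records are silently left out of both the export and the erasure.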

Check each plugin’s information pages, check that it has been recently updated by its creator (for your security as much as anything), and be ready to choose alternative, compliant plugins if your existing favourites do not comply.