The Complete WordPress GDPR Guide: What Does the New Data Regulation Mean for Your Website, Business and Data?

TL;DR: The GDPR is a new regulation by the EU. It changes a lot regarding how each and every WordPress site goes about its business. Even non-EU-based sites and businesses are affected. You have less than a year to make your WordPress site GDPR compliant. Otherwise you’re facing serious fines – up to €20 million.

On 25th May 2018, the GDPR (General Data Protection Regulation) enacted by the EU will come into effect. Is your WordPress website GDPR compliant? What steps must you take to ensure that you follow the guidelines? What if you neglect this?

This post will help you in your endeavor to be ready when the regulation kicks in.

  • First, we’re going to talk in detail about the GDPR guidelines, the specific areas of your business that the guidelines affect, and why you should be concerned about WordPress GDPR compliance.
  • Next, we will cover the basics of making a WordPress site compliant with the guidelines.
  • Finally, we will discuss the implications of the use of plugins on your WordPress site and how your GDPR compliance might be affected.


What is GDPR?

Disclaimer. This post is not legal advice. We’re not lawyers.

GDPR stands for General Data Protection Regulation and it is a new data protection law in the EU, which comes into force in May 2018.

The aim of the GDPR is to give citizens of the EU control over their personal data, and change the approach of organizations across the world towards data privacy.

The GDPR provides much stronger rules than existing laws and is much more restrictive than the “EU cookie law.”

For instance, users must confirm that their data can be collected; there must be a clear privacy policy showing what data is going to be stored and how it is going to be used; and users must have the right to withdraw their consent to the use of personal data (consequently having the data deleted), if required.

The GDPR law applies to data collected about EU citizens from anywhere in the world. As a consequence, a website with any EU visitors or customers must comply with the GDPR, which means that virtually all websites and businesses must comply.

To better understand the regulation, take a look at the publication of the regulations in the Official Journal of the European Union, which defines all terms related to the law. There are two main aspects of the GDPR: “personal data” and “processing of personal data.” Here’s how it relates to running a WordPress site:

  • personal data pertains to “any information relating to an identified or identifiable natural person” – like name, email, address or even an IP address,
  • whereas processing of personal data refers to “any operation or set of operations which is performed on personal data”. Therefore, a simple operation of storing an IP address on your web server logs constitutes processing of personal data of a user.

Should GDPR be taken seriously?

Webmasters have until May 2018 to comply with the regulations set by the GDPR. The penalty for non-compliance can be 4% of annual global turnover, up to a maximum of €20 million.

There are various slabs of penalties according to the seriousness of the breach, which have been described in the FAQ section of the GDPR portal.

Such a high amount in penalties has been proposed to increase compliance. However, one may wonder what steps for the supervision of websites are in place. Supervisory Authorities (SA) of different member states are going to be set up, with the full support of the law. Each member state may have multiple SAs, depending on the constitutional, administrative and organizational structures. There are various powers that SAs will have:

  • carry out audits on websites,
  • issue warnings for non-compliance,
  • issue corrective measures to be followed with deadlines.

SAs have both investigative and corrective powers to check compliance with the law and suggest changes to be compliant.

It is too early to speculate how SAs of various member states would interlink and work together, but one aspect is clear: SAs would enjoy considerable power to enforce the GDPR guidelines.

Six months after the guidelines were released, PwC surveyed 200 CXOs of large US firms to assess the impact of the GDPR guidelines. The results revealed that a majority of the firms had taken up the GDPR guidelines as their top data protection priority, with 76% of them prepared to spend in excess of $1 million on GDPR. This shows that, owing to a substantial presence in the EU, large corporations are taking GDPR compliance seriously.


The details of your WordPress GDPR compliance

Okay, so with all the official information out of the way, let’s take a moment to talk about how to make sure that your website is compliant and that you won’t experience any WordPress GDPR problems.

Before you move on to each of the aspects and how to comply with them, a security audit on your WordPress site should, in general, reveal how data is being processed and stored on your servers, and steps that are required to comply with the GDPR. The Security Audit Log plugin can help you perform a security audit on your website.

Some usual ways in which a standard WordPress site might collect user data:

  • user registrations,
  • comments,
  • contact form entries,
  • analytics and traffic log solutions,
  • any other logging tools and plugins,
  • security tools and plugins.

Here are some key aspects of the WordPress GDPR that users need to take care of:

(a) Breach notification

Under the GDPR compliance, if your website is experiencing a data breach of any kind, that breach needs to be communicated to your users.

A data breach may result in a risk for the rights and freedoms of individuals, due to which notifying users in a timely manner becomes necessary. Under the GDPR, a notification must be sent within 72 hours of first becoming aware of a breach. Data processors are also required to notify users as well as the data controllers, immediately after first becoming aware of a data breach.

In a WordPress scenario, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. However, the complexity here is the definition of the term “user” – it may constitute regular website users, contact form entries, and potentially even commenters.

This clause of the GDPR thus creates a legal requirement to assess and monitor the security of your website. The ideal way is to monitor web traffic and web server logs, but a practical option is to use the Wordfence plugin with notifications turned on. In general, this clause encourages one to use the best security practices available to ensure data breaches do not occur.

(b) Data collection, processing and storage

Three elements of this: Right to Access, Right to Be Forgotten and Data Portability.

  • The right to access provides users with complete transparency in data processing and storage – what data points are being collected, where these data points are being processed and stored, and the reason behind the collection, processing and storage of the data. Users will also have to be provided a copy of their data free of cost within 40 days.
  • The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their personal data to be used.
  • The data portability clause of the GDPR provides users a right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller.

Privacy by design encourages controllers to enforce data policies which enable the processing and storage of only that data which is absolutely necessary. This encourages site owners and controllers to adopt potentially safer policies for data, by limiting the number of data points that are collected and who has access to them.

As a WordPress site owner, you first need to publish a detailed policy on which personal data points you’re using, how they are being processed and stored.

Next, you need to have a setup to provide users with a copy of their data. This is perhaps the most difficult part of the process. However, we can assume that when the time comes, most plugin developers or tool developers – for the tools and plugins that you have on your site – will have already come forward with their own solutions to this.

It is still advised, however, to have a system in place to derive the required data out of your database.

Further, it may be wise to avoid data storage altogether in certain cases. For instance, contact forms could be set up to directly forward all communication to your email address instead of storing them anywhere on the web server.
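As an added example (not code from this post or from WordPress itself), here is a minimal “right to access” export and “right to be forgotten” erasure covering the data WordPress core holds about one e-mail address: the account, its usermeta, and comments (including guest comments). It assumes it is called from inside WordPress and only after the requester’s identity has been verified; data kept by plugins in their own tables is not covered and has to be handled per plugin.

```php
<?php
// Added example, not code from the post or from WordPress core: a minimal
// "right to access" export and "right to be forgotten" erasure for the data
// WordPress itself holds (wp_users, wp_usermeta, wp_comments). Assumes it is
// called from inside WordPress (wp-load.php loaded) and only after the
// requester's identity has been verified. Plugin-owned tables are not covered.

function gdpr_export_personal_data( $email ) {
    global $wpdb;
    $export = array( 'email' => $email, 'account' => null, 'comments' => array() );

    $user = get_user_by( 'email', $email );
    if ( $user ) {
        $meta = array();
        // get_user_meta() without a key returns every row, including plugin data.
        foreach ( get_user_meta( $user->ID ) as $key => $values ) {
            $meta[ $key ] = maybe_unserialize( $values[0] );
        }
        $export['account'] = array(
            'login'      => $user->user_login,
            'display'    => $user->display_name,
            'registered' => $user->user_registered,
            'meta'       => $meta,
        );
    }

    // Match comments by e-mail so guest commenters are covered as well.
    $export['comments'] = $wpdb->get_results( $wpdb->prepare(
        "SELECT comment_ID, comment_author, comment_author_IP, comment_date, comment_content
           FROM {$wpdb->comments} WHERE comment_author_email = %s",
        $email
    ), ARRAY_A );

    return $export; // wp_json_encode( $export ) gives the portable copy
}

// Anonymise comments so threads stay readable, then delete the account.
// $reassign_posts_to: user ID that inherits any posts, so content is not lost.
function gdpr_erase_personal_data( $email, $reassign_posts_to ) {
    global $wpdb;
    $anonymised = $wpdb->update(
        $wpdb->comments,
        array( 'comment_author' => 'Anonymous', 'comment_author_email' => '',
               'comment_author_url' => '', 'comment_author_IP' => '', 'user_id' => 0 ),
        array( 'comment_author_email' => $email )
    );
    $user = get_user_by( 'email', $email );
    if ( $user ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user( $user->ID, $reassign_posts_to );
    }
    return (int) $anonymised; // number of comments anonymised
}
```

Web server access logs and backups also hold the visitor’s IP address and must be covered by your retention policy separately; the code above only touches the database.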

(c) Use of plugins – implications of WordPress GDPR compliance

Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with the GDPR rules.

This can still mean some tough times for some of the most popular plugins out there. For instance, solutions like Gravity Forms or Jetpack have a lot of modules that collect user data by nature. How are those tools going to comply with the GDPR exactly?

For plugins too, the same rules apply, although they must be approached from the point of view of the WordPress site owner. Each plugin needs to establish a data flow and inform about the processing of personal data. If you are the developer of a plugin, consider providing users of your plugin an addendum that they may add to their website’s terms in order to make them GDPR compliant. Gravity Forms, for instance, needs to let the user know how personal data entered in a contact form is going to be processed, and provide an option to have it removed, if necessary.

Although there has been no official communication from the popular WordPress plugin developers, Jetpack’s Twitter handle has confirmed that they are preparing for the GDPR, and further updates would appear in their new privacy related features.

No other plugin seems to have released any statements related to this yet.

Also, here’s a short comment from our own Ionut Neagu – CEO of ThemeIsle and the person in charge of all the plugins available under ThemeIsle’s and Revive.Social’s brands:
GDPR looks like a really big change that we should all treat very seriously and look for solutions. If there’s one thing we learned from VAT, it’s that the EU is quite serious about those things. They keep introducing more and more regulations and then put new mechanisms in place to enforce them. Those 4% fines aren’t looking good.

Also, some tools that sit seemingly outside of your WordPress website will see the impact of this too. Take email marketing tools, for example. It’s a common practice to have those integrated with your WordPress website and to send promotional emails based on a list of email addresses. Depending on how you run your newsletters/lists, those addresses might not have been obtained by getting explicit consent from users.

For instance, a checkbox that’s selected by default would count as a violation. Under the GDPR, everything that’s part of your online presence as a business will need to explicitly collect consent and have a privacy policy in place. There are other implications too – if you wish to buy a mailing list, you would be sending emails illegally to the recipients, since no one explicitly asked to receive emails from you.
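As an added example (not code from this post), a newsletter sign-up that collects consent the way described above: the box is unchecked by default, a submission without it is refused, and a successful one returns a record of the consent to store next to the address. It assumes it runs inside WordPress; the function and field names are illustrative.

```php
<?php
// Added example, not code from the post: a newsletter sign-up that collects
// consent explicitly. The box is unchecked by default, a submission without it
// is refused, and a successful one records evidence of the consent (when,
// from which form, which policy version). Assumes it runs inside WordPress.

function gdpr_consent_form_html() {
    return '<form method="post">'
        . wp_nonce_field( 'newsletter_signup', '_wpnonce', true, false )
        . '<input type="email" name="email" required>'
        // No "checked" attribute: ticking the box must be the user's own action.
        . '<label><input type="checkbox" name="consent" value="yes"> '
        . 'Send me the newsletter (see the privacy policy)</label>'
        . '<button type="submit">Subscribe</button></form>';
}

// Returns a consent record to store next to the address, or a WP_Error.
function gdpr_handle_signup( array $post, $policy_version ) {
    if ( ! wp_verify_nonce( $post['_wpnonce'] ?? '', 'newsletter_signup' ) ) {
        return new WP_Error( 'nonce', 'Invalid form submission.' );
    }
    $email = sanitize_email( $post['email'] ?? '' );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'email', 'Invalid e-mail address.' );
    }
    // A pre-ticked box, silence or inactivity would not count as consent.
    if ( ( $post['consent'] ?? '' ) !== 'yes' ) {
        return new WP_Error( 'consent', 'Explicit consent is required.' );
    }
    return array(
        'email'          => $email,
        'consented_at'   => current_time( 'mysql', true ), // UTC timestamp
        'policy_version' => $policy_version,               // which text they agreed to
        'source'         => 'newsletter_signup_form',
    );
}
```

Keeping the policy version with each record lets you show later which wording the subscriber actually agreed to, and re-ask for consent when the policy changes.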

Although the final responsibility lies with the site owner, WordPress itself may have to look into its processes to become compliant as well. As of July 2017, a search for GDPR does not yield any results in the ideas page for WordPress, which suggests that there are no planned changes to the structure and working of WordPress. The only assigned change is the addition of a privacy policy for WordPress.

Final thoughts

To sum up what it means to make WordPress GDPR compliant:

  • the law comes into effect in May 2018,
  • it applies to any website that deals with personal information of EU users (read: all WordPress websites),
  • it gives the user the right to control the flow of their personal information,
  • there are defined processes to monitor compliance and huge fines are in place for non-compliance.

In a nutshell, to make your WordPress GDPR compliant, you should (1) look into all the different ways in which you’re collecting visitor data. Next, (2) put mechanisms in place to make sure that users can control their data. Additionally, (3) it’s probably a good idea to avoid collecting user data where it’s not necessary (like the contact form example from above). And most importantly of all, (4) even if you’re using third-party tools and solutions, you still need to make sure that those are GDPR compliant as well.

If you don’t have all of the above taken care of by May 2018, you’re in trouble.

Nonetheless, the GDPR regulation is the right step in ensuring transparency in the handling of data. Although this post has covered the basics of the GDPR, you may want to go through the regulation in detail if you have a profitable business running behind your WordPress website. Remember, non-compliance can be fined with up to €20 million or 4% of your global revenue.

Layout and presentation by Karol K.

  • callmeisaac

    They don’t have jurisdiction outside the EU unless there are bilateral agreements

    • Alessandro

      If your company operates on EU territory, either physically or digitally, you’ll have to comply. If not, other than the fine, your website might get closed/obscured and your business won’t be able to operate in the EU anymore. If you’re a business, it matters.

      • callmeisaac

        What does that mean? If the site is hosted somewhere else and the company is located somewhere else and an EU customer goes there and buys, and if there are no bilateral agreements in place, the EU has no jurisdiction.

        • Alessandro

          It’s the so-called “digital presence”, what’s so hard to understand? If you want to sell your product or service to European citizens on the European digital market, you have to respect the EU laws. Otherwise your website can be obscured in the EU. Every country has the right to block websites inside its territory. EU citizens will simply not see your website anymore, losing business from them. The fine is more complicated, but bilateral laws already exist between most western countries.

          • callmeisaac


          • Alessandro

            You might want to look into “geo blocking” before making yourself look like a fool 😉

          • pete preston

            The hostility! 😀 😀

  • Tinovaziva

    I have always been respectful of people’s private data. I don’t sell it. People just comment, and I send them emails if they are subscribers. If they unsubscribe I stop. I don’t know or care what this new law means because I don’t live in the EU. My country’s laws apply. This worrying trend by the EU and US thugs where they try to control everything like third world dictators sickens me. As far as I am concerned they can take these regulations/laws and shove them wherever.

    • These new laws are designed to reduce abuse from small and large actors who routinely take advantage of the magical world of information technology. It allows a user to have more awareness and control over what information is kept about them and who has access to it. Since large events like the Equifax breach and more are exposing more and more personal information (yes, I know it is a US event, not EU), it makes sense that new laws ensure that companies respect individuals and put in adequate measures to ensure security, privacy and communication.

  • andreas

    Are you aware of any EU-based web hosting companies who are already GDPR compliant?

  • I work for an agency – possibly a silly question, but who would be liable for GDPR compliance? Us or the client? I’m assuming the client since they own the website. I’m aware that we have a responsibility to our clients to make the websites GDPR compliant, but it is something that we as an agency would need to charge for – we’re not a charity after all :). If clients refuse to pay for the work required for GDPR compliance, but the website is hosted on servers that we have a contract for, would we then be liable?

  • Denise

    We are a small business with an information website and are now being charged £500.00 by our hosting company Media Orb to make this site GDPR compliant. This seems an excessive charge. What are other people charging for this?

    • Jakub Blažej

      That seems like too much to me, if you have only an info website with no comments and such.

  • John Dray

    Bit of a correction, the maximum fine is €20 million or 4% of your global annual revenue, WHICHEVER IS GREATER. (In other words, it is not limited to €20 million for really big companies and it is not limited to 4% of global annual revenue for small companies.)