As a child I can remember my parents explaining the importance of knowing my tables. Yes, at that age they were referring to my multiplication tables and mathematics. In this digital age the sentiment is the same, but the subject matter now relates to database tables, in particular those of WordPress in the new world of the General Data Protection Regulation (GDPR): specifically, which tables have fields that can store, and so ‘process’, personal data.

Information You Hold

As part of the updated guidance from the UK regulator, the Information Commissioner's Office (ICO), “Preparing for the GDPR”, I noted carefully step 2, “Document what Personal Data you Store”, and used this as part of my ongoing information audit/data mapping exercise. While I am based in the UK, the sentiment applies to any website processing personal data of EU citizens.

To assist, I set up a new instance of WordPress, changing the default database table prefix to ‘xyz_’, and proceeded to populate the site with every possible option: pages, posts, comments, new users, different roles, etc. I then queried the database tables to see exactly what had been stored and where. Doing this has enabled me to apply ‘comments’ to the WordPress tables themselves, resulting in the graphic below.

There are two assessments within the comments: first, whether the table is likely to process personal data (processing being just about anything you can think of doing with such data, including storage, retrieval, etc.); and secondly, if the table were to store personal data, how easy it would be to export it or provide the information back to the individual (the ‘Data Subject’) in response to a subject access request.

GDPR – Personal Data

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

So the ‘GDPR – Personal Data’ comment merely highlights that, depending on how a WordPress site is set up, the table has the functionality to process personal data.

Data Subject Access Requests

The second consideration was the ability to handle requests from data subjects and to evaluate any process for doing so, providing the data in a commonly used electronic format (assuming the request was made by electronic means and the data subject has not stipulated otherwise).

So the ‘DSAR ..’ section of the comments indicates that the functionality exists, albeit as a screenshot rather than a dedicated export option, and that multiple searches would possibly have to be undertaken to satisfy the requirement.

_posts

This table predominantly stores all the site content in the ‘post_content’ field. It is the one I may have to highlight over and over again in the coming months as the field most likely to store personal data that could identify or relate to a living individual (a natural person under GDPR) but will not necessarily be their name, address, email, etc. One to watch!
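As an added example that is not part of the original post, the two-part comment scheme described above can be recorded directly on the tables as MySQL table comments, and the DSAR lookup across the core tables (including ‘post_content’) run as a single query. Table names follow the ‘xyz_’ prefix from the post; the comment wording and the email address are constructed placeholders, and a MySQL/MariaDB backend is assumed.

```sql
-- Record the assessment as table comments (wording is illustrative).
ALTER TABLE xyz_users
  COMMENT = 'GDPR - Personal Data: yes (login, email, URL, display name). DSAR: Users screen, no export';
ALTER TABLE xyz_usermeta
  COMMENT = 'GDPR - Personal Data: likely (first/last name, description, plugin fields). DSAR: profile screen';
ALTER TABLE xyz_comments
  COMMENT = 'GDPR - Personal Data: yes (author name, email, IP, URL, content). DSAR: Comments screen search';
ALTER TABLE xyz_posts
  COMMENT = 'GDPR - Personal Data: possible in post_content. DSAR: admin search, multiple searches';
ALTER TABLE xyz_postmeta
  COMMENT = 'GDPR - Personal Data: possible (custom fields). DSAR: per-post edit screen only';
ALTER TABLE xyz_options
  COMMENT = 'GDPR - Personal Data: admin email, plugin settings. DSAR: Settings screens';

-- Read the assessment back for every table carrying this site's prefix.
SELECT TABLE_NAME, TABLE_COMMENT
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME LIKE 'xyz\_%';

-- Locate everything tied to one data subject for a subject access
-- request. The address below is a constructed placeholder.
SET @dsar_email = 'subject@example.com';
SELECT 'xyz_users' AS source_table, ID AS row_id, user_email AS matched
  FROM xyz_users WHERE user_email = @dsar_email
UNION ALL
SELECT 'xyz_usermeta', um.umeta_id, um.meta_value
  FROM xyz_usermeta um JOIN xyz_users u ON u.ID = um.user_id
  WHERE u.user_email = @dsar_email
UNION ALL
SELECT 'xyz_comments', comment_ID, comment_author_email
  FROM xyz_comments WHERE comment_author_email = @dsar_email
UNION ALL
SELECT 'xyz_posts', ID, post_title
  FROM xyz_posts WHERE post_content LIKE CONCAT('%', @dsar_email, '%')
UNION ALL
SELECT 'xyz_postmeta', meta_id, meta_key
  FROM xyz_postmeta WHERE meta_value LIKE CONCAT('%', @dsar_email, '%');
```

The last query only finds rows that contain the email address itself; free text in ‘post_content’ that identifies a person by other means still needs a manual review.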

Work In Progress

The research continues and results will be shared as soon as possible.

It has not included any plugins that may create custom tables within WordPress, but they will need to be taken into consideration in your preparation for compliance with the GDPR.