WordPress and the GDPR

If you are operating the popular content management system WordPress as your website and you process personal data on the site, there's no getting away from the General Data Protection Regulation (GDPR), which is being enforced across the European Union from 25th May 2018. Not just across the EU, but globally for any organisation processing the personal data of European citizens.

This site is here to guide you through understanding the legislation as it relates to WordPress.

Please note that the GDPR allows for country-specific derogations (changes/refinements), so it is important to check with the relevant supervisory authority.

There are five key questions to answer before going any further.

  1. Is the site being used solely for personal, domestic purposes and not generating an income?
  2. Is the information data as defined by the legislation? (Data)
  3. Is the data personal or special category personal data? (Personal Data/Special Category Personal Data)
  4. Who is responsible for deciding the way in which data is to be stored? (Data Controller)
  5. Are there any other organisations 'processing' the data? (Data Processor)

Let us help you straight away with the common answers and guidance.

  1. GDPR does not apply, but remember that any monetisation, such as affiliate marketing links, makes the site a business and GDPR then does apply.
  2. Without doubt the information is data under the legislation, as it is stored in an electronic/digital format in a database.
  3. Usually yes in all cases for personal data, but whether sensitive/special category personal data is involved depends on the setup. Personal Data is any information relating to an identifiable 'natural' person who can be directly or indirectly identified, in particular by reference to an identifier. So name, address and email are perhaps the more standard identifiers, but look at the definitions: they now include things such as IP address, genetic and biometric data, and also images. It's really important to understand this or you may get lost on your way through this website.

For WordPress, personal data can be either in the content of pages, posts, comments etc., or in user/member/subscription elements (or both), so you will need to clearly identify what you are processing and where it is being processed within your WordPress installation.

Even if you do not contemplate processing personal data, consider someone registering for your newsletter using firstname.lastname@company.x: could they be identified by the email address? Yes!

  4. The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data is the Data Controller. So if, for example, you are operating alone then it's you. If you are operating the website as part of a company then the company is the Data Controller.

  5. Any person (other than an employee of the data controller) who processes the data on behalf of the data controller. So if you are using a third party for email campaigns or ecommerce, that third party may be a Data Processor. In a similar way, your hosting provider (if you are not self-hosting your site) will be a Data Processor acting on your behalf.