WordPress GDPR Compliance – What You Need to Know and What You Need to Do!

ESPRESSO.digital - WordPress GDPR Compliance

WordPress GDPR Compliance – What You Need to Know and What You Need to Do!


ESPRESSO.digital - WordPress GDPR Compliance - Are You Ready?

Are You Ready for GDPR?

It is less than one month away, yet many business and website owners are still not fully aware of the upcoming General Data Protection Regulations (GDPR) and how they affect their business and online presence. And that could cause big problems very soon. Here at the highly caffeinated agency we have been following this for a while. Since we have a European presence we must be in compliance ourselves. And to help other business owners and webmasters here is what you should know about WordPress GDPR compliance.

What is the GDPR?

The General Data Protection Regulation, or GDPR, is pretty complex, and the purpose of this post is not to go into every little detail of it. Simply put, the General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR will come into effect across the EU on May 25, 2018.

What is Data Protection?

If you are not quite sure what data protection means or entails you should check out this great infographic that explains all the different areas of data protection, how it applies to GDPR, and what they mean for you and your business and online presence. Better safe than sorry, right?

To Whom Does GDPR Apply?

There is a common belief that simply because you, your business, and therefore your website, are located in North America the GDPR does not apply to you. This belief is incorrect, and if you persist with it you are going to be in big trouble! Simply put, the GDPR applies to everyone! If you have a website that an EU resident can visit, you’re affected!

Read this carefully: The GDPR applies to businesses, non-profits, government agencies, and other organizations. It applies to organizations in the EU, organizations that offer goods and services to EU residents, and any organization that collects data on EU residents. In other words, everyone. No matter what the purpose of your website, it has a global audience.

So, you don’t think you actually get website visitors from the EU? Here is an easy test for you! Simply check your Google or WordPress Jetpack analytics from time to time and see how many visitors you receive from EU countries. The numbers may surprise you. And once again, even if you only get a single visitor from the EU you need to be aware of WordPress GDPR compliance!

What Does GDPR Mean for Your WordPress Site?

As a WordPress website owner, you have three basic responsibilities you must fulfill for your website visitors:

  1. Right to Access
  2. Right to Be Forgotten
  3. Data Portability

To get started please answer these questions about your WordPress website, and how it collects visitor information:

  1. Do you have a contact form, or any other form that collects personal information like name, email address, or phone number?
  2. Can visitors post a comment anywhere on your website?
  3. Can people purchase products through your website or eCommerce shop?
  4. Do you provide a forum or message board?
  5. Do you have a method where visitors can chat with your company directly?

If you answered ‘No‘ to ALL of these questions, your WordPress website is most likely in good shape and you will be in compliance on May 25th. If you don’t collect the information, you don’t have to protect it. It is really that simple!


ESPRESSO.digital - WordPress GDPR Compliance - General WordPress GDPR Compliance

General WordPress GDPR Compliance

However, if you answered ‘Yes‘ to ANY of these question, please read on. Here are some general steps you need to consider as you prepare for WordPress GDPR compliance:

Update Your Privacy Policy

The first step to WordPress GDPR compliance is to update your privacy policy. And if you don’t have a privacy policy this would be a great time to add one to your site. In addition to helping you become GDPR compliant a privacy policy instils trust and transparency in your website visitors.

Here are some minimum recommendations:

  • Include a GDPR compliance line
  • Specify what information you collect and store from website visitors. (for instance: I.P. addresses, device information, access information, cookies, visit duration and tracking, mouse and swipe actions, email, phone, name, address and billing addresses )
  • Specify who has access to this personal data. (e.g. you, MailChimp, Google, Salesforce, etc.)
  • Specify the contact details of the assigned Data Protection Officer in your organization. For small businesses, this is probably you. Larger businesses and enterprises should have a dedicated senior-level person who carries indemnity insurance to cover the liability of this role. This person should receive data protection training and a certification.
  • Provide instructions on how to submit a data access request.
  • Specify how long you store personal information.

If you are unsure how to generate a GDPR compliant privacy policy you can use this GDPR Privacy Policy Generator.

Remove Automatic Opt-ins

If you are using any automatic or pre-filled opt-in forms either delete them completely OR remove any prefilled data. All fields and checkboxes must be empty in your online forms. There is a good reason for that; an empty field or box cannot imply acceptance.

Only Collect Required Visitor Information

Of course, you need to gather some information from your website visitors in order to run your business. But be sure to only collect information you require to run your business. Here are a few things to do:

  • Delete personal information that you no longer use that may be stored on servers, in excel spread sheets, etc. This includes emails with file attachments that may contain personal information.
  • Keep only one version of personal information. You may keep copies for backup and restore purposes only. Up to 4 backups is acceptable. If you keep more, you have to justify it. The location of the backups needs to be captured in your data/security audit.
  • Collecting extra information in case you may use it in the future is unlawful. Information you have about individuals for which you have no use must be deleted.

Record All Data Breaches

Your WordPress GDPR compliance includes recording all data. Examples of data breaches include:

  • Personal information being passed or coming into the possession of an unauthorized data processor or subcontractor.
  • Passing of personal data into a non-GDPR compliant country.
  • Passing of personal data to a third party without the knowledge of the data subject.
  • Personal information leaked as a result of a website hack.

Plan Ahead

Have a security data breach response plan and process in place. Here’s a link to a helpful toolkit that can help you get started developing a plan if you don’t already have one: Security Breach Response Plan Toolkit

Have a Process

Have a process to comply with anyone asking for a copy of their data.

  • Verify their identity
  • Make sure you have the data before processing the request, if you don’t have the data, respond and say, “I don’t have the data”.
  • Do not create more personal data while performing the request
  • Process the request
  • Record it in your data audit log
  • Do it within 20 days.

Update Your Records

As you prepare for WordPress GDPR compliance don’t forget to update your contracts, NDA’s, and privacy policies on your website, social media platforms, and in your written documents and communications. At a minimum you should make sure that:

  • All staff need to have signed NDA’s and data protection awareness training. A good rule of thumb is to include all staff even if they do not have direct access to personal information in the normal course of their duties.
  • All customer contracts have to be updated with a GDPR clause.


ESPRESSO.digital - WordPress GDPR Compliance - What You Can No Longer Do

What You Can No Longer Do

Up to now we talked a lot about what you need to do to meet WordPress GDPR compliance guidelines. But you also need to understand what you are no longer allowed to do! This part takes many business website owners and marketers by surprise, so pay attention!

Strict No-No’s

  1. You cannot send unsolicited emails to anyone. That includes no more purchasing lists from third parties, or merging lists from different companies into other lists.
  2. Sending auto emails from abandoned shopping carts offering discounts is no longer permitted, unless the shopper has opted in for email at the top of the checkout.
  3. You cannot refuse to give customers their personal details on request.
  4. Sending unsolicited text messages via mobile phone numbers is no longer allowed.

Yes, This Includes You!

Don’t get fooled into a false sense of security here! Especially small business owners may think the EU has bigger fish to fry. That is easy to understand seeing the EU is busy taking on giants like Amazon and Microsoft. They’ll never audit a small business like yours, right? Believe me, this thinking is dead wrong! As a European myself, and as someone who owns one and does business in Europe, I can guarantee you that no business or brand is too small to warrant the attention of EU governing bodies!

Here is how you need to look at this. Even if you only collect information from a single EU resident who comes to your business website, you may be subject to a GDPR audit. They may not audit you right now, but they may at any time in the future, even if your business is not based in the EU. Why take the risk of being cited for non-compliance?


ESPRESSO.digital - WordPress GDPR Compliance - WordPress GDPR Compliance Specifics

WordPress GDPR Compliance Specifics

The following areas or elements of your WordPress website are the ones most affected by the upcoming GDPR regulations. Take a look at what they are, and what specifically you must do to be in WordPress GDPR compliance.

Online Forms

If you are using ANY online forms make sure you add a checkbox specifically asking the form user if they consent to you storing and using their personal information to communicate with them. This checkbox must be unchecked by default. Also mention if you will send or share the data with any 3rd-parties and why. The consent statement must include a link to your GDPR compliant privacy policy.

Visitor Comments

If you allow visitor comments on ANY part of your WordPress website, you must add a checkbox specifically asking commenters if they consent to storing their message attached to the e-mail address they are using to comment. This checkbox must be unchecked by default. Also mention if you will send or share the data with any 3rd-parties and why. The consent statement must include a link to your privacy policy.

E-Commerce Order Forms

Make sure you add a checkbox specifically asking the customer if they consent to you storing and using their personal information to ship the order. This cannot be the same checkbox as the Privacy Policy checkbox you should already have in place. This checkbox must be unchecked by default. Also mention if you will send or share the data with any 3rd-parties and why.

Forums and Message Boards

If your WordPress website uses forums or message boards, you must add a checkbox specifically asking forum / board users if they consent to you storing and using their personal information and messages. This checkbox must be unchecked by default. Also mention if you will send or share this data with any 3rd-parties and why. The consent statement must include a link to your privacy policy.

Chat Bots

Many business sites use chatbots for consumer engagement. If that includes you make sure to add a checkbox specifically asking chat users if they consent to you storing and using their personal information and messages. This checkbox must be unchecked by default. You must also mention how long you will store chat messages or delete them all within 24 hours. Also mention if you will send or share the data with any 3rd-parties and why. The consent statement must include a link to your privacy policy.


ESPRESSO.digital - WordPress GDPR Compliance - Useful WordPress Plugins and Resources

Useful WordPress Plugins and Resources

Yes, getting your online presence into GDPR compliance will take some time and effort. But I have some good news for you! Meeting WordPress GDPR compliance regulations is a bit easier, especially if you are using any of these handy WordPress tools and plugins. Here is a list of a few I recommend you consider using on your WordPress site.

WordPress GDPR Compliance Plugins

WP GDPR Compliance

This plugin assists website and webshop owners to comply with European privacy regulations known as GDPR. By May 24th, 2018 your site or shop has to comply to avoid large fines. WP GDPR Compliance currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments.


This open source plugin will assist you making your website GDPR compliant by making personal data accessible to the owner of the data. Visitors (owners) don’t need user accounts to access their data. Everything works through a unique link and e-mails.


This plugin is meant to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.

Delete Me

This plugin is helpful in addressing the “Right to be Forgotten”. It provides a method for data erasure of a user’s profile, comments, etc. It’s available to WordPress admins, but goes a step further if you are comfortable allowing users to delete their own data without having to create a request for it.

Security Audit Log

This plugin helps you perform a security audit on your website. It is WordPress’ most comprehensive real time user activity and monitoring log plugin. It helps thousands of WordPress administrators and security professionals keep an eye on what is happening on their websites.

WordFence (Pro version)

Satisfies the GDPR legal requirement to assess and monitor the security of your website to ensure data breaches do not occur. If a breach does occur, you will receive a real time notification from the plugin.

A Word of Caution

The above WordPress plugins will help you reach WordPress GDPR compliance, if used correctly. But be aware that using any of these plugins will affect the functionality of your WordPress site. That unfortunately can also include other web functionality and even the appearance of your site. Before you use any of these I recommend you make a complete backup of your WordPress site, and proceed with caution.

Other GDPR Resources

GDPR Compliant Privacy Policy

Each enterprise should have a privacy policy. On this page you will find the privacy policy generator of the German Association for Data Protection. Our sample privacy policy has already been adapted to the provisions of the General Data Protection Regulation. The use of our sample text means: you have less concern and may concentrate on your core activity.

Useful GDPR Resources

Useful links to articles, videos, summaries, opinions, and analysis on all things GDPR.


ESPRESSO.digital - WordPress GDPR Compliance - Final Thoughts

Final Thoughts on WordPress GDPR Compliance

This post is meant to give you an overall analysis and explanation of what GDPR is, what it means for you and your website in real terms, and what you can and must do in order to reach WordPress GDPR compliance by May 25th, 2018. But even if you follow every last step and recommendation in this post it is NOT a guarantee that you will be in WordPress GDPR compliance.

As in anything related to your business, if you are in doubt about GDPR or if your business is indeed in compliance you should consult with a legal professional. As mobile-first web designers we can help get your WordPress website updated to meet these requirements. But there may very well be other considerations for your business. If you have any doubts be sure to check with your legal or business advisors.


ESPRESSO.digital Any Questions?

Need Help with WordPress GDPR Compliance?

Here at ESPRESSO.digital, we offer a full range of WordPress services, including WordPress web design and development, technical support servicessearch engine optimization, and website maintenance plans. Contact us to learn more about how our team can help you get your own WordPress website and meet your online objectives.

Do you have anything to add to our recommendations for WordPress GDPR compliance? Maybe you have some helpful tips or recommendations of your own? Please leave your comments below so our audience can benefit as well and grab our feed so you don’t miss our next post! And help your friends and associates stay on the good side of EU regulators by sharing our WordPress GDPR compliance tips with them!

Thank you! We appreciate your help to end bad business websites, one pixel at a time!

By Gregor Schmidt
Co-Founder / Digital Barista

Related Posts


Looking for innovative multilingual WordPress web design options for your business or brand?
Hold on just a sec!

Share This

Share this post with your friends!