WordPress: GDPR Compliance

Note: * Updated 2/19/19 as existing GDPR plugin had issues. See text below for changes.

GDPR and other regulations are forcing WordPress users to do some quick thinking to cover themselves and meet compliance. Now, many think GDPR does not apply to them, at least within the United States. However, if anyone outside the US reads your site, buys something, or signs up for a newsletter or other service, then you may need to protect yourself. Does this mean a heavy lift? No, not at all. I covered the majority of issues with just three WordPress plugins.

Now, I am not a lawyer. I am not your lawyer, and what I am about to write is just advice. You should always check with your attorney with regard to GDPR and other regulations. There have been laws and regulations governing newsletters, spam, cookies, and personally identifiable information for years. You do need to protect yourself.

The first thing every site requires is a privacy or data handling policy, which at minimum should include how user data will be handled. In addition, if you offer a service, comments, content, or the like, you will want either a terms of service or acceptable use policy published somewhere. These are more legal requirements but are definitely important with respect to GDPR. The Auto Terms of Service and Privacy Policy plugin will assist with each of these.

Next, you need to add consent capabilities for cookies, comment forms, etc. These tools often use cookies and take in other data, such as names, addresses, and IPs, just to name a few. This data is covered by GDPR and is considered personally identifiable information: information that can uniquely identify a human being. Given that, consent to use this data is required. I used two plugins to handle these capabilities: GDPR Framework and GDPR Cookie Consent. You probably only need one, but having the Cookie Consent means I see a footer window every time I go to the site as a visitor for the first time. This is a nice little reminder that you take privacy seriously. The first of these adds consent notices and check boxes to WordPress comments, and other tools and acceptance buttons to Contact Form 7 forms, WooCommerce (which I do not use currently), and other plugins. You may have to add the buttons yourself with text pointing to your privacy policy on any of your forms. *
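If you end up adding the consent checkbox to the comment form yourself rather than through a plugin, the following is one way to do it. This is an added example, not code from the post or from any of the plugins named above; the field name `privacy_consent`, the meta key `privacy_consent_at` and the `example_` function names are assumptions chosen here, and it expects a Privacy Policy page to be selected under Settings > Privacy.

```php
<?php
/*
 * Added example (not from the post or any plugin it mentions): adds a
 * required "I accept the Privacy Policy" checkbox to the WordPress comment
 * form, rejects comments submitted without it, and records when consent was
 * given. Goes in a site-specific plugin or the theme's functions.php.
 * Field/meta names are assumed for this example.
 */

// Render the checkbox, linking to the Privacy Policy page chosen under
// Settings > Privacy (get_privacy_policy_url() returns '' if none is set).
function example_privacy_consent_field( $fields ) {
    $policy = get_privacy_policy_url();
    $label  = $policy
        ? sprintf( 'I accept the <a href="%s">Privacy Policy</a>', esc_url( $policy ) )
        : 'I accept the Privacy Policy';
    $fields['privacy_consent'] =
        '<p class="comment-form-privacy-consent">'
        . '<input id="privacy_consent" name="privacy_consent" type="checkbox" value="1" required>'
        . ' <label for="privacy_consent">' . $label . '</label></p>';
    return $fields;
}
add_filter( 'comment_form_fields', 'example_privacy_consent_field' );

// Server-side check: the browser's "required" attribute alone is not enough,
// since a POST can be sent without the form. Pingbacks/trackbacks carry no
// visitor consent field, so only ordinary comments are checked.
function example_require_privacy_consent( $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( '' !== $type && 'comment' !== $type ) {
        return $commentdata;
    }
    if ( empty( $_POST['privacy_consent'] ) ) {
        wp_die(
            'Please accept the Privacy Policy before submitting a comment.',
            'Consent required',
            array( 'back_link' => true, 'response' => 403 )
        );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'example_require_privacy_consent' );

// Store a UTC timestamp of the consent with the comment, so an export or
// erasure request later can show when the visitor agreed.
function example_store_privacy_consent( $comment_id ) {
    if ( ! empty( $_POST['privacy_consent'] ) ) {
        add_comment_meta( $comment_id, 'privacy_consent_at', current_time( 'mysql', true ), true );
    }
}
add_action( 'comment_post', 'example_store_privacy_consent' );
```

The checkbox is added through the `comment_form_fields` filter, so it appears for both logged-in and anonymous commenters; the stored `privacy_consent_at` meta travels with the comment when WordPress exports or erases a user's data.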

Next, you need to consider other tools you may use, such as Akismet Anti-Spam or other third-party tools. If a plugin sends data to a third party, you need to be aware of this and how they handle data. Akismet makes this very easy by allowing you to add a link on the bottom of all comments. This link goes directly to the Akismet privacy policy. Third-party tools also often gather data, so you need to ensure you cover your bases with them as well.

Lastly, I chose the WP GDPR Compliance plugin for its ability to export and delete any user’s data. The right to data and the right to be forgotten are a part of GDPR. If you are requested to forget or retrieve a user’s data, you are now covered.

Now, given maybe twenty minutes of configuration and three new plugins, you have covered your WordPress site against quite a few GDPR compliance concerns. Be sure you understand your privacy policy, and if you are at all confused or concerned about GDPR and the need to ask for consent, talk to your attorney.
