All owners of a WordPress website must comply with the requirements of the General Data Protection Regulation (GDPR). But how do you comply with the GDPR in WordPress? How should users' personal data be handled to comply with the data protection rules in WordPress? In this article we explain it in detail.

How does GDPR affect WordPress websites?

After the GDPR entered into force, a new legal framework was established for EU countries when processing personal data.

This regulation is complemented by laws enacted by each Member State, which must be consistent with the provisions of the GDPR. In Spain, these are the LOPDGDD (Organic Law on Data Protection and Guarantee of Digital Rights) and the LSSI-CE (Law on Information Society Services and Electronic Commerce).

Basically, the GDPR establishes new obligations for data controllers and data processors, and new rights for users regarding the protection of their personal information.

Applied to websites, complying with the data protection law in WordPress means fulfilling a series of obligations, which can be summarized as:

  • Keep a record of processing activities (where applicable).
  • Identify the data controller, its representatives, and any data processors.
  • Inform users about the purpose of the processing.
  • Indicate the data retention period.
  • Inform users whether the data will be transferred to third parties.
  • Indicate how users can exercise their ARSULIPO rights (the Spanish acronym for access, rectification, erasure, limitation, portability and opposition).
  • Implement the technical and organizational measures needed to guarantee the security and integrity of the data.
  • Report security breaches.

These GDPR obligations must be met by every data controller, that is, every website owner, whenever they collect and process any personal data, which in practice is the case for almost every online site. Recording only the visitor's IP address (which counts as personal data) is enough for the regulation to apply, even to a personal blog.

How is user data collected in WordPress?

As we said, the GDPR obligations in WordPress affect the vast majority of corporate websites, online stores, affiliate sites, etc., since most WordPress sites collect personal data through one or more of these methods:

  • Registration data: websites that store their users' access credentials or registration information.
  • Cookies: any website that uses cookies for marketing purposes or to save user preferences.
  • Comments: websites that allow comments store data such as the commenter's email, name and IP address (WordPress core saves the IP address and user agent alongside every comment).
  • Forms: contact forms are another of the main ways of collecting user data, which ends up in a database or in a mailbox.
  • Plugins: there are also plugins that store user data in addition to what the website itself stores.

This means that, in practice, the websites required to comply with the GDPR in WordPress include:

  • Websites with registration forms
  • Online stores
  • Websites of public bodies
  • Websites displaying advertising
  • Affiliate websites
  • Dropshipping stores
  • Websites that display social sharing buttons
  • Personal blogs with comments enabled or that measure audiences with analytics plugins, etc.

How to comply with GDPR obligations in WordPress

To adapt a WordPress website or blog to the GDPR, we must take into account a series of requirements which together cover the obligations listed above.

Legal texts in WordPress

Data protection regulations require that whenever we process personal data, the data subjects (the users of our website) are informed of it. This information is provided through the so-called legal texts of the website.

These legal texts must contain all the information related to the processing of personal data, from the identity of the controller, through the purpose, to the retention period. Since they must be given in a clear and understandable yet detailed way, two layers of information are used.

The first layer is a "summary" of the basic information and is what appears next to web forms, the comment form, the cookie notice, etc.; it also includes a link to the second layer, which contains the full information. This second layer lives at a separate URL, usually a subpage linked from the footer of the site, since it must be reachable from anywhere on the site.

The web legal texts are:

  • Legal notice: informs the user about the identity of the company that will process their personal data. It must contain the following information:
    • Company name and address
    • NIF (Tax Identification Number)
    • Commercial Registry number (if registered)
    • Telephone, email and other contact details
    • The professional association to which the company belongs (if any)
    • Other information of interest, such as confidentiality agreements or clauses on intellectual or industrial property
  • Privacy policy: to comply with the privacy policy requirements in WordPress, users must be informed about how their personal data is processed. It must indicate:
    • Legal basis for the processing
    • Identity of controllers and processors
    • Purpose of the processing
    • Transfer of data to third parties
    • Data retention period
    • How to exercise the ARSULIPO rights
  • Cookie policy: there is an obligation to notify users about the use of cookies in WordPress. The cookie policy indicates which cookies the website uses, who manages them, what their purpose is and their retention period. The cookie notice, which as we said is the first information layer about them, must be shown the first time the user visits the page or after they have deleted their cookies, so that they can grant consent for their use.


Managing consent in WordPress

To comply with the GDPR in WP, you must have the user's consent to process their personal data (unless another legal basis applies, such as the performance of a contract or a legal obligation). Since the GDPR entered into force, consent can no longer be implied or granted by default. Consent must be express and given through an explicit, voluntary and unambiguous action, for example asking the user to tick a checkbox to accept the privacy policy. A pre-ticked box, or a notice saying that continuing to browse implies acceptance, does not count.

If, for example, a form requests consent for several purposes, the user must be able to grant consent separately for each of them.

In addition, if the user wants to revoke the consent given, it must be as easy to withdraw as it was to give, and the data controller must act on that request without undue delay. An example is including a link in commercial communications through which consent can be revoked (with wording such as "If you do not want to continue receiving commercial communications, follow this link"). It is also advisable to keep a record of when and how each consent was obtained, since the controller must be able to demonstrate that it was given.
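The following is an added example, not code from the original article or from any of the plugins it mentions, showing the consent rules above applied to the WordPress comment form: one unticked checkbox per purpose (privacy policy, required; newsletter, optional), a server-side check that rejects comments posted without the required one, and a timestamped record of what was accepted so the consent can be demonstrated later. The hooks used are WordPress core hooks; the "example_" function names, the text domain and the "_example_consent" meta key are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Example Comment Consent
 *
 * Added example (not from the original article): separate, unticked consent
 * checkboxes on the comment form, server-side enforcement, and a stored proof
 * of consent. Function names, text domain and the meta key are assumptions.
 */

// One checkbox per purpose, never pre-ticked, each with its own label.
// These fields are rendered for logged-out commenters only.
add_filter( 'comment_form_default_fields', 'example_consent_fields' );
function example_consent_fields( $fields ) {
    $policy_link = sprintf(
        '<a href="%s">%s</a>',
        esc_url( get_privacy_policy_url() ), // page chosen under Settings > Privacy
        esc_html__( 'privacy policy', 'example-consent' )
    );

    $fields['privacy_consent'] = sprintf(
        '<p class="comment-form-privacy-consent">'
        . '<input id="privacy_consent" name="privacy_consent" type="checkbox" value="yes" required> '
        . '<label for="privacy_consent">%s</label></p>',
        sprintf( esc_html__( 'I have read and accept the %s (required).', 'example-consent' ), $policy_link )
    );

    $fields['newsletter_consent'] = sprintf(
        '<p class="comment-form-newsletter-consent">'
        . '<input id="newsletter_consent" name="newsletter_consent" type="checkbox" value="yes"> '
        . '<label for="newsletter_consent">%s</label></p>',
        esc_html__( 'I also want to receive the newsletter (optional).', 'example-consent' )
    );

    return $fields;
}

// The browser's "required" attribute can be bypassed, so the consent is
// validated again where the comment is actually saved.
add_filter( 'preprocess_comment', 'example_consent_require' );
function example_consent_require( $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    // Registered users accepted the policy at sign-up; pingbacks/trackbacks have no form.
    if ( is_user_logged_in() || ! in_array( $type, array( '', 'comment' ), true ) ) {
        return $commentdata;
    }
    if ( ! isset( $_POST['privacy_consent'] ) || 'yes' !== $_POST['privacy_consent'] ) {
        wp_die(
            esc_html__( 'You must accept the privacy policy to post a comment.', 'example-consent' ),
            esc_html__( 'Comment not submitted', 'example-consent' ),
            array( 'response' => 400, 'back_link' => true )
        );
    }
    return $commentdata;
}

// Proof of consent: which purposes were accepted, when (UTC) and which policy
// page was linked at the time. Each purpose is recorded separately.
add_action( 'comment_post', 'example_consent_record', 10, 2 );
function example_consent_record( $comment_id, $comment_approved ) {
    if ( is_user_logged_in() ) {
        return;
    }
    $record = array(
        'privacy_policy' => isset( $_POST['privacy_consent'] ) && 'yes' === $_POST['privacy_consent'],
        'newsletter'     => isset( $_POST['newsletter_consent'] ) && 'yes' === $_POST['newsletter_consent'],
        'accepted_at'    => current_time( 'mysql', true ),
        'policy_url'     => get_privacy_policy_url(),
    );
    add_comment_meta( $comment_id, '_example_consent', $record, true );
}
```

Only the newsletter flag, when true, should trigger any marketing processing; the privacy-policy flag covers publication of the comment alone. The record is stored as comment meta so it can be exported or erased together with the comment when a user exercises their rights.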

The cookie notice

This express consent also applies to cookies, and the cookie notice is where we let users configure them.

There are different ways to implement the cookie notice, depending on the GDPR plugin the website uses: some let the user accept or reject each category of cookies by ticking boxes or with buttons, while others only allow accepting or rejecting all cookies. In any case, the plugin must block non-essential cookies (and the scripts that set them, such as analytics or advertising tags) until the user accepts them, and must not set them if they are rejected. Strictly necessary cookies, such as the one WordPress uses to keep a logged-in user's session, do not require consent.

As we have already said, the cookie notice includes a link to the cookie policy, so that users can find out about all the cookies the website uses.

Rights of users in WordPress

Likewise, to comply with the GDPR in WordPress, the website must allow users to exercise their rights of access, rectification, erasure, restriction of processing, portability and objection. The ways of exercising these rights must be indicated, and the controller must respond to requests within one month (extendable in some cases). Since version 4.9.6, WordPress core includes tools for this under Tools > Export Personal Data and Tools > Erase Personal Data, which collect or delete the data core stores about a user (profile, comments, media) and which plugins can extend to cover their own data.
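As an added example (not code from the original article or from any plugin it names), the snippet below registers an exporter and an eraser with the personal data tools that WordPress core ships, so that data stored by a plugin is included when a user exercises the rights of access, portability and erasure. It assumes a hypothetical "_example_consent" comment meta record keyed to the commenter's email; the filters and the return shapes are those of WordPress core, while the "example_" names and text domain are assumptions.

```php
<?php
/**
 * Added example (not from the original article): hooks plugin-stored data into
 * the core Tools > Export Personal Data / Erase Personal Data workflows.
 * Assumes a "_example_consent" comment meta record; "example_" names are assumptions.
 */

const EXAMPLE_CONSENT_META = '_example_consent';
const EXAMPLE_PAGE_SIZE    = 100; // core calls the callbacks page by page to avoid timeouts

// Shared lookup: comments by this email that carry a consent record.
function example_consent_comments( $email_address, $page ) {
    return get_comments( array(
        'author_email' => $email_address,
        'meta_key'     => EXAMPLE_CONSENT_META,
        'number'       => EXAMPLE_PAGE_SIZE,
        'paged'        => max( 1, (int) $page ),
    ) );
}

// --- Access / portability: feeds the export ZIP that core generates. ---
add_filter( 'wp_privacy_personal_data_exporters', 'example_register_exporter' );
function example_register_exporter( $exporters ) {
    $exporters['example-consent'] = array(
        'exporter_friendly_name' => __( 'Consent records', 'example-consent' ),
        'callback'               => 'example_consent_exporter',
    );
    return $exporters;
}

function example_consent_exporter( $email_address, $page = 1 ) {
    $comments = example_consent_comments( $email_address, $page );
    $items    = array();
    foreach ( $comments as $comment ) {
        $record  = (array) get_comment_meta( $comment->comment_ID, EXAMPLE_CONSENT_META, true );
        $items[] = array(
            'group_id'    => 'example-consent',
            'group_label' => __( 'Consent records', 'example-consent' ),
            'item_id'     => 'consent-' . $comment->comment_ID,
            'data'        => array(
                array( 'name' => __( 'Comment ID', 'example-consent' ),        'value' => $comment->comment_ID ),
                array( 'name' => __( 'Privacy policy accepted', 'example-consent' ), 'value' => empty( $record['privacy_policy'] ) ? 'no' : 'yes' ),
                array( 'name' => __( 'Newsletter accepted', 'example-consent' ),     'value' => empty( $record['newsletter'] ) ? 'no' : 'yes' ),
                array( 'name' => __( 'Accepted at (UTC)', 'example-consent' ),       'value' => isset( $record['accepted_at'] ) ? $record['accepted_at'] : '' ),
            ),
        );
    }
    // 'done' tells core whether to call again with the next page.
    return array( 'data' => $items, 'done' => count( $comments ) < EXAMPLE_PAGE_SIZE );
}

// --- Erasure: removes the records when an erase request is confirmed. ---
add_filter( 'wp_privacy_personal_data_erasers', 'example_register_eraser' );
function example_register_eraser( $erasers ) {
    $erasers['example-consent'] = array(
        'eraser_friendly_name' => __( 'Consent records', 'example-consent' ),
        'callback'             => 'example_consent_eraser',
    );
    return $erasers;
}

function example_consent_eraser( $email_address, $page = 1 ) {
    // Deleted records drop out of the meta_key query, so always read page 1.
    $comments = example_consent_comments( $email_address, 1 );
    $removed  = false;
    foreach ( $comments as $comment ) {
        if ( delete_comment_meta( $comment->comment_ID, EXAMPLE_CONSENT_META ) ) {
            $removed = true;
        }
    }
    // If a legal obligation required keeping a record, report it as retained
    // with a message instead of deleting it.
    return array(
        'items_removed'  => $removed,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => count( $comments ) < EXAMPLE_PAGE_SIZE,
    );
}
```

The comment itself (name, email, IP address) is already handled by the core comments exporter and eraser; this only adds the plugin's own data, which is the part the article says you must verify for every plugin you install.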

WordPress Security

To guarantee security in WordPress, controllers must implement the measures needed to protect the confidentiality and integrity of the personal data collected. Likewise, they must notify any personal data breach to the Spanish Data Protection Agency (AEPD) or the relevant supervisory authority within 72 hours of becoming aware of it, and also inform the affected users without undue delay when the breach is likely to pose a high risk to their rights and freedoms.

Among the measures controllers may adopt are the pseudonymization of personal data (for example, anonymizing the IP addresses stored with comments) and ensuring that personal information travels encrypted, by serving the site over HTTPS with a TLS certificate (still commonly called an SSL certificate), which encrypts traffic between the user's browser and the web server. In WordPress this means setting the site and home URLs to https://, redirecting every HTTP request to HTTPS, and keeping the certificate renewed.

They must also ensure that unauthorized third parties cannot access the stored personal data (strong passwords, two-factor authentication, least-privilege user roles, up-to-date core, themes and plugins, and tested backups), and verify that the plugins and other add-ons used on the website also comply with the GDPR.
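As an added example of the pseudonymization measure mentioned above (not code from the original article), the snippet below truncates the IP address WordPress saves with every new comment, and provides a batch function to apply the same treatment to comments already in the database. It relies on core's wp_privacy_anonymize_ip() (WordPress 4.9.6+), which zeroes the host part of an IPv4 or IPv6 address; the "example_" names and the optional WP-CLI command name are assumptions.

```php
<?php
/**
 * Added example (not from the original article): pseudonymize comment IP
 * addresses at write time and backfill existing rows. "example_" names and
 * the WP-CLI command name are assumptions; the hook and helper are core.
 */

// Runs on every new comment before it is inserted: 192.0.2.57 -> 192.0.2.0.
add_filter( 'pre_comment_user_ip', 'example_anonymize_comment_ip' );
function example_anonymize_comment_ip( $ip ) {
    return wp_privacy_anonymize_ip( $ip );
}

// One batch of existing comments. Returns how many rows were updated; call
// repeatedly until it returns 0. Rows that already end in ".0" (IPv4) or "::"
// (IPv6) are assumed to be anonymized already (a heuristic, not a guarantee).
function example_anonymize_stored_comment_ips( $batch = 500 ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT comment_ID, comment_author_IP FROM {$wpdb->comments}
          WHERE comment_author_IP <> ''
            AND comment_author_IP NOT LIKE '%%.0'
            AND comment_author_IP NOT LIKE '%%::'
          LIMIT %d",
        $batch
    ) );

    $updated = 0;
    foreach ( $rows as $row ) {
        $anon = wp_privacy_anonymize_ip( $row->comment_author_IP );
        if ( $anon === $row->comment_author_IP ) {
            continue; // nothing to change
        }
        // Direct update: avoids re-running every comment hook for a bulk edit.
        $wpdb->update(
            $wpdb->comments,
            array( 'comment_author_IP' => $anon ),
            array( 'comment_ID' => $row->comment_ID ),
            array( '%s' ),
            array( '%d' )
        );
        clean_comment_cache( $row->comment_ID );
        $updated++;
    }
    return $updated;
}

// Optional WP-CLI entry point: wp example anonymize-comment-ips
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'example anonymize-comment-ips', function () {
        do {
            $n = example_anonymize_stored_comment_ips();
            WP_CLI::log( "Updated {$n} comment(s)." );
        } while ( $n > 0 );
        WP_CLI::success( 'All stored comment IPs pseudonymized.' );
    } );
}
```

Two caveats before enabling this: a truncated address is still kept, so it remains pseudonymized rather than anonymous data and the comment record as a whole is still personal data; and anti-spam or comment-flood checks that run after the filter will see the truncated address, so test that they still behave acceptably on your site.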


Plugins to comply with the GDPR in WordPress

Complying with the GDPR in WordPress does not have to be very complicated, even without technical knowledge, since there are various plugins that help with data protection compliance on a WordPress website or blog. Keep in mind that a compliance plugin is itself code running with full privileges on the site, so choose actively maintained plugins and keep them updated like any other.

Here are some of the best known and most widely used plugins, which are easy to configure and set up on your site.

  • Cookie Notice

Cookie Notice is one of the best known and highest rated WordPress cookie plugins. It is a free tool that lets you configure the WordPress cookie notice easily and flexibly.

Its options include editing the warning message, choosing between three button designs, choosing where on the page the notice is displayed, and linking the user to the cookie policy text for more information.

  • WP GDPR Compliance

WP GDPR Compliance is a very popular GDPR plugin for WordPress. It has the options needed to comply with the data protection regulations and is compatible with plugins such as WooCommerce, Contact Form 7 and Gravity Forms. And best of all, it is completely free.

  • WordPress GDPR

Another of the most complete GDPR WordPress plugins. This one is a premium all-in-one tool with options for data access and deletion requests, contact forms, obtaining consent, data breach notification, etc. It integrates with numerous tools such as Google Analytics, Google AdWords, BuddyPress, WooCommerce and Contact Form 7.

  • Delete Me

This plugin is somewhat different from the rest: its purpose is to let users exercise the right to be forgotten. This right allows users to request the deletion of information about them that is outdated, inaccurate or that goes against their interests. The plugin simplifies the process so that users can exercise the right to be forgotten on the site.

In short, complying with the GDPR in WordPress is an obligation that practically any website or personal blog must address, since merely recording IP addresses means handling personal data. And remember that failing to comply with this regulation can lead to significant penalties.