More Than A Privacy Plugin
First Things First
Welcome. Wherever and whenever an E.U. citizen visits a website (front-end or back-end), GDPR applies. A lot of hours have gone into GDPress, and I am dedicated to making it better every day. Thank you for making it part of your journey to GDPR compliancy.
— André Renaut
- PHP version 7.0 or higher.
- MySQL version 5.0 or higher.
- WordPress version 5.4 or higher.
GDPress does not call any external web services and does not use any external software other than WordPress core.
GDPress stores events related to the data subject and to the core privacy processes when the archive setting is enabled. Archives are under the authority of the Data Protection Officer, for legal purposes ONLY. They are returned to the data subject on request, but they are not deleted.
State of the Privacy (May 2020)
- These are legal obligations under GDPR. In front of your local data protection authority or a judge:
- You are accountable for the actions you take to reach GDPR compliancy and must be able to prove them (activating this plugin is not enough).
- If sued, you will have to provide evidence that you acted lawfully and replied to the data subject's request (archiving all activities for legal purposes is allowed under GDPR and must be declared in your Records of Processing Activities).
- Other Major Obligations
- Records of Processing Activities: the WordPress team is expected to publish them for core, and every theme or plugin should add a new Privacy section to its readme.txt.
- Communication of a personal data breach to the data subject (and to your local D.P.A.)
- Privacy by design
This concept is part of GDPR too. In WordPress, Privacy is a component like Gutenberg, Admin or wp-cron. Privacy by design is, or should be, applied to and included in ALL WordPress components. Should every component publish its own "Privacy Section", just like the recommendation above for themes and plugins?
- Pending Questions
Plugins cannot solve all issues. Listed below are some questions and concerns around WordPress and GDPR compliancy that are, or should be, part of WordPress governance.
- Any privacy request is itself personal data and should be returned to the data subject
- Removing an export request does not delete the export file (security issue, potential data breach)
- External processors to be identified (records of processing activities, privacy by design)
- Gutenberg blocks coherence with embed handlers and oembed providers as set on the server side (privacy by design)
- oEmbed responses cached in transients (no more html cached) for blog posts or oembed providers (privacy by design)
- Ability to remove blocks in Gutenberg such as "/map" for Mapbox (privacy by design)
- Future "Icon" component : from Dashicons to svg (privacy by design)
- Web standards should apply: nowadays, email addresses such as "θσερ@εχαμπλε.ψομ" are valid but are rejected by the WordPress function is_email(), so the corresponding privacy requests are rejected. This is a legal issue: one of the "variety of privacy issues around the world"!
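To make the last point concrete, here is an added Python example (not part of GDPress or WordPress) that contrasts an ASCII-only address check, written as a simplified approximation of the rules is_email() applies, with a check that accepts RFC 6531 (SMTPUTF8) addresses by keeping the Unicode local part and IDNA-encoding the domain. The sample addresses are constructed; the Greek one is the address quoted above.

```python
import re

# Constructed sample addresses. The Greek address is the one quoted in the
# readme; the others exercise the usual rejection paths.
SAMPLES = [
    "user@example.com",
    "θσερ@εχαμπλε.ψομ",
    "user@localhost",      # single-label domain
    "a..b@example.com",    # consecutive dots in the local part
]

# Simplified approximation of an ASCII-only validator: printable ASCII local
# part, letters/digits/hyphens in each domain label. Not WordPress's own code.
LOCAL_ASCII = re.compile(r"^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]+$")
LABEL_ASCII = re.compile(r"^[a-z0-9-]+$", re.IGNORECASE)


def _valid_ascii_labels(domain: str) -> bool:
    """Domain must have >= 2 labels, each ASCII letters/digits/hyphens, no
    leading/trailing hyphen and no empty label."""
    if ".." in domain:
        return False
    labels = domain.strip(".").split(".")
    if len(labels) < 2:
        return False
    return all(
        LABEL_ASCII.match(label) and not label.startswith("-") and not label.endswith("-")
        for label in labels
    )


def ascii_only_is_email(email: str) -> bool:
    """ASCII-only check: rejects every internationalized address, including
    valid ones, which is the failure mode the readme describes."""
    if len(email) < 6 or email.count("@") != 1:
        return False
    local, domain = email.split("@")
    if ".." in local or not LOCAL_ASCII.match(local):
        return False
    return _valid_ascii_labels(domain)


def smtputf8_is_email(email: str):
    """Internationalization-aware check. Returns the normalized address
    (Unicode local part, IDNA/punycode domain) or None if invalid."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if (
        not local
        or local.startswith(".")
        or local.endswith(".")
        or ".." in local
        or any(ch.isspace() or ord(ch) < 32 for ch in local)
    ):
        return None
    try:
        # The idna codec leaves ASCII labels untouched and punycode-encodes the
        # rest; it raises UnicodeError on empty or over-long labels.
        ascii_domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    if not _valid_ascii_labels(ascii_domain):
        return None
    return f"{local}@{ascii_domain}"


def compare_validators(addresses=SAMPLES):
    """Run both checks over the samples; shows which valid addresses the
    ASCII-only check turns away."""
    return {
        addr: {"ascii_only": ascii_only_is_email(addr), "smtputf8": smtputf8_is_email(addr)}
        for addr in addresses
    }


if __name__ == "__main__":
    for addr, result in compare_validators().items():
        print(f"{addr!r}: ascii_only={result['ascii_only']} smtputf8={result['smtputf8']!r}")
```

Both checks reject the malformed samples; only the ASCII-only one rejects the Greek address, which the SMTPUTF8-aware check normalizes to an "xn--" domain so that the request can still be matched and processed.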
GDPR aims to build a chain of trust, and this is why GDPR rules!
If you have any suggestions, ideas, or comments, or if you (gasp!) found a bug, join me in the Support Forums.
Share the Law
If you enjoy GDPress, please consider telling a friend, setting it up for someone less knowledgeable than yourself, or making a small donation.
And remember, GDPR compliancy is a never ending process.