2. Getting started with GDPR compliance

Before we get started with the practical parts of the guide, let’s briefly talk about the purpose of the WordPress GDPR Framework, the WordPress plugins and ecosystem and some major problems that have not yet been solved.

The WordPress GDPR Framework

The WordPress GDPR framework is a free, open-source plugin that has four purposes.

First, it provides various tools and features to help you make your website properly compliant. All the base requirements of GDPR are covered. (We’ll go through the details later.)

Second, it guides you through the maze of rules, regulations and requirements of GDPR. We’ve put a lot of effort into breaking up the massive regulation into a human-readable guide (the one you’re reading now). The plugin also comes with an installer wizard that walks you through setting it up, step-by-step.

Third, it aims to provide solutions for various complex corner cases regarding data privacy and customer rights. And there’s a lot of them! Note that this is work in progress – we will be constantly adding new features as we become aware of new difficulties related to following the rules properly. (If you can help us with that in any way, let us know – we need you!)

Fourth, it’s a framework for developers. Every piece of functionality can be extended or modified and new features can be built on top of the existing ones. Our developer docs are in beta right now, but as we are developers ourselves, this is a major priority for us.

WordPress and GDPR

As you might know, WordPress itself is already working on adding GDPR compliance. However, we don’t know when the updates will be released and exactly which problems they will solve. The WordPress GDPR Framework aims to be compatible with the official features of WordPress (even if it means removing or changing some of the functionality we’ve already built) and provide assistance with common problems that the WordPress team considers out of scope.

A major problem: WordPress ecosystem is not ready for GDPR

The WordPress plugin repository contains over 54 000 plugins. Not all of them process visitor data, but those that do need to be made GDPR-compliant. Even if WordPress publishes its official GDPR update and plugin guidelines within the following weeks, it’s not likely that all plugin authors will be able to make their plugins compliant by May 25th. This means that if your site depends on a lot of plugins, you can either put development hours into making those plugins compliant yourself (which is actually quite simple using the GDPR Framework!), or alternatively, wait and hope.

So what can you do now?

Fortunately, if you have a simple WordPress site and you don’t use many plugins that collect data from visitors, then there’s a good chance that you’ll still be able to achieve GDPR compliance on a reasonable level right now. Just follow this guide and make sure you read and understand everything.

If you have a more complex site that relies on a lot of plugins, things are not that simple. You’ll need to put some extra effort into getting compliant before May 25th. Alternatively, you can take a business risk and wait until the WordPress ecosystem catches up. But either way, there are plenty of things you can do right now (and we really recommend getting started as soon as possible – this process is probably more time-consuming than you expect).

For this reason, we’ve divided the practical sections of the guide into two parts: what you should do now and what you should do in May. We’ll explain the things that are optimal to do right now and show you how to do them using the WordPress GDPR Framework. And we’ll also explain which parts you’ll need to revisit in May. 
