GDPR Compliance and Your WordPress Blog

The GDPR and Your WordPress Blog - How to Get Set Up to Be GDPR Compliant

On May 25, 2018, the internet business world as we know it will change.

The European Union’s (EU) General Data Protection Regulation (GDPR) will go into effect and data management on your WordPress Blog will change completely.

I know, the big question you may have is: But this is an EU Law and I live in a country outside of the EU.  Why do I have to worry about the GDPR?

The GDPR is wide-ranging and has support from most of the world's industrial nations due to pre-existing treaties and trade agreements.

This means that anyone who has a website that ANYONE from the EU visits must be in compliance with the GDPR and its data protection provisions.

So it doesn’t matter if you live in the EU or if you live in the United States (or some other country), you must comply with the regulation.

This post is meant to help you understand the basics of the GDPR and give you the ability to set up your WordPress blog using a few free tools to protect yourself and provide data and privacy protection for your site visitors.

****This post does not constitute legal advice.  The content here is merely a recommendation on how to protect yourself and your blog business.  If you have a complex WordPress Blog and data collection setup, I highly recommend contacting a lawyer to discuss how the GDPR affects you.  That being said, for most Bloggers, the content below should suffice in providing the required protection for your blog business.****


What is the GDPR?

The GDPR is a regulation which provides data protection and data privacy for all citizens of the European Union.

This means that you must receive consent from an EU Site Visitor before collecting and using any of their data.

This can be as simple as collecting a name and an email address for sending a Contact Form message or using cookies on your site to collect data for tracking through WordPress Registrations and Logins or 3rd Party applications like Google Analytics.

The bottom line is this:  If you collect data at all from a citizen of the EU, they must provide you with explicit consent before you use it.

This means that you must tell them exactly how their data is going to be used and they must provide you with their consent to take those actions before you use it.


The Main Provisions of the GDPR

There are a few main provisions of the GDPR which affect WordPress blog owners quite a bit.

They are as follows:

Data Collection, Processing, and Storage

There are three main parts to this section of the GDPR.  They are:

  • The right to access provides users with complete transparency in data processing and storage – what data points are being collected, where are these data points being processed and stored, and the reason behind the collection, processing, and storage of the data. Users will also have to be provided a copy of their data.
  • The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their personal data to be used.
  • The data portability clause of the GDPR provides users a right to download their personal data, for which they have previously given consent, and further transmit that data to a different controller.

With WordPress, this can affect things like:

  • user registrations
  • comments
  • contact form entries
  • analytics and traffic log solutions
  • any other logging tools and plugins
  • security tools and plugins

Data Breach and Notifications

The next provision affects you if you have a data breach or if you have been hacked in any way.

In the event that data has been lost on your site, you must notify all those affected within 72 hours of the event occurring. In a WordPress scenario, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. However, the complexity here is the definition of the term “user” – it may constitute regular website users, contact form entries, and potentially even commenters.

With this in mind, having a secure WordPress blog is a critical element in running your business.  If you need help getting your site set up for SSL to protect user data and to implement high-level security controls on your blog, I recommend using our Free WordPress Blog Setup Video Tutorial Series to install, set up, and secure your WordPress blog correctly.

Using WordPress Plugins and GDPR Compliance

All of us who use WordPress love using WordPress Plugins, Themes, and other integrations like Google Analytics, Google Adsense, etc.

With this in mind, you must make sure that any plugin or tool you use is also GDPR Compliant.  This also includes any email marketing software or service you may use.  If it is on your site, you are ultimately responsible for ensuring that you have at least been informed in good faith that the plugin creator is implementing GDPR safeguards into their tool (if it collects user data).


Why Should I Take the GDPR Seriously?

The GDPR is being supported by governments worldwide.  If you live in the United States, for example, almost 92% of businesses have prepared for the GDPR.

The penalty for non-compliance can be up to € 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.  There are other provisions for smaller fines and actions to be taken for small offenses.  I recommend reading the FAQ Section of the regulation to get more insight on the specifics.

Supervisory Authority

Supervisory Authorities (SA) of different member states are being set up with the full support of the law. Each member state may have multiple SAs, depending on the constitutional, administrative, and organizational structures.

SAs will have various powers, including the authority to:

  • carry out audits on websites,
  • issue warnings for non-compliance,
  • issue corrective measures to be followed by deadlines.

SAs have both investigative and corrective powers to check your compliance with the law and recommend changes for you to be compliant.


How to Make Your WordPress Blog GDPR Compliant

With all of this in mind, you might be saying that you don't know what to do next.

This all might sound overwhelming, but it doesn’t have to be.

There are a few steps you can take to make your WordPress blog compliant with the GDPR.

First, you must have a system which allows you to cover the main provisions we talked about above.

Data Access, Data Portability, and the Right to be Forgotten.

Fortunately, there are a lot of developers who have been preparing for the GDPR, including WordPress itself.

In fact, on May 17, 2018, WordPress plans on releasing WordPress Version 4.9.6 which will have GDPR Compliance Tools built in, along with a Privacy Policy tool.  WP Tavern has a great article about this upcoming release and what it includes here.

I have done some testing and have put together a video tutorial which will show you how to implement GDPR Compliance into your WordPress blog.

The Tutorial is almost 50 minutes long, but it covers all of the Provisions listed above, along with Cookie Consent, Privacy Policy creation, Cookie Policy Creation, data access, data portability, and the right to be forgotten.

I recommend using this video tutorial below as a way to implement compliance on your WordPress blog now.

Tools used in the video tutorial above:

Pro Tools you can use for a Legally backed, Lawyer Reviewed Privacy Policy and Cookie Consent Policy:

GDPR Privacy Policy, Terms of Use, Privacy Tools, and Cookie Policy here on the Starter Academy Blog:

*I used the Cookie Policy Generator at iUbenda after seeing how poorly the generated Cookie Policy was from the Cookie Consent Plugin.

**I highly recommend following the Starter Academy GDPR and changes we make as we learn about the GDPR, implement the processes, and identify our mistakes in this process.

***Want an All-in-One Solution which covers all 7 of the major areas of the GDPR for your WordPress blog automatically?  Check out the GDPR Fix WordPress Plugin here now!

UPDATE:  See my Update on GDPR Cookie Consent and Your WordPress Blog Here.

What’s Next?

The next thing you should do is implement the GDPR Compliance tips above into your WordPress blog and your business workflow.

Once that is complete, the next step is to make sure all of the tools you use are GDPR Compliant and that you are using them in the way that GDPR compliance requires.

Remember, we only covered the basics in the video above for Google Analytics.  Be sure to check to make sure everything you use is compliant.

Once this is incorporated into your everyday workflow, you will largely take it as a matter of routine.

You are not the only one who has to do this and do not assume you can get away without following this regulation.  It will only end badly.

If you have any questions or want to discuss this further, please use the comment section below (you will notice that the comments are now GDPR Compliant).

Thanks and Good Luck!


Mike Johnson

Mike is a WordPress Power User and Developer with over 40 Plugins, Themes, and WordPress tools authored by him and his team. Mike is also the creator of some of the most powerful Blogging and Internet Marketing training available on the web with titles such as the Auto Blog Blueprint, Profit Marketer, and much more!

6 comments
Rob - Clarip - May 22, 2018

Hi Mike,

Just wanted to add that there are a few other lawful bases of processing in the GDPR besides consent. For some data collection and sharing, these may make more sense than consent because the consent must be granular and specific. If you aren't specifically capturing consent for each thing that you are doing, then you may ultimately find out that you don't have legal consent for any of it.

    Mike Johnson - May 22, 2018

    You are absolutely correct. I have a blog post coming which talks about these very things. This one was specific to your blog and the basics of the GDPR as it pertains to your blog.

    Thanks. Great comment.

Jessica Chaney - May 23, 2018

Hi Mike,

In your video, you listed yourself as your EU representative. What do we do during this section? Can we list you also? Are you based in the EU?

Thank you, Hope to hear from you soon.

    Mike Johnson - May 23, 2018

    Actually I list myself as my site’s Data Protection Officer, not the EU Rep. The EU Rep settings I show are the default for the Plugin and you can look at the list (in the plugin settings) that will allow you to select a rep which is in the country you do business with the most. If you don’t focus on the EU, then you can simply use the default one they select for you.

    I am not an EU Rep, nor do I have any legal standing. This is simply a recommendation based on my research and knowledge on the subject.

    I hope that helps.

Ryan - March 8, 2019

Can companies be GDPR non-compliant if they are storing uncontrolled hard drives with past employee details on them? As I am sure there are a lot of companies out there unaware of what they may have.

Mike Johnson - March 18, 2019

That isn’t a GDPR issue if it was collected by the company as a part of employment. It is a legal issue if Personally Identifiable Information is not being safeguarded.
