WordPress and the GDPR: What is still allowed?

What is this about?

Many web designers, agencies and site operators build websites with WordPress.org and its extensions, tools and plugins. But can WordPress be used in compliance with the GDPR at all? Which WordPress plugins and tools are still allowed? Where are the risks, and what should you do now?

1. What is personal data?

If you use WordPress, you must comply with the GDPR. However, it only applies to the processing of personal data. Personal data is any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). This includes, for example:

  • First and last name
  • Address
  • E-mail address
  • Payment details
  • IP address

WordPress and the GDPR inevitably meet: practically every WordPress blog stores the IP addresses of its visitors, in the web server logs and, by default, with every comment. The GDPR does not only affect large corporations but also clubs, bloggers and small businesses. Purely private blogs without any commercial intent fall outside it, but if you run a private site, do not feel safe too quickly. According to case law, once you use analysis tools such as Google Analytics you no longer count as a "private operator". The same applies if you use AdSense, advertising banners or affiliate links.

2. WordPress and the GDPR: Requirements for data processing

Regardless of whether you are an agency, a WordPress blogger or a graphic designer, you may only process personal data under certain conditions:

  • Processing requires a legal basis, usually the consent of the user.
  • The user must be informed about how their data is used.
  • The user must be able to view, correct and delete their data.

A simple pop-up with a link to your privacy notice covers the consent and information duties; you can base the notice on the sample texts from eRecht24. The rights of access, rectification and erasure need a process behind them: since version 4.9.6 WordPress ships "Export Personal Data" and "Erase Personal Data" tools under Tools for exactly this purpose.

3. WordPress and data protection: This is to be considered

When using WordPress, data protection is a top priority. Collect and process all data lawfully, limit its use to the stated purpose, and store it only for as long as necessary. You must also keep it secure with appropriate technical and organisational measures and document your processing activities.

4. Plugins ensure compatibility of WordPress and the GDPR

No single piece of software makes a WordPress site GDPR-compliant. There are, however, many plugins with which you can bring a website into line with the GDPR; with a little specialist knowledge this can be done relatively quickly. We particularly recommend the following plugins:

  1. Borlabs Cookie: opt-in solution for cookies, suitable for example for Google Analytics and AdSense.
  2. Disable Embeds by LittleBizzy: disables oEmbeds, which otherwise load content from and transmit visitor data to social networks such as Twitter and Facebook.
  3. GDPR Pixel Mate: blocks external resources and lets you integrate opt-ins and opt-outs for Google Analytics and the Facebook pixel.
  4. Remove Comments IPs: automatically deletes the IP addresses of commenters after 60 days.
  5. Google Analytics Germanized: integrates Google Analytics in line with data protection requirements, for example with IP anonymisation.
  6. Smart User Slug Hider: replaces usernames in author URLs with numeric codes, so the login names of your users are no longer exposed to anyone browsing author archives.

Many other plugins exist to help you achieve GDPR compliance.

SSL encryption

Reconciling WordPress with data protection requires proper transport encryption. You must ensure that personal data is transmitted securely, which means serving the whole site, including the login and admin area, over HTTPS (TLS, still commonly called SSL) and redirecting plain http:// requests to https://. You can tell that a page is encrypted by the lock icon in the browser's address bar and the https:// prefix.

Google Analytics

Using Google Analytics places increased demands on the compatibility of WordPress with the GDPR. If you use the analysis tool, conclude a data processing agreement with Google by accepting the "Data Processing Amendment" in the Google Analytics account settings, and activate IP anonymisation. In addition, offer your visitors an opt-out: with the Google Analytics opt-out mechanism, a visitor can hide their visits from Google Analytics with a single click.
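The following is an added example, not code from eRecht24 or from Google, showing how a WordPress site can load Google Analytics (Universal Analytics through gtag.js) with IP anonymisation switched on and give visitors a working opt-out link using only the WordPress script API. The property ID is a placeholder, the function and shortcode names are this example's own, and in practice the enqueue should additionally be gated behind the cookie opt-in banner recommended in this article.

```php
<?php
/**
 * Added example, not code from eRecht24 or Google: load Google Analytics
 * (Universal Analytics via gtag.js) with IP anonymisation switched on and
 * give visitors a working opt-out link, using only WordPress' script API.
 * Assumptions: the property ID below is a placeholder, and the [ga_optout]
 * shortcode name is this example's own. In practice the enqueue should also
 * be gated behind the cookie opt-in banner the article recommends.
 */

const GDPR_GA_PROPERTY = 'UA-XXXXXXXX-1'; // placeholder, replace with your ID

add_action( 'wp_enqueue_scripts', function () {
    $id = GDPR_GA_PROPERTY;
    // Google's documented opt-out switch: if window['ga-disable-<ID>'] is true
    // before the library runs, no hits are sent for that property.
    $disable = 'ga-disable-' . $id;

    wp_enqueue_script(
        'gdpr-gtag',
        'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( $id ),
        array(),
        null,
        true // print in the footer
    );

    // Printed *before* the gtag.js tag: honour an opt-out cookie set earlier.
    wp_add_inline_script( 'gdpr-gtag', sprintf(
        "var gdprGaDisable = %s;\n" .
        "if (document.cookie.indexOf(gdprGaDisable + '=true') > -1) { window[gdprGaDisable] = true; }",
        wp_json_encode( $disable )
    ), 'before' );

    // Printed after the tag: the usual gtag bootstrap, with anonymize_ip so
    // Google truncates the address (last octet of IPv4, last 80 bits of IPv6)
    // in memory before storing it, plus the function the opt-out link calls.
    wp_add_inline_script( 'gdpr-gtag', sprintf(
        "window.dataLayer = window.dataLayer || [];\n" .
        "function gtag(){ dataLayer.push(arguments); }\n" .
        "gtag('js', new Date());\n" .
        "gtag('config', %s, { 'anonymize_ip': true });\n" .
        "function gdprGaOptOut() {\n" .
        "  document.cookie = gdprGaDisable + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/; SameSite=Lax';\n" .
        "  window[gdprGaDisable] = true;\n" .
        "  alert('Google Analytics has been deactivated for this browser.');\n" .
        "}",
        wp_json_encode( $id )
    ) );
} );

// Put [ga_optout] into the privacy policy page to render the opt-out link.
add_shortcode( 'ga_optout', function () {
    return '<a href="#" onclick="gdprGaOptOut(); return false;">Deactivate Google Analytics</a>';
} );
```

A quick check after deploying: in the browser's network panel, hits to google-analytics.com/collect should carry the parameter aip=1, and after clicking the opt-out link (and on every later page load in that browser) no further collect requests should appear.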


Cookies

Making WordPress GDPR-compatible also means reviewing your cookies. We recommend not using non-essential cookies at all. Only cookies for the member area or the shopping cart are strictly necessary; their use can be justified by a balance of interests, because they serve the site visitors themselves. You must inform your visitors about the exact use of cookies in the privacy policy. We recommend using a cookie banner.


Data protection

To reconcile WordPress and data protection, a privacy policy (Datenschutzerklärung) tailored to the GDPR is absolutely necessary. Place it so that it is easily reachable from every page; we recommend a separate link next to the imprint (Impressum).

Adapt the content of the data protection declaration to the individual characteristics of your website.

Practical tip: At eRecht24 Premium, web designers, agencies and professional website operators will find a professional generator for their data protection declaration.


Hosting

If your website is hosted by a provider, conclude a data processing agreement (Auftragsverarbeitung, AV) with them, because your provider records every request to your site, including the visitor's IP address, in its server logs.

Social Media Plugins

Social networks such as Facebook, Twitter & Co. are popular, and share and like buttons are a quick way to acquire new customers. Under the GDPR, however, reconciling social media plugins with WordPress and data protection is harder. Many buttons connect to the social network, and to the visitor's account there, as soon as the page loads and before any click; they transmit data such as the user's profile picture and information like "these friends also like the page".


Gravatars

WordPress and data protection are decided by small details. Under blog comments the attentive viewer notices small user images. These come from the Gravatar.com service: WordPress builds the image URL from a hash of the commenter's e-mail address, and every visitor's browser then requests it from gravatar.com, transmitting the visitor's IP address. You avoid the problem by deactivating avatars under "Settings" > "Discussion" > "Avatars". Plugins such as "GDPR Patron" automatically prevent the loading of external services.


Contact form and comment function

Using WordPress in compliance with the GDPR requires a rethink in many places, and contact forms are one of them. Transmit form data only over HTTPS and inform users how their data will be used. The WP GDPR Compliance plugin is a good solution; alternatively, integrate a mandatory consent checkbox into the form. The same principles apply to the comment function: WordPress stores the IP address of every commenter in the comment_author_IP column of the comments table. You should therefore prevent the storage of IP addresses or ensure they are deleted automatically; we recommend the "Remove Comment IPs" plugin for this.
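If you would rather not add a plugin for this, the two steps (do not store the full address, and blank what is stored after the retention period) can be done with core WordPress hooks. The following is an added example, not code from eRecht24 or from the plugins named on this page; the 60-day retention period is taken from the article's figure, and the function and cron hook names are this example's own.

```php
<?php
/**
 * Added example, not code from eRecht24 or from the plugins named above:
 * store only a truncated commenter IP and blank it completely after the
 * retention period, using core WordPress hooks. Install it as a must-use
 * plugin (wp-content/mu-plugins/). The 60-day retention period is taken
 * from the article's figure; the hook and function names are this
 * example's own.
 */

const GDPR_COMMENT_IP_RETENTION_DAYS = 60;

/**
 * Truncate an address the way analytics "IP anonymisation" does:
 * IPv4 keeps the first 24 bits (last octet zeroed), IPv6 keeps the first
 * 48 bits (last 80 bits zeroed). Anything that does not parse as an IP
 * address is dropped rather than stored verbatim.
 */
function gdpr_anonymize_ip( $ip ) {
    $packed = @inet_pton( trim( (string) $ip ) );
    if ( false === $packed ) {
        return '';
    }
    $keep   = ( 4 === strlen( $packed ) ) ? 3 : 6; // bytes to keep
    $packed = substr( $packed, 0, $keep ) . str_repeat( "\0", strlen( $packed ) - $keep );
    return inet_ntop( $packed );
}

// 1. Never write the full address. WordPress applies this filter in
//    wp_filter_comment() before the row is inserted; spam checks hooked on
//    the earlier preprocess_comment filter (as Akismet does) still see the
//    real request IP, so filtering here does not break them.
add_filter( 'pre_comment_user_ip', 'gdpr_anonymize_ip' );

// 2. Blank even the truncated address once the retention period has passed.
//    Returns the number of rows updated.
function gdpr_purge_old_comment_ips() {
    global $wpdb;
    $cutoff = gmdate( 'Y-m-d H:i:s', time() - GDPR_COMMENT_IP_RETENTION_DAYS * DAY_IN_SECONDS );
    return $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->comments} SET comment_author_IP = '' " .
        "WHERE comment_author_IP <> '' AND comment_date_gmt < %s",
        $cutoff
    ) );
}
add_action( 'gdpr_purge_comment_ips', 'gdpr_purge_old_comment_ips' );

// 3. Run the purge once a day through WP-Cron (scheduled only once).
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'gdpr_purge_comment_ips' ) ) {
        wp_schedule_event( time(), 'daily', 'gdpr_purge_comment_ips' );
    }
} );
```

The UPDATE also blanks the addresses of comments that were posted before the file was installed, which a filter alone would never touch. To verify the first run, count the rows in the comments table that still have a non-empty comment_author_IP older than 60 days; it should be zero. Note that WP-Cron only fires when the site receives traffic, so on a quiet site either trigger it from a real system cron or accept that the purge may lag by a day or two.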

Sending newsletters

If you use an external service to send newsletters, conclude a data processing agreement (AV) with the provider. Attention: if the provider is located outside the European Union, further rules on international data transfers apply. The EU-US Privacy Shield, on which many US providers relied, was invalidated by the Court of Justice of the EU in July 2020, so check which transfer mechanism your provider currently offers.

Google web fonts

Third-party services are always problematic for WordPress and GDPR compatibility. For example, hardly any website does without Google Web Fonts. The fonts look good, but loading them from Google's servers transmits the IP address of every visitor, and it is not clear what else the font requests send to Google. You solve the problem by storing the font files on your own server and loading them from there.
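Downloading the font files is the easy half; the harder half is making sure the theme and plugins stop referencing Google's servers. The following added example (not code from eRecht24 or from any theme) does that generically: it rewrites every registered stylesheet that points at fonts.googleapis.com to a local copy, keeping the handle so that styles depending on it still load, and strips the preconnect and dns-prefetch hints themes add for the Google hosts. It assumes you have placed the font files and a fonts/local-fonts.css with matching @font-face rules in the (child) theme directory; that path and the function name are this example's own.

```php
<?php
/**
 * Added example, not code from eRecht24 or from any theme: redirect every
 * stylesheet that the active theme or a plugin loads from Google's font
 * servers to a local copy and drop the matching resource hints.
 * Assumptions: the font files and fonts/local-fonts.css (with the matching
 * @font-face rules) exist in the child theme directory; that path is this
 * example's own.
 */

/** Hosts that would receive every visitor's IP address if left in place. */
const GDPR_FONT_HOSTS = array( 'fonts.googleapis.com', 'fonts.gstatic.com' );

function gdpr_is_google_font_url( $url ) {
    // wp_parse_url() also handles protocol-relative "//fonts.googleapis.com/..."
    $host = wp_parse_url( (string) $url, PHP_URL_HOST );
    return is_string( $host ) && in_array( strtolower( $host ), GDPR_FONT_HOSTS, true );
}

// Priority 100: run after themes and plugins have registered their handles,
// whatever those handles are called.
add_action( 'wp_enqueue_scripts', function () {
    $local = get_stylesheet_directory_uri() . '/fonts/local-fonts.css'; // assumed path
    foreach ( wp_styles()->registered as $handle => $style ) {
        if ( gdpr_is_google_font_url( $style->src ) ) {
            // Keep the handle: other styles may list it as a dependency and
            // would silently not load if it were deregistered. Just repoint it.
            $style->src = $local;
            $style->ver = null;
        }
    }
}, 100 );

// Themes often add <link rel="preconnect"> / dns-prefetch for the Google
// hosts; a preconnect alone opens a connection, so strip those hints too.
// The filter receives plain URL strings or arrays with an 'href' key.
add_filter( 'wp_resource_hints', function ( $urls, $relation_type ) {
    $kept = array();
    foreach ( $urls as $hint ) {
        $url = is_array( $hint ) ? ( isset( $hint['href'] ) ? $hint['href'] : '' ) : $hint;
        if ( ! gdpr_is_google_font_url( $url ) ) {
            $kept[] = $hint;
        }
    }
    return $kept;
}, 10, 2 );
```

This catches stylesheets registered through the WordPress API. Fonts pulled in by an @import inside a theme's own CSS, or by page builders with their own font settings, are not registered that way, so after deploying, load a few pages with the browser's network panel open and confirm that no request to googleapis.com or gstatic.com remains.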

5. WordPress plugins in the GDPR check

There are WordPress plugins that collect personal data and have to be adapted for GDPR compliance. Other plugins are completely harmless. We show you the most important plugins in the GDPR check.

As a source we used the much more extensive overview of 200+ plugins at https://www.blogmojo.de/wordpress-plugins-dsgvo/

Legend

Red => Not GDPR compliant
Green => can be used without hesitation
Adjustments necessary => instructions available in the premium area

1. Social Plugins

Social plugins frequently cause data protection problems for WordPress and GDPR compatibility.

Red

AddThis / Instagram Feed / jQuery Pin It Button for Images / MashShare / Monarch / Share Icons Share Buttons / ShareThis / Social Locker

Green

Arqam Social Counter / Better click to Tweet / Blog2Social / Meks Smart Social Widget / NextScripts: Social Networks Auto-Poster / Open Graph for Facebook, Google+ and Twitter Card Tags / Social Count Plus

adjustment necessary

PixelYourSite / Fuse Social Floating Sidebar

2. Security Plugins

Among the security plugins, many become GDPR-compliant with small adjustments, typically because they log the IP addresses of failed logins or blocked requests.

Red

Google Captcha by BestWebSoft

Green

BBQ (Block Bad Queries) / Sucuri Security

adjustment necessary

All In One WP Security & Firewall / iThemes Security / Limit Login Attempts / Limit Login Attempts Reloaded / Login LockDown / NinjaFirewall / SpyderSpanker / WP Limit Login Attempts

3. Anti-Spam Plugins

Anti-spam plugins rely on IP addresses to detect spam, and some send them to an external service for checking.

adjustments necessary

Akismet / Antispam Bee / WPBruiser / WP SpamShield

4. Statistics Plugins

Statistics plugins also store personal data.

Red

FeedStats

Green

Statify

adjustments necessary

Count per Day / Google Analytics Dashboard for WP / Google Analytics for WordPress by MonsterInsights / WP Statistics

5. Contact Forms

The entered form data is of course personal data. Therefore, the user must explicitly agree to the storage.

adjustments necessary

Contact Form 7 / Contact Form by WPForms / Gravity Forms / Ninja Forms / Super Forms – Drag & Drop Form Builder

6. Comment function

With comment plugins there is a risk that the plugin will pass on personal data such as IP address and e-mail.

Red

Disqus Comment System / wpDiscuz

7. Membership, Community and Forum Plugins

Personal data such as e-mail addresses or even payment data are stored in member areas.

adjustments necessary

BuddyPress / Digimember / OptimizePress / Simple:Press / UltimateMember

8. Load Time and Performance Plugins

There is no known loading time or performance plugin that stores personal data.

9. SEO Plugins

Among the SEO plugins, only the "Redirection" plugin saves IP addresses. Switch this off in the plugin's options under the "IP logging" setting.

10. Images and Media Plugins

Among plugins that process media such as images, GDPR problems are common: the cloud-based optimisers upload your images to a third-party server, while the plugins that work locally are unproblematic.

Red

Compress JPEG & PNG Images / EWWW Image Optimizer Cloud / Kraken.io Image Optimizer / ShortPixel Image Optimizer / WordPress File

Green

Comet Cache / Enable Media Replace / EWWW Image Optimizer / Imsanity / Media Cleaner / Resize Image After Upload / Regenerate Thumbnails / Unite Gallery Lite

adjustments necessary

NextGEN Gallery

11. Theme Plugins

Many design plugins can be made GDPR-compliant with simple measures.

Green

Genesis Columns Advanced / Mag Mega Menu / MaxButton / Popup Builder / Posts in Page / Shortcoder / WP-PageNavi

adjustments necessary

Elementor Page Builder / Page Builder by SiteOrigin / WP Bakery Page Images