Posted on

April is WordPress Plugin Privacy Audit Month

With less than 45 days until the game-changing EU GDPR law takes effect, it is a good time for WordPress administrators to do a privacy review of the plugins they have installed on their site. This information will help you create or update a privacy policy for your site – a must have for any modern web presence.

Administrators are well advised to first deactivate any plugins they no longer need – a good security practice in itself. But don’t delete it right away! If you suspect that plugin might have collected personal data, you’ll want to contact the developer and make sure that deleting their plugin will also clean up any personal data it collected.

Next, administrators should review the privacy policy for each plugin. Most plugins haven’t written these – privacy by design is a new concern for many software developers – so you will probably have to contact each developer and ask them directly.  Here’s the questions you’ll want answered:

  • What data the plugin collects from site users and visitors
  • What the plugin does with the data / why the data is collected
  • What third-parties does the plugin share the data with
  • Where does the plugin store data (both on the site itself and on any cloud based resource), how access to the data is protected
  • How long the plugin retains the data
  • What options administrators and users have about data collection and use
  • How the administrator or users can access, update or delete the data the plugin collects
  • Assurance that, when deleted, the plugin also cleans up any data it collected

Happy Spring Cleaning and Privacy Policy writing!

Posted on

WordPress Plugin Data Deletion and the GDPR

With the GDPR deadline looming, it is an excellent time for WordPress plugin developers to finish adding or updating that often skipped, often neglected plugin uninstall code – you know, the “clean-up” code that deletes options and meta data and tables that the plugin added to the site?

This is especially a good time for you to do this if your plugin handles personal data in any way.  Why? To give assurance to the administrators that install your plugin that, if they delete that plugin from their site, they are no longer responsible for including in their privacy policy (or, heaven forbid, disclosing in the event of a breach) what data, especially personal data, was collected (or exposed) by your plugin.

Here’s the Plugin Handbook page you’re looking for: https://developer.wordpress.org/plugins/the-basics/uninstall-methods/

Tick tock. The GDPR takes effect on May 25, 2018.

There are, of course, other aspects of the GDPR that apply to the way plugins handle personal data or expose site visitors to data collection by 3rd parties, and solutions to those are coming in WordPress core (see below), but this area (data clean-up on plugin deletion) is one area that developers can attend to now if they haven’t already.

Interested in joining me in helping to make the world’s top CMS more privacy oriented and GDPR ready? Come join the privacy party at https://make.wordpress.org/core/tag/gdpr-compliance/

Posted on

3-minute GDPR

https://www.youtube-nocookie.com/embed/n5WJOncaHt4

Not a bad overview at all – I think it is useful to clarify that:

  • the GDPR covers not EU citizens but EU residents, and
  • that data portability (Article 20) requires being able to request and send a machine readable copy of data to another controller but doesn’t require that controller to have software ready to actually read it

but otherwise a great overview/introduction.