Administrators are well advised to first deactivate any plugins they no longer need – a good security practice in itself. But don’t delete them right away! If you suspect that a plugin might have collected personal data, you’ll want to contact the developer and make sure that deleting the plugin will also clean up any personal data it collected.
- What data the plugin collects from site users and visitors
- What the plugin does with the data / why the data is collected
- What third parties the plugin shares the data with
- Where the plugin stores data (both on the site itself and on any cloud-based resource) and how access to the data is protected
- How long the plugin retains the data
- What options administrators and users have about data collection and use
- How the administrator or users can access, update or delete the data the plugin collects
- Assurance that, when deleted, the plugin also cleans up any data it collected
With the GDPR deadline looming, it is an excellent time for WordPress plugin developers to finish adding or updating that often skipped, often neglected plugin uninstall code – you know, the “clean-up” code that deletes options and meta data and tables that the plugin added to the site?
Here’s the Plugin Handbook page you’re looking for: https://developer.wordpress.org/plugins/the-basics/uninstall-methods/
Tick tock. The GDPR takes effect on May 25, 2018.
There are, of course, other aspects of the GDPR that apply to the way plugins handle personal data or expose site visitors to data collection by 3rd parties, and solutions to those are coming in WordPress core (see below). But data clean-up on plugin deletion is one area that developers can attend to now if they haven’t already.
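As an added example (not code from the original post or from the Plugin Handbook), here is an `uninstall.php` that removes options, metadata, scheduled jobs and a custom table on plugin deletion. The plugin and every `myplugin_*` option, meta key, hook and table name are hypothetical; the WordPress functions are core APIs.

```php
<?php
// uninstall.php: WordPress runs this file when the plugin is deleted from the admin screen.
// All myplugin_* names below are hypothetical placeholders for this example.

// Refuse to run unless WordPress itself triggered the uninstall.
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
	exit;
}

/**
 * Remove everything the plugin stored for the current site.
 */
function myplugin_cleanup_site() {
	global $wpdb;

	// Settings and cached data.
	delete_option( 'myplugin_settings' );
	delete_transient( 'myplugin_cache' );

	// Personal data kept as post meta (for example, form submissions).
	delete_post_meta_by_key( '_myplugin_submitter_email' );

	// Scheduled jobs that would otherwise keep firing after deletion.
	wp_clear_scheduled_hook( 'myplugin_daily_sync' );

	// Custom table; the name is built from the site's table prefix only.
	$table = $wpdb->prefix . 'myplugin_log';
	$wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );
}

if ( is_multisite() ) {
	// Clean every site in the network, not just the main one.
	foreach ( get_sites( array( 'fields' => 'ids', 'number' => 0 ) ) as $site_id ) {
		switch_to_blog( $site_id );
		myplugin_cleanup_site();
		restore_current_blog();
	}
	delete_site_option( 'myplugin_network_settings' );
} else {
	myplugin_cleanup_site();
}

// User meta lives in one shared table, so remove the key once for all users.
delete_metadata( 'user', 0, 'myplugin_tracking_id', '', true );
```

Data the plugin sent to a cloud service or third party is outside the reach of this file and needs its own deletion path.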
Interested in joining me in helping to make the world’s top CMS more privacy oriented and GDPR ready? Come join the privacy party at https://make.wordpress.org/core/tag/gdpr-compliance/
“The people whose job is to protect the user always are fighting an uphill battle against the people whose job is to make money for the company” – Sandy Parakilas, from Facebook Exit Hints at Dissent on Handling of Russian Trolls
Not a bad overview at all – I think it is useful to clarify that:
- the GDPR covers not EU citizens but EU residents, and
- that data portability (Article 20) requires being able to request and send a machine readable copy of data to another controller but doesn’t require that controller to have software ready to actually read it
but otherwise a great overview/introduction.
One observer said it “would be naive” to expect that a combined Google/Nest wouldn’t bring all the platforms and all the data together.
via Google-Nest merger reawakens privacy worries — Naked Security