How to make my plugin GDPR compatible?

I have a plugin hosted on wordpress.org. The plugin consists of an inquiry form to be submitted by the visitors on the front-end. I have followed the 4.9.6 update regarding GDPR. I have also added exporter and eraser in my plugin.

Is there something more I need to add to my plugin? Is there something I have to add to my inquiry form to make it GDPR compatible?

4 Answers

Well, this has little to do with WordPress development as such, even if there is now a special privacy function, but since I've been writing about online privacy for over 25 years now I'll gladly answer. Let's take a look at the principles:

  1. Lawful basis. Since you are collecting data with a form, it is clear what data is collected and what for. You could add two optional notes to be filled in in the backend ‘what will we use your data for’ and ‘what data do we store’, so your users are more aware of their obligations towards the visitors of their website. These notes could also be shown in the frontend.

  2. Responsibility, data protection and pseudonymisation. These are mainly security issues that your plugin can do little about, except maybe applying cryptography when storing the information. But that would mean the data can only be accessed through your plugin.

  3. Right of access. This too is something that could be added to the form as a note: tell the visitor what he can do to access/erase his information after he has filled in the form.

  4. Right to erasure. See above. Also: does your plugin provide only manual erasure options or scheduled erasure as well? The plugin could help reduce load on the users if data older than, say, one year is automatically removed.

  5. Records of processing activities. Does your plugin allow users to modify data collected? In that case, does it store old values? This may be a little bit overkill for a simple form, but if you are collecting sensitive data (such as medical records) keeping track of modifications might be wise. Processing also involves other stuff that users do with the collected data, but that is not your responsibility as a plugin developer.

  6. Data protection officer and breaches. Not your responsibility.

So, you are mostly done. The most important addition might be to include a note on your options page explaining GDPR to users of your plugin and allowing them to pass information on their rights to their website’s visitors. At this point you have built the necessary technical tools into your plugin, but you should also support transparency.

Update: Sample texts

  • We will use your name and email address [what data we store] only to send you a maximum of one newsletter every month [exactly what we store it for]. Every newsletter will include a link that lets you unsubscribe [right to erase].
  • We store the data in the questionnaire together with your name and contact info [what data we store] for our research purposes [exactly what we store it for]. Your name and contact info are only stored so we get into contact with you for clarifications of the questionnaire. We delete your name and contact info automatically after three months [erasure info, after this the rest of the data is no longer personal data unless the questionnaire asks personal stuff]. The questionnaire data we will keep as long as is necessary for the research.
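The exporter and eraser hooks the question mentions, together with the scheduled erasure suggested in point 4, as an added PHP example (not code from the question, the answer, or the asker's plugin); the table name, its columns and the one-year retention period are assumptions made for the example:

```php
<?php
// Added example, not code from the question or answer. Assumes a hypothetical
// table {$wpdb->prefix}inquiries with columns id, name, email, message, created_at.

// Exporter: everything stored for one e-mail address, in the shape WordPress
// expects for its personal-data export file (right of access).
function my_inquiry_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, email, message, created_at FROM {$wpdb->prefix}inquiries WHERE email = %s",
        $email_address
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'inquiries',
            'group_label' => 'Inquiries',
            'item_id'     => 'inquiry-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',    'value' => $row->name ),
                array( 'name' => 'Email',   'value' => $row->email ),
                array( 'name' => 'Message', 'value' => $row->message ),
                array( 'name' => 'Sent at', 'value' => $row->created_at ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true );
}
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['my-inquiry-form'] = array( 'exporter_friendly_name' => 'Inquiry Form', 'callback' => 'my_inquiry_exporter' );
    return $exporters;
} );
// Eraser: delete the rows outright and report what happened (right to erasure).
function my_inquiry_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'inquiries', array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (bool) $deleted, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['my-inquiry-form'] = array( 'eraser_friendly_name' => 'Inquiry Form', 'callback' => 'my_inquiry_eraser' );
    return $erasers;
} );
// Scheduled erasure: once a day, purge inquiries older than one year so stale
// personal data does not accumulate (the retention limit is an assumed value).
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'my_inquiry_purge' ) ) { wp_schedule_event( time(), 'daily', 'my_inquiry_purge' ); }
} );
add_action( 'my_inquiry_purge', function () {
    global $wpdb;
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}inquiries WHERE created_at < %s", gmdate( 'Y-m-d H:i:s', time() - YEAR_IN_SECONDS ) ) );
} );
```

Once registered, the exporter and eraser show up under Tools > Export Personal Data and Tools > Erase Personal Data, and the purge runs through WP-Cron without the site owner having to remember it.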
