GDPR and WordPress – How GDPR Affects Your WordPress Website


GDPR and WordPress

What you need to know about GDPR and how it affects your WordPress website

The new General Data Protection Regulation (GDPR) introduces some very in-depth rules about how personal data is handled and stored, and it is clear that this is sending a lot of business owners into a panic. There has been a lot of scaremongering going on with GDPR, and a lot of ‘so-called experts’ popping up left, right and centre!

This is why Poppy Design Studio has left it quite near to the deadline for GDPR to write this article. It was not done to panic people even more but it was done so we could try and get to grips with it before we even try explaining it to our customers.

If your business processes and stores personal data of EU citizens (even just email), GDPR applies to you.

It is true, there are major fines for companies that do not comply with the new regulations – up to 4% of your turnover or €20 million – but please remember, before panicking, that the ICO will work constructively with business owners in a non-adversarial way. GDPR fines will only tend to be imposed when a business commits a very severe privacy violation, or where a business refuses to cooperate or continually repeats the same mistakes. This is not us saying you do not need to take GDPR seriously, but it really is important that you, as a business owner, comply with a positive ‘how can we improve things’ mentality, rather than thinking of it as a box-ticking exercise to avoid being fined.

Ok, so where do I begin to tackle GDPR?

To start, we have to add an obligatory disclaimer so we do not get shouted at by a lawyer:

Poppy Design Studio are not lawyers and what follows isn’t legal advice. We are here to give guidance on what needs to happen to your WordPress website under GDPR, as we have a vested interest, but we are in no way legally trained and we have to advise you to get legal advice on your own policies and practices/privacy policies so you know you are covered for your own business. If you notice things that are wrong, out-of-date or missing – please let us know so we can update this article!

If you haven’t started getting ready for GDPR yet, here’s a basic plan based on what we have done at Poppy Design Studio:

  1. Read through the ICO’s guidance on GDPR 
  2. Conduct a GDPR compliance audit for your business.
  3. Identify any weaknesses and address these.
  4. Update your Privacy Information Notice / Privacy Policy.
  5. Update your Cookie Policy and make sure website visitors can turn off cookies easily.
  6. Create/update your Internal Data Security Policy. This should outline the policies and procedures you have in place internally to ensure the security of personal data. We suggest again you talk to a GDPR expert and legal team for this. You can get further advice from a company that we work with a lot and highly recommend:

What needs to be done to help get your WordPress website GDPR compliant

1. Your Privacy Policy – This should be the first thing you update regarding your website. A GDPR compliant Privacy Policy is a very personalised document. In the past, a generic privacy policy could be used, but now you will need to have your privacy policy checked over by someone who is legally qualified to make sure that it is GDPR compliant. We have used the team at for this and can highly recommend them. If you are hosted with us, you can view our privacy policy here for the server details, so you can add the details about the server holding IP addresses for brute-force protection and other security reasons. Other options include: online templates and generators, your own solicitor, or legal advice from your local Chamber of Commerce or the Federation of Small Businesses if you are a member.

2. Your Cookie Policy – This is another important policy that needs to be on your website and again it needs to be personalised. You will need to scan your website (see point 3) to see what Cookies it is using, and then list them all in your Cookie Policy. You can view our cookie policy here.

3. Scan your website for the Cookies it uses – You now have to list the cookies you use on your WordPress website so a visitor has the option to turn them off. Every website uses them; some are required to keep the site functioning and cannot be turned off, but others can be switched off and the visitor needs to be given that choice. We recommend using this website: You can use its free scan to get a free PDF report of the cookies your website uses, and then use that report to list them and give visitors the option to turn them off.
You can also use a browser extension to run an audit of your website to see what Cookies it is using. We use the Chrome extension called Attacat Cookie Audit Tool and it really is fantastic. It runs an audit through the whole site as we click through the pages we want to check and then gives a report on them all, listing them so you can add them to your cookie policy and disable the ones you do not want there.

4. Cookie Consent – It is stipulated in the ICO guidelines that when a user visits your website they must have the ability to turn off cookies easily before they continue to use your website. A simple information pop-up bar just listing the cookies is no longer compliant; they literally have to be able to turn them off easily and from the screen they arrived on. This has caused some issues in the WordPress world as some plugins just simply do not work. We have found and tested them all! We are on the case though and have found a couple that just need a few tweaks, and we will update this shortly once we know they are working with no glitches, with what we will finally use and recommend.

Cookie Consent

5. Blog Comments – Add a clear link to your Privacy Information Notice somewhere on your blog comment form. The link text could read something like: ‘Your data will be processed and stored in line with our Privacy Policy [link].’ State in this notice that users should not enter personal information into the comment field itself.

WordPress are bringing in GDPR tools and my goodness do they leave it ‘til the last minute! But remember, do not panic. All WordPress users are in the same position and they realise it takes time for all the different plugin and core developers to make everything fully compliant. The core changes are now due to be released on May 17th; it was originally May 15th. These will add a tick box to comment boxes and other things, and this is why it is pointless installing other plugins until we see what WordPress adds into the core functions. It also adds the ability to create a basic privacy policy, BUT they still recommend writing your own or adding to it, so we advise you do not use that one; please get one created for you and your business as stated above. Read more about WordPress core here:

6. Your contact forms – For standard contact forms that just email you the submitted information, not newsletter signup forms or forms that store the message on your WordPress site, you need to link to your Privacy Policy, and let people know that by completing the form, their data will be processed and stored in accordance with your privacy policy.

You need to have a way to collate, correct or delete that data on request. How you hold and use the data, and how people can make such a request, is something that should be set out in your privacy policy.

If you are using a database plugin to store all submissions in your WordPress database, it works differently for you. You will need to have a tick box (acceptance box). This must be their explicit consent: it must be opt-in (rather than a pre-ticked checkbox), it must be separate from any other terms and conditions, and it must make clear why you want the data, what you are going to do with it and how you are storing it in your database.
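Points 5 and 6 both come down to the same mechanics: an unticked, separate consent box, checked on the server rather than only in the browser, and a record of when consent was given. The following is an added example written for this article, not Poppy Design Studio’s code and not the tick box WordPress core is adding; it wires those three parts onto the built-in comment form (which stores submissions in the database, so it is the standard form case above). The hook names and `get_privacy_policy_url()` are real WordPress APIs (the latter needs the GDPR core release, 4.9.6 or later); the field name and meta key `pds_privacy_consent` and the text domain `pds` are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not Poppy Design Studio's code, nor WordPress core's):
 * an explicit, unticked consent checkbox on the WordPress comment form,
 * enforced server-side and recorded against the comment.
 * Hook names are real WordPress hooks; the field name / meta key
 * "pds_privacy_consent" and text domain "pds" are assumptions.
 */

// 1. Output the checkbox, unticked and separate from every other field.
//    Two hooks, because WordPress renders the form differently for
//    logged-out and logged-in visitors.
function pds_consent_checkbox() {
    $privacy_url = esc_url( get_privacy_policy_url() ); // empty if no policy page is set yet
    echo '<p class="comment-form-consent">';
    echo '<input type="checkbox" id="pds_privacy_consent" name="pds_privacy_consent" value="1" required />';
    echo '<label for="pds_privacy_consent">';
    echo esc_html__( 'I agree to my name, email address and comment being stored and processed in line with the ', 'pds' );
    echo '<a href="' . $privacy_url . '">' . esc_html__( 'Privacy Policy', 'pds' ) . '</a>.';
    echo '</label></p>';
}
add_action( 'comment_form_after_fields', 'pds_consent_checkbox' );
add_action( 'comment_form_logged_in_after', 'pds_consent_checkbox' );

// 2. Enforce it server-side. The HTML "required" attribute is a convenience,
//    not a control: a POST that skips the box is rejected here before the
//    comment is inserted.
function pds_require_consent( $commentdata ) {
    if ( empty( $_POST['pds_privacy_consent'] ) ) {
        wp_die(
            esc_html__( 'Please tick the privacy consent box before submitting your comment.', 'pds' ),
            esc_html__( 'Consent required', 'pds' ),
            array( 'response' => 400, 'back_link' => true )
        );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'pds_require_consent' );

// 3. Record when consent was given (UTC), so the site can evidence it and
//    can later find it when handling an access or erasure request.
function pds_record_consent( $comment_id ) {
    if ( ! empty( $_POST['pds_privacy_consent'] ) ) {
        add_comment_meta( $comment_id, 'pds_privacy_consent', current_time( 'mysql', true ), true );
    }
}
add_action( 'comment_post', 'pds_record_consent' );
```

Drop this into a small site-specific plugin rather than the theme, so it survives theme updates. The same three steps (unticked box, server-side check, timestamped record) apply to any contact-form plugin that saves submissions, whatever hooks that plugin exposes.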

7. WooCommerce – Add text and a link to your checkout page, informing customers that their data will be handled and stored as set out in your privacy policy. If you are signing users up to a mailing list or other service on checkout, ensure you have a specific, unambiguous, opt-in checkbox, unchecked by default. State the following in your shop terms and conditions or privacy policy so the customer knows how long you will hold the order data: in the UK, there is a legal duty to retain accounting records (including all money received by the company, for example invoices, contracts, sales books and till rolls) for at least 6 years.

WooCommerce will also be releasing a GDPR update, which should cover everything that is needed from a shop perspective. See details here:

8. Newsletter sign up forms – You must enable double opt-in with your email newsletter provider. You must also clearly set out your newsletter signup forms with a certain structure, including the following:

  Detailed information on how [company name] process your personal data can be found in our privacy policy [link to privacy policy]
  [tick box that is not ticked] I agree to my personal data being stored and used to receive the newsletter.
  [tick box that is not ticked] I agree to receive information and commercial offers from [company name]
  Subscribe Button

You need separate consent for each reason you are emailing them, so each purpose gets its own tick box.
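Double opt-in is what makes the form above provable: the address only joins the list once its owner clicks a link that was emailed to them, so nobody can sign somebody else up, and you hold a timestamp and the exact purposes ticked. The code below is an added example written for this article, not Poppy Design Studio’s code and not any newsletter provider’s implementation; it is plain PHP that runs without WordPress. The in-memory `$pending`/`$confirmed` arrays, the 24-hour link expiry and the sample address are assumptions; a real site would keep these in a database table and send the link by email instead of returning it.

```php
<?php
/**
 * Added example (not Poppy Design Studio's code, nor a newsletter provider's):
 * the two steps of a double opt-in flow in plain PHP (7.1+).
 * The in-memory stores, the 24-hour expiry and the sample address are
 * assumptions for this example.
 */

const CONFIRM_TTL = 24 * 60 * 60; // seconds a confirmation link stays valid (assumed)

$pending   = []; // sha256(token) => ['email' => ..., 'purposes' => [...], 'expires' => ...]
$confirmed = []; // email => ['confirmed_at' => ..., 'purposes' => [...]]

/**
 * Step 1: the visitor submits the form. Nothing is subscribed yet. We store the
 * request with the purposes they ticked and return the one-time token that
 * would be embedded in the confirmation link sent to that address.
 */
function request_subscription(array &$pending, string $email, array $purposes): ?string {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || $purposes === []) {
        return null; // invalid address or no purpose ticked: nothing to confirm
    }
    $token = bin2hex(random_bytes(32));   // 256-bit unguessable token
    $pending[hash('sha256', $token)] = [  // store only its hash, as with a password
        'email'    => $email,
        'purposes' => array_values($purposes),
        'expires'  => time() + CONFIRM_TTL,
    ];
    return $token;
}

/**
 * Step 2: the link is clicked. Only a known, unexpired token moves the address
 * into the confirmed list, and the token is consumed so the link cannot be
 * replayed.
 */
function confirm_subscription(array &$pending, array &$confirmed, string $token): bool {
    $key = hash('sha256', $token);
    if (!isset($pending[$key])) {
        return false;            // unknown token
    }
    $entry = $pending[$key];
    unset($pending[$key]);       // single use, valid or not
    if ($entry['expires'] < time()) {
        return false;            // expired: the visitor has to submit the form again
    }
    $confirmed[$entry['email']] = [
        'confirmed_at' => gmdate('c'),   // UTC timestamp is the consent evidence
        'purposes'     => $entry['purposes'],
    ];
    return true;
}

// Constructed usage: one purpose per tick box, only the ticked ones are passed in.
$token = request_subscription($pending, 'reader@example.com', ['newsletter']);
echo 'after form submit: pending=' . count($pending) . ' confirmed=' . count($confirmed) . "\n";
echo 'wrong token accepted? ' . var_export(confirm_subscription($pending, $confirmed, 'not-the-token'), true) . "\n";
echo 'real token accepted?  ' . var_export(confirm_subscription($pending, $confirmed, $token), true) . "\n";
echo 'same link reused?     ' . var_export(confirm_subscription($pending, $confirmed, $token), true) . "\n";
print_r($confirmed);
```

Run it with `php double-opt-in.php`. The points to carry over to a real integration are that the token is generated with `random_bytes`, only its hash is stored, the pending record holds exactly the purposes that were ticked, and the confirmation timestamp is what you keep as proof of consent.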

Other precautions you need to take with a WordPress website:

  • Make sure your WordPress is updated and all your plugins are updated monthly.
  • Ensure your website is on HTTPS


WordPress News:

WordPress have been working very hard to implement a lot of changes in order to make the core of WordPress GDPR compliant. You can watch the latest news here:
GDPRWP & WordPress Core

We hope this will help you prepare for GDPR with your WordPress website and if you feel we have missed anything please leave a comment and we will be more than happy to add it.

Need extra help on GDPR and WordPress? Email or call us today and we will be happy to help! or 0800 321 3843
