Introduction
The General Data Protection Regulation (GDPR) came into force in May 2018, and yet many WordPress site owners are still unclear about what compliance actually requires. This guide cuts through the complexity and gives you a practical roadmap.
What Personal Data Does Your WordPress Site Process?
Before you can comply with GDPR, you need to know what data you hold. Most WordPress sites process far more personal data than their owners realise:
- User accounts — usernames, email addresses, display names, passwords (hashed)
- WooCommerce orders — names, addresses, phone numbers, purchase history
- Contact form submissions — names, emails, messages, IP addresses
- Comments — names, emails, IP addresses, the comment text itself
- Analytics data — IP addresses (even anonymised partial IPs count), page visit history
- Cookie data — behavioural data tied to identifiable users
Step 1: Create a Data Inventory
A GDPR-compliant data inventory (formally called a Record of Processing Activities or ROPA under Article 30) must document:
- What data you hold
- Why you hold it (the legal basis)
- Who has access to it
- Where it goes (third-party processors)
- How long you keep it
Legal Bases for Processing
GDPR requires you to have a valid legal basis for every processing activity. The six bases are:
| Legal Basis | When to Use |
|---|---|
| Consent | Marketing emails, non-essential cookies, optional features |
| Contract | Processing orders, providing the service a user signed up for |
| Legal obligation | Tax records, fraud prevention |
| Legitimate interests | Security logging, internal analytics (with a balancing test) |
| Vital interests | Rarely applicable to websites |
| Public task | Government bodies only |
Practical tip: Don't over-rely on legitimate interests as a catch-all. The ICO expects you to conduct and document a genuine balancing test.
Handling Data Subject Access Requests
Under GDPR Articles 15–22, individuals have the right to:
- Access a copy of their data
- Rectify inaccurate data
- Erase their data (the "right to be forgotten")
- Restrict processing
- Port their data to another service
- Object to processing
You have 30 days to respond to most requests. For complex requests you can extend to 3 months, but you must notify the individual within the first 30 days.
Automating DSARs with DPOKit
Manually handling DSARs is time-consuming and error-prone. DPOKit automates the collection of data from WordPress core, WooCommerce, Contact Form 7, and other plugins — generating a structured export package that meets GDPR portability requirements.
```php
// DPOKit developer hook: register a custom data source so that the DSAR
// export package also includes data held by your own plugin.
add_filter('dpokit_dsar_data_sources', function ($sources) {
    $sources['my_plugin'] = [
        'label'    => 'My Plugin Data',         // name shown in the export package
        'callback' => 'my_plugin_collect_data', // your function that returns the requester's data
    ];
    return $sources;
});
```
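The same pattern carried through as a complete, added example (not code from this page or from DPOKit): WordPress core ships its own exporter and eraser hooks, `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers`, and this is what a plugin registers against them to answer a portability request and a right-to-be-forgotten request. The table `wp_my_plugin_entries`, its columns, and the `legal_hold` flag are assumptions constructed for the example; the eraser keeps rows under legal hold and reports them as retained, because the erasure right does not override a legal obligation to retain (the 7-year order-record case above).

```php
<?php
// Assumed plugin table (constructed for this example): {$wpdb->prefix}my_plugin_entries
// columns: id, user_email, message, ip_address, created_at, legal_hold (0/1)

// Exporter: WordPress calls it with the requester's email and a page number,
// and keeps calling until the callback reports 'done' => true.
add_filter('wp_privacy_personal_data_exporters', function ($exporters) {
    $exporters['my-plugin'] = [
        'exporter_friendly_name' => __('My Plugin Entries', 'my-plugin'),
        'callback'               => 'my_plugin_privacy_exporter',
    ];
    return $exporters;
});

function my_plugin_privacy_exporter($email_address, $page = 1) {
    global $wpdb;
    $table    = $wpdb->prefix . 'my_plugin_entries';
    $per_page = 100;
    $offset   = (max(1, (int) $page) - 1) * $per_page;

    // The requester's email is user-supplied input: always go through prepare().
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, message, ip_address, created_at FROM {$table}
             WHERE user_email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address, $per_page, $offset
        ),
        ARRAY_A
    );

    $export_items = [];
    foreach ($rows as $row) {
        $export_items[] = [
            'group_id'    => 'my-plugin-entries',
            'group_label' => __('My Plugin Entries', 'my-plugin'),
            'item_id'     => 'my-plugin-entry-' . $row['id'],
            'data'        => [
                ['name' => __('Message', 'my-plugin'),    'value' => $row['message']],
                ['name' => __('IP Address', 'my-plugin'), 'value' => $row['ip_address']],
                ['name' => __('Created', 'my-plugin'),    'value' => $row['created_at']],
            ],
        ];
    }

    return [
        'data' => $export_items,
        'done' => count($rows) < $per_page, // more pages remain if we filled this one
    ];
}

// Eraser: same calling convention; the return value must account for every row.
add_filter('wp_privacy_personal_data_erasers', function ($erasers) {
    $erasers['my-plugin'] = [
        'eraser_friendly_name' => __('My Plugin Entries', 'my-plugin'),
        'callback'             => 'my_plugin_privacy_eraser',
    ];
    return $erasers;
});

function my_plugin_privacy_eraser($email_address, $page = 1) {
    global $wpdb;
    $table = $wpdb->prefix . 'my_plugin_entries';

    // Rows under legal hold are retained and reported, not silently skipped.
    $retained = (int) $wpdb->get_var($wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE user_email = %s AND legal_hold = 1",
        $email_address
    ));

    // $wpdb->query() returns the number of rows affected, or false on error.
    $removed = $wpdb->query($wpdb->prepare(
        "DELETE FROM {$table} WHERE user_email = %s AND legal_hold = 0",
        $email_address
    ));

    $messages = [];
    if ($retained > 0) {
        $messages[] = __('Some entries were retained because a legal obligation requires us to keep them.', 'my-plugin');
    }

    return [
        'items_removed'  => (int) $removed,
        'items_retained' => $retained,
        'messages'       => $messages,
        'done'           => true,
    ];
}
```

Once registered, both callbacks appear under Tools > Export Personal Data and Tools > Erase Personal Data in the dashboard, so the request is logged and confirmed by email through core's own workflow rather than handled ad hoc. The `messages` array is what the administrator and the requester see for retained items, so state the retention reason there rather than leaving the discrepancy between rows held and rows erased unexplained.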
Retention Periods
GDPR's storage limitation principle (Article 5(1)(e)) requires you not to keep data longer than necessary. Common retention periods:
- Marketing email lists: Until consent is withdrawn
- Order records: 7 years (UK tax law requirement)
- Contact form submissions: 1–2 years (unless the matter is ongoing)
- Access logs: 90 days (security purposes under legitimate interests)
- Analytics data: 14 months (Google's own recommendation for GA4)
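Retention only counts as enforced if something actually deletes the data on schedule. The following is an added example (not code from this page or from DPOKit) of a WP-Cron job that applies two of the windows above to a plugin's own table: IP addresses are blanked after 90 days while the entry itself survives, and whole entries are deleted after one year. The table `wp_my_plugin_entries`, its columns, the `legal_hold` flag and the hook names are assumptions constructed for the example.

```php
<?php
// Assumed plugin table (constructed for this example): {$wpdb->prefix}my_plugin_entries
// columns: id, user_email, message, ip_address, created_at, legal_hold (0/1)

const MY_PLUGIN_RETENTION_DAYS    = 365; // contact-form style submissions: 1 year
const MY_PLUGIN_IP_RETENTION_DAYS = 90;  // IPs kept 90 days for security, then blanked

// Schedule the daily job once, at activation; wp_next_scheduled() guards against duplicates.
register_activation_hook(__FILE__, function () {
    if (!wp_next_scheduled('my_plugin_enforce_retention')) {
        wp_schedule_event(time(), 'daily', 'my_plugin_enforce_retention');
    }
});

// Remove the job on deactivation so it cannot keep firing as an orphaned event.
register_deactivation_hook(__FILE__, function () {
    wp_clear_scheduled_hook('my_plugin_enforce_retention');
});

add_action('my_plugin_enforce_retention', 'my_plugin_enforce_retention');

function my_plugin_enforce_retention() {
    global $wpdb;
    $table = $wpdb->prefix . 'my_plugin_entries';

    // Step 1: data minimisation. Once the security-logging window has passed the
    // IP is no longer needed, so strip it but keep the entry.
    $ip_cutoff  = gmdate('Y-m-d H:i:s', time() - MY_PLUGIN_IP_RETENTION_DAYS * DAY_IN_SECONDS);
    $anonymised = $wpdb->query($wpdb->prepare(
        "UPDATE {$table} SET ip_address = '' WHERE ip_address <> '' AND created_at < %s",
        $ip_cutoff
    ));

    // Step 2: storage limitation. Delete entries past the retention period in
    // bounded batches so a large backlog cannot hold a lock for the whole run.
    // Rows under legal hold are excluded, matching the erasure behaviour.
    $cutoff  = gmdate('Y-m-d H:i:s', time() - MY_PLUGIN_RETENTION_DAYS * DAY_IN_SECONDS);
    $deleted = 0;
    do {
        $batch = $wpdb->query($wpdb->prepare(
            "DELETE FROM {$table} WHERE created_at < %s AND legal_hold = 0 LIMIT 500",
            $cutoff
        ));
        $deleted += (int) $batch;
    } while ($batch === 500);

    // Record the run: evidence for the ROPA that the retention period is
    // enforced, not merely documented. autoload=false keeps it off every page load.
    update_option('my_plugin_last_retention_run', [
        'ran_at'     => gmdate('c'),
        'anonymised' => (int) $anonymised,
        'deleted'    => $deleted,
    ], false);
}
```

Two caveats worth checking on a real deployment. WP-Cron only fires when someone requests a page, so on a low-traffic site the job can slip well past its scheduled time; setting `DISABLE_WP_CRON` and calling `wp-cron.php` from a system cron gives the retention schedule a real clock. And the cutoff is computed from `created_at`, so the column must be set server-side at insert time, never from a value the visitor supplies.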
Cookie Consent
Since the UK GDPR and PECR came into force, freely-given consent is required before setting non-essential cookies. "Consent" means:
- Freely given — no cookie walls that deny service without consent
- Specific — granular categories, not a blanket "accept all"
- Informed — users must know what they're consenting to
- Unambiguous — a pre-ticked box is not consent
Conclusion
GDPR compliance for WordPress is achievable, but it requires ongoing attention — not a one-time checkbox exercise. The key steps are: map your data, establish legal bases, implement consent management, build DSAR workflows, and enforce retention policies.
DPOKit is designed to make all of these steps manageable from within your WordPress dashboard.
Sarah Mitchell
Privacy & Compliance Lead