Initial Configuration
Walk through the DPOKit setup wizard to configure your compliance settings after installation.
Initial Configuration
After activating DPOKit for the first time the Setup Wizard launches automatically. It guides you through the essential settings in seven short steps. You can also relaunch it any time from DPOKit → Settings → Advanced → Relaunch Setup Wizard.
Step 1 — Organisation details
DPOKit uses these details to pre-fill generated legal documents such as your privacy notice and ROPA export.
| Field | Notes |
|---|---|
| Organisation name | Your legal trading name |
| Data controller email | DPO or privacy contact address |
| Registered country | Used to determine default regulatory framework |
| Privacy policy URL | Link included in consent banner and DSAR acknowledgements |
Click Next when complete.
Step 2 — Applicable regulations
Select every regulatory framework that applies to your organisation. DPOKit adjusts its defaults, labels, and generated documents accordingly.
- GDPR (EU) — applies if you process data of EU residents
- UK GDPR — applies if you process data of UK residents post-Brexit
- CCPA / CPRA — applies if you process data of California consumers
You can select more than one. When in doubt, select all that may apply — you can tighten this later under Settings → Compliance Scope.
All generated legal text is marked as a draft requiring legal review. DPOKit does not provide legal advice.
Step 3 — Consent categories
Define the categories of processing for which you will request visitor consent.
The defaults match the IAB TCF v2.2 categories used by most analytics and advertising tools:
| Category | Default state | Examples |
|---|---|---|
| Functional | Always active (not gateable) | Session management, login, cart |
| Analytics | Opt-in required | Google Analytics, Plausible |
| Marketing | Opt-in required | Meta Pixel, Google Ads, LinkedIn Insight |
| Personalisation | Opt-in required | A/B testing tools, recommendation engines |
You can rename categories, add custom categories, or remove categories that are not relevant to your site. Click the pencil icon next to any category to edit its name and description (shown to visitors in the preference centre).
Step 4 — Scan configuration
DPOKit scans your site to detect third-party scripts, cookies, iframes, tracking pixels, and form submission endpoints.
Pages to scan
By default, DPOKit crawls your homepage plus up to 50 pages discovered via your sitemap. Adjust the page limit or add specific URLs to include or exclude:
- Include additional URLs — paste one URL per line to always include specific pages
- Exclude URLs — exclude admin, checkout, or other pages that should not be crawled
- Max pages per scan — default 50; increase for larger sites (reduce if scans time out)
Scan schedule
| Option | Recommended for |
|---|---|
| Daily | Sites updated frequently |
| Weekly (default) | Most sites |
| Monthly | Low-traffic or rarely updated sites |
| Manual only | Developers who prefer WP-CLI or on-demand runs |
Google Tag Manager detection
If your site uses GTM, enable Enumerate GTM tags to have DPOKit inspect container contents and add discovered tags to your data map automatically. Enter your GTM container ID (format: GTM-XXXXXXX).
Step 5 — DSAR settings (Pro / Agency)
Configure how data subject requests are received and processed.
Intake form
- Enable DSAR intake form — adds the
[pv_dsar_form]shortcode to place on your privacy page - Request types to accept — choose from: Access, Deletion, Rectification, Portability, Objection
- Identity verification — Email confirmation is the minimum. Optionally enable ID document upload for deletion requests
Deadlines and notifications
- Statutory deadline — default 30 calendar days (GDPR / UK GDPR standard); adjust if your regulations differ
- Admin notification email — receives an email for each new DSAR submission (defaults to admin email)
- Acknowledgement email sender name — displayed in the confirmation email sent to the requestor
If you are on the Free tier this step is shown as a preview only. Upgrade to Pro to enable DSAR features.
Step 6 — Retention policy defaults (Pro / Agency)
Set the default retention periods DPOKit will apply when scheduling automated deletion and anonymisation jobs.
Recommended starting points (adjust to match your actual legal obligations):
| Data category | Default retention | Common legal basis |
|---|---|---|
| WooCommerce orders | 7 years | Tax / VAT record-keeping |
| Contact form submissions | 2 years | Legitimate interest |
| WordPress user accounts | Duration of relationship + 1 year | Contract |
| Blog comments | 3 years | Legitimate interest |
| Consent records | 3 years | Legal obligation (accountability) |
| DSAR case files | 3 years | Legal obligation |
| Plugin audit log | 3 years | Legal obligation |
You can refine these at any time under DPOKit → Retention → Policies. Policies support legal hold overrides — for example, preventing deletion of orders still within a tax retention window.
Step 7 — Notifications and reporting
Email delivery
DPOKit sends compliance-related notifications (DSAR alerts, retention job summaries, overdue deadline warnings). Confirm the sending address and whether WordPress default mail or a dedicated SMTP plugin is being used.
If you have an SMTP plugin installed (WP Mail SMTP, Post SMTP, FluentSMTP), DPOKit will use it automatically — no extra configuration needed.
Scheduled report delivery
Optionally nominate one or more email addresses to receive automated monthly compliance summary reports. You can adjust frequency and recipients at any time under DPOKit → Reports → Scheduled Reports.
Completing the wizard
Click Finish Setup on the final screen. DPOKit will:
- Save your configuration
- Create any required database tables (if not already created on activation)
- Queue the first site scan to run within 5 minutes
- Activate the consent banner in Preview mode (visible only to logged-in administrators)
You will be redirected to the DPOKit Dashboard where your compliance overview is displayed.
Activating the consent banner
The banner starts in Preview mode so you can review it before your visitors see it.
- Go to DPOKit → Consent → Banner.
- Use Preview to view the banner as a visitor would see it.
- Make any branding or copy adjustments.
- Set Status to Active and click Save.
From this point, non-essential scripts are blocked until each visitor grants consent.
Skipping the wizard
If you prefer to configure settings manually, click Skip Wizard on the first screen. All settings are available individually under DPOKit → Settings. You can relaunch the wizard at any time from Settings → Advanced.
Next steps
- Activate your licence key — unlock Pro or Agency features
- Run your first scan — build your initial data map
- Configure retention policies — automate data lifecycle management
- Set up DSAR workflows — handle data subject requests end-to-end