Changelog

Release notes for DPOKit. Changes that affect your compliance posture are rated High, Medium, or Low impact.

All notable changes to DPOKit are documented here.

Impact ratings:

  • High Impact — Changes to data processing logic, encryption, or security. Review and action likely required.
  • Medium Impact — New features affecting data flows, consent, or generated documents. Review recommended.
  • Low Impact — Infrastructure, UI, or developer features. No immediate compliance action required.

All generated legal text (privacy notices, ROPA) is a draft only and must be reviewed by a qualified legal or data protection professional before use. DPOKit does not provide legal advice.


1.11.0 — 2026-03-11 | Compliance Impact: Medium

Phase 11 — Compliance & Legal Positioning

Frameworks: GDPR (EU) · UK GDPR · CCPA/CPRA

Changes

  • Added Compliance & Legal admin page with four tabs: Frameworks, Legal Disclaimers, Annual Review, Changelog.
  • Introduced explicit compliance framework scope selection (GDPR, UK GDPR, CCPA/CPRA) with jurisdiction, rights, and deadline information.
  • All generated legal text (Privacy Notice, ROPA) now carries a prominent, customisable disclaimer stating it requires legal review before use.
  • CCPA/CPRA legal basis labels and data subject rights added to Privacy Notice and ROPA reports.
  • Annual review tracker covering: vendor library, retention periods, data map, consent categories, DSAR workflow.
  • Admin notice displayed in all DPO Kit pages when any review subject is overdue (> 12 months).
  • In-plugin compliance changelog with compliance-impact ratings.

Action Required

Review and configure active compliance frameworks under DPO Kit → Compliance & Legal → Frameworks. Complete initial annual review acknowledgements for all tracked subjects under the Annual Review tab.


1.10.0 — 2026-02-01 | Compliance Impact: Low

Phase 10 — Licensing & Subscription Management

Frameworks: GDPR (EU) · UK GDPR

Changes

  • Licence key validation with remote API (grace period for offline/staging).
  • Feature gating between free tier (consent banner + basic scan) and paid tier (DSAR, retention, reporting).
  • Automatic plugin updates via licence-authenticated update endpoint.
  • Daily licence status background check via WP-Cron.

Action Required

None. No changes to data processing logic.


1.9.0 — 2026-01-15 | Compliance Impact: Low

Phase 9 — Developer Experience

Frameworks: GDPR (EU) · UK GDPR

Changes

  • dpo_kit_register_data_source filter for DSAR data-collection extensions.
  • dpo_kit_register_deletion_handler filter for DSAR deletion extensions.
  • dpo_kit_register_scripts filter for consent-gated script registration.
  • dpo_kit_register_vendor filter for vendor library extensions.
  • WP-CLI commands: wp pv scan, wp pv retention, wp pv reports, wp pv dsar.
  • REST API endpoints for consent status read/write and DSAR intake.

Action Required

None for existing installs. Third-party plugin authors can now register data sources and deletion handlers without modifying core plugin files — review integrations if any custom code was previously patching core.


1.8.0 — 2025-12-20 | Compliance Impact: Low

Phase 8 — Performance

Frameworks: GDPR (EU) · UK GDPR

Changes

  • Bulk retention and deletion jobs chunked into batches to avoid PHP timeouts on databases with 100,000+ records.
  • Database index health check tool added to Performance admin page.
  • Consent banner script minified; defer/async loading enforced; target < 10 KB gzipped.
  • Admin UI assets load only on DPO Kit admin pages (no front-end bloat).

Action Required

None. No changes to data processing scope.


1.7.0 — 2025-12-01 | Compliance Impact: High

Phase 7 — Security & Data Handling

Frameworks: GDPR (EU) · UK GDPR

Changes

  • AES-256-CBC encryption at rest for DSAR case contents and uploaded identity documents, keyed to WordPress secret keys.
  • Honeypot spam protection on DSAR intake form; optional reCAPTCHA v3 / hCaptcha.
  • All database queries use prepared statements — no unsanitised input to $wpdb.
  • Admin capability checks enforced on all compliance data access points.
  • Plugin activity logged to WordPress debug log with configurable verbosity.
  • Compatible with Wordfence and iThemes Security.
  • Phone-home telemetry off by default (explicit opt-in required).

Action Required

If upgrading from v1.6.0 or earlier: Review encryption key configuration under Security settings to confirm data-at-rest protection is active for DSAR cases stored before this upgrade. Previously stored unencrypted records are not automatically re-encrypted; a manual migration may be required for sensitive older records.


1.6.0 — 2025-11-10 | Compliance Impact: Medium

Phase 6 — Integrations

Frameworks: GDPR (EU) · UK GDPR

Changes

  • WooCommerce: orders, customers, subscriptions, and product reviews included in DSAR data collection and deletion.
  • Contact Form 7, WPForms, and Gravity Forms submissions included in DSAR workflows.
  • GTM Consent Mode v2 integration — tags fire/suppress based on consent state.
  • Google Analytics 4 consent-aware event suppression.
  • Plausible and Fathom flagged as consent-exempt/privacy-safe with optional disclosure.
  • Mailchimp subscriber lookup and deletion for DSAR erasure requests.

Action Required

Review and configure integrations under DPO Kit → Integrations. Verify that WooCommerce order data and form submissions are correctly included in DSAR data-collection and deletion workflows for your specific configuration. Update your Data Map to include any newly detected vendors.


1.5.0 — 2025-10-15 | Compliance Impact: Medium

Phase 5 — Audit-Ready Reporting

Frameworks: GDPR (EU) · UK GDPR

Changes

  • Privacy Notice draft auto-generation from Data Map entries, with prominent legal review disclaimer.
  • ROPA export in structured CSV format meeting Article 30 GDPR requirements.
  • Consent Audit Report, DSAR Activity Report, and Retention Enforcement Report.
  • Report archive with 12-month retention and pagination.
  • Scheduled report generation and email delivery to nominated recipients.

Action Required

All generated privacy notices and ROPA exports must be reviewed by a qualified legal or data protection advisor before use, publication, or submission to any regulatory authority. Do not publish or submit without legal sign-off. The plugin generates a starting point only.


1.4.0 — 2025-09-20 | Compliance Impact: High

Phase 4 — Retention & Deletion Enforcement

Frameworks: GDPR (EU) · UK GDPR

Changes

  • Retention policies configurable per data category (orders, form submissions, user accounts, comments, log data).
  • Legal hold rules override standard retention (e.g. retain orders for 7 years for tax purposes).
  • Automated enforcement via WP-Cron: anonymise, delete, or flag for manual review on expiry.
  • Dry-run mode to preview affected records before enforcement.
  • Immutable audit log of all automated deletions with tamper-evident hashed chain.
  • Log retention configurable (default 3 years).

Action Required

Configure retention policies and legal holds under Retention Policies before enabling automated enforcement. Review default retention period recommendations with your legal advisor. Run a dry-run first to verify scope.


1.3.0 — 2025-08-10 | Compliance Impact: High

Phase 3 — DSAR Workflows

Frameworks: GDPR (EU) · UK GDPR

Changes

  • Embeddable DSAR intake form supporting: access, deletion, rectification, portability, objection requests.
  • Email confirmation verification step (optional ID upload).
  • Automated acknowledgement email with reference number and 30-day statutory deadline.
  • DSAR case management: Received → Verified → In Progress → Completed/Rejected.
  • Automated data collection from WordPress user accounts, WooCommerce, comments, and form submissions.
  • Structured data export (JSON + HTML) for access/portability requests.
  • Deletion/anonymisation workflow with legal hold overrides.
  • Deletion confirmation record with audit trail.

Action Required

Configure the DSAR form and publish it on an accessible page using the [dpo_kit_dsar_form] shortcode. Update your Privacy Notice to include the contact mechanism for data subject requests. Review the automated acknowledgement email template under DSAR Settings.


1.2.0 — 2025-07-01 | Compliance Impact: High

Phase 2 — Consent & Script Enforcement

Frameworks: GDPR (EU) · UK GDPR

Changes

  • Category-based consent management: functional, analytics, marketing, personalisation.
  • Consent records stored with timestamp, categories accepted, user agent, and IP hash.
  • Prior consent respected on return visits; withdrawal and re-prompt supported.
  • GTM integration to fire/suppress tags based on consent state.
  • Script blocking via <script> tag interception.
  • Accessibility-compliant consent UI (WCAG 2.1 AA).
  • Developer API for third-party plugins to register consent-gated scripts.

Action Required

Configure consent categories and banner wording under Consent Settings. Test that non-essential scripts are correctly blocked before consent is given. Publish and verify the consent banner on all front-end pages.


1.1.0 — 2025-06-01 | Compliance Impact: Medium

Phase 1 — Third-Party Data Flow Inventory

Frameworks: GDPR (EU) · UK GDPR

Changes

  • Automated scanning for third-party scripts, iframes, pixels, and tracking endpoints.
  • Cookie detection and classification (functional, analytics, marketing).
  • Google Tag Manager container enumeration.
  • Form submission endpoint detection.
  • Living data map with vendor, purpose, data categories, legal basis, and retention period.
  • Manual data flow additions for server-side integrations.
  • Data map diff/history log.
  • PDF and CSV data map export.
  • Built-in vendor library (Google, Meta, Stripe, Mailchimp, etc.) with pre-filled descriptions.

Action Required

Run an initial site scan under Scanner and review all detected data flows. Update the Data Map to assign legal bases and retention periods. Add any server-side integrations not detectable by scanning.


1.0.0 — 2025-05-01 | Compliance Impact: Medium

Initial Release

Added

  • Data mapping: automated page scanning for third-party scripts, cookies, iframes, and tracking pixels
  • Vendor library: 100+ pre-filled vendor entries (Google, Meta, Stripe, Mailchimp, and more)
  • Consent management: category-based script blocking (functional, analytics, marketing, personalisation)
  • Consent banner: WCAG 2.1 AA compliant banner with accept all / reject all / manage preferences
  • GTM Consent Mode v2 integration
  • Consent records: timestamped, IP-hashed consent log
  • DSAR intake: embeddable form with shortcode [dpo_kit_dsar_form]
  • DSAR case management: status tracking, deadline countdown, internal notes, bulk actions
  • Automated data collection for WordPress users, WooCommerce orders, form plugin submissions, and comments
  • Deletion handling with legal hold support
  • Retention policies: configurable per data category
  • Retention enforcement: scheduled job with dry-run mode and chunk-based processing
  • Immutable audit log: SHA-256 tamper-evident chain
  • ROPA export: PDF and CSV in Article 30 format
  • WP-CLI commands: scan, retention, dsar, report, licence, vendors
  • REST API: consent status/record, DSAR intake, licence status
  • WooCommerce integration (orders, customers, subscriptions, reviews)
  • Contact Form 7, WPForms, and Gravity Forms integrations
  • Mailchimp integration (retrieve and delete subscriber records)
  • Licence tiers: Free, Pro, Agency
  • Multisite support with per-site configuration

Notes

Compliance note: All generated legal text (privacy notices, ROPA) is a draft requiring legal review. DPOKit does not provide legal advice.


All release entries with High or Medium compliance impact should be reviewed by your data protection officer or privacy legal counsel.

DPOKit does not provide legal advice. This changelog is informational only.