GDPress

GDPress is providing tools for privacy and more.

Major features in GDPress include :

• a privacy request form
• a menu in the admin_bar to see at once confirmed privacy requests

and since version 2.0 a set of tools to help you comply with GDPR
* a set of protection and wellness tools, because protecting personal data starts with a healthy and protected installation to prevent potential data breach.
* a RoPA assistant to help you building your Records of Processing Activities – a GDPR obligation (Article 30).
* a logging of all events related to export/erase requests by/for the data subject (see settings page).
* a specific wp role for dpo.
* and a dedicated Privacy/GDPR/ISO27701 dashboard for your d.p.o. !

GDPR compliancy is a never ending process.

Technical Details

n/a

Privacy

GDPress is not calling any external web services
and is not using any external software other than WordPress core.

GDPress stores events related to the data subject and core privacy processes if archive setting is set.
Archives are under the authority of the Data Protection Officer for legal purpose ONLY.
They are retrieved to the data subject, but not deleted.

Accountability/Auditability

These are legal obligations in GDPR. In front of your local data protection authority or a judge :
* You are accountable of your actions to reach GDPR compliancy and must prove it (activating this plugin is not enough).
* If sued, you will have to provide some evidence : you acted lawfully and replied to the request of the data subject (archive all activities for Legal Purpose is allowed in GDPR and must be declared in your Records of Processing Activities).

Other Major Obligations

• Records of Processing Activities, expecting WordPress team to publish it for core. And for any theme or plugin, adding a new Privacy Section in readme.txt is a must do.
• Communication of a personal data breach to the data subject (and to your local D.P.A.)

Privacy by design

This concept is in GDPR too. In wp, Privacy is a component like Gutenberg, Admin, wp-cron …
Privacy by design is or should be declined and included in ALL wp components. Should all components publish their “Privacy Section” just like the above recommandation for themes and plugins ?

Pending Questions

• Privacy settings in core : only one setting on a unique page that cannot be amended (no hook) : the privacy policy page
• any privacy request is a personal data and should be retrieved to the data subject
• removing an export request do not delete the export file (security issue, potential data breach)
• external processors to be identified (privacy by design)
• Gutenberg blocks coherence with embed handlers and oembed providers as set on the server side (privacy by design)
• oEmbed responses cached in transients (no more postmeta html cached) for blog posts or oembed providers (privacy by design)
• ability to remove blocks in Gutenberg such as “/map” for Mapbox (privacy by design)
• future “Icon” component : from Dashicons to svg (privacy by design)
• Nowadays, emails such as “θσερ@εχαμπλε.ψομ” are valid but rejected by wp function is_email() (privacy requests rejected)
  Web standards should apply and this can be a legal issue : one of the “variety of privacy issues around the world” !