Many articles talk about this topic, I talk about this too because it is very important to make your website GDPR compliant. In this post, I will show that it is not very complicated.

First, What is GDPR?

The General Data Protection Regulation (GDPR) is the new reference text at European level for the protection of personal data. It strengthens and unifies data protection for individuals in the European Union.

This regulation will enter into account from May 25, 2018. If your site is not GDPR compliant, you risk heavy penalties. I think sites will be punished after a few months but it is still better to do it now πŸ™‚

Who is concerned?

Unless your site is outside the European Union and no country in the European Union can access it, everyone is concerned.

What should I do?

First, understand that I am not a lawyer, just a developer who has read many things about it, so contact a lawyer to be sure your site is GDPR compliant would be a good thing.

Make a site GDPR compliant is different for each site but here are some points to check:

1. Google Analytics

It depends on how you use Google Analytics on your site but this point is very important. For my part, I use Google Analytics to track visitors and cookies to collect data. The collected data are processed anonymously.
In order to be compliant with the new regulation, Google included a data processing amendment.

2. Your Forms

Every form on your website that collects data like names or email addresses needs to have a checkbox for the user to consent the storage of their data.
Great people created an amazing free plugin called WP GDPR Compliance, it is fully compatible with Contact Form 7, Gravity Forms, WooCommerce and probably more plugins in the future.
I don’t really understand why it has bad reviews, I think many users didn’t really understand its purpose or maybe it was not as good as it is now, but this plugin doesn’t make your site automatically GDPR compliant but help you a lot to make the task easier.
In the next release of this plugin, your users will be able to send a request to see all their data present in your database and also to request their data to be anonymized.

WP GDPR Compliance is very simple to use, you just need to activate it and go to Tools > WP GDPR Compliance. I use Gravity Forms on my site, so I added the checkboxes on all my forms and for the WordPress Comments too.

3. eCommerce

WooCommerce work on a new update to make their plugin GDPR compliant so you will probably have to do nothing on that side. I don’t know about Easy Digital Downloads but they will probably do a similar thing too.
There is also WP GDPR Compliance who have a setting for WooCommerce.

4. Privacy Policy Page

If it is not already done, you need to create a Privacy Policy page to tell your users how you use their data. For example, if you request a user’s name and email for a form that serves as your support, you must say that you are using their data to contact them and help them with their problem.
You can take example of my page if you want:


You can see in this post that it is not difficult to make a WordPress site GDPR compliant. You just have to keep in mind that every time you collect personal data from a European user, you have to let them know that their data is being collected.

To go deeper, you can read this great post on the Kinsta blog which explains many things about GDPR:
Do not hesitate to ask questions in comment if you misunderstood a point or if you think I forgot to talk about something.

Nicolas Lecocq

When I am not working on improving OceanWP or creating new extensions, it is possible that I write an article on the blog... or I watch Game Of Thrones :)

This Post Has 24 Comments

  1. Awesome!

    I hate to read long articles. In short, I like to read to the point.

    Your article has covered most of the basics in plain and simple language.

    I loved the way you have set up the privacy policy page. For individuals like us, I think there is nothing much to mention on the privacy policy page other than how the collected data will be used. At least, I am not into using Google Analytics or Email Marketing, so there is nothing much to worry about.

    Even though I don’t think any EU person is going to visit my websites or purchase any services from me, but it’s still a good idea to keep the website GDRP complaint.

    Thanks a million for sharing such a useful information.

    1. Glad that you like the article πŸ™‚
      It is not very complicated, you just need to let users know that you collect their data in some way and how you use them.

  2. Nice short and to the point article Nicolas, thanks for sharing it and I like your privacy policy being that easy to be read and understood.
    Just one comment, I believe the implementation date of GDPR is 25th May and not 28th as mentioned in the article.
    Thanks πŸ™‚

    1. Thank you, yes you’re right, it is 25 May πŸ™‚
      I correct the post.

      1. You are welcome, another question, the Mailchimp widget in OWP, what is the best way to add the consent checkbox to it ?


          1. Great as usual πŸ™‚

  3. Thank you, a helpful summary.

  4. Hi!

    Thanks for a nice summary of the new regulations. However you gave your own privacy policy as an example and it is not even close to compliant with what the new regulations demand. This is what you need to have in a privacy policy according to the ICO ( ):

    The name and contact details of our organisation.

    ☐ The name and contact details of our representative (if applicable).

    ☐ The contact details of our data protection officer (if applicable).

    ☐ The purposes of the processing.

    ☐ The lawful basis for the processing.

    ☐ The legitimate interests for the processing (if applicable).

    ☐ The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).

    ☐ The recipients or categories of recipients of the personal data.

    ☐ The details of transfers of the personal data to any third countries or international organisations (if applicable).

    ☐ The retention periods for the personal data.

    ☐ The rights available to individuals in respect of the processing.

    ☐ The right to withdraw consent (if applicable).

    ☐ The right to lodge a complaint with a supervisory authority.

    ☐ The source of the personal data (if the personal data is not obtained from the individual it relates to).

    ☐ The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).

    ☐ The details of the existence of automated decision-making, including profiling (if applicable).

    Hope this helps!

    1. Hello, there some things to add but the main information are to say how you use users data.

  5. Thank you Nicolas. This was really helpful. Short and simple to understand.

  6. I did not know this was required on forms, glad to know.

    This doesn’t solve the cookie issue with remarketing tags (Google or Facebook Pixel). – this allows you to add a bar for people to have to accept cookies, which solves this, and allows it to only show to countries in the EU so it doesn’t bother others.

    Hope this helps someone!

  7. This is the only GDPR article I have read to completion. Reason: short, sweet simple πŸ™‚

  8. Merci pour cet articles et les prΓ©cisions sur le GDPR. J’utilise Ocean WP et j’en suis trΓ¨s satisfait.

  9. Merci!

  10. I love your articles, they are allways helpfull. One thing what I miss here: If you go by the book, you have to be able to manage / revoke consent. There is a good plugin called WP DSGVO (DSGVO being the german adaption of GDPR). It offers a cookie banner that asks for consent first and allows you to revoke it later for i.e. analytics and facebook pixels. While it’s only in german right now, the author makes it translatable on the next update.

    If you want to see it in action, check out my site – of course build with OceanWP + Elementor Pro πŸ™‚

  11. Every form on your website that collects data like names or email addresses needs to have a checkbox for the user to consent the storage of their data.

    This is not actually true, it is required if you obtain data by consent but that is just one of the six approved methods for processing data.

Leave a Reply

Download just a click away

Just fill out the form below to download the best theme you’ve ever tried