The European Union (EU) has passed new regulation on data privacy for its residents called the “General Data Protection Regulation (GDPR)”. This regulation carries important considerations for anyone operating a website that uses Paid Memberships Pro and serves customers residing in the European Union.
Continue reading to see how the team at Paid Memberships Pro is preparing for this regulation and what steps you should take to better understand and comply with the GDPR.
What is GDPR
GDPR is a set of regulations that affects every company that processes or holds personal data about people residing in the European Union. Enforcement begins on 25 May 2018, and the regulation applies to companies worldwide, regardless of where they are located.
Failure to comply with the GDPR can carry very large penalties, whether or not you are located in the EU. While smaller non-EU companies in particular may be able to fly under the radar of these regulations, it is our opinion that all businesses should do their best to comply with the GDPR. Following these practices to respect the privacy of your users is good whether it is required or not, and it is very likely that other jurisdictions will adopt regulations similar to the GDPR. You should review the full GDPR documentation and gain a firm understanding of how to comply fully. The home page of EU GDPR provides a good overview of the GDPR and links to additional resources for further reading.
WordPress Core Efforts for GDPR Compliance
There are updates we need to make to our Paid Memberships Pro plugin for GDPR compliance. We plan to release them before the May 25th deadline and describe them in detail below. However, the GDPR requirements affect other plugins and WordPress core in general, so we always knew that a full solution for GDPR compliance would involve more than just our plugin.
For a while there, it was looking like GDPR compliance for WordPress was going to require one or many third party plugins to reach full compliance. I thought we might even have to create some of these plugins, not just for PMPro users but for all WordPress users.
This year a few plugins developed by other groups started looking very promising, with a lot of effort and functionality in place to meet the requirements of the GDPR in a way that was adequate yet general enough for the wide range of sites (each collecting different data) that run on WordPress. I started looking into what it would take for PMPro to integrate with these plugins, but then discovered that a group of veteran WordPress core contributors was working on GDPR updates to WordPress core.
The WordPress core developers have started a number of efforts to support the Right to Access and other GDPR requirements, with the target of including these updates in WordPress 5.0. These updates add hooks and filters for plugins to use. We hope to release specifics soon (i.e. code on GitHub you can test), but our plan is to build on these core updates and use the features, hooks, and filters they add to make sure the PMPro plugin is compliant.
Data Subject Rights
There are six key areas of the GDPR that outline a subject’s rights to their data. Below is an overview of each area and how we plan to offer compliance:
Breach Notification
The GDPR requires that when a subject’s data is compromised (breached) in a way that is likely to “result in a risk to the rights and freedoms of individuals,” the company must notify the relevant supervisory authority within 72 hours of becoming aware of the breach. When the breach is likely to result in a high risk to those individuals, the affected subjects must also be informed without undue delay.
This area of the GDPR does not have a specific effect on how Paid Memberships Pro works as a plugin on your WordPress site. We include it here so that you, as the site owner, are aware of the obligations that follow once you learn of a breach of your website data. The “Hardening WordPress” article in the WordPress.org Codex is a good resource to review if you would like to strengthen your website’s security.
Right to Access
This portion of the GDPR provides subjects with the right to request a full report (electronically) of all data that the company is maintaining about them, what that data is being used for, and with whom that data has been shared.
We plan to use new hooks added to WordPress for GDPR to add our own default report about the data that Paid Memberships Pro tracks for users and how that data is shared with third parties. This report would be editable for you to adjust based on your specific use case.
As for what third parties may have accessed or processed data about the subject, we plan for the electronic report to also include a list of third party sources that our plugin recognizes may have received a copy of the data. These may include (but are not limited to) your payment gateway, email marketing services, CRM services, other integrated plugins, and analytics software.
There will certainly be other sources that may have received some portion of a subject’s data that are outside of our awareness. We will leave this portion of the electronic report up to the site owner to add in any additional sources that may have processed data about the subject.
Right to be Forgotten
As the name states, this area of the GDPR allows a subject to request all of their identifying data be erased (also known as Data Erasure). The data controller must erase and cease to share all data about the subject, and is also potentially responsible for forcing any third party with access to the subject’s data to stop processing it.
We will ensure GDPR compliance by making sure our Core Plugin and Add Ons completely clear identifying user meta and options saved about a user when the user is deleted (when the WP_User object is deleted). We already do this in our plugin; we will make sure it also runs for GDPR-related deletions and covers all the data that it should.
We will not delete related order data about the user, as it needs to be preserved for accounting records. Once the WP_User object is deleted, the only reference to the subject remaining in the order data is the numeric user ID, which no longer resolves to any user record or profile. The fact that this data is retained for business reasons will be stated in the Right to Access report generated by PMPro.
This data erasure will include all captured fields about the subject that were added via the Register Helper Add On. If the subject uploaded files while completing a Register Helper checkout field or profile field, those uploaded files must also be removed.
Other requirements that fall under this section include anonymizing data, either up front or instead of deleting data when a user requests to be forgotten. We will evaluate our plugin for data that should be anonymized this way.
Data Portability
Data Portability refers to the requirement that a subject be able to request and receive all personal data the company stores about them in a ‘commonly used and machine readable format.’ The subject has the right to transmit this personal data to another controller.
As it relates to Paid Memberships Pro, we will use the new hooks and filters added to WordPress for GDPR compliance to include PMPro-related data in any exports. Per the requirements of the GDPR, these exports will be in a digital and accessible format (CSV, JSON, or XML) that can be readily shared by the subject with another controller should they so desire.
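The following is an added example, not Paid Memberships Pro’s own code, showing how a membership plugin can plug into the personal-data exporter and eraser filters that WordPress core ships with its privacy tools (`wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers`, added in WordPress 4.9.6). It covers the Right to Access report (including the third-party recipients and the retention exception for order records), the Right to be Forgotten (deleting identifying user meta and anonymizing, rather than deleting, order rows), and Data Portability (the exported groups end up in the machine-readable export WordPress produces). The meta keys, the `example_orders` table, its billing columns, and the recipient list are hypothetical and must be adapted to what your site actually stores.

```php
<?php
/**
 * Added example (not PMPro code): register a personal-data exporter and an
 * eraser with the WordPress privacy tools (WordPress 4.9.6+).
 * The meta keys, the orders table and the recipient list are hypothetical.
 */

// Hypothetical user meta this site stores about a member, with report labels.
const EXAMPLE_MEMBER_META_KEYS = array(
    'example_membership_level' => 'Membership Level',
    'example_billing_phone'    => 'Billing Phone',
    'example_company'          => 'Company',
);

// Hypothetical third parties that receive member data; the site owner edits this.
const EXAMPLE_DATA_RECIPIENTS = array(
    'Payment gateway (card and billing details)',
    'Email marketing service (email address, membership level)',
);

// Exporter callback: WordPress calls it per page until 'done' is true.
function example_member_data_exporter( $email_address, $page = 1 ) {
    $export_items = array();
    $user         = get_user_by( 'email', $email_address );

    if ( $user ) {
        $data = array();
        foreach ( EXAMPLE_MEMBER_META_KEYS as $key => $label ) {
            $value = get_user_meta( $user->ID, $key, true );
            if ( '' !== $value ) {
                $data[] = array( 'name' => $label, 'value' => $value );
            }
        }
        // Right to Access: disclose who else has received the data.
        $data[] = array(
            'name'  => 'Shared with',
            'value' => implode( '; ', EXAMPLE_DATA_RECIPIENTS ),
        );
        // State the retention exception so the report is complete and honest.
        $data[] = array(
            'name'  => 'Retained after erasure',
            'value' => 'Order records (amount, date) are kept for accounting; identifying billing fields are anonymized.',
        );
        $export_items[] = array(
            'group_id'    => 'example-membership',
            'group_label' => 'Membership Data',
            'item_id'     => 'member-' . $user->ID,
            'data'        => $data,
        );
    }

    return array( 'data' => $export_items, 'done' => true );
}

// Eraser callback: delete identifying meta, anonymize (not delete) order rows.
function example_member_data_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $items_removed  = false;
    $items_retained = false;
    $messages       = array();
    $user           = get_user_by( 'email', $email_address );

    if ( $user ) {
        foreach ( array_keys( EXAMPLE_MEMBER_META_KEYS ) as $key ) {
            if ( delete_user_meta( $user->ID, $key ) ) {
                $items_removed = true;
            }
        }
        // Hypothetical orders table: keep the financial rows for accounting but
        // blank the columns that identify the person. $wpdb->update() handles
        // quoting, so no SQL is built by string concatenation.
        $updated = $wpdb->update(
            $wpdb->prefix . 'example_orders',
            array( 'billing_name' => '', 'billing_street' => '', 'billing_phone' => '' ),
            array( 'user_id' => $user->ID )
        );
        if ( false !== $updated && $updated > 0 ) {
            $items_retained = true;
            $messages[]     = 'Order records were retained for accounting; their billing fields were anonymized.';
        }
    }

    return array(
        'items_removed'  => $items_removed,
        'items_retained' => $items_retained,
        'messages'       => $messages,
        'done'           => true,
    );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-membership'] = array(
        'exporter_friendly_name' => 'Membership Data',
        'callback'               => 'example_member_data_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-membership'] = array(
        'eraser_friendly_name' => 'Membership Data',
        'callback'             => 'example_member_data_eraser',
    );
    return $erasers;
} );
```

Both callbacks are driven from the Tools > Export Personal Data and Tools > Erase Personal Data screens in WordPress, which verify the request by e-mail before running the registered callbacks and assemble the exporter output into the downloadable archive. Setting `items_retained` and a message for the anonymized order rows matters: it is what tells the administrator, and through them the subject, that some data was kept and why. Anything the plugin stores outside user meta (uploaded files, rows in custom tables) needs its own deletion step in the eraser, and the same cleanup should run from the `deleted_user` action so that deleting a user from the Users screen removes the same data.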
Privacy by Design
A key requirement of the GDPR, Privacy by Design means that data protection must be a component of how you design your system, not an afterthought. This includes both the technical and the operational aspects of your systems.
It is important for you as a membership site owner to share a subject’s data only with the people in your organization who need to process that data. You can do this by limiting the Administrator and Membership Manager roles (both of which have access to member data) to a small number of people in the core organization, and removing this access from unnecessary user accounts (developers, test accounts, etc.). It is also important not to request or store data that is not needed for your operating activities.
Data Protection Officers
This area covers how a data controller or processor accounts for its processing activities to the authorities in the EU member states. Former EU regulation required reporting of data processing activity to each individual member state’s appropriate offices. The GDPR removes this requirement in most cases, replacing it with internal record keeping, and instead requires certain organizations (for example, those whose core activities involve large-scale, regular and systematic monitoring of individuals) to appoint a Data Protection Officer. We suggest exploring the full GDPR resources for more information about whether you must report data processing activity or appoint a DPO.
This is not something Paid Memberships Pro will create a system or integration for; it is determined by the scale and operating activity of your organization.
GDPR Resources for Continued Reading
Here is a list of other resources you can review for your protection and understanding: