Notes on GDPR and data protection in WordPress

These things you have to consider in terms of privacy and GDPR in your WordPress blog - More info in the WordPress Tutorial from

GDPR - an abbreviation, which worries many web page operators at present. This is because the basic data protection regulation, which will come into force throughout the EU on 25 May, makes the online business sector more obligated than before to store and process personal data. checkdomain gives you an overview of the topic and shows you what you have to pay attention to.

Important note: We are not lawyers. The information and tips collected in this article are not legal advice. If you have concrete legal questions or problems, please contact a lawyer. In addition to this article, the checkdomain team will offer you a webinar on the GDPR together with a lawyer in the coming weeks.

What is the aim of the GDPR?

With the new regulation, the European Union is reacting to the fact that data is increasingly gaining value as a raw material. The hunger for data is growing worldwide, and at the same time the collection and storage methods are becoming increasingly sophisticated. With the GDPR, the EU wants to strengthen the rights of consumers on the Internet by regulating the collection of personalised data - such as postal addresses, bank accounts, IP addresses or birthdays - by companies and public authorities throughout Europe for the first time.

From 25 May, the GDPR will replace the Federal Data Protection Act (BDSG) and other regulations that previously applied to website operators. The EU is primarily targeting large companies and public authorities rather than operators of small websites such as bloggers. Nevertheless, this group should also take care of whether its website conforms to the new data protection requirements.

Many of the regulations contained in the GDPR were already in force, but were often insufficiently taken into account, as there was hardly any risk of penalties. This will change drastically with the new regulation: website operators who continue to take data protection lightly must expect severe penalties. The maximum fine can be up to 20 million euros or up to 4 percent of the annual turnover of the entire group. By way of comparison, the BDSG provided for a maximum fine of 300,000 euros.

What are the most important points of the GDPR?

The GDPR offers less concrete regulations than general principles - it is therefore more of a framework on which website operators can hang around in terms of data protection. The basis for the storage and processing of personal data in the EU is the EU:

  • The lawfulness of the processing: personal data may only be processed if there is an appropriate legal basis for it - i.e. the consent of the data subject.
  • Transparency: Users must be able to exercise their right to informal self-determination and have a right of access. From 25 May, website visitors will have the right to know, for example, whether and what personal data are collected on a website, for what purpose the data are collected, how they are processed, where they are stored and whether the data are disclosed to third parties.
  • Data minimisation: Website operators should not collect more data than absolutely necessary.
  • Purpose limitation: Simply collect customer data? This should no longer be possible in the future. The principle of purpose limitation means that companies may only process personal data for the purpose for which it was collected. This means that even within a company, customer data may not simply be transferred from billing to marketing.
  • Storage limitation: Stored data must be deleted as soon as the purpose of processing no longer applies.
  • Accuracy of data processing: Personal data must be correct and up to date. If not, they must be corrected or deleted immediately.
  • Integrity and confidentiality: Companies or authorities must ensure that personal data is secure - for example, that it is not unlawfully disclosed to third parties or lost.

The GDPR changes this in concrete terms

On the basis of the aforementioned principles, the GDPR also results in some very concrete changes. These include, among other things, that the principle "place of residence instead of company headquarters" will apply in future. This means that if a citizen in the EU uses an online service, the GDPR will apply even if the provider is based outside the EU. This is intended above all to strengthen the rights of users vis-à-vis global Internet groups such as Google or Facebook.

Also new are the right to be forgotten (personal data must be deleted if a data subject requests it) and the right to data transfer. In future, users will be able to transfer data from one company to another without having to provide new information and leave data in two places.

Documentation requirements have also been tightened up. From 25 May, companies with 250 employees or more will be required to keep a register of all data processing operations. Among other things, it must record what type of personal data is collected, how it is processed and how long it is stored. If you would like to know more about this point, this sample directory provides a first orientation.

What does the GDPR mean for website operators in practice?

In fact, the new regulation does not change much at first - at least for all those who have adhered to the previous data protection regulations with their website. Because in Germany comparatively strict data protection guidelines already applied. There are, however, a few points that every website operator should take into account and, if necessary, adapt during his online presence:

  • Cookies: Cookies have been a thorn in the side of data protectors for years. The opt-out solution currently used by many websites does not meet the requirements of the GDPR. However, prior user consent is practically impossible. For cookies, this basically means the end - would the GDPR not leave a few loopholes. Exceptions apply, for example, to "legitimate interest" on the part of the website operator. And what is justified has not yet really been determined, at least not yet.
  • Blog comments: In principle, blog comments are also problematic because they store personal data such as the e-mail address and IP address of the commentator. But here, too, data protection is hampered by the legitimate interest of the site operator, who must be able to identify people in the event of an incident - for example, if insults occur.
  • Tracking services: Anyone using Google Analytics and/or other tracking services should check whether all settings are GDPR-compliant. IPs should be transmitted anonymously and users should be informed by opt-out.
  • Social media: In future, it will be even more important than before to keep your hands off the official Facebook and Co. plug-ins, because they transmit uncontrollable data to the relevant provider.
  • Privacy policy: Privacy policy: Should already be on every website anyway. If this is not yet the case, immediate action should be taken. This Online-Generator, for example, helps with the creation.

These are the most important points in a compact overview. Since - as already mentioned - much of the GDPR is very general, it will only become clear in the longer term what website operators will have to do or which practical solutions will be found. Nevertheless, it is recommendable to already be thoroughly occupied with the topic and to check your own website at least for the most important points.

Further Links

Other products you might be interested in
Website Builder
Create your own website without any programming knowledge.
Create a Website
Concentrate fully on your project! Performance and security included.
Optimize your Web site and achieve top rankings.
Website optimization
SSL Certificates
For your site, more safety protect yourself from hacker attacks.
Quickly protect