I’m not a lawyer but from what I’ve learned it’s not too hard to achieve compliance (or avoid needing it). The most important steps to avoid getting sucked into the “GDPR machine” in the first place are:
– Make sure no personal data ever leaves the system.
– Anonymize IPs before processing/storing them (at least for unregistered users).
– Provide a data retention rule (auto-delete all of this data).
– Provide a way to search/delete/correct personal data.
Since this plugin works in the interest of site security, it is okay to handle personal data temporarily, as long as it’s mentioned in the privacy policy of that site and automatically gets deleted when not needed anymore. All users will have to give consent to this procedure when signing up to the website that’s using your plugin.
So, as long as you don’t collect any of that data yourself, this GDPR thing is pretty much out of your hair.
You could provide a list of data that may be used and explain in layman’s terms how it’s used and secured from unauthorized view so people can use that bit in their own site’s privacy policy.
Example:
This website uses Simple History, a security log and website change verification tool that helps us to identify (un)authorized changes made to this website. This tool may store site users’ personal data in a temporary log, for inspection by authorized staff only.
Data used:
- Anonymized IP address
- Site username
- Email address
This data will automatically be deleted after x days.
It will never be shared with any third party.
—
This is a bit too basic but you get the idea. It’s the site developer’s responsibility to make sure all the tools used are compliant and you can best assist them in making that information easily accessible.
—
Note: I don’t think the feed feature is GDPR compliant (no authentication to protect the data from view); adding a note to the settings page should be all it needs though.
Again, I’m not a lawyer, it’s just a couple of recommendations to get you going.