• Resolved Peter

    (@piotreba)


    Hi, I still don’t fully understand GDPR and how to implement it properly into the website, so the question may be irrelevant, but how to process requests (data providing, data removal) from users submitting forms which don’t require registration?

    As I understand, from the admin point of view, it might be reasonable to require user registration whenever any form is to be submitted, so that the user data is better managed/accessible to admin (well and for user too)?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Fernando Claussen

    (@fclaussen)

    Hi @piotreba,

    I am not qualified to give you legal advice. I can instruct you on how to use the plugin.

    To process requests, you can add the request forms using the available shortcodes. You can see the available shortcodes here: https://gdpr-wp.com/knowledge-base/functions-shortcodes/.

    If by forms you mean regular contact forms, you can manually add a checkbox that explains why you are asking for the data contained in the fields, where they are going to be stored, what you plan to do with them and so on. Again, I’m not a lawyer, I’m not sure if you need something more than this.

    Thread Starter Peter

    (@piotreba)

    Hi @fclaussen,

    I studied the short-codes before I posted this.

    But I understand that this plugin is for gathering consents / submitting requests, right? Will it gather and provide all personal data from a WordPress site (including custom posts types, for example) to a user when s/he requests it?

    Thanks

    Plugin Author Fernando Claussen

    (@fclaussen)

    It will gather the user meta information.

    It’s in my plans to add the actual posts and comments in the data export.

    Thread Starter Peter

    (@piotreba)

    Ok, so the matter is far more complicated when we use regular or custom posts and user requests anonymization/removal, for example. I imagine it will not be easy to anonymize/remove personal data automatically, as these data may be introduced into various pieces of the post structure.

    It’s important to be aware what this (or other similar one) plugin will NOT do upon particular requests, and what may result in not conforming to the formal requirements of the legislation.

    Plugin Author Fernando Claussen

    (@fclaussen)

    Hi @piotreba,

    I was discussing this matter with my colleagues. Sorry that it took me this long to get back to you.

    We thought of a situation where this would apply. Let me know if my example matches what you are saying.

    Let’s say I have a Webinar Post Type and I register my speakers as a custom post meta. And one of those speakers asks to be anonymized. Is that the scenario you are saying?

    If so, I can probably build an anonymization tool that will look through the user meta, return the list of found metas so you can pick what data you want to anonymize.

    This tool would also look into a whitelist of post_metas and return every post that has this post_meta and that the value matches something.

    Let’s say I whitelist a post_meta called “webinar_speaker_name” and on the tool I tell the plugin to look for this meta and the value should be “Cheryl Pounder”. That would return a list of posts and you could anonymize or delete those.

    What do you think?

    Thread Starter Peter

    (@piotreba)

    Dear @fclaussen,

    Hmm, I’m not sure how technically it would be best to achieve. I can imagine that personal data can exist in many parts of a single post, not only post meta data, but also including its content. So processing these data may be challenging and as a result, some sophisticated methods to achieve that may go for nothing. I ask myself now what are the limits about data anonymization requests, if any, and how the new regulations affect personal data inputting “habits” by admins/editors within, e.g., WordPress (anonymization means removing personal data completely or replacing by some “xxx”?)? Maybe such a plugin like yours should integrate with WP native posts/pages but also with custom post types (the plugins that offer creating custom post types) in a way that it could be possible to set an option by each field (or posts meta data) to be processed by your plugin when a request is made to, e.g., anonymize data? Then it is website admin/editor, etc. responsibility to place personal data in line with some scheme which would allow to anonymize them?

    Some of my remarks are probably irrelevant as I still don’t understand all aspects of this new regulation. To refer to your example with webinar, request to anonymize speaker data could result in that it would be impossible to organize the webinar (but probably such requests may not be fulfilled at any time…, may they?)
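
A sketch of the whitelisted post_meta lookup described above, together with the gap raised in the reply (the same name in post content or in non-whitelisted meta). This is an added example, not the plugin's code: it uses Python with an in-memory SQLite copy of a cut-down `wp_posts`/`wp_postmeta` layout and constructed rows, and `META_WHITELIST`, the function names and the `[anonymized]` placeholder are assumptions.

```python
import sqlite3

# Hypothetical whitelist: only these meta keys may be searched and rewritten.
META_WHITELIST = {"webinar_speaker_name"}

def build_sample_db():
    """Constructed rows in a cut-down wp_posts / wp_postmeta layout."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                               post_content TEXT);
        CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY, post_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_posts VALUES
            (1, 'Webinar A', 'Join us for a session on privacy.'),
            (2, 'Webinar B', 'Hosted by Cheryl Pounder and guests.'),
            (3, 'Recap',     'Thanks to Cheryl Pounder for the talk.');
        INSERT INTO wp_postmeta (post_id, meta_key, meta_value) VALUES
            (1, 'webinar_speaker_name', 'Cheryl Pounder'),
            (2, 'webinar_speaker_name', 'Cheryl Pounder'),
            (2, 'internal_note',        'Cheryl Pounder confirmed'),
            (3, 'webinar_speaker_name', 'Someone Else');
    """)
    return db

def find_meta_matches(db, meta_key, value):
    """IDs of posts whose whitelisted meta_key equals value exactly."""
    if meta_key not in META_WHITELIST:
        raise ValueError(f"meta key not whitelisted: {meta_key}")
    rows = db.execute(
        "SELECT post_id FROM wp_postmeta "
        "WHERE meta_key = ? AND meta_value = ? ORDER BY post_id",
        (meta_key, value))
    return [r[0] for r in rows]

def anonymize_meta(db, meta_key, value, placeholder="[anonymized]"):
    """Overwrite the matched meta values; returns the affected post IDs."""
    post_ids = find_meta_matches(db, meta_key, value)  # enforces the whitelist
    db.execute(
        "UPDATE wp_postmeta SET meta_value = ? "
        "WHERE meta_key = ? AND meta_value = ?", (placeholder, meta_key, value))
    return post_ids

def residual_mentions(db, value):
    """What a meta-only pass leaves behind: post bodies and other meta keys."""
    in_content = [r[0] for r in db.execute(
        "SELECT ID FROM wp_posts WHERE instr(post_content, ?) > 0 "
        "ORDER BY ID", (value,))]
    in_meta = [(r[0], r[1]) for r in db.execute(
        "SELECT post_id, meta_key FROM wp_postmeta "
        "WHERE instr(meta_value, ?) > 0 ORDER BY post_id", (value,))]
    return in_content, in_meta
```

Running `residual_mentions` after `anonymize_meta` gives the list of posts and meta rows that still need manual review for that person.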

    Plugin Author Fernando Claussen

    (@fclaussen)

    That’s the thing. This is all very tricky. Also, I realize now that my suggestion might be resource heavy for most popular servers, depending on how many posts and custom fields the site has. It’s not viable.

    I guess the best thing to do is to send all users to the reviews table and then do some work to try and anonymize and/or delete everything that you can find.

    As far as I know, you have 30 days to deal with a request and you can even request to extend this. That’s more than enough time to run through and find all entries for a particular person.

    Also, if you can’t get everything, the person who made the request will flag it with a complaint. Which will give you another chance of removing the data.

    I believe that fines will only be applied to folks who do not show considerable effort to comply.

    I’m not a lawyer though. Don’t quote me on anything. Haha

    Thread Starter Peter

    (@piotreba)

    I think it’ll take some time to understand the regulation itself too.

    Thank you for your comments.

  • The topic ‘Handling guest user requests’ is closed to new replies.