Is Your WordPress Manager GDPR Compliant?
Protect your data! Your WordPress Manager should only be run on your servers!
We built MainWP from the very start to be privacy-focused.
With the emerging privacy laws around the globe, we wanted to address a few important things related to you and your client’s data.
GDPR & Privacy
As we all should know, the General Data Protection Regulation (GDPR) was enacted in 2018 by the EU. GDPR is one of the most highly enforced privacy laws in the world and imposes quite a few requirements for businesses to ensure that personal data is kept private. One of those requirements centers around the transfer of personal data from the European Union to other countries such as the United States.
According to GDPR, personal data can be transferred from the European Union to countries that have been deemed to provide an adequate level of protection for personal data that is equivalent to that provided by GDPR. Unfortunately, the United States is not on the list of such countries. As such, data transfers from the European Union to the United States used to take place under the Privacy Shield framework where companies certified that they will provide adequate privacy protections for individuals.
The Effects of the Schrems II Ruling
However, in 2020, Max Schrems, a privacy activist, filed a complaint with the Irish Data Protection Commissioner, alleging that Facebook’s transfers of his personal data to the United States violated his privacy as the data could be accessed by US intelligence agencies. The Court of Justice of the European Union agreed with Max Schrems and held that such transfers do indeed violate GDPR.
This decision also invalidated the use of the Privacy Shield and held that it can no longer be used for transfers of data to the United States. Finally, the decision held that companies that want to transfer data from the European Union to the United States need to ensure that the data receives the same level of protection as that provided in the European Union.
Providing the same level of protection would mean having contractual requirements in place and to impose technical safeguards to ensure that the data is protected.
The Schrems II decision was seminal because it effectively restricted the transfers of personal data from the European Union to the United States. This decision was recently enforced in two cases. First, the Austrian Data Protection Authority found that the use of Google Analytics violates GDPR because Google Analytics transfers user data to the European Union. The DPA found that Google Analytics violates GDPR because the data collected by Google Analytics could be accessible to US intelligence agencies in violation of the Schrems II decision. In addition to the Austrian Data Protection Authority, France’s Data Protection Authority came to a similar conclusion as well.
In addition, a German court recently found that a website owner violated GDPR by using Google-hosted fonts. The German court found that the website owner could not use the legitimate interests legal basis to process the data collected by Google Fonts due to the fact that Google Fonts can be hosted locally and thus there is no legitimate need to process the data. The court stated that the solution to this GDPR non-compliance issue is to simply host the fonts locally.
What Are My Options?
Let’s go over the two types of WordPress Management Solutions.
- Hosted Solution (SaaS)
1. Hosted Solutions (SaaS)
The term SaaS stands for “Software as a Service,” which means you are using a third-party tool (hosted on their hosting server) to manage your clients’ website(s).
With an open source tool like MainWP, you can access the software files and host them on your server.
Why Should I Care if It’s a Hosted Solution?
In the SaaS model, the privacy of your clients can not be guaranteed. The third-party provider may access your client’s personally identifiable information and have the ability to share that data.
When it comes to GDPR and the other regional privacy laws, you need to know where your client’s information is sent. Are you using tools that send your clients’ data outside the EU, breaching GDPR?
When using a self-hosted WordPress Manager, like MainWP, you can choose web hosting that fits the laws in your area and control every point of access to your client’s data.
What You Need to Know.
So, being an agency, developer, or freelancer managing multiple websites for your clients, this is important to know how your clients’ data is being used. Using certain services, such as a WordPress Manager, that collect personal data and transfer it to the United States can thus have legal implications for both you and your clients.
It is also important to note that as an agency, you should ensure that your client understands and agrees that they are the ones responsible for the compliance of the website, not you.
How Is Your Data Being Used on a Hosted Solution?
Here are a few questions that you may need to check with your SaaS-based WordPress Manager and communicate to your client:
- What client information is your manager collecting?
- Where is it sending that information to?
- Does the WordPress Manager have a compliant Data Processing Agreement?
- Can you get the data sources from your manager?
- Do they have access to your client’s information?
- How is the data secured?
- Has the WordPress Manager implemented sufficient technical safeguards to ensure that the personal data cannot be accessed by US intelligence agencies?
You may also need to get a copy of the above questions and any additional relevant questions to show to your clients’ for their consent BEFORE adding them to a hosted WordPress Manager.
What Information Do the MainWP Plugins Collect?
1. MainWP Dashboard Plugin
If you never install an Extension, we never receive any of your personal information.
If you install an Extension, only the URL of your Dashboard is sent back to our site. (Read More)
2. MainWP Child Plugin
No information about your clients is ever sent to MainWP. The MainWP Child plugin does not track or store ANY information off your server.
In short, only YOU have access to your client’s information and credentials. (Read More)
MainWP Protects Your Client’s Privacy!
And with fully auditable, open source code, you can be sure we do not track or keep any personal information about your Child Sites.
In addition, since no personal information is collected, no personal information is sent to the United States.
Lastly, since no personal information is collected, using MainWP also does not have any effect on your compliance programs with other privacy laws such as the California Consumer Privacy Act, Canada’s Personal Information Protection and Electronic Documents Act, or the Australia Privacy Act.
Do you still have questions about how your or your clients’ data is handled at MainWP? Feel free to get in touch.
Please note that the information on this page is presented for informational purposes only and does not constitute legal advice. Please see an attorney for assistance with your specific legal needs.