The GDPR: Right of Access Requests

Written by Allen Snook on May 16, 2018 Blog, Getting ready for the GDPR.

You probably know someone who’s requested their data from one of the big social media platforms. It can be staggering to see all the detail in one of these data “dumps”!  

If your store collects data from EU residents, you can expect to start receiving “Right of Access” requests under the GDPR. 

An EU resident has a right to a copy of all the data you’ve collected about him or her, ideally in an electronic format. This includes information like name, address, and phone number, along with less obvious things like shipment tracking numbers or VAT IDs. Thankfully, WordPress 4.9.6, WooCommerce 3.4, and many WooCommerce extensions automate the legwork Right of Access requests require — we’ll walk you through the process.

There’s a new tool responding to Right of Access requests right in WordPress

Before You Get Your First Request

To start, do a few test orders with your store to understand what data you collect and develop a standard procedure for responding to requests. Your procedure should include: 

  • How you will confirm the person’s identity: You don’t want to send personal data to anyone but an authorized person!
  • Where you will obtain the data. Some data will be available using the new tools in WordPress and WooCommerce. Some plugins store data separately, and you might have other online systems separate from your WordPress/WooCommerce store where you input data. Make a list of all sources of personal data connected to your store.

Not sure you know all the places data might be stored? Do a test order at your store and use it to flesh out your procedure. You’ll be able to see what plugins are automatically providing data using the new WordPress export tool — and what plugins are conspicuously absent. Note all the plugins you don’t see in the export tool; you’ll have to get their data separately.
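To make the "conspicuously absent" check repeatable, the sketch below lists every exporter registered on the core `wp_privacy_personal_data_exporters` filter and flags active plugins that registered none. It is an added example, not code from WordPress, WooCommerce or this post; it assumes WP-CLI is available, and the file name and `audit_*` function names are hypothetical.

```php
<?php
// Added example, not WordPress or WooCommerce code. Assumed usage:
//   wp eval-file exporter-audit.php   (the file name is hypothetical)

/** Return the source file that defines an exporter callback, or null. */
function audit_callback_file( $callback ) {
	try {
		if ( is_string( $callback ) && false !== strpos( $callback, '::' ) ) {
			$callback = explode( '::', $callback, 2 );
		}
		$ref = is_array( $callback )
			? new ReflectionMethod( $callback[0], $callback[1] )
			: new ReflectionFunction( $callback );
		return $ref->getFileName() ?: null;
	} catch ( Throwable $e ) {
		return null; // Callback could not be resolved.
	}
}

/** Map a file path to its plugin folder (or single-file plugin name). */
function audit_plugin_slug( $file ) {
	$file = wp_normalize_path( $file );
	$base = trailingslashit( wp_normalize_path( WP_PLUGIN_DIR ) );
	if ( 0 !== strpos( $file, $base ) ) {
		return '(core, theme or mu-plugin)';
	}
	return explode( '/', substr( $file, strlen( $base ) ) )[0];
}

// Every exporter the export tool will call, keyed by exporter id.
$exporters = apply_filters( 'wp_privacy_personal_data_exporters', array() );
$covered   = array();
foreach ( $exporters as $exporter ) {
	$file = audit_callback_file( $exporter['callback'] );
	$slug = $file ? audit_plugin_slug( $file ) : '(unresolved)';
	$covered[ $slug ] = true;
	printf( "%-45s %s\n", $exporter['exporter_friendly_name'], $slug );
}

// Active plugins that registered nothing: check each for stored personal data.
// Single-site option only; network-activated plugins are not in this list.
echo "\nActive plugins with no registered exporter:\n";
foreach ( (array) get_option( 'active_plugins', array() ) as $plugin ) {
	$slug = explode( '/', $plugin )[0];
	if ( empty( $covered[ $slug ] ) ) {
		echo "  {$slug}\n";
	}
}
```

A plugin on the second list may simply hold no personal data, so treat it as a review list for your data-source inventory rather than a list of failures.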

When The First Request Comes In

1. Confirm identity of the requester

Confirm the identity of the person making the request before you export their personal data.  WordPress has a new page under Tools → Export Personal Data where you can send a confirmation request to the customer’s email address (or via their username, if they’re a registered user on your site):

To send the request, type their email address in the box provided and hit “Send Request.”  They’ll receive an email with a confirmation link, which they’ll use to confirm the request:

While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.” Once they click the link, the status switches to “Confirmed”:

2. Export data

WordPress, WooCommerce, and many extensions work together to assemble an “export” file containing a person’s personal data. You can either send the customer a link to the file — it’s good for three days — or download their file yourself. The latter is useful if you need to combine the export file with sources of data from other plugins to get a complete picture.

After you’ve downloaded or emailed the file, the request will be marked “Completed.” You can leave the completed request alone or use bulk actions to remove it, depending on how you want to log compliance with the law.

Curious to know what a download might look like? Voila:

What About Repeated or Nuisance Requests?

If you find yourself facing multiple requests from the same customer, you are permitted under the law to assess a reasonable fee.  That’s something else you should consider as you draw your “right to access” procedures together.

We’ve covered the importance of putting someone in charge of privacy, how to build a policy, and how to prepare for Right of Access requests. Next up: Right to Erasure.


5 Responses

  1. Brett
    May 18, 2018 at 11:19 pm #


    I have just tried testing this as I get ready for May 25th, and I am stumbling at the first hurdle.

    I am getting the response: An error occurred while attempting to export personal data.
    Unable to generate export file. ZipArchive not available.

    Do you know why this might be and how I may be able to fix it?

    Many thanks.

  2. Tod Raines
    May 18, 2018 at 11:48 pm #

    I just tried this ‘Export Personal Data’ tool and I get an output file in a .zip format. Opening this I get a file titled “index.html”. Opening this in a browser I see the “About” and “User” section of the report.
    However I do not get any of the “Customer Data” nor “Orders” sections.
    I see this tool as incomplete at this point.
    I hope it gets fixed before May 25th.


    • Alex Milligan
      May 20, 2018 at 12:11 pm #

      I have this same issue. I’ve run multiple test orders through my store in the past and should see a lot more on myself when I request the data. It just shows the ‘About’ section.

      There is no “Customer Data” or “Orders” information

      • Alex Milligan
        May 20, 2018 at 12:12 pm #

        I should add that I am able to find the “Customer Data” and “Orders” information manually, so it is definitely there.

  3. Jeremy
    May 19, 2018 at 8:04 pm #

    I tried the request and the link I receive for confirming the request does not work; it’s opening a page letting me know it cannot reach the page.

    What can I do?

