The GDPR: Right of Access Requests

Written by Kevin Bates on May 16, 2018.

You probably know someone who’s requested their data from one of the big social media platforms. It can be staggering to see all the detail in one of these data “dumps”!  

If your store collects data from EU residents, you can expect to start receiving “Right of Access” requests under the GDPR. 

An EU resident has a right to a copy of all the data you’ve collected about him or her, ideally in an electronic format. This includes information like name, address, and phone number, along with less obvious things like shipment tracking numbers or VAT IDs. Thankfully, WordPress 4.9.6, WooCommerce 3.4, and many WooCommerce extensions automate the legwork that Right of Access requests require; we’ll walk you through the process.

There’s a new tool for responding to Right of Access requests right in WordPress.

Before You Get Your First Request

To start, do a few test orders with your store to understand what data you collect and develop a standard procedure for responding to requests. Your procedure should include: 

  • How you will confirm the person’s identity: You don’t want to send personal data to anyone but an authorized person!
  • Where you will obtain the data. Some data will be available using the new tools in WordPress and WooCommerce. Some plugins store data separately, and you might have other online systems separate from your WordPress/WooCommerce store where you input data. Make a list of all sources of personal data connected to your store.

Not sure you know all the places data might be stored? Do a test order at your store and use it to flesh out your procedure. You’ll be able to see what plugins are automatically providing data using the new WordPress export tool — and what plugins are conspicuously absent. Note all the plugins you don’t see in the export tool; you’ll have to get their data separately.

When The First Request Comes In

1. Confirm identity of the requester

Confirm the identity of the person making the request before you export their personal data. WordPress has a new page under Tools → Export Personal Data where you can send a confirmation request to the customer’s email address (or via their username, if they’re a registered user on your site).

To send the request, type their email address in the box provided and hit “Send Request.” They’ll receive an email with a confirmation link, which they’ll use to confirm the request.

While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.” Once they click the link, the status switches to “Confirmed.”

2. Export data

WordPress, WooCommerce, and many extensions work together to assemble an “export” file containing a person’s personal data. You can either send the customer a link to the file — it’s good for three days — or download their file yourself. The latter is useful if you need to combine the export file with sources of data from other plugins to get a complete picture.

After you’ve downloaded or emailed the file, the request will be marked “Completed.” You can leave the completed request alone or use bulk actions to remove it, depending on how you want to log compliance with the law.


What About Repeated or Nuisance Requests?

If you find yourself facing multiple requests from the same customer, you are permitted under the law to assess a reasonable fee.  That’s something else you should consider as you draw your “right to access” procedures together.

We’ve covered the importance of putting someone in charge of privacy, how to build a policy, and how to prepare for Right of Access requests. Next up: Right to Erasure.


14 Responses

  1. Brett
    May 18, 2018 at 11:19 pm #

    Hi,

    I have just tried testing this as I get ready for May 25th, and I am stumbling at the first hurdle.

    I am getting the response: An error occurred while attempting to export personal data.
    Unable to generate export file. ZipArchive not available.

    Do you know why this might be and how I may be able to fix it?

    Many thanks.

    • Carl
      May 22, 2018 at 2:19 am #

      It’s really buried in the stackoverflow post here
      https://stackoverflow.com/questions/3872555/fatal-error-class-ziparchive-not-found-in

      but, assuming you’re using ubuntu, run the following
      sudo apt-get install php7.0-zip
      then restart your server service. For example, if you’re using apache, run
      sudo systemctl restart apache2

    • Allen Snook
      May 24, 2018 at 1:11 am #

      Please try again with WooCommerce 3.4 which released today and which integrates with WordPress’s privacy tools.

      Cheers!

  2. Tod Raines
    May 18, 2018 at 11:48 pm #

    Hi,
    I just tried this “Export Personal Data” tool and I get an output file in a .zip format. Opening this I get a file titled “index.html”. Opening this in a browser I see the “About” and “User” section of the report.
    However I do not get any of the “Customer Data” nor “Orders” sections.
    I see this tool as incomplete at this point.
    I hope it gets fixed before May 25th.

    Regards,
    Tod

    • Alex Milligan
      May 20, 2018 at 12:11 pm #

      I have this same issue. I’ve run multiple test orders through my store in the past and should see a lot more on myself when I request the data. It just shows the ‘About’ section.

      There is no “Customer Data” or “Orders” information

      • Alex Milligan
        May 20, 2018 at 12:12 pm #

        I should add that I am able to find the “Customer Data” and “Orders” information manually, so it is definitely there.

        • Fred Higson-Brown
          May 21, 2018 at 12:40 pm #

          To get that data in the export file you’ll need to be running the beta for the WooCommerce version that’s due to drop this week.

          • Allen Snook
            May 24, 2018 at 1:12 am #

            Fred is exactly correct. WooCommerce 3.4 which includes integration with WordPress’s privacy tools released today.

  3. Jeremy
    May 19, 2018 at 8:04 pm #

    I tried the request and the link I receive for confirming the request does not work; it’s opening a page letting me know it cannot reach the page.

    What can I do?

    Sincerely,
    Jeremy

  4. jeremy
    May 21, 2018 at 4:36 am #

    Yes, update bugs, which are explained by the fact that nobody is ready and so everyone is running late: WordPress, Google, the themes, the plugins…
    And your plugins will never give you a credible guarantee that they comply with the GDPR.
    As a result, it is up to us to check everything, code included.
    If you are an amateur, you have no guarantee that your plugins are not stealing confidential information without your knowledge.

    The only credible solution would be for WordPress to re-check, commit to and certify the plugins that comply with the GDPR, with an official label guaranteeing that a plugin is compatible, complete and GDPR-compliant, under WP’s responsibility.
    Of course, that will cause serious harm if WordPress,
    if they have to check all of the plugins.
    Another solution: require all plugins to:
    – sign a GDPR compliance charter
    – bring themselves into GDPR compliance
    – personally guarantee the rights of erasure and of access.
    But that would leave a potential risk of leaks, if doors are left open onto confidential data.
    Modify them to bring them into compliance and/or ban the bad apples and all of the plugins, or bring them into compliance…

    And if they do that, there will need to be an official label guaranteeing that a plugin is compatible, complete and GDPR-compliant, under WP’s responsibility.

  5. jeremy
    May 21, 2018 at 4:46 am #

    for me, it’s the same!
    Update problem too fast?

  6. Charo
    May 24, 2018 at 8:09 pm #

    I need to know how to download data from all my customers in order to store it safely, i.e. without having a request from each of my customers. I’m supposed to keep a copy of all at Data protection Spanish Office but I don’t know how to bulk export all data from customers.
    Thanks
    Charo

  7. Zsuzsa
    June 1, 2018 at 1:31 pm #

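    Hi, I have WooCommerce 3.4.1 version and tried to test the personal data erasing process. At the final stage, once I push the “Erase Personal Data” button I get this message: “Erasing Data has failed. Retry” … “An error occurred while attempting to find and erase personal data.”
    I set the Privacy settings, I don’t have a clue what the problem is exactly. WP and WOO, I have the latest version. What is behind this “error”? Thanks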
    I set the Privacy settings, I don’t have a clue what is the problem exactly. WP and WOO, I have the latest version. What is behind of this “error”? Thanks