You probably know someone who’s requested their data from one of the big social media platforms. It can be staggering to see all the detail in one of these data “dumps”!
If your store collects data from EU residents, you can expect to start receiving “Right of Access” requests under the GDPR.
An EU resident has a right to a copy of all the data you’ve collected about him or her, ideally in an electronic format. This includes information like name, address, and phone number, along with less obvious things like shipment tracking numbers or VAT IDs. Thankfully, WordPress 4.9.6, WooCommerce 3.4, and many WooCommerce extensions automate the legwork Right of Access requests require — we’ll walk you through the process.
Before You Get Your First Request
To start, do a few test orders with your store to understand what data you collect and develop a standard procedure for responding to requests. Your procedure should include:
- How you will confirm the person’s identity: You don’t want to send personal data to anyone but an authorized person!
- Where you will obtain the data. Some data will be available using the new tools in WordPress and WooCommerce. Some plugins store data separately, and you might have other online systems separate from your WordPress/WooCommerce store where you input data. Make a list of all sources of personal data connected to your store.
Not sure you know all the places data might be stored? Do a test order at your store and use it to flesh out your procedure. You’ll be able to see what plugins are automatically providing data using the new WordPress export tool — and what plugins are conspicuously absent. Note all the plugins you don’t see in the export tool; you’ll have to get their data separately.
When The First Request Comes In
1. Confirm identity of the requester
Confirm the identity of the person making the request before you export their personal data. WordPress has a new page under Tools → Export Personal Data where you can send a confirmation request to the customer’s email address (or via their username, if they’re a registered user on your site):
To send the request, type their email address in the box provided and hit “Send Request.” They’ll receive an email with a confirmation link, which they’ll use to confirm the request:
While you’re waiting for the customer to confirm, you’ll see the request displayed as “Pending.” Once they click the link, the status switches to “Confirmed”:
2. Export data
WordPress, WooCommerce, and many extensions work together to assemble an “export” file containing a person’s personal data. You can either send the customer a link to the file — it’s good for three days — or download their file yourself. The latter is useful if you need to combine the export file with sources of data from other plugins to get a complete picture.
After you’ve downloaded or emailed the file, the request will be marked “Completed.” You can leave the completed request alone or use bulk actions to remove it, depending on how you want to log compliance with the law.
Curious to know what a download might look like? Voila:
What About Repeated or Nuisance Requests?
If you find yourself facing multiple requests from the same customer, you are permitted under the law to assess a reasonable fee. That’s something else you should consider as you draw your “right to access” procedures together.
We’ve covered the importance of putting someone in charge of privacy, how to build a policy, and how to prepare for Right of Access request. Next up: Right to Erasure.
About
Hi,
I have just tried testing this as I get ready for May 25th, and I am stumbling at the first hurdle.
I am getting the response: An error occurred while attempting to export personal data.
Unable to generate export file. ZipArchive not available.
Do you know why this might be and how I may be able to fix it?
Many thanks.
It’s really buried in the stackoverflow post here
https://stackoverflow.com/questions/3872555/fatal-error-class-ziparchive-not-found-in
but, assuming you’re using ubuntu, run the following
sudo apt-get install php7.0-zip
then restart your server service. For example, if you’re using apache, run
sudo systemctl restart apache2
Please try again with WooCommerce 3.4 which released today and which integrates with WordPress’s privacy tools.
Cheers!
Hi,
I just tried this ‘Export Personal Data’ tool and I get an output file in a .zip format. Opening this I get and file titled “index.html’. Opening this in a browser I see the “About” and “User” section of the report.
However I do not get any of the “Customer Data” nor “Orders” sections.
I see this tool as incomplete at this point.
I hope it gets fixed before May 25th.
Regards,
Tod
I have this same issue. I’ve run multiple test orders through my store in the past and should see a lot more on myself when I request the data. It just shows the ‘About’ section.
There is no “Customer Data” or “Orders” information
I should add that I am able to find the “Customer Data” and “Orders” information manually, so it is definitely there.
To get that data in the export file you’ll need to be running the beta for the woocommerce version that’s due to drop this week.
Fred is exactly correct. WooCommerce 3.4 which includes integration with WordPress’s privacy tools released today.
I tried the request and the link I receive for confirming the request does not work, it’s opening a page letting me know it cannot reach the page.
What can I do?
Sincerely,
Jeremy
Hi Jeremy!
Would you mind opening a ticket at https://core.trac.wordpress.org/newticket and give as many details as possible? Please tag the ticket gdpr
Thanks!
Oui beg de mis a jours qui explique par le fait que tout monde n’est pret et donc en retard wordpress, google, les thèmes, les plugin….
Et vos plugin vous donnerons jamais les garantie crédible que vos plugin sont conforme au GDPR.
De ce fait c’est à nous, de tout vérifier code compris.
Dans le cas ou vous êtes un amateur, vous n’avez aucune garantie que vos plugin ne vole pas des informations confidentielle à votre insu.
La seul solution crédible, serrait que WordPress recontrôle s’engage et certifie les plugin qui sont conforme au GDRP avec un label officiel qui garantie que les plugin est compatible, complet et conforme au GDPR et ce sous la responsabilité des WP
Bien entendu, cela va causé des préjudices grave si wordpress.
Si il doivent vérifier l’ensemble des plugin.
Autre solution, obligé tout les plugins a:
– signé une charte de conformité GDPRde ce mettre en conformité GDPR
de garantir personnellement les droit de suppressions et de consultation.
Mais cela laisserai un danger potentiel de fuites, si on laisse des porte ouverte sur les donné confidentiel.
modifier pour les mettre en conformités et/ou bannir les mauvais élevé et l’ensemble des pluginou les mettre en conformités…
Et si il font cela, il faudra mettre un label officiel qui garantie que les plugin est compatible, complet et conforme au GDPR et ce sous la responsabilité des WP.
for me, it’s the same!
Update problem too fast?
I need to know how to download data from all my customers in order to store it safely ie. without having a request from each of my customers. I’m supposed to keep a copy of all at Data protection Spanish Office but I don’t know how to bulk export all data from customers.
Thanks
Charo
Hi, I have Woocommerce 3.4.1 version and tried to test the personal data erasing process. At final stage once I push “Erase Personal Data” button I get this message: “Erasing Data has failed. Retry” …”An error occurred while attempting to find and erase personal data.”
I set the Privacy settings, I don’t have a clue what is the problem exactly. WP and WOO, I have the latest version. What is behind of this “error”? Thanks