Have you thought about your web application plugins and third-party libraries in your efforts to become ready for GDPR?

We can’t ignore it anymore: from May 2018 the General Data Protection Regulation (GDPR) applies directly in all 28 EU member states. Hopefully you’re already taking action to prepare your business for these new privacy rules. If not, get started now!

Plugins and libraries

If you have a website or webshop and you use a common platform like WordPress, Drupal, Joomla, Magento, PrestaShop or WooCommerce, you most likely use a variety of plugins to provide a richer customer experience and add features beyond the basic functionality of the platform. But are these plugins safe to use, and do they let you stay within GDPR?

To give you an example of what I mean, let’s look at a plugin for adding a contact form to a WordPress website. A quick search for “contact form” on the WordPress Plugins page gives me numerous results. I’ll just take the first two in my results.

Screenshot: WordPress plugin search results for “contact form”

Contact Form 7

Contact Form 7 is a simple plugin that allows you to add forms to your WordPress website; every submission is e-mailed to an address you specify.

Contact Form by WPForms

Contact Form by WPForms is a more advanced plugin that allows you to design your forms with a drag-and-drop interface and add the created forms to your posts and pages with the click of a button. All submitted forms are collected in the WordPress database for easy lead follow-up.

Review

While both plugins offer the same basic functionality, the way they process submitted contact forms is different. Contact Form 7 just sends the form directly to an e-mail address without storing any information in a database. From a privacy point of view, this is a good thing: when your WordPress installation gets compromised, no personal data is kept there. (The data does still end up in the receiving mailbox, so that mailbox needs to be protected in its own right.)

Contact Form by WPForms stores the submissions directly in the WordPress database, and unfortunately it does this in plain text, so when the database gets compromised (through SQL injection, a leaked backup or a stolen database credential), the data is readable by anyone who obtains it. A better solution would be to encrypt the data before storing it, or to keep it in a separate database away from WordPress, but for most end users this would be too complicated to set up.

Our conclusion: we prefer Contact Form 7, because the submitted data is not stored on the web server at all.

What about eCommerce?

Above we described a very common but simple problem for a blog website. But what about the more complex eCommerce websites, where extra functionality is required to run a webshop?

We see that Payment, Shipping & Transportation and Customer Support plugins are common on most online shops. Since all of these handle some form of Personally Identifiable Information (PII), choosing the right one is a very important step.

We contacted the vendors and service providers behind these plugins directly to find out whether they would be ready for GDPR by May 2018. Their answers gave us enough information to build an online tool that checks whether a specific plugin is safe to use under GDPR. It also comes with an API if you prefer to automate your checks.

Plugin Check

What can you do yourself?

If you’re using a website or eCommerce platform, see if you can reduce the amount of customer information stored in the platform’s database. If the platform gets compromised, every piece of customer data in that database is at risk too.

When you’re using a third-party service provider for processing payments, delivering goods or running a support platform, you need to be careful. GDPR is a shared responsibility! Even when you’re fully compliant with GDPR, your supplier needs to be as well. Luckily most services are taking enough measures to protect the data of their customers (you), but not all. So do your research into what your supplier is doing for GDPR, and make sure you have a formal agreement (a data processing agreement) with every supplier you share PII with.

One last piece of advice I would like to leave you with: store the minimal amount of information required to run your web application. The less information you have, the lower the risk that personal information is breached. And if you do have to store information on your system, keep it in a separate, more secure and preferably encrypted data store. There are plugins and add-ons out there that let you select a different database from the one your web application uses.
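To make the “encrypt it before you store it” advice from the contact-form review and the paragraph above concrete, here is an added PHP example (written for this article, not code from WPForms, Contact Form 7 or any other plugin). It seals a submitted form with libsodium’s authenticated encryption (sodium_crypto_secretbox, available in PHP 7.2 and later) using a key that lives in wp-config.php rather than in the database, so a dump of the wp_ tables alone yields only ciphertext. The constant name FORM_DATA_KEY, the sample submission and the way the key is loaded are assumptions made for the example.

```php
<?php
// Added example: encrypt contact-form submissions before they are written to the
// WordPress database. Not the code of any plugin mentioned in the article.
//
// The key is a 32-byte secret kept OUTSIDE the database, e.g. as a constant in
// wp-config.php (constant name FORM_DATA_KEY is an assumption for this example):
//   php -r 'echo base64_encode(sodium_crypto_secretbox_keygen()), PHP_EOL;'
//   define('FORM_DATA_KEY', '<paste the base64 output here>');

function form_data_key(): string
{
    if (!defined('FORM_DATA_KEY')) {
        throw new RuntimeException('FORM_DATA_KEY is not configured in wp-config.php');
    }
    $key = base64_decode(FORM_DATA_KEY, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('FORM_DATA_KEY must be a base64-encoded 32-byte key');
    }
    return $key;
}

// Returns an opaque base64 string: nonce || ciphertext+MAC. Store this single
// value in the database instead of the individual plain-text fields.
function encrypt_submission(array $fields, string $key): string
{
    // A fresh random nonce per record; reuse with the same key breaks secretbox.
    $nonce      = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext  = json_encode($fields, JSON_THROW_ON_ERROR);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    sodium_memzero($plaintext);
    return base64_encode($nonce . $ciphertext);
}

// Inverse of encrypt_submission. Fails closed on a wrong key or a tampered record,
// because secretbox authenticates the ciphertext before decrypting it.
function decrypt_submission(string $stored, string $key): array
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored value is malformed');
    }
    $nonce      = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext  = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        throw new RuntimeException('Decryption failed: wrong key or tampered record');
    }
    $fields = json_decode($plaintext, true, 512, JSON_THROW_ON_ERROR);
    sodium_memzero($plaintext);
    return $fields;
}

// Stand-alone demonstration with a constructed (fictional) submission.
// Inside WordPress you would call form_data_key() instead of generating a key here.
$key = sodium_crypto_secretbox_keygen();

$submission = [
    'name'    => 'Jane Doe',
    'email'   => 'jane.doe@example.com',
    'message' => 'Please call me back about my order.',
];

$stored = encrypt_submission($submission, $key);
// $stored is what goes into the database; it contains no readable PII.
assert(strpos(base64_decode($stored), 'example.com') === false);

$restored = decrypt_submission($stored, $key);
assert($restored === $submission);

// A single flipped byte in the stored record is rejected, not silently decrypted.
$raw      = base64_decode($stored);
$raw[-1]  = chr(ord($raw[-1]) ^ 0x01);
try {
    decrypt_submission(base64_encode($raw), $key);
    echo "unexpected: tampered record accepted\n";
} catch (RuntimeException $e) {
    echo 'Tampered record rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two caveats a practitioner should keep in mind. First, this protects the data against a database-only compromise (SQL injection, a leaked backup, a stolen database credential); an attacker who takes over the whole WordPress installation can read wp-config.php and therefore the key, which is why the article’s other two recommendations, not storing the data at all or keeping it in a separate store, still apply. Second, the plugin must also stop writing the plain-text fields anywhere else (revisions, post meta, logs), otherwise the encryption only moves the problem.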


Michelangelo van Dam

Michelangelo van Dam is a senior PHP architect, PHP community leader and international conference speaker with many contributions to PHP projects and community events.