What is the GDPR? GDPR compliance measures for site operators using WordPress




In recent years, regulation of personal data protection has advanced rapidly all over the world, and the Japanese government is actively discussing it too. In particular, the EU has enacted a law called the GDPR, which among other things governs how personal data is collected on the web, for example through cookies. This article explains what the GDPR is and what measures site operators using WordPress need to take.

What are cookies?
A mechanism by which a website stores small pieces of data in the visitor's browser, which the browser then sends back with every later request to that site. Login sessions, preferences and device or visitor identifiers are typically carried in cookies.


Key points of this article

First, here are the key points of this article. If you don't have time, at least take a look at these.

  • It applies to every company that collects personal data of people in the EU, wherever the company is based
  • Collecting data such as cookies may require the user's consent
  • The privacy policy needs to be updated
  • Tools that collect personal data (analytics, forms, ad tags) must be reviewed, updated and put behind user consent
  • Failing to comply with the GDPR can lead to fines and other sanctions
  • The revision of Japan's Act on the Protection of Personal Information may tighten the rules at home as well

What is the GDPR?

Let's start with the GDPR itself. GDPR stands for "General Data Protection Regulation"; in Japanese it is usually called the EU General Data Protection Regulation. It has applied since May 25, 2018 and replaced the Data Protection Directive (Directive 95/46/EC), which dated from 1995.

Background to the establishment of the GDPR

Behind the GDPR are the development of IT and economic globalisation. Starting with huge platforms such as Google and Facebook, more and more companies leverage massive amounts of data to expand their businesses globally. The EU established the GDPR as an update of its existing legislation in response to these changes.


Basic Principles of the GDPR

The GDPR sets out basic principles for handling personal data (Article 5). Please check the following.

  • Personal data must be processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency)
  • Processing needs a lawful basis; for web tracking such as cookies that basis is usually the user's consent
  • Personal data must be collected for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes (purpose limitation)
  • Personal data must be adequate, relevant and limited to what is necessary for those purposes (data minimisation)
  • Personal data must be accurate and kept up to date (accuracy)
  • Personal data must be kept in a form that identifies the data subject for no longer than necessary (storage limitation)
  • Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised access, loss or damage (integrity and confidentiality)
  • The controller is responsible for the above and must be able to demonstrate compliance (accountability)

Penalties of the GDPR

The GDPR has two tiers of administrative fines (Article 83). Which tier applies depends on the obligation that was breached.

  • Up to 10 million euros or 2% of the company's worldwide annual turnover for the preceding year, whichever is higher, for breaches of obligations such as security of processing, record-keeping or data protection by design
  • Up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, for breaches of the basic principles, the conditions for consent, data subjects' rights or the rules on international transfers

Personal data subject to the GDPR

Let’s look at the personal data covered by the GDPR.


Country Coverage

The GDPR applies in the following countries:

  • The EU member states
  • The three other countries of the EEA (European Economic Area): Iceland, Liechtenstein and Norway

Defining Personal Information

Personal data is any information relating to an identified or identifiable natural person. It is not limited to consumers: employees and company representatives in the target countries are covered too.

Personal data may include, for example:

  • Names: organisation charts, seating charts, employee registers
  • Names of stakeholders: shareholder registers, customer management data
  • E-mail addresses: mailing lists, data in CRM tools
  • Video, images and audio of identifiable people

A good rule of thumb is that any data which can be used to single out a specific individual is in scope. The same applies to data that identifies a person only when combined with other information, such as employee IDs or mobile numbers. Online identifiers such as cookie IDs and IP addresses fall into this group: they are personal data when they can be combined with other data to identify a person.


Will Japanese companies be affected by the GDPR?

Although the GDPR is an EU law, a Japanese company may be affected by it if it:

  • has subsidiaries or branches in the EU
  • is located in Japan but offers goods or services to EU residents
  • has access to EU residents' personal data collected by group companies in the EU
  • handles EU residents' personal data on behalf of another company (as a processor)

What should website operators do to comply with the GDPR?

Since the GDPR covers a very wide area, this article lists only the actions required from the perspective of a business site operator using a CMS such as WordPress.

  • Development of internal systems
  • Establishing a privacy policy
  • Obtaining user consent
  • Data encryption
  • Checking and updating plug-ins

Development of internal systems

As for internal systems, first appoint a person responsible for data management. At the same time, write down internal rules for handling data: what is collected, where it is stored, who can access it and how long it is kept.

Updating the Privacy Policy Page

A privacy policy is needed. It is usually written on the assumption that users of the service will read it, so the website's own privacy policy page may need to be updated: what data is collected, for what purpose, on what legal basis, how long it is kept and how users can exercise their rights. Consulting a lawyer or other specialist is recommended.

Obtaining user consent

When collecting personal data from users, it may be necessary to obtain the data subject's clear consent. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and expressed by a clear affirmative action: pre-ticked boxes or mere silence do not count. The controller must also be able to demonstrate that consent was given (Article 7), so a record of who consented to what, when, and under which version of the policy is required.

Here are some of the tools and techniques for which consent is typically needed:

■ Google Analytics data
■ E-mail newsletters
■ Cookies set for retargeting ads
■ Location data such as GPS
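The consent gating and consent record described above, as an added example (this is not code from the article's author or from WordPress): a small WordPress plugin that emits the Google Analytics tag only when the visitor has actively opted in under the current privacy-policy version, and writes each consent decision to a log table with a timestamp so that it can be proven later. The cookie name gdpr_consent, the policy version string, the REST route gdpr/v1/consent, the log table name and the placeholder measurement ID are assumptions made for this example; the banner itself (the HTML and script that call the endpoint) is not shown.

```php
<?php
/**
 * Plugin Name: GDPR consent gate (added example)
 *
 * Added example for this article; not code from the article's author or from
 * WordPress. The cookie name, policy version, REST route and table name below
 * are assumptions made for the example.
 */

const GDPR_CONSENT_COOKIE = 'gdpr_consent';
const GDPR_POLICY_VERSION = '2020-03';     // bump whenever the privacy policy changes
const GDPR_GA_ID          = 'G-XXXXXXXX';  // placeholder, replace with your own measurement ID

/** Create an append-only consent log table when the plugin is activated. */
register_activation_hook( __FILE__, function () {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    $table = $wpdb->prefix . 'gdpr_consent_log';
    dbDelta( "CREATE TABLE {$table} (
        id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
        recorded_at DATETIME NOT NULL,
        policy_version VARCHAR(32) NOT NULL,
        analytics TINYINT(1) NOT NULL,
        ads TINYINT(1) NOT NULL,
        ip_hash CHAR(64) NOT NULL,
        user_agent VARCHAR(255) NOT NULL,
        PRIMARY KEY  (id)
    ) {$wpdb->get_charset_collate()};" );
} );

/** Parse the cookie value "v=2020-03;analytics=1;ads=0" into an array. */
function gdpr_parse_consent_cookie(): array {
    $pairs = [];
    foreach ( explode( ';', $_COOKIE[ GDPR_CONSENT_COOKIE ] ?? '' ) as $kv ) {
        if ( strpos( $kv, '=' ) !== false ) {
            [ $k, $v ]   = explode( '=', $kv, 2 );
            $pairs[ $k ] = $v;
        }
    }
    return $pairs;
}

/** True only for an active opt-in given under the current policy version. */
function gdpr_has_consent( string $category ): bool {
    $c = gdpr_parse_consent_cookie();
    if ( ( $c['v'] ?? '' ) !== GDPR_POLICY_VERSION ) {
        return false;  // no cookie, or consent under an older policy: treat as refused
    }
    return ( $c[ $category ] ?? '0' ) === '1';
}

/** Emit the Google Analytics tag only after analytics consent; before that nothing loads. */
add_action( 'wp_head', function () {
    if ( ! gdpr_has_consent( 'analytics' ) ) {
        return;
    }
    echo '<script async src="https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( GDPR_GA_ID ) . '"></script>';
    echo '<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}'
       . "gtag('js',new Date());gtag('config','" . esc_js( GDPR_GA_ID ) . "',{anonymize_ip:true});</script>";
}, 1 );

/** POST /wp-json/gdpr/v1/consent with JSON {"analytics":true,"ads":false}, called by the banner. */
add_action( 'rest_api_init', function () {
    register_rest_route( 'gdpr/v1', '/consent', [
        'methods'             => 'POST',
        // Anonymous visitors must be able to consent, but require the REST nonce the banner
        // obtains from wp_create_nonce('wp_rest') so a cross-site form cannot "consent" for them.
        'permission_callback' => function ( WP_REST_Request $req ) {
            return (bool) wp_verify_nonce( (string) $req->get_header( 'X-WP-Nonce' ), 'wp_rest' );
        },
        'callback'            => function ( WP_REST_Request $req ) {
            global $wpdb;
            $analytics = ! empty( $req['analytics'] ) ? 1 : 0;
            $ads       = ! empty( $req['ads'] ) ? 1 : 0;
            // Proof of consent (Article 7). The IP is stored as a keyed hash so the log
            // holds less raw personal data than the request itself.
            $wpdb->insert( $wpdb->prefix . 'gdpr_consent_log', [
                'recorded_at'    => current_time( 'mysql', true ),
                'policy_version' => GDPR_POLICY_VERSION,
                'analytics'      => $analytics,
                'ads'            => $ads,
                'ip_hash'        => hash_hmac( 'sha256', $_SERVER['REMOTE_ADDR'] ?? '', wp_salt() ),
                'user_agent'     => substr( $_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255 ),
            ] );
            $value = 'v=' . GDPR_POLICY_VERSION . ";analytics={$analytics};ads={$ads}";
            setcookie( GDPR_CONSENT_COOKIE, $value, [
                'expires'  => time() + 180 * DAY_IN_SECONDS,  // ask again after six months
                'path'     => '/',
                'secure'   => true,
                'httponly' => true,
                'samesite' => 'Lax',
            ] );
            return new WP_REST_Response( [ 'ok' => true ], 200 );
        },
    ] );
} );
```

Until the banner has posted an opt-in, nothing at all is requested from Google, so no _ga cookie appears before consent, which is the behaviour a "record of active consent" requires. Changing GDPR_POLICY_VERSION invalidates every earlier consent cookie, so visitors are asked again after a policy update, and the log table keeps the old decisions for the accountability record.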

Data Encryption/SSL

Encryption of the data storage location and of data in transit (HTTPS) is needed. The GDPR does not mandate encryption outright, but it does name it explicitly: Article 32 lists encryption and pseudonymisation as examples of appropriate technical measures, and Article 34 exempts a controller from notifying data subjects of a breach if the affected data was rendered unintelligible, for example by encryption. In any case it is a basic element of a company's information management, so it is better to put it in place if it is not already.
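Forcing HTTPS on a WordPress site, as an added example (not configuration from the article or from the WordPress project): the first part goes into wp-config.php, the second is a small must-use plugin. The X-Forwarded-Proto handling is only for sites behind a TLS-terminating proxy or CDN and assumes that proxy is the only way to reach the server; the HSTS settings are likewise assumptions to adjust for your domain.

```php
<?php
/*
 * Part 1: wp-config.php, above the "That's all, stop editing!" line.
 * Added example for this article; adjust to your own hosting setup.
 */

// Serve wp-admin and wp-login.php over HTTPS only. WordPress then also marks the
// authentication cookies as Secure. Recent WordPress versions turn this on by
// themselves when the site URL in Settings > General already starts with https://.
define( 'FORCE_SSL_ADMIN', true );

// Behind a reverse proxy or CDN that terminates TLS, PHP only sees plain HTTP, so
// is_ssl() would be false and the redirect in part 2 would loop. Trust the proxy's
// header ONLY if the proxy is the sole route to this server (assumption).
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

/*
 * Part 2: wp-content/mu-plugins/force-https.php (must-use plugins load automatically).
 */

// Redirect every plain-HTTP front-end request to its HTTPS equivalent.
// wp_safe_redirect() only follows hosts on WordPress's allowed list (the site's own
// host by default), so a forged Host header cannot turn this into an open redirect.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    wp_safe_redirect( $target, 301 );
    exit;
} );

// Once everything works over HTTPS, tell browsers to stop trying HTTP at all.
// Start with a short max-age and raise it only after confirming that no HTTP-only
// subdomain breaks; includeSubDomains is an assumption about your domain.
add_action( 'send_headers', function () {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=300; includeSubDomains' );
    }
} );
```

Encryption of data at rest (database volumes, backups, uploads) is a hosting-level setting rather than WordPress configuration, so it is not shown here; check it with your hosting provider.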

Checking and Updating Plug-ins

WordPress plug-ins that collect and store personal data must be checked and kept updated: which fields they collect, where they store them (database tables, uploads, third-party services) and whether they support WordPress's built-in Export Personal Data and Erase Personal Data tools (available since WordPress 4.9.6). Check for pending updates regularly; the dashboard lists them, and from the command line "wp plugin list --update=available" (WP-CLI) shows the same. The main categories are:

  • Inquiry (contact) form plug-ins
  • Comment plug-ins
  • Analytics plug-ins
  • Marketing plug-ins
  • Community and membership plug-ins


Japan Prepares to Revise Personal Information Protection Law

Do not feel safe just because your company does not serve EU residents. In Japan, a bill to amend the Act on the Protection of Personal Information, which among other things tightens the conditions for using cookie data and similar identifiers, has been approved by the Cabinet (as of March 2020).


This article introduced what the GDPR is and the main countermeasures. Regulation of personal data protection is being strengthened not only in the EU but around the world, so this is a good opportunity to review your sites and services once more. That's all for this article.