Wordfence GDPR Update 2: On Target For May 25th

Update: Wordfence is now GDPR compliant. Click here to learn more.

Preparations to get Wordfence and our organization ready for GDPR continue at Defiant and we are on schedule. Last week we sent out an update that said we are applying for the Privacy Shield certification program for both EU-US and Swiss-US and will soon have available a Data Processing Agreement for our EU customers who need one.

We have now completed our application for the Privacy Shield certification programs mentioned above. As of this morning, May 16th, our Privacy Shield application has not been processed yet. We expect it to be completed by this coming Monday, the 21st of May.

Once the Privacy Shield application is processed, on Monday, we plan to roll out plugin updates, website updates, policy updates, new ‘Help’ content and a further blog post explaining the updates. Most of this work is already completed, we just need to complete the application process and the rollout.

If for some reason our Privacy Shield application is not processed by early next week, we have a contingency plan in place that would meet the deadline. It will create more work for us, but would ensure that we can continue to serve our European customers and keep ourselves and them GDPR compliant. The contingency plan does not require any changes to our software, only changes to our policies. Hopefully our Privacy Shield application will be processed in a timely fashion and we’ll remain on track. But as they say, hope for the best, plan for the worst.

The bottom line is that by the end of next week, we will have completed our rollout to become fully GDPR compliant. Wordfence remains committed to serving our European customers, along with our US and world-wide customers, and the Defiant team is working hard to ensure that you will remain secure and compliant.

As always, you are welcome to post in the comments below. Just a reminder, I am not a lawyer and, while we have a spectacular legal team of our own (Thank you Charlie, Mark, Corey and K&L Gates!), I can not give you general GDPR advice. I can only advise you on our own progress with regards to GDPR compliance.

Did you enjoy this post? Share it!


  • Best news of today! Thanks for the great effort,
    best regards from Germany

  • Mark,
    My target B to B customers are in the western part of the US. I do see some requests from out of the US. Why should I care about GDPR compliance?

    • As I mentioned in the post, I can't really advise you on that. I only understand our specific situation and we have European customers and are required to be compliant.

  • Good luck with application!

    Though 2 things from my experience:
    1) it takes more than one week for DoC to process it (for us it took few months!);
    2) Privacy Shield certification isn't the same as GDPR compliance. For sure it helps your EU customers - they can use your service without additional fuss (like signing EC standard contractual clauses), but if you are subject to GDPR - it's whole another story.

    • Atis I'm not sure what you mean by "whole another story".

      Our process to become compliant has been a large project with many moving parts. I've mentioned some of them in the blog post above. Docs, software changes, agreements, Privacy Shield application, internal processes and accountability - are just some of the things this has touched.

      The Privacy Shield is just a dependency we need to get through - perhaps we focused a bit too much on that in the post above.

  • As far as I understand, GDPR compliance means that Wordfence and the website owner make a contract that any data sent to Wordfence is processed according to the rules of the GDPR. In other words, it's high time to prepare such a document, so website owners can sign it, send it to Wordfence and get a copy of the treaty before May, 25th. In other words, we have to follow the same procedure Google does with Google Analytics.

    The alternative is that Wordfence simply does not collect data on any server except the website server itself. Actually, I'd prefer this alternative.

    What's your opinion? Does the privacy shield certificate make the signed contract superfluous?

    • Hi Stephan,

      Please read the first paragraph of the above post again:

      "Preparations to get Wordfence and our organization ready for GDPR continue at Defiant and we are on schedule. Last week we sent out an update that said we are applying for the Privacy Shield certification program for both EU-US and Swiss-US and will soon have available a Data Processing Agreement for our EU customers who need one."

      Yes we will have a data processing agreement for you as part of what we're launching next week.

  • cant be as bad as the first implementation of iso 9001

  • Michael, every website is concerned by GDPR.

    Even if your target market is not European and that your website is hosted out of Europe you are concerned in some way because the internet has no boundaries thus someone might share your website on social media where European citizens can have a look or your US visitor can send your website url directly to a European citizen.

    You see, in both scenarios a European citizen will land on your website! GDPR is made to protect our data. Remember what happened with Facebook lately ;-)

  • Micheal

    The GDPR standard is complicated when looking at who is or isn't subject to this, but if you put all the complications to one side and accept that it is a very good piece of regulation that sets the standard for individual data protection, it worth getting to know and to adopt even for users outside.

    For my company, and we are B 2 B only, it has been an excellent exercise and helped us update our policy and practice.

    • Yes I think that the process that GDPR creates within organizations can be helpful because it shines light on areas that might otherwise not get any attention. For a long time we've said that the best way to secure data is to get rid of it. GDPR makes you consider what you're storing and whether you should delete it or bring it into compliance. Most often the path of least resistance is to delete it.

      Reference: "Get Rid of Data to Help Secure It" (2016 - Wordfence Blog)

  • Great news. Afaik the GDPR also demands website owners to declare which personal data of website visitors is shared with third-parties (like wordfence in this case), what they do with it and how long they retain it on the privacy policy page. Will you provide a template for this or a explanation, which data is collected, so we can inform our website users?

    • We'll be providing everything you need.

  • Do you have language that's designed to be incorporated into our privacy policy (eg, the default wordpress policy has a few sentences on Gravatar.)

    • I don't think so Adam, but check back next week.

  • I have a website based in the United States, and my website occasionally gets visitors from the EU. I'm also a premium Wordfence customer who uses Wordfence on my website. In preparation for GDPR, do I need to sign Wordfence's Data Processing Amendment? Or is Wordfence's DPA only intended for websites based in the EU? The reason I'm asking is that your blog post stated that Wordfence "will soon have a Data Processing Agreement for our EU customers who need one." That statement implies that the DPA is only for websites based in the EU. But I know that Google (my website's email provider) wanted me to sign their DPA, though I'm in the U.S. Please clarify. Thanks!

    • Thanks David, will include this in a FAQ next week. Check back Monday or Tuesday.

  • Have we got any further updates on GDPR compliance? I'm sure I'm not the only one who wants to know what data is used, for how long, why etc :-)

  • Thanks, can we sign one of these on behalf of all our clients if we manage their website (we’d be the data processor) and you then the sub processor ?

    • Good question. Right now we are a data controller (because we operate our own websites) and a data processor for customers like you. We have our own sub-processors.

      We expect our customers to be data controllers and to use us as a data processor. We have not considered the scenario where you are a data processor and want to have us as a sub-processor. Adam, I'm not sure that's what you want to do because you are an individual or legal entity, but data isn't actually flowing through you. It flows from your clients to us. I'm thinking out loud here, but it seems to me that your clients should be the data controllers and we should be the data processor in this case.

      I'll check with our team and will update if needed.