The GDPR Framework is built by developers for developers. Every part of the plugin is extendable and you can override pretty much any behaviour built in the plugin. You can add and remove elements from the Privacy Tools page in both front-end and the dashboard. You can override each and every template used in this plugin. There’s also a comfortable interface for adding tabs under Tools > Privacy as well as adding steps to the Setup Wizard.

Note that even though this doc contains everything you need to make your custom-built features or plugins GDPR-compliant, this is just the super-brief ‘beta’ version of our developer docs. We’re currently putting together more detailed documentation – stay tuned! If you spot any mistakes or find something unclear, don’t hesitate to email indrek@codelight.eu and ask!

Data subjects

The GDPR Framework identifies data subjects by their email. All actions and filters have $email as one of the parameters – it refers to the email of the data subject whose data is being processed.

Actions with data

Downloading a data subject’s data

When an admin or data subject downloads their data, it’s passed through a filter. You can add custom data there.

<php
add_filter('gdpr/data-subject/data', 'gdpr_filter_data', 10, 2);

function gdpr_filter_data($data, $email) {
  $data['My Custom Data'] = [
    'some data',
    'some other data',
  ];
  return $data;
}

The variable $data is simply an array of key-value pairs, containing all the downloadable data of that data subject. You can have nested arrays inside it.

The same filter is triggered both when exporting data as HTML or as JSON.

Note that this filter is also used to check if any data belonging to a particular data subject is stored on the website at all.

Don’t forget to return $data!

Exporting data in a different format

If you’d like to change the default JSON format to something else, you can use the following action:

<php
add_action('gdpr/export/json', 'gdpr_export_data', 10, 2);

function gdpr_export_data($data, $email) {
  // do something here
}

Anonymizing data

To do something when a data subject is anonymized, you can use the following action:

<?php
add_action('gdpr/data-subject/anonymize', 'gdpr_anonymize_data', 10, 2);

function gdpr_anonymize_data($email, $anonymizedId) {
   // do something here
}

The second parameter, $anonymizedId refers to the anonymous, randomly generated ID that can be used to tie bits and pieces of data together (but it’s still anonymous). For example, if a user is anonymized, then $anonymizedId will be stored in their usermeta table. If, for example, a Gravity Forms submission is also made using the same email, then the email will be replaced with the same anonymous ID, allowing you to connect it to the anonymized user. This might be useful for analytics, for example.

If the data subject has a user account, the user will be anonymized on the same action at priority 100. This means you can still access it if you set the priority to 10, for example.

Note that if the Delete Action is set to “notify”, then this action is triggered when the admin anonymizes the data subject, not when the data subject clicks on “delete everything” button.

Read about what exactly happens when a data subject is anonymized.

Deleting data

To do something when a data subject is deleted, you can use the following action:

<?php
add_action('gdpr/data-subject/anonymize', 'gdpr_anonymize_data'); 

function gdpr_anonymize_data($email) { 
  // do something here 
}

If the data subject has a user account, the user will be deleted on the same action at priority 100. This means you can still access it if you set the priority to 10, for example.

Note that if the Delete Action is set to “notify”, then this action is triggered when the admin deletes the data subject, not when the data subject clicks on “delete everything” button.

Read about what exactly happens when a data subject is deleted.

Consent

Registering a new type of consent

You can register a type of consent via code like this:

<?php
add_action('init', 'gdpr_register_my_consent');

function gdpr_register_my_consent() {
  gdpr('consent')->register(
    'my_custom_consent_slug', 
    'My custom consent human-readable title',
    'My custom consent long description',
    true
  );
}

Calling gdpr('consent') returns the ConsentManager object. The register function accepts 4 parameters: $slug, $title, $description and $visible. The last one controls whether or not the registered consent should be visible to the data subject on the Privacy Tools page. It defaults to true.

Setting a consent as ‘given’

When something happens, for example a visitor submits a form, you can set a consent like this:

<?php
if (isset($_POST['my_custom_consent_slug']) && $_POST['my_custom_consent_slug'] === 'yes') {
  $dataSubject = gdpr('data-subject')->getByEmail($_POST['email']);
  $dataSubject->giveConsent('my_custom_consent_slug');
}

Withdrawing consent

When a visitor withdraws their consent to something, the following action is triggered:

add_filter('gdpr/consent/withdraw', 'gdpr_withdraw_consent', 10, 3);

function gdpr_withdraw_consent($validation, $email, $consent) {
  if ($consent === 'my_custom_newsletter_consent') {
    // Do something here
  }
  return $validation;
});

You can set the $validation parameter to false if there’s a condition that disallows the user from withdrawing consent. Make sure you return it either way.

Querying all data subjects who have given a specific consent

We’ll update this shortly!

Privacy Tools page

There are two Privacy Tools pages. First, there’s the public facing page on your website’s frontend which can be accessed by authenticating via email. Second, if the data subject has a user account, there’s the Privacy Tools page under Users (or Your Profile) menu item. Both require separate handling, unfortunately.

The front-end Privacy Tools page is put together with hooks using the following action:

'gdpr/frontend/privacy-tools-page/content'

To add something between the consent table and the data export buttons on the Privacy Tools page:

<?php
add_action('gdpr/frontend/privacy-tools-page/content', 'gdpr_add_tools_content', 15);

function gdpr_add_tools_content() {
  echo "My custom content!";
}

The existing content is hooked in there in PrivacyToolsPageController:

<?php
add_action('gdpr/frontend/privacy-tools-page/content', [$this, 'renderConsentForm'], 10, 2);
add_action('gdpr/frontend/privacy-tools-page/content', [$this, 'renderExportForm'], 20, 2);
add_action('gdpr/frontend/privacy-tools-page/content', [$this, 'renderDeleteForm'], 30, 2);

To remove something, you can fetch the PrivacyToolsPageController object and remove the action like this:

<?php
$controller = gdpr(Codelight\GDPR\Components\PrivacyToolsPage\PrivacyToolsPageController::class);
remove_action('gdpr/frontend/privacy-tools-page/content', [$controller, 'renderConsentForm'], 10);

If you wish to add something to the Dashboard Privacy Tools page, you can use the following action:

<?php
add_action('gdpr/dashboard/privacy-tools/content', 'your_function');

Overriding templates

You can override each and every template used in this plugin. The mechanism is exactly the same as in WooCommerce and many other major plugins. Just create a folder called ‘gdpr-framework’ inside your theme and place your custom templates inside that folder, using the same folder structure as you can see inside the plugin’s ‘views’ folder.

For example, if you wanted to override the email that is sent when a data subject identifies themselves, in your theme folder you would create the following folders and file:

gdpr-framework/emails/identify-data-subject.php

When the View class searches for a view, it first looks into child theme, then parent theme and finally in the plugin.

Admin & setup wizard

We’ve created a simple interface to add steps to the setup wizard as well as admin tabs. Details coming soon!