We’re rolling out updates to our privacy features and policies in the coming weeks. You’ll have more control over your personal information and more detail on what information we keep and what we do with it. The updates will also make sure we comply with new privacy laws, and will help you do the same for your own website or store.
via New Privacy Features and Updated Policies — The WordPress.com Blog
The above blog post is WordPress.com site owners’ first look at what Automattic, WordPress.com’s parent company, is doing to help site owners comply with the General Data Protection Regulation coming into effect on May 25. If you haven’t seen it yet, please read it in its entirety.
If you are a site owner here, besides the WordPress.com Blog post, you’ll want to read the Automattic Privacy FAQ, particularly the section for site owners, as well as the information on Jetpack regarding commenting. On top of that, there’s also now a privacy.blog where further updates will be posted.
When It Rains…
Personally, in spite of having read endlessly on GDPR even before the above post was published, I feel like I’m drowning. We’ve suddenly gone from having hardly any information at all to a downpour of information and, unfortunately, the information we received doesn’t really bring much clarity to what casual blog and website owners should do ahead of May 25. It feels like too little (or, in this case, way too much!), too late. There’s no “one privacy policy fits all” document that site owners can point visitors to, although the new Privacy Notice was mentioned.
While Staff have been providing some helpful pointers in the forums, the phrase most often repeated there is that they cannot give users legal advice specific to their site because they are not our lawyers. And that, as irritating or disappointing as it may be, is correct.
Do You Need A DPA?
It was also mentioned in the WordPress.com blog post that users with a paid upgrade that require a Data Processing Agreement (DPA) can request one. I admit I’m confused about this point because I understood that every WordPress.com site owner requires such an agreement with Automattic to process data for EU individuals on our behalf. Am I wrong? Does the fact that I’m running a site without a paid upgrade make any difference as far as the GDPR is concerned? On the MailChimp site they’ve conveniently provided a sample of their DPA saying,
“We offer a data processing agreement for EU/EEA and Swiss customers or non-EU/EEA and Swiss customers processing data on behalf of EU/EEA and Swiss individuals, in addition to our publicly posted Privacy Policy.” Emphasis mine.
From Statement to Policy
Meanwhile, and it now feels like a very tiny drop in a very big bucket, I’m fretting over the Privacy Statement in my sidebar that is turning into an extended Privacy Policy, hopefully to be in place by the 25th of May. I keep finding more and more points that need addressing, like the ads that WordPress.com runs.
Concerning the stats collected on this site, there have also been updates to both Google’s Privacy Statement and changes happening on Clicky, which at one point considered shutting down due to the cost of bringing their service into compliance. As far as I can tell the biggest impact the GDPR is going to have for website owners is on visitor statistics and tracking. Depending on your point of view, that may be a good thing or bad thing.
In the end, we’ll all eventually benefit from these changes in privacy and data rights. I just hope we casual blog and website owners manage to maintain our sanity getting there.
In the recent 4.9.6 release of WP for self-hosted sites there is a mechanism for site owners to delete someone’s data if/when they request it. Do you know what the equivalent is or will be for WP.com because, of course, we do not get access to the database?
The only things that I saw that are remotely similar are mentioned in the Automattic Privacy Notice, no wait, Privacy Policy, which looks to be newly updated (again), https://automattic.com/privacy/, and in the WPcom blog announcement, where they said that in the coming weeks they would launch a way for users to request access to their personal data. No specifics given yet.
As a part of my own efforts, I’ll be including a form for users to request deletion of a comment or contact form submitted on my site. That’s as close as we can get to the database.
Mini-lawyers indeed! Bah, humbug!