GDPR Explained for WordPress Site Owners: Complete Beginner Guide

Sarah runs a photography portfolio on WordPress. She’s based in Portland, Oregon, has maybe 500 monthly visitors, and figured the European data protection law she kept hearing about was for Facebook and Google — not someone selling portrait sessions to Pacific Northwest families. Then a German visitor submitted a contact form, followed two weeks later by an email demanding to know exactly what personal data Sarah’s site had collected, where it was stored, who had access to it, and requesting its complete deletion.

Sarah had thirty days to respond. She had no idea where to start.

This scenario plays out constantly across the WordPress ecosystem. The General Data Protection Regulation has generated over €5.65 billion in fines since taking effect in May 2018, with supervisory authorities issuing more than 2,245 penalties. Spain alone has levied 932+ fines, and the majority targeted small and medium businesses — not tech giants. The regulation’s reach extends far beyond European borders, and WordPress sites collect far more personal data than most owners realize.

Understanding GDPR isn’t optional for anyone running a WordPress site accessible to European visitors. The good news: once you understand what the regulation actually requires and how WordPress handles personal data, compliance becomes manageable rather than mysterious.

The Regulation That Changed Everything

Before GDPR, businesses operating across Europe faced a fragmented nightmare of 28 different national data protection laws. A company selling to customers in Germany, France, and Italy needed separate compliance frameworks for each country. The General Data Protection Regulation (officially Regulation EU 2016/679) replaced this patchwork with a single enforceable standard that took effect on May 25, 2018.

The regulation addresses a fundamental problem that had been growing for decades: individuals had lost control over their personal information. Every website visit, every form submission, every purchase created data trails harvested, analyzed, sold, and exploited in ways people neither understood nor consented to. GDPR restored the balance by establishing that personal data belongs to the individual, not the organization collecting it.

The official text spans 99 Articles organized into 11 Chapters, supplemented by 173 Recitals providing interpretive guidance. For WordPress site owners, certain sections matter more than others. Article 3 explains why the regulation applies to sites outside Europe. Article 5 establishes the seven core principles governing all data processing. Article 6 defines the six lawful bases that make processing legal. Articles 12 through 22 enumerate the rights individuals can exercise over their data. Article 30 covers documentation requirements. Articles 33 and 34 address what happens when things go wrong — data breaches.

The regulation operates on principles that, once understood, feel like common sense. Organizations should collect only the data they genuinely need. They should use it only for the purposes they stated when collecting it. They should keep it only as long as necessary. They should protect it appropriately. And they should be able to demonstrate they’re doing all of this correctly. These aren’t suggestions or best practices — they’re legally enforceable requirements carrying penalties up to €20 million or 4% of annual global turnover, whichever is higher.

Seven Principles That Govern Everything

Article 5 establishes the foundational principles from which every other GDPR requirement flows. Understanding these principles matters because compliance isn’t about following a checklist — it’s about embodying an approach to personal data that these principles define.

Lawfulness, fairness, and transparency form the first principle. You must process data legally, treat individuals fairly, and tell them clearly what you’re doing with their information. Secret data collection violates this principle. Deceptive practices violate it. Burying critical disclosures in impenetrable legalese violates it. When someone submits a contact form on your WordPress site, they should understand — before hitting submit — what happens to their information.

Purpose limitation requires collecting data only for specified, explicit, and legitimate purposes. The email address someone provides for order confirmation cannot automatically land in your marketing newsletter. The information gathered through a support ticket cannot feed your advertising targeting. Each purpose requires its own justification, and using data beyond those stated purposes violates this principle.

Data minimization means collecting only what’s adequate, relevant, and limited to what’s necessary. If your contact form needs a name and email to respond to inquiries, requiring phone numbers, addresses, company names, and job titles violates this principle. Every field you add should have a genuine justification. “Nice to have” doesn’t qualify.

Accuracy obligates you to keep data accurate and up to date, correcting or erasing inaccurate information without delay. If a customer updates their email address, your records should reflect that. If someone’s information has become outdated and you no longer need it, deletion serves accuracy better than retention.

Storage limitation prohibits keeping identifiable data longer than necessary for the purposes you collected it. Indefinite retention violates this principle. You need defined retention periods — how long you keep contact form submissions, how long customer records persist after their last purchase, when you purge old user accounts. “Forever” is never the right answer.

Integrity and confidentiality requires appropriate security against unauthorized access, accidental loss, or destruction. For WordPress sites, this translates to SSL certificates encrypting data in transit, strong passwords and two-factor authentication protecting admin access, regular software updates patching security vulnerabilities, and careful plugin selection avoiding code that introduces weaknesses.

Accountability places the burden on you to demonstrate compliance with all these principles. When a supervisory authority asks how you handle personal data, you need documentation proving your practices — not just claims that you’re compliant. This principle transforms GDPR from theoretical requirements to practical obligations requiring ongoing attention.

Personal Data Hides Everywhere on WordPress Sites

Many WordPress site owners genuinely believe they don’t collect personal data. They’re almost universally wrong.

Article 4(1) defines personal data as any information relating to an identified or identifiable natural person. The definition is deliberately expansive. Someone becomes identifiable when they can be recognized directly or indirectly through identifiers including names, identification numbers, location data, or online identifiers like IP addresses and cookies. That last category catches most WordPress sites off guard.

A default WordPress installation — no plugins, no customizations, just core software — collects personal data through multiple mechanisms. The comments system stores commenter names, email addresses, website URLs, IP addresses, browser user agents, and timestamps in the wp_comments database table. Every comment published on your site represents personal data you’re processing. User registration captures usernames, email addresses, and display names in wp_users, with extended profile information flowing into wp_usermeta. Server logs maintained by your hosting provider record IP addresses, timestamps, and pages accessed for every visitor to your site.

Plugins dramatically expand this data footprint. Contact form plugins capture names, emails, phone numbers, and message content. Contact Form 7 sends submissions via email without database storage by default, but WPForms and Gravity Forms save entries directly to your WordPress database — every message sitting in queryable tables. Analytics tools collect IP addresses, browsing behavior, device information, and location data. Google Analytics sets multiple tracking cookies that follow visitors across sessions and return visits. WooCommerce stores customer names, billing addresses, shipping addresses, email addresses, complete order histories, and payment transaction details. Product reviews add another layer of identifiable content tied to customer accounts.

Security plugins like Wordfence log IP addresses, login attempts, failed authentications, and blocked requests. This processing serves legitimate security purposes, but it’s still personal data processing requiring disclosure. Email marketing integrations transmit subscriber information to third-party services, creating international data transfers that trigger additional requirements. Even embedding a YouTube video or adding social share buttons loads third-party scripts that track your visitors.

The uncomfortable truth for most WordPress site owners: their sites collect substantially more personal data than they realized, through mechanisms they never consciously implemented, stored in locations they’ve never examined.

Controllers and Processors: Understanding Who’s Responsible

GDPR distinguishes between data controllers who determine the purposes and means of processing, and data processors who process personal data on behalf of controllers. This distinction determines your legal obligations and carries significant practical implications.

As a WordPress site owner, you are the data controller. You decided to install WordPress. You chose which plugins to activate. You determined what forms to create and what data to collect. You control what happens with visitor information. This designation carries the highest compliance responsibility — controllers must demonstrate compliance with all GDPR requirements and bear ultimate accountability for how personal data gets handled.

Your hosting provider functions as a data processor. They store data on servers according to your instructions but don’t determine what data you collect or why. The same applies to email marketing services processing your subscriber lists, analytics platforms tracking visitor behavior, payment gateways handling transaction data, and cloud backup services storing copies of your database. These organizations process data on your behalf, following your directions.

This relationship creates a critical requirement under Article 28: Data Processing Agreements. Before any processor handles personal data from your site, you need a signed DPA establishing their obligations — how they’ll protect data, what they’ll do with it, how they’ll assist with compliance requirements, and what happens when the relationship ends. Most major services provide standard DPAs accessible through their legal or privacy pages.

The DPA requirement isn’t theoretical. You likely need agreements with your web hosting provider, email marketing service, analytics platform, payment processors, CDN services, and backup solutions. Any third party touching personal data from your site qualifies as a processor requiring a documented agreement. Fortunately, signing these typically involves clicking through online forms rather than negotiating custom contracts — but you need to actually do it.

Six Lawful Bases Make Processing Legal

Article 6 establishes that processing personal data becomes lawful only when at least one of six conditions applies. There’s no hierarchy among them — the appropriate basis depends on your purpose and relationship with the individual.

Consent works for newsletter signups, marketing cookies, and optional data collection beyond what’s strictly necessary for your service. Valid consent under GDPR carries specific requirements: freely given, specific, informed, and unambiguous through clear affirmative action. Pre-ticked checkboxes don’t qualify — the European Court of Justice explicitly prohibited them in the Planet49 ruling. You must be able to demonstrate that consent was given, and withdrawing consent must be as easy as giving it. If someone clicks “unsubscribe,” that’s it — no confirmation hoops, no waiting periods, no retention “just in case they change their mind.”

Contractual necessity applies when processing is genuinely necessary to fulfill a contract. WooCommerce order processing falls squarely here — you need names and addresses to ship products, email addresses to send confirmations, payment details to complete transactions. This basis covers only what’s actually necessary for contract performance. Marketing to customers requires separate justification; the contract to sell them a product doesn’t include permission to promote your entire catalog indefinitely.

Legal obligation justifies processing required by law. Tax regulations mandate retaining financial records for specified periods — typically six to seven years depending on jurisdiction. Employment laws require maintaining certain employee data. When law compels you to process data, legal obligation provides the basis.

Vital interests protects someone’s life in genuine emergencies — processing necessary to protect vital interests of the data subject or another person. This basis exists for scenarios like medical emergencies where consent cannot be obtained. It rarely applies to typical WordPress sites and shouldn’t be stretched to cover routine processing.

Public task covers processing necessary for official functions carried out in the public interest or through official authority. Government websites, public institutions, and organizations exercising official functions may rely on this basis. Private WordPress sites selling products or publishing content don’t qualify.

Legitimate interests offers the most flexibility, allowing processing necessary for your legitimate interests unless overridden by the individual’s rights and freedoms. Website security logging, fraud prevention, and basic analytics may qualify under this basis. However, legitimate interests isn’t a blanket permission — you must conduct a Legitimate Interests Assessment documenting what interest you’re pursuing, why processing is necessary to achieve it, and how you’ve balanced your interests against individuals’ rights. Cookie-based advertising tracking generally cannot rely on legitimate interests; the European Data Protection Board maintains that consent is required for such processing.

Choosing the wrong basis creates problems beyond compliance risk. If you rely on consent for processing that should use contractual necessity, you face operational chaos when someone withdraws consent for data you actually need to fulfill their order. If you claim legitimate interests for processing that genuinely requires consent, you’ve built your compliance on an invalid foundation. Match the basis to the processing accurately.

Eight Rights Your Visitors Can Exercise

GDPR grants individuals specific rights over their personal data, and when someone exercises these rights, you must respond within one month. Extensions to three months are possible for complex requests, but you must inform the requester within that initial month that you need additional time and explain why. Responses must generally be provided free of charge unless requests are manifestly unfounded or excessive.

The right to be informed requires telling individuals what data you collect, why you collect it, who receives it, how long you keep it, and what rights they have — at or before the point of collection. Your privacy policy satisfies this requirement, but the information must be concise, transparent, intelligible, and easily accessible using clear and plain language. Impenetrable legal jargon buried fourteen clicks deep doesn’t qualify as transparency.

The right of access lets individuals request confirmation of whether you process their data and obtain a copy of it. WordPress includes a built-in Export Personal Data tool under Tools in your admin dashboard. Enter the requester’s email address, WordPress sends a confirmation email to verify identity, and upon confirmation generates a downloadable ZIP file containing all associated data. The download link remains valid for three days. WooCommerce and well-coded plugins register with this system, ensuring their stored data appears in exports.

The right to rectification allows individuals to correct inaccurate data or complete incomplete information. WordPress user profiles enable direct editing for registered users. For other data, you need a process to receive and implement correction requests.

The right to erasure — commonly called the right to be forgotten — lets individuals request deletion when data is no longer necessary, consent has been withdrawn, or processing was unlawful. WordPress provides a built-in Erase Personal Data tool following the same verification workflow as exports. However, this right isn’t absolute. You cannot delete data required for legal compliance, like tax records for completed transactions, or data necessary for establishing, exercising, or defending legal claims. Your privacy policy should document what you can and cannot delete upon request.

The right to restrict processing allows individuals to freeze their data — you store it but cannot use it — during disputes over accuracy or while you verify objections to processing.

The right to data portability enables individuals to receive their data in a structured, commonly used, machine-readable format and transmit it to another controller. This applies only to data processed based on consent or contract through automated means — essentially, data someone actively provided to you through digital systems.

The right to object operates in two distinct modes. For direct marketing, the right is absolute — when someone objects, you stop immediately with no exceptions, no balancing tests, no compelling grounds arguments. For processing based on legitimate interests, you must stop unless you can demonstrate compelling legitimate grounds that override the individual’s interests, rights, and freedoms.

Rights related to automated decision-making protect individuals from decisions made solely by automated processing that produce legal or similarly significant effects. Most WordPress sites don’t trigger this protection unless they make consequential automated decisions — algorithmic credit assessments, automated job application screening, or similar high-stakes determinations without human involvement.

WordPress Core Privacy Tools You Should Configure

WordPress version 4.9.6, released in May 2018 to coincide with GDPR enforcement, introduced privacy features that every site owner should understand and configure.

The Privacy Policy Page setting under Settings in your admin dashboard lets you designate or create a dedicated privacy policy that WordPress automatically links from login and registration screens. The Privacy Policy Helper accessed through this setting suggests text covering common data processing activities, providing a starting framework rather than a complete policy. Plugins can register their own suggested content through WordPress hooks, so your privacy helper may include recommendations specific to your installed plugins.

The Export Personal Data tool under Tools handles subject access requests. Enter the requester’s email address, WordPress sends a confirmation email requiring the individual to verify their identity by clicking a link, and upon confirmation generates a downloadable ZIP containing all associated data from WordPress core and compatible plugins. This verification step prevents random people from requesting exports of data belonging to others.

The Erase Personal Data tool follows the same verification workflow for deletion requests. Enter an email, confirmation goes out, and upon verification WordPress removes associated data from the database. One important limitation: this erases data from your live database but doesn’t reach into backups. If you restore a backup from before the erasure, that data returns. Document this limitation in your privacy policy and establish procedures for handling backup retention.

The Comment Cookies Checkbox under Settings → Discussion adds an opt-in checkbox letting commenters choose whether to save their name, email, and website for future comments. WordPress sets cookies storing this information that persist for approximately one year when the box is checked. Prior to this feature, WordPress set these cookies automatically without asking.

These tools provide infrastructure for compliance but don’t constitute compliance themselves. You still need to create your actual privacy policy content, configure the tools, ensure your plugins integrate properly, and establish processes for handling requests that arrive through channels other than the built-in tools.

Cookie Consent Demands Technical Implementation

Cookies present a distinct compliance challenge because the ePrivacy Directive works alongside GDPR. The ePrivacy Directive (2002/58/EC, amended in 2009) determines which cookies require consent. GDPR defines what valid consent looks like. Together, they create requirements more stringent than many WordPress site owners realize.

Strictly necessary cookies don’t require consent. These include session cookies enabling login functionality, shopping cart cookies maintaining items during checkout, security cookies protecting against cross-site request forgery, load balancing cookies distributing traffic, and cookies storing user cookie preferences themselves. WordPress core cookies fall mostly into this category — authentication cookies for logged-in users, session management cookies, and comment cookies when explicitly opted into by the visitor.

Every other cookie requires prior consent before being set. Analytics cookies tracking visitor behavior, marketing cookies enabling advertising targeting, third-party tracking cookies from embedded content, and social media pixels all require affirmative consent before loading. The critical word is “prior” — you must block these scripts until the visitor actively consents, not set them and then ask forgiveness.

Valid cookie consent matches GDPR’s requirements: freely given, specific, informed, and unambiguous through clear affirmative action. Cookie banners with pre-checked acceptance options don’t comply. Cookie walls that deny site access to visitors who don’t consent don’t comply. Dark patterns making rejection harder than acceptance don’t comply. France’s CNIL demonstrated enforcement priorities clearly in 2022 by fining Google €150 million and Facebook €60 million specifically for manipulative cookie consent interfaces that steered users toward acceptance.

Popular WordPress cookie consent plugins include Complianz GDPR, CookieYes, and iubenda. These tools can auto-detect cookies, categorize them appropriately, block non-essential scripts until consent, and record consent for documentation. However, plugins only work when correctly configured. You must verify that all cookies your site sets are properly identified and categorized, that non-essential scripts actually cease loading until consent is given, and that your cookie policy accurately describes what you’re setting and why. Installing a cookie consent plugin and leaving it at default settings doesn’t constitute compliance.

Documentation Requirements Aren’t Optional

GDPR’s accountability principle means you must demonstrate compliance, not merely claim it. When a supervisory authority investigates a complaint against your site, documentation provides your defense.

Your privacy policy must include specific information: your identity and contact details, what data you collect and why, the lawful basis for each processing activity, who receives data (described by category if not by name), any international transfers and their safeguards, retention periods for different data types, all data subject rights and how to exercise them, the right to lodge complaints with supervisory authorities, and whether providing data is a statutory or contractual requirement with consequences of not providing it. WordPress’s Privacy Policy Helper provides a starting framework, but you must customize it to accurately describe your site’s actual practices.

Your cookie policy should list every cookie your site sets, including its name, purpose, duration, and whether it’s first-party or third-party. Cookie audit tools help identify what your site actually drops — running one often reveals cookies site owners never knew existed, loaded by plugins or embedded content they installed without reading the privacy implications.

Records of Processing Activities (ROPA) document all your processing operations as required by Article 30. Organizations under 250 employees technically enjoy an exemption, but that exemption evaporates if processing isn’t occasional, poses risk to data subjects, or involves special category data. WordPress sites process data continuously through visitor tracking, form submissions, and user registrations — not occasionally. A simple spreadsheet works: for each processing activity, document its purpose, lawful basis, categories of data involved, categories of data subjects affected, recipients who receive the data, retention periods, and security measures protecting it.

Data Processing Agreements with every processor must exist in signed form before they handle personal data from your site. These agreements establish processor obligations and provide documentation that you’ve met Article 28 requirements. Collect and organize these agreements so you can produce them if asked.

When You Don’t Need a Data Protection Officer

Article 37 mandates Data Protection Officer appointment only under specific circumstances: when you’re a public authority or body, when your core activities require regular and systematic monitoring of data subjects on a large scale, or when your core activities involve large-scale processing of special category data like health information, religious beliefs, or criminal records.

Most WordPress site owners don’t meet these thresholds. Your core activity is selling products, providing services, or publishing content — not data processing. Unless you operate a site that monitors millions of individuals or extensively processes sensitive categories, you don’t need a DPO. You may voluntarily appoint one, but voluntary appointment triggers all mandatory DPO requirements including independence, direct reporting to highest management, and protection against dismissal for performing DPO duties. Don’t appoint a DPO casually.

Data Breaches Demand Rapid Response

If your WordPress site suffers a data breach likely to risk individuals’ rights and freedoms, you must notify your lead supervisory authority within 72 hours of becoming aware. “Becoming aware” means when you have reasonable certainty a breach occurred — not when first alerted to a potential issue, but when investigation confirms the breach’s reality.

Your notification must describe the breach’s nature, approximate numbers of individuals and data records affected, name and contact details for your DPO or other contact point, likely consequences of the breach, and measures taken or proposed to address it. You may provide information in phases if complete details aren’t immediately available, but initial notification must happen within that 72-hour window.

If the breach creates high risk to individuals — their data could enable identity theft, financial fraud, or significant harm — you must also notify affected individuals directly without undue delay. This notification must use clear, plain language and include the same information given to the supervisory authority. Exceptions exist when data was encrypted rendering it unintelligible, when you’ve taken measures eliminating the risk, or when individual notification would require disproportionate effort (in which case public communication substitutes).

WordPress sites face breach risks through compromised admin credentials, vulnerable plugins, SQL injection attacks, hosting provider incidents, and stolen backups. Security measures preventing breaches matter more than response procedures, but having a response plan ready reduces panic when incidents occur.

Enforcement Reaches Far Beyond Tech Giants

The comfortable assumption that GDPR enforcement targets only Facebook and Google is demonstrably false. While Meta holds the record for the largest single fine at €1.2 billion for unlawful data transfers, supervisory authorities pursue violations across the business spectrum.

Spain’s Agencia Española de Protección de Datos has issued over 932 fines, with the majority hitting small and medium enterprises. A Polish business received a €22,000 penalty for failing to inform customers of their data rights. Estonia’s Allium UPI OÜ, operating the Apotheka loyalty program, paid €3 million following a breach affecting 750,000 individuals. In the UK, GoSkippy Insurance was fined £60,000 for unsolicited marketing, while Lifestyle Marketing paid £140,000 for selling personal data without consent.

The pattern holds across jurisdictions: supervisory authorities investigate complaints from individuals, and those complaints frequently target small businesses with visible compliance gaps — missing privacy policies, ignored access requests, unsolicited marketing emails, and inadequate security. The organizations least likely to have compliance resources are often most likely to have compliance failures that generate complaints.

Fines scale with organizational size under Article 83’s “up to €20 million or 4% of turnover” formula. A €5,000 fine that barely registers as a rounding error for a multinational corporation can devastate a freelancer or small business owner. The ceiling exists for the largest violators, but enforcement absolutely reaches the smallest ones.

Five Misconceptions That Create Compliance Gaps

Certain beliefs persist among WordPress site owners despite being demonstrably incorrect, and each creates genuine compliance risk.

The belief that GDPR doesn’t apply outside Europe ignores Article 3’s extraterritorial reach. The regulation applies when you offer goods or services to EU residents — even free content counts — or when you monitor their behavior through analytics and tracking. Indicators of offering to EU residents include language options for EU languages, prices displayed in euros, references to EU customers in marketing, shipping options to EU countries, and geo-targeted advertising reaching European audiences. Sixty-three percent of GDPR fines by total value have hit US-based companies. Location doesn’t provide immunity.

The conviction that “I don’t collect personal data” misunderstands what qualifies. IP addresses are explicitly identified as personal data in GDPR’s Recital 30. Cookie identifiers become personal data when combinable with other information to identify individuals. Your comment system captures names, emails, and IP addresses. Server logs record visitor activity. Embedded YouTube videos and social sharing buttons load third-party tracking. Even loading Google Fonts from Google’s CDN transmits visitor IP addresses to Google’s servers. The question isn’t whether your WordPress site collects personal data — it does — but whether you’ve accurately identified what you’re collecting.

The assumption that plugins handle compliance confuses tools with outcomes. Cookie consent plugins work only when correctly configured, with all cookies properly categorized and all non-essential scripts actually blocked until consent. No plugin creates your privacy policy content, signs your Data Processing Agreements, maintains your Records of Processing Activities, or responds to data subject requests on your behalf. You remain the controller bearing compliance responsibility. Plugins provide helpful infrastructure, not compliance itself.

The idea that consent is always required overlooks five other lawful bases. Processing customer data to fulfill WooCommerce orders uses contractual necessity, not consent. Security logging uses legitimate interests. Tax record retention uses legal obligation. Applying the wrong basis creates operational problems — if you claim consent as your basis for order fulfillment, you face chaos when customers withdraw consent for data you actually need to ship their purchases. Match the basis to the processing activity accurately.

The hope that small size provides protection denies documented enforcement reality. Supervisory authorities investigate complaints regardless of the target’s size. Small business fines regularly appear in enforcement records across every EU member state. Being small doesn’t make you invisible — it often means having more obvious compliance gaps that complainants notice and report.

Moving Forward With Compliance

GDPR compliance for WordPress sites isn’t about achieving perfection — it’s about demonstrating genuine effort to handle personal data responsibly. The regulation codifies reasonable expectations: tell people what you collect and why, have legitimate reasons for collecting it, keep it secure, don’t keep it forever, and honor requests from individuals exercising their rights.

Start with understanding what your site actually does. Audit the personal data flowing through your WordPress installation — core functionality, every active plugin, embedded content, connected services. Most site owners discover processing they never consciously implemented.

Create documentation that accurately describes your practices. Your privacy policy should tell the truth about your data processing, not copy generic text from a template. Your cookie policy should list cookies you actually set, not hypothetical examples.

Implement proper cookie consent that genuinely blocks non-essential scripts until visitors consent. Installing a cookie plugin matters less than configuring it correctly.

Establish relationships with your processors. Sign Data Processing Agreements with hosting providers, email services, analytics platforms, payment processors, and every other third party handling data from your site.

Build processes for handling data subject requests. Know how to run WordPress’s export and erasure tools. Decide how you’ll verify requester identity for requests arriving outside those tools. Understand what you can and cannot delete when erasure requests arrive.

The WordPress site owner in Portland who received that access request from a German visitor learned these lessons the hard way. The better approach is learning them before complaints arrive — when compliance is a project you undertake rather than a crisis you manage.