The EU's General Data Protection Regulation (GDPR) - What You Need To Know. Presented by Andrew Marks at the Brisbane Northside WordPress Meetup on 16th May 2018.
2. What is GDPR?
• A regulation in EU law on data protection and privacy
for all individuals within the European Union.
• It also addresses the export of personal data outside
the EU.
• “The GDPR aims primarily to give control to citizens
and residents over their personal data and to simplify
the regulatory environment for international business
by unifying the regulation within the EU.”
3. What’s That Mean to You?
• You do not have to be based in Europe for it to
apply.
• Fines up to 4% of annual global turnover or €20
million (whichever is greater)
• Definition of ‘personal data’ widened to include
identifiers such as IP address and device identity.
4. It Gets Worse…
• Organisations need a lawful basis to process personal data; where
that basis is consent, it must be freely given, specific, informed
and unambiguous (explicit for special-category data).
• Individuals have more rights over their personal data
(“right to be forgotten”)
• Organisations will need to keep a record of personal
data processing activities, capturing the lifecycle of
the data, plus the name and contact details of the
data controller.
5. Feeling Overwhelmed Already?
Don’t be too worried:
It’s estimated that two thirds of organisations aren’t prepared
(i.e. they risk fines by being non-compliant).
6. What About WordPress?
• WordPress 4.9.6 includes 4 new tools for GDPR
compliance.
• It helps you collect info needed for your Privacy
Policy based on your theme and plugins too.
• And, it provides a way to retrieve, edit, and
export the data you collect.
7. The 4 New GDPR Tools
1. Auto creation of a Privacy Policy page based on your
theme and plugins.
2. Ways for site admins to list and export data collected.
3. An opt-in checkbox on the comment form asking consent before the
commenter’s name, email and website are saved in a browser cookie.
4. A method for visitors to request and edit data held on
them.
8. 1. Privacy Settings
The Privacy Settings are a sub-link under the main Settings tab. Here you will have the opportunity to select your existing Privacy Policy page, or have WordPress create a default page for you.
9. Default Privacy Policy Text
To be used as a starting point – it won’t be perfect. It’s up to you to ensure this document is accurate.
10. 2. Export and Remove Personal Data
The new functions in WP 4.9.6 are under the Tools tab (Export Personal Data and Erase Personal Data). You, as the site admin, enter the user’s email address; WordPress emails them a confirmation link, and once they confirm the request you can generate the export (or run the erasure).
11. This Is Not All The Data Though
In fact, out of the box this covers only what core itself stores (comments and user account data);
anything a plugin stores is included only if that plugin registers with the export and erase tools.
You are also tracking IP addresses for analytics. Those IP addresses are also
stored off your site at:
• Google Analytics
• Your web host
• CloudFlare
• Other vendors, like ad agencies and such
12. How Do Users Access Their Data?
One of the big GDPR compliance stipulations is
that your site visitors should be allowed to see,
edit, and remove all tracking info you have
collected on them.
I can see some major problems with this:
13. Situations That Could Cause Problems
• potential security holes this functionality may
open on your site
• visitors self-anonymising their data
• loss of shipping and other purchase related info
for member and e-comm sites
• what happens when the data is held/shared with
3rd party vendors?
14. 3. Opt-in Consent for Comments
Fairly straightforward (if ugly). I
can’t see where you can edit that
wording just yet, but seeing as this
feature will be on every WordPress
website, I guess people will figure it
out.
15. 4. Visitor Request for Data Held
I can’t find this feature in WordPress 4.9.6 beta.
But it may be that the WP tool is not enough to
satisfy full GDPR compliance on this matter:
• WP only tracks users via email address
• 3rd party vendors, analytics etc?
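The gap noted on slides 11 and 15 (the core tools only see what core stores) is what the 4.9.6 plugin hooks are for. The following is an added illustration, not code from the slides or from WordPress core: a hypothetical “Example Orders” plugin with a made-up table `{$wpdb->prefix}example_orders` (columns id, customer_email, ship_address, ip_address) registering its data with the Privacy Policy guide, the exporter and the eraser. The hook names and the `wp_privacy_*` helpers are core’s; everything named `example_orders_*` is invented for the example.

```php
<?php
/**
 * Plugin Name: Example Orders Privacy Hooks
 *
 * Illustrative only: not from the slides or WordPress core. Assumes a
 * hypothetical table {$wpdb->prefix}example_orders with columns
 * id, customer_email, ship_address, ip_address.
 */

// 1. Suggest text for the Privacy Policy guide (Settings > Privacy).
add_action( 'admin_init', 'example_orders_privacy_policy_text' );
function example_orders_privacy_policy_text() {
	if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
		return; // WordPress older than 4.9.6.
	}
	wp_add_privacy_policy_content(
		'Example Orders',
		'<p>When you place an order we store your e-mail address, shipping '
		. 'address and the IP address the order was placed from.</p>'
	);
}

// 2. Register an exporter so Tools > Export Personal Data includes our table.
add_filter( 'wp_privacy_personal_data_exporters', 'example_orders_register_exporter' );
function example_orders_register_exporter( $exporters ) {
	$exporters['example-orders'] = array(
		'exporter_friendly_name' => 'Example Orders',
		'callback'               => 'example_orders_exporter',
	);
	return $exporters;
}

function example_orders_exporter( $email_address, $page = 1 ) {
	global $wpdb;
	$per_page = 100; // Core calls again with $page + 1 until 'done' is true.
	$offset   = ( $page - 1 ) * $per_page;
	$table    = $wpdb->prefix . 'example_orders';

	$rows = $wpdb->get_results( $wpdb->prepare(
		"SELECT id, ship_address, ip_address FROM {$table}
		 WHERE customer_email = %s ORDER BY id LIMIT %d OFFSET %d",
		$email_address, $per_page, $offset
	) );

	$items = array();
	foreach ( $rows as $row ) {
		$items[] = array(
			'group_id'    => 'example-orders',
			'group_label' => 'Orders',
			'item_id'     => 'order-' . $row->id,
			'data'        => array(
				array( 'name' => 'Shipping address', 'value' => $row->ship_address ),
				array( 'name' => 'IP address',       'value' => $row->ip_address ),
			),
		);
	}

	return array( 'data' => $items, 'done' => count( $rows ) < $per_page );
}

// 3. Register an eraser so Tools > Erase Personal Data reaches our table too.
add_filter( 'wp_privacy_personal_data_erasers', 'example_orders_register_eraser' );
function example_orders_register_eraser( $erasers ) {
	$erasers['example-orders'] = array(
		'eraser_friendly_name' => 'Example Orders',
		'callback'             => 'example_orders_eraser',
	);
	return $erasers;
}

function example_orders_eraser( $email_address, $page = 1 ) {
	global $wpdb;
	$table = $wpdb->prefix . 'example_orders';

	// Anonymise rather than delete: the order row may have to be kept for
	// accounting, but the personal fields in it do not. The helpers are core's.
	$rows = $wpdb->get_results( $wpdb->prepare(
		"SELECT id, ip_address FROM {$table} WHERE customer_email = %s",
		$email_address
	) );

	foreach ( $rows as $row ) {
		$wpdb->update(
			$table,
			array(
				'customer_email' => wp_privacy_anonymize_data( 'email' ),      // deleted@site.invalid
				'ship_address'   => wp_privacy_anonymize_data( 'text' ),       // [deleted]
				'ip_address'     => wp_privacy_anonymize_ip( $row->ip_address ), // zeroes the last IPv4 octet
			),
			array( 'id' => $row->id )
		);
	}

	return array(
		'items_removed'  => count( $rows ) > 0,
		'items_retained' => false,
		'messages'       => array(),
		'done'           => true, // all matching rows handled in this call
	);
}
```

Note that core still keys every request on an email address and runs the callbacks only after the user has confirmed the request via the emailed link; data held by third-party vendors (analytics, CDN, host) stays outside this flow and has to be handled with those vendors directly.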
16. 6 Steps to be GDPR Compliant
1. Document all the ways you collect personal data on your
site and any 3rd party vendors you share it with.
2. Determine your lawful basis for processing that personal data
under Article 6 of the GDPR (consent is only one of six bases).
3. Create policy documents based on the data collection and
processing rights determined in the previous step. These
could include your Privacy Policy, Terms of Service, and
more. They will vary by site.
17. 6 Steps to be GDPR Compliant cont.
4. Determine the best places to post your new policies on your
site.
5. Determine the best ways to gather consent from visitors and
supply requested info on how you track them, as well as a
way to anonymize that data on request. This will likely
involve plugins.
6. Develop a system to safeguard all data you collect.
18. GDPR Plugins
There are 2 main functions you need on your site:
1. A way to notify visitors that tracking is in play and a way for
them to give consent and that consent to be recorded.
2. A way to retrieve the consent list and modify it. Some
plugins only allow you as the admin to do this. Some plugins
allow the visitor to do this, and those are the scary ones, as
they allow visitors to make changes to your database.
19. Notification/Consent Plugins
Even if you only use Google Analytics, or any other sort
of analytics or cookie tracking, you need to notify
visitors and get their consent.
• EU Cookie Law
• Cookie Notice by dFactory
• Cookie Consent
• CookieBot
20. User Data Request Plugins
These are plugins that allow users to request the data you
hold on them. In my opinion, these types of plugins:
• may be overkill for most U.S. bloggers
• will likely only show the info you hold directly on your site, not at
your vendors
• may be a security issue and allow visitors to make changes to your
database
Two plugins: GDPR Tools & WP GDPR
21. Finally…
This law seems ham-fisted and will likely be refined
(EU’s ePrivacy Regulation may exempt analytics
cookies), but the protection of user data is a good
thing.
Remember when AU Govt. passed a law to store all
our meta data for two years..?