Guidance on complying with the new EU GDPR regulation. A look at GDPR definitions, what it entails and a roadmap to start your journey on compliance as well as some handy WordPress GDPR links to plugins.
2. General Data Protection Regulation
EU regulation (2016/679) protecting the personal data of
individuals in the EU (28 member states at the time),
regardless of their citizenship.
Approved April 2016.
Becomes effective May 25, 2018.
@DeveloperWil #wpsyd
3. Replaces the Data Protection Directive 95/46/EC
(1995). It sits alongside the ePrivacy Directive (the
so-called Cookie Law), which the EU plans to replace
with an ePrivacy Regulation (EUePR); that regulation was
still only a proposal in May 2018 and has been delayed
repeatedly. GDPR and the ePrivacy rules complement
each other.
Ref: GDPR Regulation and official PDF
4. Probably the biggest shake up and most
important change in data privacy in the
last 20 years.
This is a BIG DEAL
5. The EU GDPR is a law.
Use the information here as guidance.
Seek your own legal advice for modifying your
business operating policies and procedures.
6. Facebook and Google already hit with $8.8 billion
in lawsuits on day one of GDPR.
“.. accusing the companies of coercing users into
sharing personal data.”
Ref: https://www.theverge.com/2018/5/25/17393766/facebook-google-gdpr-lawsuit-max-schrems-europe
7. Designed to protect the rights of individuals in the EU
Essentially impacts everyone with web access
unless you
– Actively block all IP addresses of the 28 EU states
Highly impractical, and not reliable either (VPNs,
travellers, EU residents on non-EU networks)
– Actively track and block all EU citizens on the web
Highly illegal, and working out someone's citizenship is
itself processing of personal data …unless you work for the NSA :-P
8. “I am an Australian citizen with a WordPress
website – does GDPR affect me?”
Most likely yes it does. Territorial scope (Art. 3):
1. You have an establishment in the EU, or
2. You offer goods or services to people in the EU
– EU language translation, shipping to an EU
state, AdWords targeting an EU audience, or
3. You monitor the behaviour of people in the EU
– analytics, tracking cookies, remarketing
Merely being reachable from the EU is not enough on its
own (Recital 23), but most live sites do one of the above.
9. • WP community site allowing users to create a
user profile (login); name, email, website
• An eCommerce (WooCommerce, EDD) store that
sells products; virtual = email, physical = address
• WP site that uses analytics software (Google
Analytics, Gtmetrix); IP address, cookies
• WP blog with newsletter subscription and
comments; name, email, IP address
• Firewall plugins; IP address (hacker unlikely to sue!)
10. Data Controller
A business that controls personal data. If you have
collected and now possess personal data, and you
determine how that data is now dealt with
(including giving it to a 3rd party), you are likely
considered a controller under the regulations.
e.g. You, CRM systems, Facebook/Google
11. Data Processor
A third party that processes personal data on your
behalf and only on your documented instructions
(Art. 4(8)). You need a written contract with each
one setting out what they may do with the data (Art. 28).
e.g. Mailchimp, Campaign Monitor, Stripe, Paypal
12. Consent
• Freely given: can I refuse/rescind my consent?
• Specific: what is my data being collected for?
• Informed: what are my rights?
• Unambiguous: how is my data being used?
• Statement or clear affirmative action
– Silence, pre-ticked checkbox or inaction does not
equal consent
13. Establishment in the EU
Where you have any real and effective activity, no
matter if it is minimal or substantial, through a
stable arrangement in the EU, you are likely to be
‘established’ under the regulations.
e.g. permanent representation (a person), office.
14. Processing
Any operation which is performed on personal
data, whether or not by automated means, such
as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission,
dissemination or otherwise making available,
alignment or combination, restriction, erasure or
destruction;
15. Data Protection Officer (DPO)
A data protection officer (DPO) is an independent
privacy oversight role defined by the GDPR (Art. 37-39).
Appointing one is mandatory for public authorities and
for organisations whose core activities involve
large-scale regular and systematic monitoring of people
or large-scale processing of sensitive data; everyone
else may appoint one voluntarily. The DPO oversees data
protection strategy and implementation to ensure
compliance with GDPR.
16. Applies to personal data (Art. 4)
Any information relating to an identified or
identifiable natural person (think a Human Being),
identified directly or indirectly by reference to:
name, ID #, location data, an online identifier (IP
address, cookie ID), or factors specific to their
physical, physiological, genetic, mental, economic,
cultural or social identity.
17. Applies to any sensitive data (Art. 9)
Processing is prohibited for personal data
revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade union
membership, genetic data, biometric data, health
data, data concerning person’s sex life or sexual
orientation.
Exceptions apply (Art. 9(2)): explicit consent,
employment law, vital interests, health care, legal
claims, substantial public interest ..
18. Requires that consent is given (Art. 7)
People must be given a true voluntary choice
whether or not they consent to give you their
data, and you must be able to demonstrate that
they did consent (Art. 7(1)).
Where consent is your lawful basis, add an unticked
checkbox to the data collection form, validate it on the
server, and record when and to what wording the person agreed
[ ]* I give consent to store and process my data
* = required, but never pre-ticked
Do not ask for consent where another lawful basis
(Art. 6) already covers the processing, e.g. contract
performance for checkout data. Consent must be as easy
to withdraw as to give (Art. 7(3)) and must not be bundled
into the terms of service (Art. 7(4)).
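As an added example that is not part of the original slides, the following must-use plugin puts the consent checkbox described above on the WordPress comment form. It shows the three things the slide calls for: the box is never pre-ticked, the check is enforced on the server rather than trusting the browser's `required` attribute, and the consent is recorded against the comment with a timestamp and a wording version so the site can demonstrate it later. The field name `gdpr_consent`, the comment meta key and the `EXAMPLE_CONSENT_VERSION` constant are assumptions made for the example; the WordPress hooks (`comment_form_fields`, `preprocess_comment`, `comment_post`) are real core hooks.

```php
<?php
/**
 * Added example, not code from the original slides or from WordPress core:
 * a consent checkbox for the comment form that is never pre-ticked, is
 * validated server side and is recorded per comment (GDPR Art. 7(1)).
 * Drop it into wp-content/mu-plugins/. The field name `gdpr_consent`,
 * the meta key and EXAMPLE_CONSENT_VERSION are assumptions for the example.
 */

// Version the consent wording: when the text changes, old records must be
// distinguishable from consent to the new text.
const EXAMPLE_CONSENT_VERSION = '2018-05-25';

// Applies to logged-out commenters only (mirroring core's comment-cookie
// opt-in) and never to pingbacks/trackbacks, which are machine generated.
// comment_type is '' before WordPress 5.5 and 'comment' from 5.5 onwards.
function example_consent_applies( array $commentdata ): bool {
    $type = $commentdata['comment_type'] ?? '';
    return ! is_user_logged_in() && in_array( $type, array( '', 'comment' ), true );
}

// 1. Render the checkbox. No `checked` attribute: a pre-ticked box, silence
//    or inaction is not consent (Art. 4(11)).
add_filter( 'comment_form_fields', function ( array $fields ) {
    if ( is_user_logged_in() ) {
        return $fields;
    }
    $fields['gdpr_consent'] = sprintf(
        '<p class="comment-form-gdpr-consent">'
        . '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="1" required /> '
        . '<label for="gdpr_consent">%s</label></p>',
        esc_html__( 'I consent to this site storing my name, email and IP address with this comment.', 'example' )
    );
    return $fields;
} );

// 2. Validate on the server. The HTML `required` attribute only guides the
//    browser; a request POSTed straight to wp-comments-post.php skips it.
add_filter( 'preprocess_comment', function ( array $commentdata ) {
    if ( example_consent_applies( $commentdata ) && ( $_POST['gdpr_consent'] ?? '' ) !== '1' ) {
        wp_die(
            esc_html__( 'Please confirm that you consent to us storing your comment data.', 'example' ),
            esc_html__( 'Consent required', 'example' ),
            array( 'response' => 400, 'back_link' => true )
        );
    }
    return $commentdata;
} );

// 3. Record what was consented to and when, against the comment itself.
//    This is the evidence Art. 7(1) asks the controller to be able to produce.
add_action( 'comment_post', function ( $comment_id, $approved, $commentdata ) {
    if ( ! example_consent_applies( $commentdata ) ) {
        return;
    }
    add_comment_meta( $comment_id, 'gdpr_consent', array(
        'version'  => EXAMPLE_CONSENT_VERSION,
        'given_at' => gmdate( 'c' ),
    ), true );
}, 10, 3 );
```

The same pattern (unticked box, server-side check, stored record with a wording version) carries over to newsletter sign-up and contact forms; the consent record should also be included in whatever you export or erase for the person, since it is personal data too.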
19. Gives right to be forgotten (Art. 17)
Data controller must securely erase all personal
data they hold on requester without undue delay
When specific criteria are met – see Regulation.
– Data is no longer needed
– Purpose for collection has expired
– Data unlawfully processed …
20. Privacy by design and default (Art. 25)
New “systems” collecting and processing data
must be inherently secure from concept.
You must build privacy and security into any new
apps, programs, websites, procedures etc.
21. Gives right to know what info is being stored (Art. 13, 14)
You need to specify what data you will be
collecting, for what purposes and on which lawful basis,
how long you keep it and who you share it with, up front
and before it has been collected.
Privacy Policy, Cookie Statement, T&C’s
22. Gives right to access held info (Art. 15) and data
portability (Art. 20)
You will need to provide all data held on requester
and supply that in a structured, commonly used,
machine readable format for importing into another
system.
CSV, JSON, XML file.
23. • Notify the supervisory authority within 72 hours of
becoming aware of a data breach (Art. 33), and the
people whose data was affected without undue delay
when the breach is likely to put them at high risk (Art. 34)
• Data only used for reasons given at time of
collection and securely deleted after no longer
needed
• Parental consent required to process personal
data of children under 16 where an online service is
offered directly to them on the basis of consent;
member states may lower the age to 13 (Art. 8)
• Allows national authorities to impose fines on
companies breaching regulation
24. If your business doesn’t comply with GDPR
• Get fined up to 4% of the annual worldwide
turnover or up to €20 million (the higher of the two).
• Tiered approach to fines (Art. 83).
e.g. the lower tier (up to 2% or €10 million) covers not
having records in order, not notifying the supervisory
authority and data subjects about a breach, or not
conducting an impact assessment; the upper tier
(4% or €20 million) covers breaching the basic
principles, data subjects’ rights or the transfer rules.
25. Hire a good lawyer
A lawyer will provide you with tailored advice for
your business.
Ask friends and colleagues for recommendations
of lawyer contacts they have had a good
experience with.
Through Sydney Business Chambers
https://www.thechamber.com.au/
Step 1
26. Review all data collection and processing
workflows
Work through entire WP site, document where
data is collected, processed and stored as well as
how long stored for:
– eCommerce check out page
– Payment gateways: Stripe/PayPal
– Email marketing: Mailchimp
– All forms on site: consent check box
– All generated cookies https://www.cookiebot.com/en/cookie-consent/
Step 2
28. Offer data portability
Ability to export all personal data in a transferable
and importable format, e.g. csv, xml, json.
Update to WordPress 4.9.6 to take advantage of the
new Export Personal Data and Erase Personal Data
tools (Tools menu), and make sure every plugin that
stores personal data registers with them.
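The WordPress 4.9.6 export and erase tools only know about data that plugins register with them, so a site that keeps personal data in its own tables has to hook in. The following added example (not from the original slides and not part of any real plugin) registers an exporter and an eraser for a hypothetical newsletter table `{prefix}example_subscribers` with columns `id`, `email`, `ip_address` and `subscribed_at`; the table, the `example-newsletter` key and the function names are assumptions. It serves both the data portability step (Art. 20) and the right to be forgotten (Art. 17) described earlier. The two filters, `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers`, and the callback return shapes are WordPress core's.

```php
<?php
/**
 * Added example, not from the original slides or from any real plugin:
 * registering a personal data exporter and eraser with the WordPress
 * 4.9.6+ privacy tools for a hypothetical table {prefix}example_subscribers
 * (id, email, ip_address, subscribed_at). Table and names are assumptions.
 */

add_filter( 'wp_privacy_personal_data_exporters', function ( array $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => __( 'Example Newsletter', 'example' ),
        'callback'               => 'example_newsletter_exporter',
    );
    return $exporters;
} );

add_filter( 'wp_privacy_personal_data_erasers', function ( array $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => __( 'Example Newsletter', 'example' ),
        'callback'             => 'example_newsletter_eraser',
    );
    return $erasers;
} );

// Core calls this repeatedly with $page = 1, 2, ... until 'done' is true,
// so large result sets are returned in batches rather than one huge array.
function example_newsletter_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'example_subscribers';
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, ip_address, subscribed_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ), ARRAY_A );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => __( 'Newsletter subscriptions', 'example' ),
            'item_id'     => 'example-subscription-' . $row['id'],
            'data'        => array(
                array( 'name' => __( 'Email', 'example' ),         'value' => $row['email'] ),
                array( 'name' => __( 'IP address', 'example' ),    'value' => $row['ip_address'] ),
                array( 'name' => __( 'Subscribed at', 'example' ), 'value' => $row['subscribed_at'] ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page,
    );
}

// Erase rather than anonymise here because nothing in this table has to be
// kept for another legal obligation. Where some rows must be retained
// (e.g. invoices), set 'items_retained' => true and say why in 'messages';
// that text is shown to the administrator handling the request.
function example_newsletter_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_subscribers';
    $deleted = $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE email = %s", $email_address ) );

    return array(
        'items_removed'  => $deleted > 0,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

Both callbacks are only ever run by core after the person has confirmed the request through a link emailed to that address, so identity is verified against the mailbox before anything is handed out or deleted. Keep it that way: do not expose a separate "export my data" endpoint that acts on whatever email address is typed in, or you have built a data-leak oracle rather than a compliance feature.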
Step 4
29. Encrypt your data
1. Encrypt your transferred data (web traffic)
using HTTPS
Going HTTPS has other advantages too.
2. Encrypt your stored data
Not legally required to comply with GDPR but
highly recommended.
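"Encrypt your stored data" is easy to say and easy to get wrong. The following added example (not from the original slides) shows field-level encryption of one user meta value with libsodium (bundled with PHP 7.2+), which is the at-rest encryption a WordPress site can do in application code. The `EXAMPLE_DATA_KEY` constant, the `example_phone_enc` meta key and the helper names are assumptions; the libsodium functions are the real PHP API.

```php
<?php
/**
 * Added example, not from the original slides: authenticated encryption of
 * a stored personal-data field with libsodium (XSalsa20-Poly1305 secretbox).
 * The key lives in wp-config.php, never in the database, so a leaked DB dump
 * or backup does not expose the plaintext. EXAMPLE_DATA_KEY, the meta key
 * and the function names are assumptions for the example.
 *
 * Generate the key once and add it to wp-config.php:
 *   php -r 'echo bin2hex(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)), PHP_EOL;'
 *   define( 'EXAMPLE_DATA_KEY', '<64 hex chars>' );
 */

function example_data_key(): string {
    if ( ! defined( 'EXAMPLE_DATA_KEY' ) ) {
        throw new RuntimeException( 'EXAMPLE_DATA_KEY is not defined in wp-config.php' );
    }
    $key = sodium_hex2bin( EXAMPLE_DATA_KEY );
    if ( SODIUM_CRYPTO_SECRETBOX_KEYBYTES !== strlen( $key ) ) {
        throw new RuntimeException( 'EXAMPLE_DATA_KEY must be 32 bytes (64 hex characters)' );
    }
    return $key;
}

// A fresh random nonce per value is stored in front of the ciphertext. The
// nonce is not secret; it must simply never repeat for the same key, which
// 24 random bytes guarantee in practice. The "v1:" prefix allows a later
// key or algorithm rotation to tell old records from new ones.
function example_encrypt( string $plaintext ): string {
    $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = sodium_crypto_secretbox( $plaintext, $nonce, example_data_key() );
    return 'v1:' . base64_encode( $nonce . $box );
}

function example_decrypt( string $stored ): string {
    if ( 0 !== strpos( $stored, 'v1:' ) ) {
        throw new RuntimeException( 'Unknown ciphertext format' );
    }
    $raw = base64_decode( substr( $stored, 3 ), true );
    if ( false === $raw
        || strlen( $raw ) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES ) {
        throw new RuntimeException( 'Ciphertext too short' );
    }
    $nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain = sodium_crypto_secretbox_open( $box, $nonce, example_data_key() );
    if ( false === $plain ) {
        // Wrong key or tampered ciphertext: the Poly1305 tag did not verify.
        // Fail closed rather than returning garbage.
        throw new RuntimeException( 'Decryption failed' );
    }
    return $plain;
}

// Usage with WordPress user meta, e.g. a shipping phone number collected
// at checkout (assumed meta key).
function example_save_phone( int $user_id, string $phone ): void {
    update_user_meta( $user_id, 'example_phone_enc', example_encrypt( $phone ) );
}

function example_get_phone( int $user_id ): string {
    $stored = get_user_meta( $user_id, 'example_phone_enc', true );
    return '' === $stored ? '' : example_decrypt( $stored );
}
```

Two caveats a practitioner should weigh before relying on this. It protects against the database leaving your control (dumps, backups, a SQL injection that reads tables), not against an attacker who gets code execution on the web server, since that attacker can read wp-config.php and call the same functions. And an encrypted column cannot be searched or joined in SQL, so encrypt the fields you only ever read back for one known user (phone, address, date of birth), not the ones you query by.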
Step 5
30. Self-Certify Under Privacy Shield Framework
Consider certifying under the EU-U.S. and Swiss-
U.S. Privacy Shield Frameworks if you are US
Established.
Provides companies on both sides of the Atlantic
with a mechanism to comply with data protection
requirements when transferring personal data
from the European Union and Switzerland to the
United States.
Later development: the Court of Justice of the EU
invalidated the EU-U.S. Privacy Shield in July 2020
(Schrems II). Transfers to the US since then rely on
Standard Contractual Clauses or, from 2023, the
EU-U.S. Data Privacy Framework; check the current
mechanism before relying on this step.
Step 6
31. Check WP themes, plugins, services & APIs
• Contact Forms
– Gravity Forms, NinjaForms, WPForms
• Comment & Marketing Services
– Disqus, Jetpack, Mailchimp, Active Campaign, AWeber
• Analytics, Tracking & Remarketing
– Google Analytics, Hotjar, AdRoll
• eCommerce & Payment Processors
– WooCommerce, Easy Digital Downloads, Stripe, PayPal
• Community Plugins
– LearnDash, bbPress, BuddyPress
• All third-party APIs e.g. Is Google Fonts GDPR compliant?
Step 7
32. v4.9.6 Privacy & Maintenance Release
– Logged out commenters given choice to store their
name, email and website in a cookie (opt-in checkbox)
– Privacy Policy page setting with a suggested
policy template
– Export Personal Data / Erase Personal Data tools
under the Tools menu, which plugins extend through the
wp_privacy_personal_data_exporters and
wp_privacy_personal_data_erasers filters
35. This plugin is meant to assist a Controller, Data
Processor, and Data Protection Officer (DPO) with
efforts to meet the obligations and rights enacted
under the GDPR.
GDPR https://wordpress.org/plugins/gdpr/
36. With Stream, you’re never left in the dark about
WordPress Admin activity.
Every logged-in user action is displayed in an
activity stream and organized for easy filtering by
User, Role, Context, Action or IP address.
Stream https://en-au.wordpress.org/plugins/stream/
37. WordPress’ most comprehensive real time user
activity and monitoring log plugin. It helps
thousands of WordPress administrators and
security professionals keep an eye on what is
happening on their websites.
WP Security Audit Log https://wordpress.org/plugins/wp-security-audit-log/