Everything You Wanted to Ask a GDPR Expert but Were Afraid to Ask
If you’re like 99.9% of developers, site managers, agencies and freelancers, the last thing on your list of priorities for the past 2 years has been GDPR compliance. You have a million other tasks on your plate and dumping energy into government regulated data protection laws seems like a complete waste of energy. Especially when you’re not living inside the European Union…those laws don’t affect you, right?!
If you follow WordPress news, GDPR compliance is starting to consume just as much screen real estate as the controversial new post editor, Gutenberg. And rightly so.
May 25th marks the deadline for compliance to the General Data Protection Regulation and these new rules apply to any online presence collecting information from residents inside the European Union – and compliance is the responsibility of the site owner.
Needless to say this has massive implications for WordPress users around the world.
But have no fear, some forward thinking members of the WordPress community have been preparing for some time and even started working on core compliance, hooks and resources for the rest of us to learn from and implement.
We asked one of these amazing and generous contributors to break from his busy schedule and provide insight to our team, members and readers. Without hesitation he agreed and his input has been invaluable to our team. GDPR may have more implication on the sites you manage than you think.
So without further ado, we welcome Kåre Mulvad Steffensen perhaps better known as @dejliglama to the WPMU DEV blog.
Joshua: Thank you for taking the time Kåre! Tell us a little bit about yourself, your work and your role with WordPress.org.
Kåre: I’m a developer, turned project manager and to some extent product owner over the years. After a long stretch in my own company working with WordPress full-time since 2009, I’ve recently joined the fastest growing WordPress crew in Denmark at Peytz.dk, where my role is digital consultancy – of course with a huge and overshadowing focus on WordPress. ;)
Peytz presented an opportunity for me to further my involvement in the WordPress community. I’ve been co-organizing the danish WordCamp for some years, and in the shift from self-employed, I found time to read the EU General Data Protection Regulation and started asking around on the WordPress Slack channel to see what was being done. Not much was going on publicly, so together with Peter Suhm from WPPusher.com, I created the gdprwp.com project which I then brought with me into Peytz.
Joshua: Why is this specific topic (GDPR compliance) so important to you?
Kåre: Living in the EU and being quite invested in WordPress (and inhabiting a natural tendency to ask simple questions about what GDPR will mean for both end users and WordPress site owners running any combination of plugins) with my initial poking around in the community, I realised that this was a good place for me to get involved.
I’m not saying that I should build it, nor take the credit for what is being built. I have no coding-hand in that at all. I’m quite happy with the fact that some of our ideas are now being baked into WP core by both core developers as well as developers from around the community.
Our involvement has also given us at Peytz the opportunity to bring our developer Jesper V Nielsen (@jesperher) closer to some of the people behind WooCommerce which he is focused on internally. I believe working close to the WP community and people behind the plugins you use is always a good thing.
Joshua: What do plugin and theme authors need to know or include in their plugins to help those that use them be compliant?
Kåre: First of all, you need to answer YES to the following question: Does your plugin collect or handle personal information? I know that personal information in itself can be confusing, what is that anyway? The one-line answer is any piece of data that by itself or in combination with other pieces of data, can identify a natural being.
- Name; yes
- E-mail; yes
- City; well if it’s a small enough city and you store it in combination with a name then yes!
- Comments; yes
Specifically on how to make your plugin compliant, Allen Snook @Allendav has written a guide. It is a work in progress and will land somewhere on Make WordPress when we get closer to a first release. For now, it lives here: https://github.com/allendav/wp-privacy-requests/blob/master/EXPORT.md
In more general terms, Heather Burns @webdevlaw and Pascal @casiepa is doing a good job collecting and documenting what you need to know on GDPR here: https://github.com/gdpr-compliance/info
I think it’s vital to mention that a WordPress installation does not become GDPR compliant by simply upgrading to the WP version containing the GDPR hooks and filters. Using plugins with these hooks and filters, you could still miss pieces of personal data that are being stored on your site. It is the owner of the website who is responsible for a GDPR compliant website. We’re simply providing the tools to make this work feasible to handle in a day-to-day scenario with users asking for their data, ratification of data or the “dreaded” and misunderstood right to be forgotten.
Kåre: As a rule, you should not copy and paste policy text. With that said, the team is working on getting GDPR into core and is working on a general guide for what should be added into your policy text.
The idea is to have a page type, like the “frontpage” and “blog” page, that will collect policy texts from WordPress core and plugins that may provide policy text. Any plugin that handles personal data will be able to write a plain text explanation of how their plugin handles personal data. @melchoyce has made some great designs for the tool that will gather the plain text for policy text. https://core.trac.wordpress.org/ticket/43620
Joshua: Perhaps to some extent it already is, but do we think that being GDPR compliant or subscribing to certain privacy practices could be part of plugin and theme reviews for WordPress.org? Sort of like Accessibility-ready themes.
Kåre: Personally YES! I think this extends beyond EU and should be part of any code review. Privacy by design is nothing new, and GDPR simply puts focus on something we should already do. If a review team spots personal data being handled in a plugin or theme, the next step would be to see if the WordPress core GDPR tools are correctly implemented and if they cover all personal data handled by the plugin or theme.
Joshua: Many of our readers manage multiple (often hundreds) of sites. What types of plugins, services have you seen to be the biggest offenders of the new laws that site managers should be on the lookout for in their own sites.
Kåre: Thankfully the major plugins that handle data such as WooCommerce, MailPoet, Gravity Forms and Ninja Forms all realize that their plugins can be used to handle personal data, and are actively looking into what WordPress core is doing – all at their own pace. I’ve had great talks with many of the authors behind these plugins, as well as frameworks such as Redux which is a place we also need to look.
As long as we haven’t got a “GDPR compliance badge” on the plugin repo (or on your website admin plugins page as a site manager) be aware how each plugin on your site is storing, collecting and managing data. again, this is not new. Get in contact with plugin support and ask, if you’re not sure.
Part of the WordPress success in becoming GDPR ready, is to have the entire community of developers embrace the GDPR functionality, and this happens if people ask for it in the plugins they use.
Joshua: Can you think of anything that could easily be overlooked when preparing for GDPR?
Kåre: Things that can be overlooked when preparing for GDPR is data that, when you look at it, is out of context from the bigger picture. The city example from earlier could seem harmless at first, but given that I’m the only one named Kåre in the city that I grew up in – the combination of data makes city personal.
The problem for plugin and theme developers is that that might not be obvious when you look at the plugin isolated, but together with other plugins, that data might be something you would need to put into a WordPress GDPR hook or filter.
Joshua: Are there any site owner/manager checklists you can suggest to our readers that could help them prepare in a systematic way?
Kåre: I’ve seen many checklists, most of them looking at GDPR from a legal standpoint, and few looking at it from a technical one. I don’t think checklists are the solution, so my answer would be no.
Don’t look at this as something you can tick off, but rather ask yourself the simple question; what personal data, alone or in combination with other data, does my WordPress installation handle. Where does it go, and for what reason?
- What data
- Where is it stored
- For what purpose
- For how long
Joshua: This has been extremely insightful and we really appreciate your time! Is there anything I missed?
Kåre: Lol, well – will the tools in WordPress be ready in time for 25th of May?
I’d like to think so. I mean, I believe that we will have the technical parts ready for a first version. Obviously, there can be more time put into fine tuning and adding solutions in a second version.
We must not forget that the regulatory is new to the world, and we will see legal cases that will shape how we best comply with the law, and therefore we will need to adapt after the 25th of May.
My biggest concern is that new functionality of this magnitude normally goes into major releases, but the next major release is destined to be Gutenberg. So how GDPR and Gutenberg release plans coincide is something that I’d like us to be clear about soon.
On a personal level, I’m happy with where the GDPR tools of this first release are going, and I’ve started to look into some of the tools that should go into a second release – probably after 25th of May ;)
Joshua: Thanks again! This has been really valuable for our team and we are committed to working with the core team to get WPMU DEV products ready for our users. Thank you for your time and contribution to the WordPress Community.