DOTW: AMA with our GDPR Expert! Ronnie Burt (Participation = 3 Hero Points)

Update: AMA has ended! Thanks to everyone who participated and big thanks to Ronnie for doing this :slight_smile: feel free to continue discussing below but no guarantee that Ronnie will still be responding to any.

Next DOTW: WHAT WP PLUGINS OR SERVICES HAVE YOU REPLACED AND WHY?

-------------------------------

We have a very special DOTW this week. An AMA with our very own Ronnie Burt!

Ronnie has been with the company for eight years and does a lot of the behind the scenes businessy stuff - especially with CampusPress, Edublogs, and our Enterprise Hosting :slight_smile:

Most importantly for this AMA, Ronnie is our resident GDPR expert and responsible for getting all of our products and services compliant.

As the GDPR enforcement date of May 25th draws near, we see more and more concern around it within the community so we thought this would be an excellent opportunity to have an open discussion and Q&A for it.

If you haven’t been following GDPR at all, then I suggest you check out the recent blog post we just published on it - GDPR: How it Affects WordPress Site Owners and Developers

AMA = Ask Me Anything or in this case more of an Ask Ronnie Anything.

Doesn’t have to be about our compliance either, it can be about any concerns or questions you have regarding the compliance of your own services too or even not GDPR related at all :smiley:

Ronnie will try to check in on this thread regularly over the next 7 days and do his best to answer all your questions.

-------------------------------

-At least one comment = 3 Hero Points (must comment within 14 days of the thread creation date)
-DOTW = Discussion of the Week
-Last DOTW: What new features would you like to see in Hustle?

Ask away!

  • Matthew

    Time to block all British IP ranges from my servers?

    How will this affect the basic eCommerce store or blog? I have seen the notifications about cookies on many sites lately, does this represent the new GDPR requirements?

    I most worry about getting into compliance and ensuring clients are as well. I would not say that I view this as a bad thing; I kind of like the idea, but I am concerned that I might not bring an eCommerce or business firm's site into compliance correctly.

    • Ronnie Burt

      Technically, all of the cookie notices and cookie requirements are a totally separate law from the GDPR, and the cookie law is in the process of being updated for the EU. We should know more about the direction that is taking later this year.

      As far as the GDPR is concerned, my understanding is that for cookies, you just want to list the cookies and their purposes in your Privacy Policy and then make sure you have records of anyone signed up, or that you are storing personal information on, of when they agreed to the privacy policy.

      The big things to keep in mind that will take you far:
      - be clear with your terms of service and privacy policy
      - have a list that you share of any 3rd party services you use that might also have your customers' data
      - protect your customers' data and only do what you tell them you will. So, don't sell any lists (unless you told them you would), and put reasonable security measures in place to protect all of the data you have.

      The biggest part of the GDPR is transparency - just be frank and upfront about what you are doing, and that will carry you far!

  • Julian

    Great subject, one that concerns us all.

    I take it that WPMU DEV keeps a close eye on what's going on here and will make use of any standardized WordPress core solutions?

    One thing that I recently thought of that I think is going to be very hard to manage is if we need to remove personal data from a backup. If someone requests their data to be removed, it'll also have to be removed from any backups. How's Snapshot going to manage this? Any thoughts?

    • Ronnie Burt

      Hi Julian,

      We are definitely keeping a close eye on the GDPR elements that will soon be making it into WordPress core and all of the discussions going on about it in the WordPress core Slack community. In fact, that's a big part of why we haven't made our finalized public announcements about our plugins and services: we want to do it in the way that is standardized within WordPress. But the clock is ticking :slight_smile:

      As for backups, I heard a far better expert than myself talking at a conference recently about this very topic. Until he explained it, I did not understand that just because a customer requests data to be deleted, you very well may have legitimate and legal reasons to keep some or all of the data. For example, a lot will depend on local laws and regulations, but some places require you to keep detailed financial records on customers for 7 years or even more. That info might be safely kept in your backups, or in your payment processor. And you wouldn't need to delete it all. This protects you, in case that customer later decides to file a chargeback, dispute, or complaint with something like the Better Business Bureau. You are perfectly within your rights to keep what you might need to protect yourself if that makes sense?

      If you will overwrite the backup in a given and known time frame, just letting the customer that requested the data deletion know that you have removed it from production and it will be fully removed from any remaining backups in 'x' amount of time, in my opinion, should be sufficient. Especially if that 'x' amount of time is something like 30 days.

      If there are parts of the information about a customer that you have a good reason to keep that is beyond their personally identifying information, then you can also anonymize their personal info and keep the rest. For example, if you want to keep records that you had a customer that bought a particular item, you can change the customer name to Jane Doe and zero out the IP address. But keep what was purchased and when, as that wouldn't identify the customer.

      The right to be deleted might be the most complex piece of the GDPR, and there will be a lot of good faith and trust in place that it actually happens.
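Added example (not code from this thread, WPMU DEV or WordPress): an erasure-request handler that applies the approach Ronnie describes, anonymizing the identifying fields of a customer's order records while keeping what was bought and when, and recording the date by which rotating backups will no longer hold the original. The Order shape, the blanking of the email field, the IPv6 case and the 30-day backup window are assumptions for the demo.

```python
from dataclasses import dataclass, replace, asdict
from datetime import datetime, timedelta, timezone
import ipaddress

PLACEHOLDER_NAME = "Jane Doe"
BACKUP_ROTATION = timedelta(days=30)   # assumed: backups are overwritten within 30 days


@dataclass(frozen=True)
class Order:
    order_id: str
    customer_name: str
    email: str
    ip: str
    items: tuple            # (sku, qty) pairs: what was bought
    purchased_at: str       # ISO 8601: when it was bought
    total_cents: int


def zero_ip(ip: str) -> str:
    """Replace an IP with the all-zero address of the same family, so the
    column stays a valid address but no longer identifies anyone."""
    addr = ipaddress.ip_address(ip)
    return "0.0.0.0" if addr.version == 4 else "::"


def anonymize_order(order: Order) -> Order:
    """Strip the 'who' (name, email, IP); keep the 'what' and 'when'."""
    return replace(order, customer_name=PLACEHOLDER_NAME, email="", ip=zero_ip(order.ip))


@dataclass(frozen=True)
class ErasureReceipt:
    requested_at: datetime
    orders_anonymized: int
    retained_fields: tuple
    backups_clean_by: datetime   # the date to communicate to the customer


def process_erasure_request(orders, email, requested_at, rotation=BACKUP_ROTATION):
    """Anonymize every order belonging to `email`; other customers' orders
    pass through untouched. Returns (updated_orders, receipt)."""
    updated, hits = [], 0
    for o in orders:
        if o.email.lower() == email.lower():
            updated.append(anonymize_order(o))
            hits += 1
        else:
            updated.append(o)
    receipt = ErasureReceipt(
        requested_at=requested_at,
        orders_anonymized=hits,
        retained_fields=("order_id", "items", "purchased_at", "total_cents"),
        backups_clean_by=requested_at + rotation,
    )
    return updated, receipt


# Constructed sample data for the demo (documentation-range addresses).
SAMPLE_ORDERS = (
    Order("1001", "Alice Example", "alice@example.com", "203.0.113.7",
          (("SKU-42", 1),), "2018-03-01T10:15:00Z", 1999),
    Order("1002", "Alice Example", "alice@example.com", "2001:db8::1",
          (("SKU-7", 2),), "2018-03-20T08:00:00Z", 5800),
    Order("1003", "Bob Example", "bob@example.com", "198.51.100.9",
          (("SKU-42", 3),), "2018-03-21T12:30:00Z", 5997),
)


def demo():
    requested = datetime(2018, 4, 2, 9, 0, tzinfo=timezone.utc)
    return process_erasure_request(SAMPLE_ORDERS, "alice@example.com", requested)


if __name__ == "__main__":
    orders, receipt = demo()
    for o in orders:
        print(asdict(o))
    print(receipt)
```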

      • Julian

        We are definitely keeping a close eye on the GDPR elements that will soon be making it into WordPress core and all of the discussions going on about it in the WordPress core Slack community.

        Fantastic :thumbsup:

        For example, a lot will depend on local laws and regulations, but some places require you to keep detailed financial records on customers for 7 years or even more. That info might be safely kept in your backups, or in your payment processor. And you wouldn't need to delete it all.

        Indeed, sometimes you are legally obligated to keep a record so I suppose in those cases it's fine to keep the data. This just needs to be communicated very clearly with the user.

        just letting the customer that requested the data deletion know that you have removed it from production and it will be fully removed from any remaining backups in 'x' amount of time, in my opinion, should be sufficient

        That actually sounds like a workable solution and it's something that Snapshot can do already. But I wonder if the guys who wrote the law think the same way :slight_smile:

        The right to be deleted might be the most complex piece of the GDPR

        You can say that again :grimacing:

    • Tony G

      Follow-on to Julian : From what I've read, the GDPR has some technical issues. As everyone rushes to be compliant with what's there now, it's quite possible that some of those issues will be shaken out over time and the regulations will be modified. That makes it a choice as to whether we pursue full compliance or whether we try to get away with "reasonable" compliance until the unreasonable parts are more in alignment with reality.

      As Julian mentioned backups.... Consider a site where someone says something about illegal activity, or they express severe depression in a way that looks like it might translate to hurting others (vague enough there?). Then the user says they want to be permanently unregistered. How does the site comply with the user's request, while preserving history which might later be required by authorities?

      EDIT: Apparently Ronnie Burt posted notes simultaneously with my own...

    • Ronnie Burt

      DigitalPowerups - well, you might be fined only if you don't keep the customer's data safe, if you refuse to delete the customers' data when they ask, or if you do something beyond what you say you will do with the customer's info. The transactions themselves wouldn't be against the GDPR, I don't think. But you raise a good point. I've heard directly from higher-ups in the current US administration that they have no idea what a government in the EU really can do to you here in the US.

      In theory, there are treaties and agreements in place that if they want you bad enough, the US government may be compelled to help them. They can also do things like use public records to identify business owners and place them on lists keeping them from entry into their country. I suspect it will be the big fish that are really gone after, but I also wouldn't want to be the small fish that gets made as the example either.

      My hunch is that the most significant penalties and fines will come when a data breach is discovered, but no immediate attempt at notifying the impacted customers was made. So the company (US or otherwise) will be accused of attempting to cover up the breach. Having a notification policy in place, and following it, with records of what you do, will go a long way.

      • Tony G

        With the example cited, it's not just UK ability to impose fines in other jurisdictions, it's their ability to do discovery to determine if there has been a violation. We don't just stand to lose money in post-judgement penalties - it can be costly in terms of human resources to dig through some records to show good-faith handling of data. As a small business owner I would be crippled if I needed to personally take the time to go through records and system logs to show that someone's data is not there, or that it's there but secured in a way that at least I believe is adequate for these purposes.

        On the other side of that, it will be more costly for the UK to initiate a discovery process that involves collaboration with foreign authorities. They need to be highly motivated. I seriously doubt they will use such costly resources and processes to pursue any but the most egregious of violations.

        I'm not suggesting that small businesses should feel comfortable in ignoring GDPR, believing that they're too small for prosecution. I think the spirit of this is something that we should all get behind as both providers and consumers. I'm heartened by the advice from Ronnie Burt here that yields an impression that the UK has a similar perspective.

        Consider what happens outside of the US after this goes into effect: A user/client in your own country asks "You're not GDPR-compliant? Why not? What exactly are you doing with my data that you don't want to make it GDPR-compliant?" This could be considered as universal a "right" as clean air and water ... which of course many people don't have but there are great efforts globally to correct that.

        • Steve - Just Think BiG

          There's already an agreement in place between the EU and the US to facilitate the bringing together of their respective Data Protection rules allowing for the transfer of data between the two. Essentially, it lays down a framework whereby EU based companies holding data on US citizens and US based companies holding data on EU citizens apply, essentially, the same levels of protection. It's called Privacy Shield and you can find out more about that here.

          Whilst you probably don't need to worry about this, specifically, yourselves, I would imagine that hosting companies, email marketing companies and all third party data processors based in the US or the EU that you're likely to use are compliant.

          All you need to worry about is being transparent on your website as to why you're storing data and how it will be used, coupled with providing the respective tickboxes (un-checked) for your visitors to give their consent.

  • Creative Blogs

    As someone who hosts WordPress sites for around 150 UK schools, GDPR is going to have a big impact on what I do. First, really dim, question: when someone fills in a comment form in WordPress they enter an email address. At the moment, there is no box to tick to say that you're consenting to the site owner storing your email address. To my understanding, that would make most comment systems (not just WordPress) non-GDPR-compliant. Am I right in thinking this? And is WordPress core going to address simple stuff like this?

      • Tony G

        TL;DR Get it in writing.

        I've also thought about this common concept of multi-tiered relationships. A discussion on that topic was started at StackExchange and refers to specific GDPR clauses and text. What follows is my perception based on the text and common practice ... but this might not at all be what they actually intend in the GDPR. This is specifically one of those areas that I think they need to shake out, sooner rather than later.

        One could pursue responsibility all the way up the chain, and in litigious America we (as a whole) tend to do that a lot. There are reasons for that practice, and similarly over time protections have been created against it. So now, in USA law, there's lots of precedent about vendors and manufacturers not being responsible for modifications to their products. If you open the box, you void the warranty. I dunno how indemnification like this plays out internationally.

        IMO, you should only be responsible to your clients. They are responsible to their clients. If they want to be GDPR-compliant, they can manage that process themselves or they can pay you. But they must bear the expense of their compliance. That's not a cost that you or they should feel obligated to bear. You just need to be compliant in case your clients want their data removed from your databases. The cost for that effort is entirely your own. Ultimately of course, business expenses are funded through whatever revenue mechanisms you have.

        If one believes the host is responsible for their client's data then they need to keep following that chain: If you backup data in a data center, are they responsible for your client's data? Can your client include Western Digital in a suit for their responsibility to protect consumer data in hard drives? This whole concept gets ridiculous past the first vendor/client relationship. You can't be responsible for what your client does, only for what you do.

        I believe we need to clearly define our responsibilities and liabilities with our client bases in privacy policies that speak specifically to them. That includes defining responsibilities that we will accept as a paid service. For anything beyond that we need to secure indemnification. Clients in turn must accept those terms to continue doing business with us. And that answers your question.

  • Steve - Just Think BiG

    I run a number of business mastermind groups and have been doing a lot of research on GDPR to help support my members.

    @Creative Blogs - According to my research, all forms should have a tickbox to gain permission re GDPR and consent to contact, where appropriate. This is one area where I'd like WPMUDEV to be proactive, so that we can add the appropriate tickboxes (which can't be pre-ticked if they're to be compliant) to all forms. This goes for standard contact forms, as well.

    We need to remember that all countries have their own data protection laws and one thing GDPR has done is to bring more convergence to these - particularly in the EU - but that also applies to other countries.

    @DigitalPowerups - Regarding selling the odd download to a passing visitor from the EU, my instinct is that you ought to be GDPR compliant, but as Ronnie Burt says, being transparent is most important and complying with the requirements of your home country will almost certainly stand you in pretty good stead.

    Some general guidelines that I've given to my members include:

    - Make sure your policies are compliant and up to date.
    - Make sure that all contact forms have the appropriate consent tickboxes - one for each method of contact you may use: i.e. one for email, one for phone, one for post and one for SMS - but only if you intend to use those methods. If you only use email, you only need the one tickbox.
    - Make it very transparent as to how contact details will be used.
    - Everything needs to be unambiguous and demonstrable: that's transparent, and you need to have records to show how/when someone gave you consent.

    One interesting point to note is that, contrary to what many people believe, you don't need to re-establish consent from people already on your list. The fact that you've been sending them email and they haven't unsubscribed is deemed as unambiguous and demonstrable consent.

    This is a really interesting topic and I'm sure it will evolve as time goes by and GDPR becomes enforceable.

  • Jaxom

    Hi Everyone

    I am based in the UK and we run client servers both in the EU and in the US and are very aware of the upcoming GDPR.

    According to what my legal person has said the most important part is more about people being able to know and request or be able to remove the data that you hold.

    1.) All check boxes must be UNCHECKED and no presumption of approval is allowed, the person must check the box themselves.

    2.) You must have a visibly accessible form that allows people to request what information you hold on them, and a removal request form and/or (plugin coming) a delete-all button on their user account.

    3.) Yes, comments must have a check button but there is already a plugin in the repository that adds the check box to comments. https://wordpress.org/plugins/wp-gdpr-compliance/

    4.) As an E-Commerce site you will need to put in the "Terms of Use" a caveat that you are required by law to maintain all transaction records for up to 5 years (or whatever the business laws are in your country) but those will need to be transferred to paper to be fully compliant.

    5.) You must also have a way of immediately informing all users of a breach in the event that your site is hacked, and you must notify all users of any changes to your terms of use.

    We are using the WP Email Users plugin on all our sites to inform clients, but WooCommerce has that ability as well.

    If your site has no members and no way to become a member and no way to comment then you do not need to be GDPR Compliant.

    I hope this helps make it a bit easier to understand.

    jaxom

  • Creative Blogs

    Seems to me from reading through this thread that adding the relevant tick boxes to forms and comments etc. is relatively straightforward. Some of this stuff will no doubt work its way into WordPress core and there are some decent plugin options around, too. Research on what plugins collect and process is down to the host, and most of the major plugin developers - Gravity Forms, WPMU, Wordfence etc. - seem to say that they're all over this, and as hosts we'll be able to refer to their statements. The big problem left to crack is the necessity to allow a user to request data download and/or deletion. Sure, you could easily knock up a form to request this, but the mechanics of enacting it are quite another matter. I've only seen one premium plugin that claims to offer this. Has anyone else got a solution for this aspect?

  • 247web

    fabio fava
    FYI We store IP addresses for tracking e-commerce transactions (in logs) and for acceptance of online proposals and quotations - so we will have to put a clause into the privacy policy and checkboxes.

    Has anyone possibly drawn up a template of a terms of use or privacy policy document that incorporates GDPR yet? It seems to me that there are so many bits and bobs to include - something is sure to get left out.

    Question: I have seen policy documents that start with something like "If you continue to use this website, it is a clear acceptance of our terms of use and our privacy policy" or something to that effect?

    That seems contrary to a user having to actively click a box to accept terms?

    • Ronnie Burt

      You are right, 247web, simply stating that "continuing to use this website shows acceptance" is no longer good enough. If you have users register, or during the checkout process for e-commerce transactions, you will want a clear opt-in.

      As for privacy policies - I know that one is being worked on that will be available in WordPress core itself so people can use and tailor to their own. But I can't find a draft of it anywhere, so we will have to wait :slight_frown:

      I'm not saying it is perfect, but Automattic (the company behind wordpress.com) has licensed their privacy policy under a Creative Commons license: https://automattic.com/privacy/ - essentially open sourced and, with attribution, can be used by others too :slight_smile:

  • Dustin Benner

    I have been "Avoiding" this thread since it came out. Not because I want to not be GDPR compliant but because time. We are a small US based hosting company/web development firm and we host clients from around the world. In fact we have many EU customers. This thread has certainly helped me get an idea of what I need to do.

    While we host EU customers, the vast majority of web design projects are local customers and in most cases are aimed at local business here in our city/state. Very few really are looking for or even targeting EU customers. That being said, I am wondering: if the site is really not intended for anything more than local traffic and local businesses, how much do I need to worry about making sure all of our managed clients are GDPR compliant?

    Thanks!

    • Tony G

      (Using You and I here just for discussion)

      As I've noted further up, from what I can tell the responsibility for compliance stops with those who are given the data. If I store data on your server, you are not responsible for my regulatory compliance. My compliance is my responsibility to those who have provided me with data. This is at the application tier. You at the server tier need to assure me that my backups are encrypted and locked down, but you have no responsibility for purging my client's data when they ask because you have no relationship with them and no application level tools for removing that data. You, at a business application level just need to prove to me that you will protect my personal data. That is limited to removing my name and address from your business system, and purging my blobs of data from your servers. If you don't I can choose not to do business with you, and take my clients elsewhere.

      Unless someone can provide specific text that contradicts that, I believe that is the intent of this legislation. The thing I don't understand is how authorities can access old data for crime investigation if we're all committing to purge it on request.

  • Baldafrican

    This thread has certainly shown me that I ..in fact ...know nothing.
    We have been one those happy go lucky living in our own bubble kind of agency for some time now. Yikes it seems we have some work to do!

    Just to be clear, if you are using third party software to engage members (e.g. Mailchimp for newsletters and Stripe for payment) does the onus lie more so on their software or is it something that we still need to do on our side too? Yes... we are THAT clueless

    • Tony G

      (Preface all of this with "I believe", and follow it with "verification desired")

      If I ask you to remove my data, can you guarantee me that it will be done? If not, you are not compliant. So what can you do about that? You need to do business with people who guarantee to you that they are compliant. If they are not, you can't pass the blame up the line if your client finds data they gave to you elsewhere. You are responsible for data that is entrusted to you. So what data do you give to MailChimp and Stripe? If your client asks you to remove their data, you need to be able to remove it from your data storage And have a process to request your upline provider to remove it from theirs.

      For MailChimp, I don't know what they have to say on the topic but I hope they say all data is transient and only stored during the period required to successfully deliver a transaction.

      For payment processors, it depends on how you process data. You need to verify that they will remove data that you ask them to. But some sites do a complete pass-through of the financials so that you don't get the same personally identifying data that they do. In this case, your client is giving data to a third party. I believe we need to ensure that our payment processors are compliant so that they can extend to their clients the same rights as us. In other words, if Foo Processor doesn't allow people to request data removal, don't use them, because you can't provide a reasonable guarantee to your clients about how their data will be used - that IS a part of your guarantee.

      At that point, I don't know how it's handled. Consumers shouldn't need to be bothered with the details of what payment processors we use. I don't know if we can accept responsibility for data that we control and pass on responsibility for data outside of our control. On one hand it's reasonable that we can't guarantee what someone else will do. On the other hand I can easily see companies passing the buck with "we will remove the data that we have but you'll need to go to these other companies if you want them to remove data you provided to them". How does that work?

    • Ronnie Burt

      Moonworks - that's exactly what is being worked hard on to get into WordPress core itself. There will be a new Privacy page in the dashboard that plugin authors can hook into to put any relevant information about the types of personal info being stored/processed and where. And WP core will have better self-service features that can be enabled to see, download, and delete profile and personal information. They are still hopeful it will be out by the end of May...

  • Tyler Postle

    Hey everyone, due to the recent Easter long weekend (and the popularity of this topic) Ronnie Burt has agreed to extend the AMA another week :slight_smile:

    So any follow up questions or new ones, please do post them - he'll be checking in throughout the week. The next DOTW will go up on Monday, April 9th - that will be the end date of this AMA too but of course we'll leave the thread open for those who want to continue discussing, just no guaranteed responses from Ronnie after that date.

    I'm also going to be sending out the Hero points shortly then again on Monday for any new participants between now and then.

    Cheers,
    Tyler

    • Ronnie Burt

      Hi Jez - I know that the WordPress core team is working on a default privacy policy that site owners can use. I haven't seen the actual text yet, but I'm hoping it will be at least in draft form in the next week or so. The idea is that all WordPress sites will come with this default text on a draft /privacy page.

      Interesting thought about SSL and deadlines from Google. As I understand it, the GDPR doesn't directly require SSL, but it does require best security practices (which would include SSL). My gut feeling is that the two happening is more coincidence and a result of what we all should be doing anyway.
