Can everybody hear me OK? Excellent. So how many of you are excited to talk about GDPR? So I'm here with you today to talk about GDPR, what it is and how you can become compliant. I want to begin today with a little bit of an introduction about myself. My name is Sam Jadley. I am the CEO of Host Duplex. We are a managed WordPress hosting provider. And I also am the director of IT operations at Mandala. Mandala is a cryptocurrency exchange. And I mostly do the security operations for them. My passions are educating clients on security, optimization, and performance. And I'm also very passionate about data privacy, hence why I am here with you today. I am a huge college football fan. Mostly in the United States, the Big Ten conference. I went to the University of Iowa. And I am a huge WordCamp enthusiast. And so I'm very excited to be with you guys here today.

Now, I wanted to preface this presentation by stating that I am not a lawyer. So my guidance and advice is only to allow you to become familiar with GDPR and to help you understand the concepts behind it. However, for the most detailed rules and regulations, especially as it pertains to your own needs, I highly recommend seeking the advice of counsel.

Now, I wanted to begin today with a quote that comes straight from the EU GDPR website. And that quote states that GDPR represents the biggest shakeup of data protection in over 20 years. And GDPR, for those of you who don't know, stands for the General Data Protection Regulation. And its primary objective is to give citizens back control over their data. Now, believe it or not, when it comes especially to data privacy, you right now are under surveillance. Your surveillance, sorry, your cell phone that's in your pocket is tracking your every move. The apps that are on your phone know where you are. Your supermarket loyalty card has data that lets companies know your age, your sex. It can even estimate your beard length.
They'll know your favorite items before you even know that they're your favorite items. And GDPR aims to address these issues or at least make you aware of them. And while this is an EU law affecting EU citizens, my hope is that other countries will at least adopt similar laws and perhaps ones that are a little bit more refined.

Now, how many of you have heard of MoviePass? So I know in Canada, I guess the equivalent is called Sinemia. And so I have a story for you about MoviePass. So the CEO of MoviePass was speaking in Hollywood to an audience. This was a few months back and he was essentially telling them or essentially bragging about their data collection practices. And he was saying that they are tracking users before and after they leave the theater. And they were planning, I'm assuming, on using these for location-based marketing purposes. Now, companies like MoviePass are taking our data and they're creating a data profile of us and hence tracking us. And the problem with this situation with the MoviePass CEO is they hadn't explicitly stated to their customers that they were tracking us. At least it wasn't until that forum. And so this is where a law like GDPR comes in and it tries to protect us or at least make it transparent to us from these companies to us. So now imagine a scenario where the data gets into the wrong hands.

Now, how many of you have heard of Ashley Madison? So for those of you who don't know, Ashley Madison is an online dating service that offers an apparent escape from the banalities of marriage and it's marketed primarily towards married individuals and their company motto is that life's short, have an affair. So about two years ago, approximately it was about August, I think, of 2016, Ashley Madison or their CEO, Noel Biderman, he was informed by a group of hackers that are known as the Impact Team. And they came to him and they said, we have all of your data.
And if you don't shut down your site in 30 days, we are going to release the data of all your customers. So the CEO, he either didn't believe them or he didn't care. And lo and behold, I think about two months later, the data of all 36 million users was released to the public. And immediately after that hack, the media and the social networks were essentially overloaded with these pejorative overtones that essentially came from the unfaithful users of the website, who happened to mostly be men who were all of a sudden becoming these data privacy activists. And others, on the other hand, were considering these hackers to be these benevolent donors to society. But at the end of the day, this one data leak had upended the lives of hundreds of thousands, if not millions of people. And these examples don't apply just to sites like Ashley Madison. It applies to your profile on Facebook, to your credit card companies, to credit bureaus, to your purchase habits at the grocery store. And my point is that privacy and data privacy should be a fundamental right that we as individuals have.

Now, a recent study showed that three out of four EU citizens didn't feel in control of their data. In fact, 90% of the EU, or their EU citizens, were concerned about data collection without their consent. Now, when it comes to e-commerce, this provided many reasons why people were concerned about shopping online. 35% had payment concerns, 29% had privacy concerns, and this really begs the question, how are we going to grow an economy if we don't have trust? Now, continuing on the objectives of GDPR, it's trying to strengthen our individual rights when it comes to data privacy, and its goal is to unify data protections and facilitate the flow of personal data.

Now, a little bit about GDPR and its history. It was initially proposed in the EU back in 2012. The regulation actually went into effect in the summer of 2016, but it wasn't actually enforced until a few months ago, May 25th.
Now, when it comes to GDPR, there are some really, really steep fines for those who are not compliant. That fine is 20 million euros, or it is 4% of your annual revenue, whichever is greater. Now, the law itself is quite obscure and vague, probably on purpose. It's 261 pages, it's in 99 sections, so it's very long, it's not fun to read. But one thing I do want you to take away from this when it comes to GDPR is that a lot of people have this misconception, and they think, even when they come to events like this, they think it's only applying to WordPress. So I want you to know that it's CMS agnostic. This applies everywhere to every kind of platform out there, WordPress, Squarespace, whatever you name it. This applies to everything.

Now, some of you may say, okay, I hear you talking about the EU, Sam, what does this have to do with us in Canada? Well, the EU is really taking the lead on data privacy, and they are able to assert their jurisdiction on this via something called the long-arm jurisdiction, at least that is how I understand it, or extraterritoriality. And this is where a local court can assert jurisdiction from the EU to other countries and companies who process the personal data of EU citizens, and this applies everywhere to anyone that processes any data from anybody who is an EU citizen. Now you're gonna say, Sam, I don't have any EU clients, right? This doesn't affect me. Well, you might be surprised. There are lots of different ways in which you may collect an EU citizen's data. They don't actually have to be your direct client. You can be collecting data in the form of contact forms. If you have a mailing list with their name, if they go on your website, and they just write a comment with their name and their email address, you are actually storing the data of an EU citizen. The same goes for live chat.
If you have a live chat form on your website and somebody starts talking to you and you are actually storing that data, again, you're collecting an EU citizen's data. Now what are some types of their personal data? It could be something as simple as their name, their address, their national identity number, their social security number. Obviously all of these would be the personal data of an EU citizen. And other things to think of are their genetic information. A lot of times, you know, there's sites like 23andMe, people are storing their genetic information and even one piece of that tidbit of information would be relevant to this. Also things like race, ethnic origin, other health data, location data, your IP address, there's even metadata that's hidden in photos. If that's uploaded online to a platform and that can be traced back to an EU citizen, that really relates exactly to this law.

Now GDPR has eight data subject rights and the first one is the right to access. So this is very similar to how you would obtain your own credit report. So the GDPR states that we must provide access to an EU citizen's personal data and there should be no fees when they request or exercise this right. And you, as a company, would have 30 days to comply. Next is an important one, it's the right to be informed. So the individuals have the right to be informed about the collection and the use of their data. It is the what, the why, and the how. How is their data being processed and why is it being processed? Not only that, we have to provide clear and concise information about what you are doing with their personal data. All information you supply to an individual should be concise, it must be intelligible, it must be easily accessible, and again it has to be free of charge. Now this is an important one, the explicit consent. So when it comes to GDPR, say a user is signing up on your website and they are signing up for a mailing list, say.
Now with GDPR, if you have a checkbox that says I wanna sign up to your mailing list and if it's selected by default, that can no longer happen. With GDPR there must be explicit consent, the user must check the box themselves. Now when it comes to Canada, I know there is a law in Canada, the Canadian Anti-Spam Law, and when it comes to consent and digital marketing, GDPR is more strict than the Canadian Anti-Spam Law. So I believe under the Canadian Anti-Spam Law you can market to customers or clients for up to two years after receiving implied consent, but that's different than GDPR because with GDPR it has to be explicit.

Next is the right to rectification. This is essentially the right for individuals to have their inaccurate personal data rectified. The request can be made verbally or in writing and you as a company again have 30 days to comply. An example of this would be, say you have a name or something in their system that isn't accurate or say it was misspelled. The data subject first has to request access and if the data was indeed misspelled then they have the right to have that data rectified. Now this was last night actually on my way to Montreal. This is on my declaration form in the airport. It actually states right here that individuals have the right to access and/or can make corrections of their personal information under the Privacy Act. So at least in Canada you guys have this Privacy Act whereas we in the US, I in the US do not. At least not yet. Some states have some laws.

Next is the right to object. So you as a company must tell individuals about their right to object and the GDPR gives individuals the right to object to the processing of their personal data, but first, it's not exactly an absolute right. It can only occur in certain circumstances. For example, say when it comes to direct marketing somebody can say, well, hey, I don't want you to be sending my data to a third party, and a user has that right to object and you have to abide by that.
Next is the right to data portability. So this allows individuals to request and reuse their personal data and download that personal data in a machine-readable format. So it must be, say, in a CSV file, an Excel file, a JSON file, but what it cannot be is something in paper form, because essentially the purpose of this is so that the user can download their data and take it to another provider should they want to do that. And under WordPress, I believe under 4.9.8, they created some additional GDPR tools to allow WordPress users to easily export and import and erase the data of that user.

Next is the right to restrict processing. Now a data subject can restrict processing of their personal data when they believe it's not accurate. Hence you can store it but you cannot process it, and this can apply in certain circumstances such as when the accuracy is contested by the data subject. The next is the right to be forgotten, sometimes called the right to erasure. So you as an individual EU citizen have the right to request for the erasure of personal data, of your personal data, without undue delay. And you have again 30 days to do so. So this is probably the most simple one but one of the most important ones of the eight data subject rights. Lastly is the right to not be subject to automated decision making. So say you're applying for a credit card and generally I think most systems now use a machine or an algorithm to make that credit decision, and GDPR allows for a person to say I don't want a machine to make that decision, I want a human to make that decision. And in short, GDPR doesn't really forbid profiling but it requires the transparency of all these operations and you have to extend those rights to the user.

Now the whole point here is I want you guys to keep calm and prepare for GDPR if you haven't already. Some tips for you guys while you're preparing. Number one, perform a privacy impact assessment. You wanna see, it's basically the why and how.
What are you storing? Why are you storing it? And how are you storing it? You know, look and see where are you holding your data? Is it locally? Is it on the cloud? At which hosting provider are you hosting it at? And what third parties are you using? Are you using MailChimp, are you using iContact, SendGrid? Look at the different providers you're using and make sure you have agreements set up with them, make sure you discuss with them or reviewed their GDPR privacies and make them in line with yours. And also an important thing is to perform a security audit because most of all you don't wanna be hacked, right? So perform a security audit and see what you're doing with your data and review your own security policies at your hosting provider, and I'm gonna provide some tips with you for that here in a minute. And lastly, after you've prepared, of course, update your privacy policy, send an email to all your clients letting them know that you've updated that and that you are now abiding by the GDPR rules.

Now on these tips, what can you do to protect yourself? Number one, make sure you have SSL enabled on your website, enable this form of encryption because you don't wanna be transmitting unencrypted data, you don't want somebody to be able to read that data in clear text, and especially now, I believe July 1st, Google started putting in the top of their browser, and it may say, if your site's not secure, it doesn't have SSL enabled, it will say not secure at the top. So you can do that and you can do that now quite easily with a plugin called Really Simple SSL, makes it super simple.
The only thing, the prerequisite for that is you need to make sure that you have an SSL certificate. You can generally get that from your hosting provider, some hosting providers offer it for free, others are usually for a small fee, but I would highly recommend it, and once you have that certificate, just use this plugin, super easy, and it changes all the hard-coded links in your website and makes them HTTPS friendly.

Some other tidbits and tips for you guys, make sure you talk to your host. One thing that you can do to enhance your site a little bit is to try and keep your database server separate. This makes it a little bit harder for a hacker to, say, download your database. It's not a foolproof way, but it makes it one step harder for them, it's kind of like adding an extra deadbolt to your door. Next is move your wp-config.php file, move it out of that public space, that's one thing you can do, just move it into the directory below it and that'll also help, it's also like another deadbolt. And one thing you can do is change the permissions on your wp-config.php file, set it to read only or have it read/write by the user only so that it can't be changed by, say, a global user on your server. This is a really common one I've seen a lot of people do, is remove any backup files you have from your public spaces. So sometimes people create a tarball, they'll create a compressed file of all their website and they'll just put it right in the same folder where their website's hosted. So somebody could guess your website name and just add it, append it to the very end of your URL, and they can just download your entire site. So if you back up your site, just make sure it's not publicly visible because I see that so often. The same with, there's another one.
If you have, say, a wp-config.php file, I see so many people and developers, they'll change it to wp-config.bak as a backup and you have no idea, this is something easy that hackers look for, they'll just type in wp-config.bak and it reads as a text file, so that file is just completely transmitted in cleartext to that end user and they can read your database, they can, or sorry, your database username, your database password, they can see your database server name, they have all this information readily available to them. So make sure you don't label them, even if it's there, just get rid of it or put it in a different place so that it's not publicly visible.

Another option, one thing to do is to protect your wp-admin area. Now WordPress itself is inherently very secure but there are bots out there on the internet that are constantly attacking your wp-admin area and one way to mitigate this is by adding another authentication layer on top of that, and this will really stop those bots from attacking your website, and not only that, it stops all that resource usage, it keeps your resource usage way down, so I highly recommend doing that. It's a simple thing you can do in most control panels. If you have any questions, I'm happy to help out with that later. Another important one is check your email headers. I've seen a lot of times where somebody will get a WordPress password reset email, essentially like a phishing email, and it sends them to another place. The user thinks they're resetting their own password and in fact they're not. My mom, this was a few months ago, she got an email and she calls me and she says, Sam, I got an email from the FBI. I'm like, Mom, the FBI is not gonna email you. So just beware of those things because it's so easy to get hacked in that way, and we were actually, one of our other clients, they're a smaller financial institution and they had their CEO's number ported over to another company.
So essentially that user was able to take the CEO's cell phone and he was able to recover, or he was trying to attempt to recover at least, their passwords because his phone was the backup, right? So just beware, there's a lot of different ways people can do things and break into your website. And lastly is two-factor authentication. This is a really easy one because if your site credentials, say your username or password, if they're ever compromised, this is one way to mitigate that and it's so simple. So there's apps out there. It's called Google Authenticator. I know they have a plugin for WordPress. I highly recommend doing it, not only for WordPress, but for Facebook and Gmail and all the other applications out there because it's a very easy way to protect yourself. You know, essentially what happens is you just open an app on your phone and you type in a six digit code that changes every 30 seconds. You type that in once and it logs you in. So I highly recommend it if you haven't done it already.

Now you may ask, Sam, do plugins have to be GDPR compliant? Yes, yes, they have to be compliant. It's your responsibility to ensure that all your plugins can export and delete user data, but I'm sure that probably most plugins are not GDPR compliant, but your best bet right now is to use plugins that are from reputable sources because most of those probably, hopefully, will be GDPR compliant. And if not, you know, get in contact with the author, see what you have to do to make it compliant. And some helpful plugins in review. We mentioned Really Simple SSL is one. Another really good one is WP Security Audit Log. It is a great plugin that will basically show when users have logged in, say an administrator has created a new plugin, or sorry, a new admin user. It will send an email to the other admin users that somebody has created a new user. And if somebody deletes one, it's just the same.
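Going back to the file-hygiene tips above (wp-config.php placement and permissions, leftover wp-config.bak copies, backup archives and database dumps sitting in the public folder), here is an added shell script for checking a WordPress document root for exactly those problems. It is not code from the speaker, Host Duplex, or WordPress; the function names, the "FINDING:" output format, and the throwaway site it builds for the demo are this example's own assumptions, and it assumes a POSIX shell with find, stat and awk available.

```shell
#!/bin/sh
# Added example (not the speaker's code or WordPress's): audit a WordPress
# document root for the file-hygiene problems the talk lists.
# Assumed: POSIX sh with find, stat and awk; the caller passes the path of
# the public web root. Function names and the "FINDING:" output format are
# this example's own conventions.

# Report the permission mode of a file, working on both GNU and BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one "FINDING:" line per problem found under $1. Always returns 0;
# use wp_hygiene_count to get the number of findings.
wp_hygiene_check() {
    docroot="$1"

    # 1. wp-config.php still inside the public root. The talk recommends
    #    moving it one directory up, where WordPress still finds it.
    if [ -f "$docroot/wp-config.php" ]; then
        echo "FINDING: wp-config.php is inside the public root: $docroot/wp-config.php"
    fi

    # 2. Permissions, wherever the file lives: anything beyond owner-only
    #    read (400) or read/write (600) lets other accounts on a shared
    #    server read the database credentials.
    for cfg in "$docroot/wp-config.php" "$docroot/../wp-config.php"; do
        if [ -f "$cfg" ]; then
            mode=$(file_mode "$cfg")
            case "$mode" in
                400|600) ;;
                *) echo "FINDING: $cfg has mode $mode (expected 600 or 400)" ;;
            esac
        fi
    done

    # 3. Backup copies of wp-config. A .bak/.old/~ suffix is not handled by
    #    PHP, so the web server returns the credentials as plain text.
    for bak in "$docroot/wp-config.php.bak" "$docroot/wp-config.bak" \
               "$docroot/wp-config.php.old" "$docroot/wp-config.php~" \
               "$docroot/wp-config.php.save" "$docroot/wp-config.txt"; do
        if [ -f "$bak" ]; then
            echo "FINDING: backup copy of wp-config is web-accessible: $bak"
        fi
    done

    # 4. Site archives and database dumps anywhere under the public root:
    #    anyone who guesses the file name can download the whole site.
    find "$docroot" -type f \( -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
        -o -name '*.zip' -o -name '*.sql' -o -name '*.sql.gz' \) -print 2>/dev/null |
    while IFS= read -r archive; do
        echo "FINDING: archive or database dump is web-accessible: $archive"
    done
    return 0
}

# Number of findings for a document root (0 means clean).
wp_hygiene_count() {
    wp_hygiene_check "$1" | awk '/^FINDING:/ { n++ } END { print n + 0 }'
}

# Constructed demo: a throwaway site with the classic mistakes, checked,
# fixed the way the talk recommends, and checked again.
demo=$(mktemp -d)
mkdir -p "$demo/public/wp-content/uploads"
printf "<?php define('DB_PASSWORD', 'placeholder');\n" > "$demo/public/wp-config.php"
chmod 644 "$demo/public/wp-config.php"
cp "$demo/public/wp-config.php" "$demo/public/wp-config.php.bak"
: > "$demo/public/site-backup.tar.gz"
: > "$demo/public/wp-content/uploads/db.sql"

wp_hygiene_check "$demo/public"
echo "findings before fixing: $(wp_hygiene_count "$demo/public")"

mv "$demo/public/wp-config.php" "$demo/wp-config.php"   # out of the public tree
chmod 600 "$demo/wp-config.php"                           # owner read/write only
rm "$demo/public/wp-config.php.bak"                       # no exposed backup copy
mkdir -p "$demo/private-backups"                          # archives outside the web root
mv "$demo/public/site-backup.tar.gz" "$demo/public/wp-content/uploads/db.sql" "$demo/private-backups/"
echo "findings after fixing: $(wp_hygiene_count "$demo/public")"
rm -rf "$demo"
```

Run it as `sh wp-hygiene.sh` on the server, or call `wp_hygiene_check /path/to/public_html` from a cron job and alert on any output; on a shared host, the permission check is the one that most often surprises people, since a 644 wp-config.php is readable by every other account on the box.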
It provides a log of basically every action that's taken in your wp-admin, and it puts it into your database. And not only that, I recommend setting up the email notification so that, say, a hacker manipulates the database in any way, at least you have a record of it in your email. Another great plugin is WP GDPR Compliance. That plugin integrates with a lot of other plugins like, I believe, Contact Form 7, so that it makes it a lot simpler to comply with GDPR, and that's a really great one. There's another one called GDPR. It's very similar. It just has a different name, but very similar again. Now, there's a website out there. It's called Cookiebot. And essentially, you can type in your URL, and it will tell you if your website is compliant. Now, I've actually tested a few really famous websites that I'm sure are GDPR compliant, and every site I've tested says it's not compliant. But it does give you insight into who your vendors are. For example, if you're using live chat, or if you have an ad vendor that you're using, it actually will lay this all out in a nice readable format for you, and you can at least use that for your privacy policy or notifying your clients. So it's really helpful and informative when you're creating your privacy policy.

Now, what should you do if you have a data breach? Number one, contact your host. They're probably the ones that are gonna have all the logs for all of this. So you'll wanna review your logs. If you aren't the most tech savvy, have at least your host do that for you. I would say there are options in a lot of the hosting providers to archive logs because generally, I think the default for most hosting providers is they delete these logs after a week or after 30 days and they don't keep them.
So my recommendation would be to either ask them or log into your control panel; if they use cPanel, there's an option that says archive my logs and then it'll archive it every month so that it at least keeps all those logs. Next, contact your third parties. So if you have a breach, contact SendGrid, contact MailChimp, whoever it is, and see what it is that you have to do. Next, have a plan of action. So pretend that this scenario just happened now, right? Have a plan of action so that you know what your steps are. You know who your third parties are that you need to contact. Next, you must notify your supervising authority within 72 hours. So the EU designates a supervising authority for each region. And of course, should a data breach happen, you have three days to comply from the moment that you find out that you had a data breach. Now these supervising authorities, their powers include auditing websites, so if they check and they see that you're non-compliant, they'll issue a warning. I think at the beginning it won't be as bad. I don't think they're gonna fine you right away, but they'll issue corrective measures to be followed with certain deadlines. And if you continue to fail to comply, then of course there'll probably be some sort of fine at that point.

Now, excuse me. On these data subject rights, I just wanna review them really quickly for you. So you have the right to be informed. Essentially the right to be informed is to let you know the what, why and the how, how is your data being processed, what it is. And the right to access is, you must provide, essentially, access to your EU citizens' personal data. You must do it without a fee. The right to rectification is that you must rectify any inaccurate data. The right to object is the users have the, when processing the data, sorry, you must tell individuals about their right to object.
And so if you don't want to have that user send their data to a third party, you have to be able to do so. Again, the right to data portability, make sure that you can transmit, send that user all their data, and the right to restrict processing, the right to be forgotten. You wanna make sure that you can erase the user's data upon request, and again, the right to not be subject to automated processing.

Now I wanted to share this book with you. I highly recommend it. It's called Data and Goliath. It's by Bruce Schneier. It's one of my favorite books, and I suggest you read it because it's really eye-opening. And I wanted to give you a few examples of how, of what the author states that might in fact be related to GDPR. And so Bruce, he describes to us in many different ways how we unknowingly cooperate with surveillance, just like the free email services we have at Yahoo, at Gmail, or those supermarket loyalty cards that I mentioned earlier that provide us with discounts. He says that we cooperate with corporate surveillance because it promises us convenience, and we submit to government surveillance because it promises us protection. And the result is a mass surveillance society of our own making. And that's direct from the author. And he also states that every morning when we put our cell phone in our pocket, you're making an implicit bargain with the carrier. So you may say, I wanna be able to make and receive phone calls; in exchange, I want that company to know where I am at all times. And that bargain isn't specified in any contract, but it's inherent in how the service works. And today GDPR is trying to change that, especially with transparency.

So in summary, I really want you guys to learn that this is not just the EU. GDPR applies everywhere, and that's by way of the long-arm jurisdiction. So even if you don't have any EU clients, you may still be affected. And again, you must obtain consent, explicit consent. I want you guys to remember that.
And remember that when you are specifying this language, it must be clear and concise. Ironically, that's not how it is in the law. But be prepared, most of all. Thank you all for listening. If you have any questions, you can find me on Twitter, it's my email, or after. Thank you so much.

I don't, sorry, the question was, is HTTPS mandatory by GDPR? And I don't think it's mandatory, but I would assume. They're, you know, if you're storing e-commerce, there's other requirements like PCI compliance, which will tell you that SSL is required. But regardless, I would, you know, make sure that you have SSL, you know, enabled. I don't, to my knowledge, I don't think that they say that it's a requirement, but, you know, it's a better practice to at least do so.

So the question was, if I already had mailing list subscribers, do I have to ask them again to resubscribe? And the consensus from what I understand and speaking with other lawyers is that, yes, it's recommended that you contact the users again in your mailing list, asking them to apply, or basically agree to your mailing list. And if they do so, then they do so. And for those that don't, then you would have to remove them from your mailing list. Right, so, so that's a great comment. So he was stating that if users previously have given explicit consent, then they would at least abide, that would be okay. But if it was under implied consent or they had not, then you'd probably have to re-ask them again. But also you mentioned if it's in paper form, as long as you have proof of that, then I would assume it should be fine. Under Canadian law, right? Right, so as the gentleman mentioned, and again, I'm not a lawyer, so I can't provide you with 100% accuracy. But he said that if you assume, if you had double opt-in and those users explicitly consented to it, then I would assume it's okay. But again, I would, you know. Right, they can, but again, I think they have to explicitly consent to joining your mailing lists.
As long as they're in your mailing list and they had explicitly consented to it, and you have that unsubscribe option, then I think you would be okay. But I think that would, again, they have to have explicitly consented to your, to the mailing list. Now I know that WordPress, the last version, I think it was 4.9.6 or 4.9.8, they enabled some GDPR tools so that authors and users, if they want, they can go and download their own specific data or delete that data or export and import that into a machine-readable format and take it somewhere else if they wanted to. I'm assuming it's still being worked on right now. I haven't seen, or at least not to my knowledge, I don't know if there's anything for the commenting system quite yet, but I think that's my understanding of where that stance is currently. Let's go ahead. Yes.

So the question was, how do companies address the fact, for example, when it comes to health companies who are required to comply with their own laws, say that they have to store records for seven years, how can they comply with that when it comes to GDPR's right to erasure of records? So I think the law, there are exceptions for that. I would assume that's probably one of them. I would assume that would supersede GDPR, especially when it comes to health issues, but I know there are exceptions to the rules, especially when it's required. Again, I would probably seek the advice of counsel, but I definitely know there are exceptions to the rule.

So the question is the degree to which you're liable, I guess, for a third party or a design agency? Oh, the agency's responsibility. I guess you would have to have an agreement with the client itself.
I know we have a lot of clients of ours who work with an agency, and they've been working heavily on GDPR right now, so I know that they're not maybe liable for, say, introducing the topic, but that would probably be on the customer side, but it's the customer's obligation to, of course, be GDPR compliant, but should, I guess, there be a sort of liability or an issue that arises because of the development or design, then maybe that would probably fall upon you, but that's at least my understanding. So the back. You know, when it comes to Canadian law, I probably wouldn't know too much. Sorry, but the question, again, was if a company had provided explicit consent, I guess consent before him in a contract, would it apply? I would assume if it's in a contract of some sort and they've made signatures, I would assume it would apply, but, again, probably ask your lawyer about that.

Please, in the back, go ahead. I'm sorry, can you repeat that? I'm sorry, I missed the last part. So the question is, does GDPR affect the simple use of Google Analytics? I would believe it does. I think Google at least has their own rules and I know they have certain ways of extracting that data, but it does have to do with that personal, person-specific data, so I think it would be, again, a question you'd ask your attorney. Please, go ahead, sir. It's a responsibility for both of you. So the question is, sorry? Right. So the question was, if you have an agreement or if you're taking Google Analytics data and you have Google Analytics built into your website, are you responsible for that? And so, in part, yes, I would assume partially because the user is visiting your website and I know at least Google has some agreements to handle that, so both of you, I believe, would be, both Google and yourself would be both liable in that sense. I would assume so, yes. I mean, it's best.
I know right now they're probably not going to go crazy on it, but yes, I mean, they should be compliant and I'm sure they are. Yes, in the back. So the question was, is it obligatory to have a privacy policy for, I'll say, a new WordPress installation? I would say that you should have a privacy policy if you're storing data or if you're taking in client data. If you're not doing anything and you just have a blog and you don't have any comments or a commenting system or anything like that, then I don't think it would be necessary because you're not taking in any data. But if you are storing EU citizens' data or really any data, then you should probably have some sort of privacy policy on your site. I think that's it. Thank you all for coming.