How many of you are excited for GDPR? So today we're going to be talking about GDPR, continued preparations and compliance. And I'm going to be offering you some security tips as to what you can do for GDPR.

I want to begin by introducing myself. My name is Sam Jadalee. I am the CEO of Host Duplex. We are a managed WordPress hosting provider. I myself have been in the hosting industry for about 20 years. I started my first hosting company when I was about 13, and a couple more in high school and in college. I'm also the director of IT operations at Mandala. We are a cryptocurrency exchange, and I mainly perform the security operations for them, protecting our assets and thwarting any attacks. Excuse me. My passions include educating our clients on security. I'm very passionate about data privacy, obviously, which is why I'm here with you today. And I am a huge college football fan, especially the Big Ten conference. I went to the University of Iowa, and I am a huge WordCamp enthusiast.

Now I wanted to preface this presentation by stating I'm not a lawyer. My guidance or advice is only to allow you to become familiar with GDPR and the regulations, especially as they pertain to your needs. I highly recommend seeking the advice of counsel should you have any specific questions.

Now I wanted to begin this presentation with a quote that comes straight from the official EU GDPR website. And that quote is that GDPR represents the biggest shakeup of data protection in over 20 years. Now you may ask, what is GDPR, or what does it even stand for? So GDPR stands for the General Data Protection Regulation. And its objective is to give citizens back control over their data.

Now believe it or not, you are actually under surveillance right now. Your cell phone that's in your pocket is tracking your every move. The apps that are installed on your phone know where you are. Your supermarket loyalty card lets companies know your age, your sex; they can even estimate your beard length.
And they'll know your favorite items before you realize they are your favorite items. GDPR aims to address these issues, or at least make you aware of them. And while this is an EU law affecting EU citizens, my hope is that other countries enact similar laws, perhaps ones that are a little bit more refined.

Now how many of you have heard of MoviePass? Good, quite a few of you. So for those of you that don't know, MoviePass is a movie subscription service. It's $10 a month and you can see however many movies you want. Now the CEO of MoviePass was recently speaking in front of a Hollywood audience. This was about a few months back. And he was essentially bragging about their data collection practices. And he was telling the people in the audience that they track users for up to three hours before and after they have left the theater. And I would assume this is probably for some sort of location-based marketing. Now companies like MoviePass are taking our data and they're creating a data profile of us. And the problem was that the CEO hadn't explicitly told us until he got in front of that audience. And this is where a law like GDPR comes in, and it allows for transparency. Now imagine if that data got into the wrong hands.

How many of you have heard about Ashley Madison? So for those of you that don't know, Ashley Madison is an online dating service that offers an apparent escape from the banalities of marriage. And it's marketed primarily towards married individuals, and their company motto is, hey, life's short, have an affair. So about two summers ago, Ashley Madison was informed by a group of hackers known as the Impact Team. And they told the CEO that if you don't take down your site within 30 days, we are going to release the data of all your users. And a couple months go by, and the CEO, I guess, just didn't believe it or he didn't really care. And two months go by and the hacking group releases the data for 36 million users.
Now immediately after the hack, social networks and the media were overloaded with these pejorative overtones, which essentially came from the unfaithful users of the website, who happened to be mostly men. And others considered these hackers to be these benevolent donors to society. But at the end of the day, this one data leak upended the lives of hundreds of thousands of people, if not millions. And my takeaway here is that these examples don't apply just to sites like Ashley Madison. It applies to your profile on Facebook, your purchase habits at the grocery store, at hospitals, at credit bureaus, at banks. And my point is that privacy and data privacy should be a fundamental right that we as individuals have.

Now a recent study showed that three out of four EU citizens don't feel in control of their data. In fact, 90% of EU citizens are concerned about data collection without their consent. And this clearly is affecting e-commerce. This study is from a few years back, and they were saying that 35% of people had payment security concerns and 29% had privacy concerns. And I would assume by now, especially with all these ubiquitous hacks, that these concerns are probably only rising.

Now this really begs the question: how are we going to grow an economy if we don't have trust? Well, GDPR's other goals include strengthening individual rights when it comes to data privacy. And its goals are to unify data protections and facilitate the flow of personal data.

Now GDPR comes with some really steep fines for those people who are non-compliant. It is 20 million euros or 4% of your annual revenue, whichever is greater. The law itself is 261 pages. It's quite long; it's 99 sections long. It's very obscure, it's vague. And while I definitely wouldn't say it's the perfect law, in my opinion I think it's at least a step in the right direction.

Now you may say, Sam, what does this have to do with us? You keep saying EU, EU. Well, the EU is taking the lead on data privacy.
And they are able to assert this law over us with something called long arm jurisdiction, or extraterritoriality. This is where a local court can assert jurisdiction over someone in another state, or in this case, from the EU to other countries and companies who process the data of EU citizens. So essentially it applies everywhere, to anyone who processes the data of EU citizens.

Now you're gonna say, Sam, well, I don't have any EU clients. Well, it may actually not matter, because you don't need to have EU clients. You could be storing this data by means of a contact form, a mailing list, comments, live chat. So again, they don't have to be your clients and you could still be affected.

And some of the personal information that would be affected or included in that is your name. If they send their name to you, their address, obviously their social security number or their national identity number. Also genetic information. Anything that can be tied back to the user. And that includes race, ethnic origin, other health data, location data, the metadata from photos on your phone, IP address; all of that can be considered personal data.

Now GDPR includes eight data subject rights. I'm gonna share with you some of the ones I think are at least the most important. The first one is the right to access. Now the right to access states that we must provide access to an EU citizen's personal data. It's really similar to how you would obtain your own credit report. It states that no fees should be requested when exercising this right, and a company has 30 days to comply.

Next is the right to be informed. Individuals have the right to be informed about the collection and use of their personal data. It is the what, the why and the how. How is their data being processed and why is it being processed? It is also about providing people with clear and concise information about what you are doing with their data.
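The following Python sketch is an added example, not part of the talk and not from any WordPress plugin, showing what the right to access and the rights the talk lists next (explicit consent, portability, erasure) look like in code: a sign-up form whose consent box only counts when it was actually ticked, an export of everything held on a subject in JSON and CSV at no fee, and erasure, each with the 30-day response date computed from the day the request arrived. The `PersonalDataStore`, its field names and the form key `newsletter` are assumptions for this example.

```python
import csv
import io
import json
from dataclasses import dataclass, field, asdict
from datetime import date, timedelta
from typing import Optional

RESPONSE_DAYS = 30  # the response window the talk gives for access and erasure requests


@dataclass
class Subject:
    """One data subject's record. The field names are assumptions for this example."""
    email: str
    name: str
    newsletter_consent: bool = False           # the default is always "no"
    consent_recorded_on: Optional[str] = None  # ISO date on which the box was ticked
    purposes: list = field(default_factory=list)


def explicit_consent(form: dict, box: str = "newsletter") -> bool:
    """Return True only when the user actually ticked the box.

    A browser submits a ticked checkbox as the value "on"; a missing key, an
    empty value or some other pre-filled string is treated as no consent, so
    a pre-ticked box or implied consent can never register as an opt-in.
    """
    return form.get(box) == "on"


def respond_by(received: str) -> str:
    """Last day on which a request received on `received` (ISO date) can be answered."""
    return (date.fromisoformat(received) + timedelta(days=RESPONSE_DAYS)).isoformat()


class PersonalDataStore:
    """In-memory stand-in for the site's user table (hypothetical)."""

    def __init__(self) -> None:
        self._subjects: dict = {}

    def register(self, form: dict, today: str) -> Subject:
        """Store a sign-up form submission; `today` is an ISO date string."""
        consent = explicit_consent(form)
        subj = Subject(
            email=form["email"].strip().lower(),
            name=form["name"].strip(),
            newsletter_consent=consent,
            consent_recorded_on=today if consent else None,
            purposes=["account"] + (["newsletter"] if consent else []),
        )
        self._subjects[subj.email] = subj
        return subj

    def access_request(self, email: str, received: str) -> Optional[dict]:
        """Right to access and right to data portability.

        Hands back everything held on the subject in two machine-readable
        formats (JSON and CSV), free of charge, together with the date by
        which the request must be answered.
        """
        subj = self._subjects.get(email.strip().lower())
        if subj is None:
            return None
        record = asdict(subj)
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(record), lineterminator="\n")
        writer.writeheader()
        writer.writerow({k: ";".join(v) if isinstance(v, list) else v
                         for k, v in record.items()})
        return {
            "json": json.dumps(record, sort_keys=True),
            "csv": buf.getvalue(),
            "respond_by": respond_by(received),
            "fee": 0,
        }

    def erasure_request(self, email: str, received: str) -> dict:
        """Right to be forgotten: delete the record outright and report the
        deadline by which the request had to be honoured."""
        erased = self._subjects.pop(email.strip().lower(), None) is not None
        return {"erased": erased, "respond_by": respond_by(received)}

    def has(self, email: str) -> bool:
        return email.strip().lower() in self._subjects
```

The point of `explicit_consent` is that the server, not the form markup, decides what counts as consent: whatever the HTML looked like, only a box the browser reports as ticked is recorded, and the date it was ticked is kept so you can later show when and for which purpose consent was given.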
All the information you give them must be easily accessible, it must be easy to understand, it must be intelligible, and it must be free of charge. And the next important thing is that they must give explicit consent. There can be no room for misinterpretation. So this essentially nullifies implied consent. So you can no longer have that pre-filled checkbox on your sign-up forms that says, yes, sign me up for my newsletter. The user has to explicitly check that box for themselves.

And next is the right to data portability. This is the right where individuals are able to download their data and take it elsewhere if they need to. And they must be able to download it in a machine-readable format. That can be a CSV file, an Excel file, a JSON file, but it cannot be something like, you can't mail them letters of their pieces of documents. It has to be in a machine-readable format.

Next, and most importantly, is the right to be forgotten. So users must be able to request the erasure of their data, and you must comply with that in 30 days. It can be verbal or it can be in writing.

Now, how can you prepare for GDPR? Number one, you could perform a privacy impact assessment. That's where you can see the what, the why and the how. What are you storing? Why are you storing it, and how are you storing it? Where do you hold your data? Is it locally? Is it in the cloud? Is it at your hosting provider? And what third-party providers are you using? Is it MailChimp, iContact, SendGrid, what have you? So make sure you look into all those. And also, perform a security audit. I'm gonna share some tips with you on security here in a moment, but if you perform a security audit, you can at least see what you're storing. And lastly, update your privacy policy, notify your clients, let them know of the changes that you have made.

Now, security tips. This one is pretty obvious. Number one, enable encryption.
Add an SSL certificate to your site if you have not already, because if you're storing personal data, you at least want to make sure the transmission of that data between the client and your server is encrypted. And most hosting providers now, a lot of them, offer SSL certificates for free. If not, it's usually a minimal fee. And an easy way you can enable that is with a plugin called Really Simple SSL. It makes it super simple. It automatically changes all those hard-coded HTTP links to HTTPS and makes it very easy for you.

Another one I see really commonly, all the time, among WordPress agencies, developers, even site administrators: a lot of them will just create a backup file and name it backup.zip, or they'll do wp-config.bak, and they store this right in that public space and they'll forget to delete it. And hackers look for these things, and you won't believe how many people do this. And so if they just type in a URL and add wp-config.bak, they can download all your credentials for your database, your database server, and they can essentially see how your server is configured.

Next, check email headers. You know, my mom, three months ago, she gave me a call and she says, Sam, I got an email from the FBI. I'm like, mom, the FBI is not gonna email you. So make sure you look at where those emails are coming from. Make sure they're from legitimate sources.

Some helpful plugins. Again, Really Simple SSL. Another one is WP Security Audit. It's a great plugin that tells you what an administrator is doing. It logs all their actions. You can see if someone somehow created a new admin account. It puts this in the database and it can send you an email about it. Excuse me, another one is WP GDPR Compliance and GDPR Both. They integrate with a lot of popular plugins like Contact Form 7, so it helps you become GDPR compliant. A great site to check out, another one, is called Cookie Bot. With Cookie Bot, you could enter your URL.
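As an added example (not the talk's and not from any plugin), this Python script walks a web root and lists the leftover files the talk warns about, such as backup.zip and wp-config.bak, plus similar archive, database-dump, editor-copy and .env names. The pattern list and the constructed sample web root are assumptions. The intended use is to run it against the document root as part of the security audit and then move or delete whatever it reports, since a backup that lives outside the web root cannot be fetched by URL.

```python
import os
import re
import tempfile

# Names that should never be reachable from a public web root. An assumed list
# for this example, seeded with the two names from the talk (backup.zip and
# wp-config.bak); the first matching label wins.
RISKY = {
    "config backup": re.compile(r"^wp-?config(\.php)?(\.(bak|old|orig|save|backup|txt)|~)$", re.I),
    "archive or database dump": re.compile(r"\.(zip|tar|tar\.gz|tgz|7z|sql|sql\.gz)$", re.I),
    "editor or backup copy": re.compile(r"\.(bak|old|orig|save|swp)$", re.I),
    "environment file": re.compile(r"^\.env(\..+)?$", re.I),
}


def classify(filename: str):
    """Return the risk label for a file name, or None if it looks harmless."""
    for label, pattern in RISKY.items():
        if pattern.search(filename):
            return label
    return None


def scan_webroot(root: str) -> list:
    """Walk a web root and list (relative path, label) for every risky file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            label = classify(name)
            if label:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), label))
    return sorted(findings)


def build_sample_root() -> str:
    """Create a constructed web root in a temp dir mixing normal and risky files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php // front controller\n",
        "wp-config.php": "<?php define('DB_NAME', 'placeholder');\n",
        "wp-config.bak": "<?php define('DB_NAME', 'placeholder');\n",  # the leftover from the talk
        "backup.zip": "PK\x03\x04",                                     # a full-site archive
        ".htaccess": "RewriteEngine On\n",
        "wp-content/uploads/db-2018.sql.gz": "",                        # a dump left in uploads
        "wp-content/themes/site/style.css": "body{}\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for rel, label in scan_webroot(sample):
        # anything listed here belongs outside the document root or in the bin
        print(f"{label:26} {rel}")
```

Note that the live wp-config.php is deliberately not reported: it is served through PHP rather than as a download, whereas wp-config.bak or wp-config.php~ has no handler and is returned as plain text by the web server.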
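A second added example for the email-header tip, again not part of the talk: a Python check that compares the From domain with Return-Path and Reply-To and reads the receiving server's Authentication-Results header for SPF and DKIM outcomes. The two sample messages are constructed, using reserved example and test domain names, and the heuristics are assumptions about what a cautious reader would look for; the Authentication-Results line is only meaningful when it was added by your own mail server.

```python
import email
import re
from email.utils import parseaddr


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    _display, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def check_headers(raw_message: str) -> dict:
    """Flag a message whose visible From line is not backed by its other headers.

    Checks that Return-Path and Reply-To (when present) use the From domain,
    that the receiving server recorded spf=pass and dkim=pass, and that the
    DKIM signing domain is the From domain rather than some unrelated sender.
    """
    msg = email.message_from_string(raw_message)
    from_header = msg.get("From", "")
    from_domain = domain_of(from_header)
    display_name = parseaddr(from_header)[0]
    warnings = []

    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            warnings.append(f"{header} domain {other} differs from From domain {from_domain}")

    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", auth, re.I)
    dkim = re.search(r"\bdkim=(\w+)", auth, re.I)
    dkim_domain = re.search(r"header\.d=([\w.-]+)", auth, re.I)
    if not spf or spf.group(1).lower() != "pass":
        warnings.append("SPF did not pass: " + (spf.group(1) if spf else "no result"))
    if not dkim or dkim.group(1).lower() != "pass":
        warnings.append("DKIM did not pass: " + (dkim.group(1) if dkim else "no result"))
    elif dkim_domain and dkim_domain.group(1).lower() != from_domain:
        warnings.append(f"DKIM signed by {dkim_domain.group(1)}, not by {from_domain}")

    # A display name that itself contains an address is easy to misread as the
    # real sender in a mail client that shows only the name.
    if "@" in display_name:
        warnings.append(f"display name contains an address: {display_name!r}")

    return {"from_domain": from_domain, "warnings": warnings, "suspicious": bool(warnings)}


# Constructed sample messages (not real mail); domains use reserved names.
SUSPICIOUS = """\
Return-Path: <bounce@bulk-sender.test>
Received: from mx.bulk-sender.test (mx.bulk-sender.test [192.0.2.10]) by mx.receiver.test
Authentication-Results: mx.receiver.test; spf=fail smtp.mailfrom=bulk-sender.test; dkim=none
From: "FBI Cyber Division" <notice@fbi.example>
Reply-To: replies@bulk-sender.test
To: mom@receiver.test
Subject: Notice

Please review the attached notice.
"""

LEGIT = """\
Return-Path: <newsletter@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.20]) by mx.receiver.test
Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: "Example Newsletter" <newsletter@example.org>
To: mom@receiver.test
Subject: May update

Hello from the newsletter.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        result = check_headers(raw)
        print(label, "->", "suspicious" if result["suspicious"] else "ok")
        for w in result["warnings"]:
            print("   ", w)
```

The first message fails every check: its bounce and reply addresses belong to a different domain than the one shown in From, and the receiving server recorded an SPF failure and no DKIM signature. The second passes them all, which is the pattern you want to see before trusting a sender.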
It'll tell you if your site is GDPR compliant, and if it's not, it gives you a list of vendors that you're connecting with, so that you can also update your privacy policy with those as well.

Now, what to do in the event of a data breach? Number one, contact your host, review your logs, have them look at your logs, have your IT person look at your logs, and also contact all the third parties that you are using if you've ever had a breach, and have a plan of action already in place. GDPR requires that if you've had a data breach, once you've found out about it, you must notify your designated supervising authority within three days.

Now, what are some unexpected consequences of GDPR? There's a lot of talk about this. It's hindering innovation because of all the added work we have to do in going through all these lawyers, and so it's especially affecting a lot of small businesses. It is also blocking the blockchain. The blockchain itself is supposed to be immutable. It's supposed to be unmodifiable. Nobody can change it. And with GDPR, being able to erase that information, obviously, could be a problem. There are also a lot of companies that are denying access to EU visitors. They just don't want to deal with GDPR, so they're just blocking the entire continent. Now, if an EU citizen is here in the US visiting and they still submit their information to you, you're still just as liable. A lot of people are worried about the death of free services because of this law. People are concerned that maybe Facebook may go away or Gmail may go away because of all this, but at the same time, I would think that we also should know what is going on with our data, how it is being processed.

Now, I have a book I want to share with you. It's called Data and Goliath. It's by Bruce Schneier. And if you haven't read this, I highly suggest you do so, because it is very eye-opening, especially to those who are not privy to IT cybersecurity.
And I wanted to give you a few examples from the book and how it, in fact, relates to GDPR. Now, Bruce describes to us the many unknowing ways that we cooperate with surveillance. For example, our supermarket loyalty cards take our purchase data and they provide us discounts; same with Facebook. They take our data and provide us targeted advertisements, and we cooperate with corporate surveillance because it promises us convenience, and we cooperate with government surveillance because it promises us protection. And the result is that we have this mass surveillance society of our own making. And every morning, when you put your cell phone in your pocket, you're making an implicit bargain with the cell phone carrier. You're saying, I want to be able to make and receive phone calls, and in exchange I will allow that company to know where I am at all times. And that bargain isn't specified in any contract, but it's inherent in how the system works. And today, GDPR is changing that.

In summary, I just wanted you to know that this is not just the EU. They are able to apply this law, again, by way of long arm jurisdiction, and even if you don't have any EU clients, you may still be affected. And you must obtain consent. And again, you want to provide that information in a clear and concise manner. And most of all, be prepared; get prepared now so that you're protected. Thank you all for listening. If you have any questions, you can find me on Twitter or email, and I'll also be at the Happiness Bar after this to answer any questions.