So thank you everyone for coming. It's great to see so many faces, so many old faces and new ones as well. So as Mario said, I'm going to talk to you about one specific, very niche aspect of GDPR, which is your privacy notices, and I have to say I must have been psychic when I put this talk application through, because I've never had something become so timely in the week of the talk that I was going to give it about. So as Mario said, I'm Heather, and I haven't had a very good time of it lately. This is the beach I'm going to sit on when this is all done. But all things considered, I have been having a much better week than this guy. Did anyone watch the Zuck show the other day? I had snacks; I ate them all. I almost got Gabor to deliver me some more snacks in Glasgow from Manchester. And I said this at my talk yesterday and I'm going to say this again: I would like to thank Mark Zuckerberg from the bottom of my heart, and I mean that, because I have been writing and speaking and cajoling and begging for years to try to get people to think more proactively about privacy, online, offline and in businesses, and he's come along and done the best possible introduction to this talk I could ever have hoped for.

So if you watched the Zuck show the other day, one of the things he said to Congress was: "Long privacy policies are very confusing, and if you make it long and spell out all the detail, then you're probably going to reduce the percent of people who read it and make it accessible to them. So one of the things we've struggled with is to make something that is as simple as possible so people can understand it, as well as giving them controls in line in the product in the context of when they're trying to actually use them, taking into account that we don't expect that most people will want to go through and read a full legal document." Mark Zuckerberg there. So funnily enough, that's what I'm actually going to talk to you about today.
It's about the way that your privacy policies are about to change, big time, and what you need to do to make that happen. So let's talk about what is changing and why. Well, the fundamentals of why we need privacy policies don't change. Under European data protection law, which we have lived with since 1995, one of the basic principles is the right to be informed: the right to be informed about what is being done with your data, how, why, and what your rights over it are. We've had these rights, as I said, since 1995 in the original European data protection legislation, which is the Data Protection Directive. We know it in the UK as the Data Protection Act of 1998. That was the piece of legislation that enacted it into our domestic law. So any time in the past 20 years someone has said to you "Data Protection Act", for better or for worse, that's what they've been referring to.

Now, as you all know from the excellent talk yesterday, we are in the middle of an overhaul and modernization of that European Data Protection Directive, which is called GDPR, and that becomes enforceable on the 25th of May, also known as the Speaker's Dinner for WordCamp Belfast. So the right to be informed stays with us. That doesn't change. What does change is what you need to be informed about and how you need to be informed about it.

So why do we need this change? Well, if you were watching the Zuck show the other day, one of the senators got a little testy with him (they all got a little testy), but he said, "Your user agreement sucks. The purpose of the user agreement is to cover Facebook's rear end, not to inform Facebook's users of their rights." And he was saying that like it was news. But to those of us who live and work with these issues, all of us were watching that going, that's how it's always been. And there's a reason for that.
As you all know, for better or for worse, the bulk of digital and tech, whether it's software, social media platforms, anything, has been built or is based in the United States. And the United States does not have a culture of either cultural or legal recognition for privacy, at least not like we have it over here. I'm doing an entire conference talk in a month just on these cultural differences. But what you need to know about that is that the US domination of tech meant that privacy was seen as a contractual matter, not a cultural one. It wasn't a matter of your fundamental human rights. It was a matter of your user agreement with the company. So that's why we have had privacy policies that were a bunch of contractual gibberish in the footer written by a lawyer. That is actually exactly what they are. They're contracts about your behavior towards the company. But that isn't what privacy is supposed to be about. The focus is not supposed to be, to quote Senator Kennedy, the company's rear end.

So that is why we have GDPR changing that fundamental understanding. GDPR reshapes, redefines and refreshes those privacy notices. The focus is now the data subject. That means the person that the data is about, and their rights over it. The focus is no longer the company's rear end. No more privacy policies that are contractual gibberish about your obligations to the company merely by using their website, much less giving them your data. The entire relationship is being inverted. The privacy policy, the privacy notice, is now about the company's obligations to you.

So who needs a GDPR-style privacy notice? You do. GDPR, remember, applies to all sites, apps, organizations, companies, businesses, services which are collecting or processing personal data within Europe. But it also applies to all of those same things which are collecting or processing personal data about Europeans. And again, this is not new.
If you are not in the European Union, but you serve customers in the European Union, even if all you're doing is data, even if a single cent is never exchanged, you are still beholden to these European privacy rules. And the big question everyone always asks is, what happens after you-know-what? We are staying in GDPR after that thing. We're not going to talk about it because there is a code of conduct for speakers' language. So if you think you don't have to do this stuff anymore because of that thing we're not going to talk about, you're wrong. You have to keep doing this for as long as you plan to serve European users or customers, regardless of what happens after that thing.

So in all the years that I have been supporting businesses and agencies and even just everyday clients on digital regulation matters, the one question they have always asked me is, where can I get a template for the privacy policy? No, you can't get a template. In fact, I've always used this question as a sort of shibboleth to understand the sort of person I'm dealing with, because if you are asking for a privacy policy template, what it tells me is you don't understand this at all. I'm aware of one plugin company, some of them are in the room, that deliberately put a spelling error in their privacy policy to see how many other plugin developers copied and pasted it. And you can understand why they did that. It was sort of proof of what a joke the old-style privacy notices have been: that all you had to do was copy-pasta some legal gibberish, search and replace your name, and think that you were legally compliant. Those days are over. You actually have to think about this stuff now. Privacy notices become an open, transparent, accountable dialogue between you and your users about what data you're collecting, why you're collecting it, how you're collecting it, what you're doing with it, how you protect it, where you store it, and what their rights over it are.
So the first step in your privacy notice process has to be not being afraid of that. That sounds a little intimidating, I know. But you have to approach this as a positive exercise. It's an opportunity to refresh your practices, to renew the ways you deal with your customers, and to recommit to serving them on a much more open, transparent, and yes, ethical level. The days of privacy policies where the small print committed you to every misuse of your data under the sun, as we have seen in the past week with Cambridge Analytica and Facebook apps and developer permissions, are over. We can't prevent those things from happening, we can't prevent the misuses and abuses of our data from happening, but we now have something at our back, and that is gonna be the privacy notice that you are held to create.

So how do you actually draft this beast of a privacy notice? How do you approach it? Well, for me, there are three different aspects that you need to think about: what you say, in other words the content; how you say it, in other words the voice you use; and how you display it, in other words the UX and design. And they're all equally important.

So let's start with the first one, which is content. What information should you include? Now remember, the way the European data protection regulation works is that the same rules are applicable to everybody. Whether you are a one-woman business or the largest corporation, the same set of rules applies to you. Obviously, everyone's privacy notices aren't going to be the same. There's some information that you don't need to display because it simply isn't gonna be applicable to you, but regardless of who you are, these are the essential facts you're going to need to have in your privacy notice.

Who you are. I mean, literally. What's your business's name? What's your registered address? Where can you be contacted? Where are you registered? Are you an American company? Are you a European company?
What personal data you collect. We're not gonna go into an entire overview of GDPR and what constitutes personal data and what constitutes sensitive personal data; I've already covered that ad nauseam elsewhere. But you need to list all the personal data you're collecting, as well as what categories of personal data it is. Is this customer data? Is this sensitive data? Is this medical data? Et cetera. What categories.

You need to detail the consent or legal basis you collect it by. Remember, under GDPR you have to have either active opt-in consent or a justifiable legal basis for all the data you hold. "I want the data" is no longer good enough. "We're gonna save all these email addresses because we might want to use them for an email campaign someday." That's not good enough either. You've got to list the reason you're collecting it.

You've got to list who the data is shared with, including third parties, whether that's partners, whether that's third-party service providers, even things like your web hosting. The days of privacy notices saying "we may share your data with carefully selected third parties" are over. You have to actually list them all by name. And what you have to do, ideally, is link to their privacy policy so that that user can see what they're doing with the data you're passing to them. The most famous example is PayPal. They have amended their privacy notice to list the 600 third-party providers they share your data with. Some of that's data security. Some of that is things like, what do they do, the random fraud checks. Some of that is advertising and marketing. The fact that they share data with 600 third parties shocks a lot of people, but that's not new. What's new is that it all comes out into the open.

You have to detail how long you retain that personal data. Again, one of the key principles of GDPR is that you have to create a data retention and deletion schedule for all the data you hold. Minimization should be a big part of that.
Don't collect data you don't need in the first place, so that you don't have to delete it later on. But there's no hard and fast rule. There's no right or wrong. GDPR doesn't tell you how long to keep data, but you have to create and document rules for how long you keep it. So if you are one of the exhibitors downstairs and you're collecting entries for a prize draw, ideally your privacy policy should say, "We will keep all of these business cards you pop into our fish bowl for the purposes of the prize draw and delete them in a month." If you keep all customer data infinitely, that's fine. Something a lot of people get confused about is thinking they have to delete everything. You don't have to throw out the baby with the bathwater. Any information you're required to keep for legal purposes, such as for your taxes and your audits, you can keep that. If a customer asks to have their records deleted, you're allowed to still keep their purchasing records for tax and auditing purposes. If there's a legal concern, such as misuse of your platform, or the police suspect criminal activity, by all means you can keep that. But you need to clarify in your privacy notice generally how long you keep all these categories of data and why, and when the data is deleted. And remember to think of things like your archives and backups as well.

You need to list what consent and user access rights people have over their data. Remember, under GDPR the existing rights are greatly strengthened. The right to data portability, also known as the blog export; we're working on an actual data export for WordPress, which I'll talk about later. The right to be forgotten, which would have your data deleted. Those rights: people need to know what rights they have and how they can invoke them with your organization. And of course, how they can contact you. Just this morning I tweeted how, in Facebook's American privacy notice, the contact address for concerns is postal.
If you have a question about Facebook's privacy notice in America, you have to write to them in the post. That's not right. So what they should have is something, even if it is just an email address. I would strongly recommend you set up a designated email address to deal with privacy and user access related concerns, and list how people can contact you for privacy matters.

Those are the things that all of us are going to be expected to display in our privacy notices if we're collecting or processing European personal data. If your business is larger than that, or as you grow, there are additional pieces of information that users are going to expect to see. One is that if you are doing a project, or offer a product or service, for which you deemed it necessary to carry out a privacy impact assessment, you should say that, that you have that document. Some organizations are even choosing to make their PIAs public as part of their privacy notices. You don't have to display any information that would violate commercial sensitivity, commercial confidence, confidentiality, NDAs, but one of the things that had me stuffing snacks in my mouth watching the Zuck show the other night was that the senators were all complimenting Mark Zuckerberg on his great entrepreneurial spirit as an American, but then they're asking him for his privacy impact assessments. Now think about that. Because of the lack of privacy legislation in the United States, the only thing the United States Congress has to get Zuckerberg on is European privacy law and the documentation he's required to produce for it. That's how important your PIAs are. I could probably do a whole talk just on that.

Another thing you're going to want to detail, if you're a larger, more complicated business, is how you protect your data with your technical and security measures. This goes far beyond the HTTPS padlock icon.
Again, you don't have to disclose any information that would actually jeopardize your security, but maybe people want to know that their data is encrypted at rest and in transit, and that it's stored within the European Union and not sent to a web host in the United States that's never even heard of European data protection law. And that's another big thing: how you protect your international data transfers. Remember that one of the fundamental principles of European data protection law has always been that if you transfer data outside the European Union to a non-EU company or country, they have to certify that they are protecting that European data to European standards. Now, in practice, most of this deals with the United States, who have the Privacy Shield system. So at the very least, you should check to make sure that all the US partners and service providers you're sending data to, either as business partners or cloud storage hosting or even just your social media sharing, are Privacy Shield compliant.

What data breach procedures are in place? We can't ever prevent data breaches. We can do everything that is humanly possible to try to make sure they never happen. And one of the things GDPR requires is that you prepare for them in advance. So the example I used yesterday is that, worst comes to worst, you have a data breach, which could be something like the Yahoo breach, or it could be something like, you may have all seen, the Grindr app leaking patients' HIV status in plain text. When the regulator comes knocking, one of the questions they're gonna have for you is, what data breach procedures did you have in place to prevent that data from leaking in the first place? And if your response to that is "oh...", you then have two problems. You've got the data breach, and the fact that a regulator has you on record saying you weren't prepared for it.

List what third parties you receive data from. What does that mean?
Profiling, automated decision-making and practices. That tends to mean advertising, but it can also mean something like applying for a flat or a loan. Let's not talk about that. And again, if you work in a regulated industry you may be required to display certain information. Certainly in the WordPress Glasgow Meetup we have a lot of people who work in financial services, and that industry is very heavily regulated. So they're required to display all sorts of information over and above the regular privacy notice. So that is what content you need to include in your privacy notices.

Let's talk about what language you should use. This is important: the voice. Use plain English. The days of legalese gibberish are over. No more walls of text that look like contracts. Short paragraphs of plain English. Clear sections; I wanna see lots of headings and tiny short paragraphs. User-centered language. It's no longer about the company's interests and their needs, it's about the user. "Here is how we protect your data. Here is how you can invoke your rights." It's no longer this nonsense about "you agree not to upload viruses to our site" and all that. This is important: if you are developing a service or an app or anything that targets children, you have to write a privacy notice in language that a child can understand. So all of your children and nieces and nephews are gonna get roped into A/B testing. The Tetris app sucks up and leaves an incredible amount of information, and its privacy notice is 400 pages long. And that's legalese text. Another thing to think about is language for vulnerable people. So if you develop a service or a website for people with mental health issues, rough sleepers, people who are asylum seekers, people who may not be accessing a site in the state of mind they should be in, don't exploit them, don't subject them to abuses of their data because they're not in a position to understand the text in front of them.
And this is something we'll really talk about in the UX section, but choices and options. Privacy notices are no longer "here's what we've got, that's your lot, take it or leave it." You have to give people choices, you have to give people granular options over this thing and that thing, and I'll tell you what I mean in the UX section. But it's no longer a contract, remember, it's a dialogue, and dialogues are two-way.

Here's what I don't want to see you using. Hokey language: howdy. Are we gonna go there? We're not gonna go into howdy. Sarcasm or attitude: if you've got a problem with the European data protection legislation, shove it. This is about people's fundamental human rights, it's not about you displaying how wonderfully witty you are. No lies, no matter how much your corporate lawyer might want to throw some in there. No legalese whatsoever. Likewise, no internal jargon, none of your abbreviations; don't assume people know this stuff. No more company-centered language about who you are and how great you are; you are now a servant to your users. No more threatening contract terms: we will do this, you agree to do this, you agree not to do this. It's not a contract anymore. And no more take it or leave it. If you're not willing to serve your users and customers with anything other than a threatening one-way contract, you probably shouldn't be in business.

So we talked about voice. Now let's talk about UX and design. How should you format your notices? They should be layered. You should use lots of just-in-time information, use icons and symbols, think about mobile and responsive design, give people choices and options, and give people unbundled granularity. Now, what did I mean by all that? I'm gonna show you some examples through my outstanding PowerPoint skills. So what do I mean by a layered notice? Something like that, something beyond paragraphs. I am personally a fan of drop-down accordions.
You may personally be a fan of something else, but the clearer you can make each section, the better. So here would be an idea for something like a layered accordion: Who are we? What information do we collect? Why do we collect it? Privacy information shouldn't only reside on one page. Things should be clarified in as many places as is rationally possible throughout a site. So you'll want to think about things like just-in-time notices, like your tooltips. So if I was filling out a subscription form (my name, my Twitter handle, email), maybe I would want a tooltip at the bottom of the form indicating why you're asking me for my email, what you're gonna do with it, and maybe a link to the full privacy policy if I wanted to find out something more.

One of the things that data protection regulators would really love to see you doing, and this is where this honestly becomes exciting to me as a potential design challenge, is the use of icons and symbols. So think about ways that you could develop a visual language for privacy. This is just PowerPoint icons. You could probably do a much better job than I really could, but something like account details, ad preferences, privacy preferences, download my data; that's just some ideas to start. You can't make it simple enough, really.

I want you to think about designing for mobile and responsive. I'm sorry, you can't really see that. On the left, that's a mockup that the Information Commissioner's Office did of an idea for how a privacy notice should display on mobile. Nobody should have to read a legal document on the desktop, much less on mobile, to understand their privacy rights. The one on the right is my actual phone, and that's Twitter's personalization and data settings. So I'm sorry if that's hard to see on the screen, but I've got six options just here, there's more, but at the top I can switch them all off universally. So that's a really good example of really good granular control.
Speaking of granular, that's a really good example of it. It means choices and options for everything in everything. So here's one you might have seen lately: Jetpack. Jetpack just shipped this the other day. So if you go into your Jetpack dashboard, scroll down to the bottom and click on Privacy. It's no longer just a link to Automattic's general privacy policy, it's this: "We are committed to privacy. Read about how Jetpack uses your data", with a link to the policy and what that is to Jetpack Sync. And then the telemetry opt-in: "Send information to help us improve our products." And you can switch it on or off. But did anyone spot the problem with it? It was switched on. Remember, under GDPR these things should be switched off by default. The user must switch them on. So, A for effort.

I usually get a little pushback at this point in a talk, about "I don't want to do that. Well, what happens if I don't want to include a GDPR-compliant privacy notice?" No one's going to hold a gun to your head and make you do that. But as things change, and certainly, again, thank you Mark Zuckerberg for getting people thinking about these issues, I genuinely feel that the absence of a GDPR-compliant privacy notice is going to become an albatross around your neck. At best, it will tell people visiting your site that maybe they shouldn't trust you. At worst, they're going to wonder why you're not disclosing what data you're collecting and why you're collecting it and who you're sharing it with. What are you up to? It's going to cause contractual issues with your suppliers, because remember, we're all pulling each other's socks up now about our privacy and data protection. You can be as compliant as humanly possible, to the hilt, but if you're passing data to some marketing agency that's throwing your users' data everywhere and someone finds this out, they try to raise a complaint and they see that the person you're passing their data to doesn't even have a privacy notice on their website.
The regulator will hold you both equally responsible, and that is how enforcement works. European users can raise a case with their data protection authority; for us in the UK, it's the ICO. They can liaise with the Privacy Shield office in the States if they're not in the US. So you're going to find that the lack of a privacy notice, for whatever rationale you choose not to use one, will ultimately come back to haunt you. So just take the time and do it.

So we have some interesting challenges within the WordPress ecosystem on how to make privacy notices happen for 30% of the open web. And this is something that genuinely kept me up at night, because a WordPress site is a combination of three things: it's core, it's plugins and it's themes. And then it's things like contact forms and social sharing buttons, and no two are alike. So we needed to find a way to allow everyday users, not those of you in the room, just the everyday users using it for their business or their school or their project, to create an honest, open, transparent, accountable privacy notice that reflects all the information that's being collected and passed through active things like contact forms and through things like plugins.

So for the past couple of months I've been participating in a project, which is the GDPR core compliance project, which involves volunteers, Automatticians, Automattic's legal department, just a lot of people who are committed to putting some fixes in to make WordPress a little bit easier to deal with in terms of GDPR. There are four strands to the project. One is privacy standards in core, which is actually pretty, pretty good. There's just a couple of tidy-up things we're working on. Examining the plugin developer guidelines with privacy in mind, I'm going to be, that's this week's homework for me. They're not as strong as they could be.
We've already accomplished something that had been bothering me for years, and I don't know why this took me so long to do it, but as of this week you are no longer able to say that a plugin makes a site legally compliant in anything. Not GDPR, not accessibility, not contracts. You can say that a plugin can help with a compliance process or an aspect of it, but the days of "activate this plugin and you're legally compliant" are finished. So there's 250 plugin developers in the repo who are getting letters this week. Emails. The third strand of the project is creating documentation focused on best practices in online privacy. We have a dedicated website coming as soon as I can humanly finish it, which is pretty interesting when you live in a flat with no internet. And the fourth aspect, which is what we're gonna talk about now, is what I just spoke about, which is: how do you create a privacy notice reflective of all the plugins, because no two sites are alike? So we're creating tools which will allow site administrators to, number one, generate a privacy notice, not a legally gibberish privacy thing, and take that information.

So we have a few Trac tickets for the geeks. The one in bold went in this week. We actually, like, stopped talking and actually put the Trac ticket in place. You don't know about this, but the goal of all that is so developers will have clear plugin guidelines about what's expected of them and what they shouldn't be doing, because you can't pull developers up for doing things that you didn't clarify in the first place. We're gonna give them the ability to add information about a plugin's data flows in the plugin repo, and we hope that as time goes on those tightened privacy standards will just become a normal part of the plugin development framework. And that in turn will allow users to generate a privacy notice out of the box.
So when you start a new WordPress install, you see there's a couple of pages thrown in by default, Home and About, and now it's gonna be Privacy Notice as well. And we're going to allow those users, with the tool, to automatically pull information about data capture and flows from the plugins into a privacy notice draft. But it's not gonna do the job for them. It is still the site administrator's responsibility to manually review the privacy notice, to provide the information that's required of them, and to finally hit publish on their own time. The point is we've done something so that everyday site administrators don't have to become developers or lawyers.

So what I want you to think about, if you develop plugins, is how you in turn can make that job easier for the everyday site user. And it's the same questions you should have been thinking about for your GDPR processes anyway. What personal data is your plugin collecting? Whether that's cookies, whether it's telemetry, whether it's form entries. Why is it allowing the admin to collect that information? Again, the consent or legal basis. If it's just to carry out the contract, it's fine; if it's for something else... And remember, legitimate interest is not the first port of call, it's the last one. Is data passed to third parties? Remember, your social media logins are passing everything to third parties, and I want you to disable them and burn them in a fire. What personal data is stored in the website database, and what data is your plugin passing remotely if you're using a software as a service, if it's a cloud storage? Where is all the information? Data maps are about to become a lot more important than they used to be. What consent mechanisms are provided for users? If you do nothing else, give them consent mechanisms. Give them those sliders to opt in and opt out of telemetry. Ask them when they install the plugin if they want to switch on the telemetry.
Don't have it switched on at the start and make them switch it off. Give people privacy dashboards, give them control panels, give them account settings, give them options. What privacy settings does the plugin admin have, and what privacy settings does the everyday user have? What data is your plugin transferring outside the EU if you're using something like a software as a service or a cloud storage? And what is it causing the end user, I mean the administrator, to pass outside the EU?

So what is my practical advice, having spent a couple of months helping actual digital businesses do these documents? That's a good tip: they are documents, they are living documents. Nothing about GDPR is a checklist or a tick box. This isn't about running through a list and patting yourself on the head on the 25th of May and saying, "Yay, we're compliant." I always tell people there's no such thing as compliance. Compliance is a process, it's a journey, but you're never gonna reach the destination. Believing you're compliant is the quickest way to fall out of it. Review your privacy notices regularly, refresh them regularly. Literally put reminders in your calendar every quarter. Review them, change them. Separate them out from general terms and conditions. You're perfectly welcome to still have a long legal document of things like your conditions of sale. I have genuinely worked with businesses where the client is insisting on keeping a legalese terms and conditions because the client paid a lot of money to a lawyer for it. And if you have to justify that spend, that's fine, but separate it out. This has to be done across teams. You've just seen me explain how it's a matter for UX, legal, marketing, and leadership. Get your leadership on board with this. Ideally, all your GDPR documentation should be signed off by your management, not by your lawyer; by your management, because that makes them accountable. Get real people to test your notices.
They look brilliant on your screen, but rope your friends into reading them. If they can't understand them, if there's something that confuses them or feels a little bit deceptive, your customers are gonna feel the same way too. As I've said, your privacy notices should supplement your user settings, your account options, your dashboards. They should be a repository of information, but those options and choices should be there. And your online notice is a reflection of your offline business. Privacy notices are just one part of GDPR. And this is why it's so important to get it right internally and externally. You can be following all the rules in your business, and you put in one dodgy plugin and it throws it all out of the window. So you need to think more holistically about the way data flows into, through, and out of your business, online and offline.

So where can you learn more? We have a privacy resource blog coming as soon as humanly possible. When in doubt, go with the UK data protection regulator, which is the ICO. They have really good plain English resources on their website. They're there to help. They have a hotline. Call them with your questions. If you want a second opinion from a data protection regulator that will still be within the European Union, which is a really good idea as we look towards the future, my first fallback is the CNIL in France, who publish a lot of English information on their website. My second fallback is always the Data Protection Commissioner in Ireland, and they're important because, remember, all the tech businesses in Europe are headquartered in Ireland, which used to be for tax purposes. But that makes the Data Protection Commissioner of Ireland the de facto privacy regulator for all of Europe. So if you want a second opinion past the ICO, go with the CNIL and go with the DPC.
And what better way to spend a hot summer's day in Europe than my three-hour workshop in Belgrade about designing and developing for data protection and privacy. You have to sign up in advance, just for headcount purposes, and I can pass the link to you later. So I hope... I know everything I've just talked about might seem a little intimidating and overwhelming, but I want you to believe that this just might be the healthiest thing you can do for your business all year. You, for the first time possibly, have to ask about what data you hold, where you hold it, why you hold it, what you're doing with it, how you got it, what consent you got for it, and what rights people have. It's about taking back control. It's about empowering data. It's about preventing wrongs from ever happening in the first place. Don't suck it up. Thank you.
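The Jetpack telemetry toggle the talk criticises (shipped switched on, where GDPR wants it off) and the plugin-developer checklist (what the plugin collects, what consent mechanism it offers, what leaves the site, what is cleaned up) can be shown in a small WordPress plugin. The code below is an added example written for this transcript; it is not Jetpack's, Automattic's or WordPress core's code. The `wcb_` prefix, the option name `wcb_telemetry_opt_in`, the cron hook name `wcb_weekly_telemetry` and the two `example.invalid` URLs are assumptions and placeholders, not real endpoints.

```php
<?php
/*
Plugin Name: Telemetry Opt-In (added example, not Jetpack or WordPress core code)
*/

// Assumed names for this example only: option key and a placeholder endpoint.
define( 'WCB_TELEMETRY_OPTION', 'wcb_telemetry_opt_in' );
define( 'WCB_TELEMETRY_ENDPOINT', 'https://telemetry.example.invalid/v1/ping' ); // placeholder

// Privacy by default: telemetry is off until the administrator actively stores "1".
// A missing option (fresh install) reads as "0", so nothing is ever sent by default.
function wcb_telemetry_enabled() {
    return '1' === get_option( WCB_TELEMETRY_OPTION, '0' );
}

// Only the two values "0" and "1" can ever be stored. When the checkbox is left
// unchecked the form submits no value at all, which this sanitizer turns into "0".
function wcb_sanitize_telemetry_opt_in( $value ) {
    return ( '1' === (string) $value ) ? '1' : '0';
}

add_action( 'admin_init', function () {
    register_setting(
        'wcb_privacy',
        WCB_TELEMETRY_OPTION,
        array(
            'type'              => 'string',
            'default'           => '0',
            'sanitize_callback' => 'wcb_sanitize_telemetry_opt_in',
        )
    );
    add_settings_section( 'wcb_privacy_main', 'Privacy', '__return_null', 'wcb_privacy' );
    add_settings_field(
        WCB_TELEMETRY_OPTION,
        'Usage statistics',
        'wcb_telemetry_field_html',
        'wcb_privacy',
        'wcb_privacy_main'
    );
} );

// The control is rendered unchecked unless the stored value is "1", and the
// just-in-time notice beside it says exactly what is sent and links to the full notice.
function wcb_telemetry_field_html() {
    printf(
        '<label><input type="checkbox" name="%1$s" value="1" %2$s /> %3$s</label>
         <p class="description">%4$s <a href="%5$s">%6$s</a></p>',
        esc_attr( WCB_TELEMETRY_OPTION ),
        checked( wcb_telemetry_enabled(), true, false ),
        esc_html__( 'Yes, send usage statistics to help improve this plugin.', 'wcb' ),
        esc_html__( 'We send the WordPress version and the number of active plugins. No names, emails or IP addresses are collected.', 'wcb' ),
        esc_url( 'https://example.invalid/privacy-notice' ), // placeholder link to the site's notice
        esc_html__( 'Read the full privacy notice.', 'wcb' )
    );
}

add_action( 'admin_menu', function () {
    add_options_page( 'Privacy', 'Privacy', 'manage_options', 'wcb_privacy', 'wcb_privacy_page_html' );
} );

function wcb_privacy_page_html() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="wrap"><h1>Privacy</h1><form method="post" action="options.php">';
    settings_fields( 'wcb_privacy' );
    do_settings_sections( 'wcb_privacy' );
    submit_button();
    echo '</form></div>';
}

// Data minimisation: the payload is limited to the two facts the notice promises.
function wcb_build_telemetry_payload() {
    return array(
        'wp_version'     => get_bloginfo( 'version' ),
        'active_plugins' => count( (array) get_option( 'active_plugins', array() ) ),
    );
}

// The only code path that contacts the remote endpoint sits behind the opt-in check.
// Returns true when a report was sent, false when the default (opted-out) path ran.
function wcb_maybe_send_telemetry() {
    if ( ! wcb_telemetry_enabled() ) {
        return false;
    }
    wp_remote_post( WCB_TELEMETRY_ENDPOINT, array(
        'timeout' => 5,
        'headers' => array( 'Content-Type' => 'application/json' ),
        'body'    => wp_json_encode( wcb_build_telemetry_payload() ),
    ) );
    return true;
}
add_action( 'wcb_weekly_telemetry', 'wcb_maybe_send_telemetry' ); // assumed cron hook; scheduling not shown

// Retention: the preference is removed when the plugin is uninstalled.
register_uninstall_hook( __FILE__, 'wcb_telemetry_uninstall' );
function wcb_telemetry_uninstall() {
    delete_option( WCB_TELEMETRY_OPTION );
}
```

Two design points matter more than the rest. The default lives in one place (`wcb_telemetry_enabled()` treats an absent option as "0"), so a fresh install behaves like Jetpack's toggle should have and the sender cannot be reached without a stored "1". And the sanitizer, not the checkbox, decides what gets stored: an unchecked box submits nothing, which `options.php` hands to the sanitizer as an empty value, so it is written back as "0" rather than silently left at whatever was there before.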