My first introduction of myself: Herman Maas, technical background, worked in Escobar DBA stuff for seven years as an executive consultant for the most prominent job in my life, with financial decisions at that moment. Three years now on the dark side, online marketing, one of the team leaders of an online marketing agency, E-Tecto. We're in Belgium, we're hiring, so don't think too much. I'm a blogger, I've been a blogger since 2002. Yes, hi, test, test. Okay. So, blogger since 2002. I will give some history about it, because it's also nice to give history lessons about WordPress. You can find me everywhere as @dailybits.

B2, who knows B2? Some people, some people still know B2. It's the core of WordPress. In 2003 I was using B2 as a CMS system for my blog, my first blog. It was Namre.be, Herman, my name, backwards, too complicated, so I switched to dailybits.be, easier to explain to people. B2, I was using it in 2003, a project CMS system, and the project stopped: no development anymore, no bug fixing, nothing anymore. At that moment some guy, Matt Mullenweg, said: I will take the source code of B2 and I will do a fork, a branch, and I will start something new, WordPress. So I was using the core WordPress code at that moment. Afterwards I did the stupid thing that everybody does: I thought I could create a better CMS myself. I think everybody thinks that at one moment in his life as a developer. So I created my own CMS and used it for four, five years. It was kind of stable, it was not secure, it was doing its job. And in 2010 I switched to WordPress, and I'm now running all my websites, I think I have 20 websites, smaller ones, bigger ones, all on WordPress.

So today, GDPR, the most boring talk of the conference today. At every conference it's mandatory that they have a talk about GDPR. HR, technology, web design, digital, everybody needs to talk about GDPR. So we will do it, and after that we stop talking about GDPR today.
I will make it as practical as possible. So I have fun tips for you. I'm sure that with some tips everybody will take their laptop and start digging into Google, because we have big problems in WordPress, I can say that. I have some fails, I have some tips, I have some tricks. It's a little bit chaotic, my presentation, but those are the nice ones.

First, really easy: protect your data. GDPR is the new privacy regulation; it will kick in somewhere in May 2018, in two months. It's about protecting personal data. And for protecting personal data, the first thing you do with a WordPress website is update all the things. I think we all know that, we do that on all our production websites; on our staging and development websites it's another story, I will explain about this one. And I have in my presentation a lot of the sponsors of today. One of the sponsors is Yoast. I use it a lot, because I'm doing a lot of GDPR security audits, and the first thing I do with a WordPress website is go to the source code of the website, because the guys from Yoast are always printing their version number. And that's for me a clear indicator of whether they are updating the plugins on that website or not. If they don't update the Yoast SEO plugin for two years, I know that all the other plugins are also outdated. Big chance of that. Fun stuff with Yoast is that they always have major releases, and then they have bug fix releases on the major releases, and bug fix releases on the bug fix releases. So they have a lot of version numbers, so you can really pinpoint when they are updating their plugins.

I don't know if you know this website, I use it also a lot. It's easy to find the theme and the plugins a website is using. It's also really nice, especially when you use these kinds of services, to see where the security problems come from on a website that's been outdated for two or three years.

Guys from ManageWP, I'm a big fan of it. I've been using it already for many years. It's really my dashboard.
It's my dashboard for all my websites, and also for our clients. We use it a lot because, really, I have 20 WordPress websites, I want to update them all, especially with the safe update option now. So you have a much safer way to update all your plugins. Of course, when you're using this kind of tool, always use two-factor authentication. I think we know that we have to use two-factor authentication on Dropbox, on Gmail, on Facebook, LinkedIn, all the other tools. Also on ManageWP: whenever you have a dashboard with that amount of websites in it, please use two-factor authentication.

While I'm talking about this: who is working as a freelancer or for an agency creating websites for clients? Please raise your hands. A lot of the people here. GDPR is an income stream, really. It's the one moment that now even management is giving budget to security, giving budget to support packs, to support things. So really go to your clients, say the magic word, GDPR, and you can sell them monthly support packs to update their WordPress, to update their plugins, to update the whole website, to secure the website, to run security scans. Make use of it. This is really the moment. I had to give a talk on Thursday to all CEOs, all company owners, and now GDPR is really a topic for them too. And they are now investing in security, in web development; use it for yourself. So you can earn money with GDPR.

So data security, that was just an intro, and now all the fun stuff will come. Data security for losers. Especially when you go to the European website about data protection, I did it yesterday, and you see that even there the HTTPS implementation is broken. So even the website that's talking about data protection, that you have to protect everything, the HTTPS implementation of the form has an insecure endpoint. So basic security, always difficult. I don't know if you know this tweet, maybe some technical guys know the story about this.
It was Trustico, it was a big story on Twitter this week. It's a big company with HTTPS certificates. They had some problems, and then a Twitter user said: hey, they have a form on their website where you can fill in a URL and it will test your website. But you can also give commands, and they will be executed as root on their web server. So whatever you filled in on the form was executed as root on their web server. Within five minutes the website was down. So I think somebody wiped the website or shut it down or something. So basic security, really for you, for losers.

Within WordPress, basic stuff. When you don't do this kind of stuff, yeah, yeah, search for another job or something: remove the admin user, install a security plugin. Wordfence is the plugin I'm always using; I will give a nice example of it. Check your subdomains, that's a big one. Whenever I'm doing audits, the first thing I do is just check subdomains, because big companies, for example, I did an audit of a big international company this week, really a company of, I think, 100,000 employees. And the first thing I found was subdomains. Subdomains indexed within Google, and it was a really nice one: it was remote dot and then the company name. And what could you do on that subdomain? You could create support tickets in their internal support ticketing system. And you could call the specific support guys using that website. So write a script against that website and their whole support ticketing system is flooded with support tickets. So it was not that nice to have it just indexed in Google, where everybody could find it.

Never trust a plugin. That's really the moment, the Monero coin mining stuff. You see it a lot now with outdated plugins. They are sold. Somebody implements a Monero miner into that plugin and releases a new version. Everybody just updates their plugin, and suddenly all the websites are mining Monero coins. So never trust a plugin.
Always do your homework about a new plugin. There's Wordfence. I gave a talk two weeks ago for students in Gent, and after the talk I was driving home and suddenly all those notifications from Wordfence were popping up. So someone in the audience was trying to hack my website, and I was lucky that Wordfence was blocking everything. And the funny thing was, it was really with an IP address from that school that he was doing it. And I think the group was 20 students, and there was one technical student in the whole group. So I sent a small mail to the teacher of this group to say there's a guy doing scans on the websites of all the speakers. It's maybe not that nice.

This is a nice one. Do you know what's in Google? Combell is one of the sponsors here. Whenever you go to Combell for a shared web hosting package, you get a URL on webhosting.be. That's a temporary URL you can use. It's an alias, I think. And mainly staging sites and development sites are still all on the webhosting.be URL. Whenever you go to Google and type in site:webhosting.be, you see we have nearly 200,000 results with that temporary webhosting.be URL. So it's all staging environments, development environments, totally indexed within Google. Duplicate content, as you know, is not that nice, and also staging environments and development environments are never that well secured. It's still with the admin user, outdated plugins, and sometimes they also have a lot of production data on them. So that's really something you have to make sure that you test, that you screen your staging environments and your development environments to check they are not indexed by Google.

This is also a nice one. You can find really, I think, 300,000 CVs in Google from WordPress websites, with this statement: inurl:uploads/gravity_forms filetype:pdf CV. Gravity Forms. Who is using Gravity Forms in the audience? Well, Gravity Forms, a widely used tool.
It's also used on websites to create a form to apply for a job, and you can upload your CV. And what nobody knows is that Google is also indexing all those CVs, all those uploaded documents. So that's really a big problem for GDPR. People are applying for a job at your company on your website, and their personal data, their mobile phone number, their birth date, is suddenly indexed by Google. Make sure that you scan this. Make sure that you scan the uploads folder of Gravity Forms to check it isn't indexed within Google. Small thing, but test it and check it. I found it by doing an audit of a big company in New York, and all the CVs were also indexed. And I can say it was not for junior applications; the CVs were from really high-potential people, and all their personal data was in Google. It was in the US. Luckily I found it, we solved it, because I think it would have been a nice messy thing for that company in New York.

And this is one of the hacks. I also had it with one of our clients. It was with a Drupal website, but it could also happen with a WordPress website, and that was really a fun hack. It was last year in April and it was about the Real Madrid versus Barcelona game at that moment. And it's about illegal livestream feeds. So what they are doing is create PDF documents about all the illegal livestreams they have for that thing. And they upload those documents on high-authority websites during the weekend. Nobody sees that. And those public URLs are pushed into Google, and because the website has that high an authority, the PDF will rank really high when you search for illegal livestream Real Madrid Barcelona on that weekend. And this is the case for a Belgian company, a client of ours, and on one weekend they had nearly 500,000 people coming from Google to that PDF on their web server. The web server went down, I can say. It was a PDF of one megabyte. So it was really big traffic for just a smaller website.
So make sure that uploaded PDFs on your web forms are not indexed or not public and that they can't just be indexed by Google, because this was a really nice example, but it can go wrong.

Opt-ins are for losers. I think opt-ins are something we will see more and more now with GDPR. This kind of stuff: I'm creating a user account somewhere and I see that everything is checked. That's really not the case anymore under GDPR. So don't make everything checked, that you're selling all the data to external companies. No, the user has to check it themselves. They have to give you permission to use their data. Really fun to see that even Manchester United is saying: you must opt in again to continue receiving email from Manchester United. That's two weeks ago. What did they do? They removed their whole database of email addresses from fans, and they have started a new campaign to get the specific opt-ins for all the things they want to do with personal data. That's really a thing I'm not recommending to my clients, I must say. That's a really drastic decision, to just throw away everything you have from your clients and your fans. But yeah, Manchester United, they did a big contest about it and they do a lot for it, as you see, just to now get the right opt-ins.

I get a lot of questions about Brexit and GDPR. I can say that the UK will be, they are almost ready with everything for GDPR; Belgium not. So the UK will take the GDPR law into their own law, and I must say Brexit won't change anything for it. We'll come back later on that topic.

Commercial law, also a really important one, and I think a lot of people in the room will say, huh, not doing that for my clients. You know what's mandatory on every website? For example, you have to have on every website the company address, contact details, and also the company VAT number. I think a lot of the people here in the room are creating websites for their clients without the VAT number of that client visible somewhere on the website.
So make sure that you have that in place. Check it also when you have a WooCommerce webshop in WordPress. Make sure that you have a stupid link to this thing, the online dispute resolution platform. It's a European platform. You are obliged to link from your webshop to this thing. I don't think any consumer in Europe knows about this and will use it, but it's really a law in Europe that you have to link to this platform. So make sure that you have a link somewhere.

We just outsource everything. Also something I hear a lot. We just outsource to Ukraine, Kiev, Belarus, India, whatever. Outsourcing is really easy. But what GDPR does is, GDPR created a big wall around Europe. And Europe is now the perfect garden for all your personal data. That's the theory behind the law. So it's a big wall, and within the garden everything is fine. So you can work together, France, Germany; you can move personal data to those countries, not a problem. But there is a big wall around the garden. There are some specific doors to other countries, the safe countries. And those are Argentina, Israel, Jersey, New Zealand, Switzerland and Uruguay. Those are safe countries for our personal data. So whenever you're moving data to Switzerland, for example, the EU says: OK, that's allowed, because they're doing OK stuff with the privacy of personal data of European citizens. Fun stuff is that all the privacy commissions, this is the British privacy commission on their website, are all linking to the updated list of the safe countries. Of course, the link to the updated list of safe countries doesn't work anymore. The page doesn't exist anymore and they redirect it; they put a redirect to the homepage of the European Commission. You can't find it anymore. So that's really the chaos we have at the moment with GDPR. Even the privacy commissions in Europe can't link to a specific updated document with all the details you need as a consumer or a company.
So that's really a big mess. We see one country missing on this list, I think. We all know that one: the United States. The United States is not a safe country for our privacy. So what did they invent? They invented the Privacy Shield. Privacy Shield is a framework, and every company in the United States that wants to process personal data of European citizens has to apply for that Privacy Shield framework. And there is a website where you can search, and for example Automattic is on that list. So they have applied and they say: we are compliant with all the rules in Europe and we will process personal data from Europe the way Europe says we should. A lot of the startups, a lot of the tools in the United States, don't know shit about Privacy Shield. That's something I'm now discovering with my clients. I'm researching, I'm saying, ah, they use that tool. I ask the guy from that tool: hey, what about Privacy Shield? And they say: Privacy Shield, GDPR, we don't know anything. So we are now seeing, we also have an office in the United States, going to the United States to also give talks about GDPR. Because all the tools in the US don't know anything about GDPR at the moment. And they have to comply. Otherwise they will lose all their European companies, all their European clients.

Integrate all the things. I'm a marketing technologist, so I'm working in a technical marketing team. We are doing integrations with everything. Integrations with all kinds of stuff, tools, HubSpot, MailChimp, Campaign Monitor, whatever CRM system. We're integrating everything. And that's a big problem for GDPR. Because where is my data? And where is the data of our consumers, of the customers? This kind of stuff, integrating WooCommerce with all systems, the CRM system, everywhere. And there is one big problem for GDPR. Because we are integrating data, and the data is distributed everywhere. And then we have the user rights.
So in GDPR, as a consumer, as a citizen in Europe, we will get more and more user rights. We will have the right to see which data you have as a company about me, or to erase the data or rectify the data. And that's a big problem whenever we have this kind of stuff. So imagine that a consumer, a customer, is now asking: hey, which data do you have about me? I want you to remove my personal data. And then the guessing work starts. OK, so it's in WordPress, and then it's distributed to MailChimp. And it's also in the CRM system, and it goes to the ERP. And we are sending his address also to the shipping company. And that's a big problem in GDPR, just knowing which tools, which integrations you're using. And I will come back to that topic later on.

Because giving priority to documentation is now the thing that companies are doing. And that's one of the biggest fails you can make. It's this kind of stuff. I meet companies now, and they really have a full-time guy, and he's documenting everything. And he's writing documents about WordPress, and how it is working, documenting everything. And it's just now a temporary function in the company. And you know what happens with documentation: the moment you stop documenting, the documentation is useless. So we all know that everything will change. For example, we are doing website development, we're creating an application. And for GDPR we are using privacy by design. So we are really thinking about everything, privacy by design, the checkbox maybe needs to be just open, not checked, and blah, blah, blah. So during the first phase of a project we're really complying with all the rules. And the website goes live, and then the shit happens. Because one week after go-live you get an urgent call from the customer, and he says: yeah, there's a bug, you have to fix it. Or there's a feature request, and you are just building it at that moment, and you are not thinking anymore about all the privacy rules.
So all the projects, in the first moments before go-live, they are really OK with all the privacy rules. And after that it's really, yeah, the normal operational stuff: bug fixing, feature requests. Your support team is just doing the thing as fast as possible. And then your documentation is useless after that.

So documentation. I made myself the minimal recommended GDPR documentation for every company. Just some specific things. As a company, just document these things; they are really important. Which sensitive types of personal data do we have? Medical, financial, or are we just a B2B company, with just email addresses? That's a totally different context. So make sure that you know how much sensitive data we have, and yeah, are we really processing sensitive data? And where is the data? Is it distributed? MailChimp, Campaign Monitor, CRM system, Teamleader, whatever, HubSpot, SAP; just make a list in Excel, whatever, with all the integrations, all the tools you are using. And also, who has access to the tools? That's a really important one. Your ex-employee, your agency, an ex-partner who was working with you, an intern that left the company three months ago: do they still have access to all the tools? In which country is our data? Where is the web hosting? Is the web hosting somewhere in Belarus or in India or in South Africa? That's not on the safe country list. So make sure that you know where the web hosting is located. Privacy statement: yeah, every website needs a privacy statement. Don't make a privacy statement of 20 pages, just make a short one. Really clear: these are the rights, we are storing it at that place, and whenever you have questions or problems, this is the way you can contact us. Emergency plan, really important. There's a talk today about getting hacked. It's always fun to say, but it's like that.
You have two types of companies: the companies who are already hacked, and the companies who don't know it yet. Everybody at one moment will get hacked. It's just the way it is. And then we have the last one, the data processing agreements. That's a way between companies to say: hey, I have data, you're processing my data, make sure that you're doing it by the rules, and I trust you with my data. And as a company you will get a lot of requests about this. For us, it's now the case that for a big company we have to hire an internal person just for this, for all the data processing agreements we get. Because it's really incredible, all the big companies now will ask all their freelancers, all the companies, all the parties they are working with. It's just a document in which you say: OK, with the data, I will process it that way. Whenever I get hacked, I will notify you within 24 hours, for example; we won't hire subcontractors without telling you. So it's this kind of document. Whenever you have questions, or if you need a template or an example of it, come talk to me today. For example, MailChimp. When you're using MailChimp it's really an easy one: they have a nice generator. So you can go on the MailChimp website, you can just say: with that account, those are my details, generate, and it will create a data processing agreement. And with that you're already safe, in that you're using data from your clients and storing it on MailChimp. With that document you're saying: OK, we know MailChimp will process the data the way it should be under the GDPR. So this is now the nice task we have to do with a lot of our clients: list all their tools, all their partners, and then search for all the data processing agreements. For example, Combell: we are a big client of Combell, and we are now in talks about the data processing agreement, to sign it before GDPR comes into force.

Everybody is equal. That's also a big fail, because context is everything.
So whenever you're using personal data, there's a big difference between B2B data and sensitive data of consumers. So make sure you know which types of data you're processing with your clients. For example, B2B, a boring B2B company with just a form on their WordPress website: the risk for privacy is really low. But for example, you're creating a WordPress website for a doctor who's doing plastic surgery, and they have a form where you can request everything you want to get fixed on your body. The data of that form is really private. The privacy risk is really big. Whenever that doctor's database comes out into the open, it's a big risk. So you could have a really easy, basic WordPress website with one form, and it will have a big privacy risk. And you could have a website of a multi-billion international company, just B2B, with a low privacy risk. So it's not about small companies or big companies; no, it's the sensitive data you are processing. That's really important to know.

Nice story about CRM systems. So, for example, you're building a CRM system for a client, and it's totally GDPR compliant. It's secure, it's documented, everything is in place. And then the sales guys work with the CRM system. And the sales guys go to their clients, a long-lasting relationship already, and they ask: hey, how is your day today? And the client says: oh, really bad day, I'm in a divorce, and I can't see my children anymore, and I have a new Thai wife, for example. And the sales guy, going back to the office, says: I'm documenting everything in the CRM, because that's really handy. In the next talk I have with the client I won't talk about the kids, about his family life, because that's really a problem for him.
Here you see that a nice GDPR compliant CRM system is now a total mess, because that one sales guy is entering data that, for the privacy of that client, doesn't need to be in the CRM system, company-wide visible. So with privacy you always have to make sure that you really think about the context: do you need that specific data at that moment? Do we, as a B2B company, need to know that that guy is in a divorce, that he can't see his children anymore? No, we don't need to know that. So that's a big problem with sales guys. Whenever I'm talking to sales guys, they say, and yeah, that's always a big shock in their eyes.

Technology is the weakest link. That's also something everybody always thinks: technology is the weakest link. No, that's not true. We are the weakest link in every company, it's just the employees. I have so many stories about it. These are two Belgian examples. Our former minister, Guy Verhofstadt, is now in the European Commission as well. He's leading the Brexit talks, and in November his Twitter profile was an Erdogan supporter Twitter profile. How it happened: it was just with the LinkedIn hack of 2012. His password was still the same on his Twitter account in 2017. So with his old password they just logged into his Twitter and they could just change it. No two-factor authentication, of course. The higher you go in a company, the less security is a priority. And this is just a picture of two Flemish singers. They were standing backstage at our biggest, yeah, the Sportpaleis in Antwerp, the biggest concert hall. They were taking a picture and behind them is the internal wifi system for the backstage. So that evening that system went down, because everybody in the concert hall was using the internal wifi system. Some other things I'm now seeing: a client of ours, two weeks ago, his Gmail account was hacked. He had a Google Drive document with all his passwords on that Gmail account.
So in one week they sent 300,000 emails using his mail platform. They logged into his AdWords account and spent 5,000 euro in one day on fake ads for a fake webshop. They logged into his Facebook account and also spent a couple of thousand euro on fake Facebook ads. They logged into his Twitter account, exported all his connections and sent phishing emails in his name to all his connections. So you can see, it was one guy at a conference in Thailand. It was a big affiliate conference. So you know the guys who are running around over there. I wouldn't trust the public wifi at these kinds of conferences; always use a VPN. So in one day he lost, I think, 20,000 euro, just because his Gmail, his company Gmail, was hacked and he had a document with all the passwords. So that's a good lesson. The weakest link is always the employee, always yourself. Make sure that you're using two-factor authentication, that you have backups in another location. Whenever I see companies with a server still physically located in the company and I ask: what in case there's a big fire? Then we have a problem. These kinds of companies still exist. Make sure that you have an emergency plan for what we will do when shit happens. So that's really important.

I'm here the whole day. Whenever you have questions about this topic, please come to me. Whenever you have really boring questions, just send me an email, because I don't want to talk about boring legal stuff today. So this was the end of my talk. Have a nice day here in Antwerp.

Thank you for your inspiring talk. I have a question for you. You told us a lot about the fails you've seen in companies. We can find them, actually, all ourselves. You handed out some tricks. The instructions, if you didn't put them down, you'd have them on.

Yeah, I will put them on SlideShare and I will tweet it out today.

Okay, you will tweet out the SlideShare with the slides. One question for you.
Will companies be ready for GDPR?

No, not one. For example, also the Belgian government, nothing is in place yet. So we are two months from the deadline and nothing is in place. In the Netherlands, for example, they already have an online data breach form. In Belgium we have a 25-page long protected PDF system. That's really, I think it takes four hours to fill it in. In the Netherlands they have just an online form; in two minutes you can fill it in. The problem in the Netherlands is now that they get 50 data breaches every day, and then they don't have the resources to process all the data breaches. In Belgium they made it that hard that they don't get data breach notifications, so they don't need resources for that. Also companies: big companies are really doing a lot about GDPR, but no company is ready, because there are so many details that are practically not possible. For example, removal. Someone is asking: hey, I want you to remove all my data. For example, you're a B2B company and someone is mailing you: hey, I'm stopping as a client of yours, a customer, we stopped the relationship, and I want you to remove everything about me. All your emails with me, all your documents about me, all your backups, everything. And so as a company you're just removing everything, all your emails and everything, you're cleaning everything. The moment you confirm to that guy, I removed everything, the guy goes to court because he wants to fight with you before a court, and he has all the communications and you don't have anything anymore about communication with that guy. So those are practical things. For example, also: I want you to remove everything in your system, your backups; what about the backups? So you have to create another list with all the contact details of all the people you have to remove when you're restoring a backup. So it's really a mess. It's nice on paper, but practically, you can't do all those small details in the law.
So you really have to just do the things pragmatically, from: OK, security, data protection, privacy by design, but you know that nobody will be ready. And the companies we are seeing that say we are totally ready, I can ask them that many questions that they say, oh no, we forgot that, we forgot that. So yeah, that's a big problem.

Okay, thank you. It's very interesting, oh yeah. Anyone have questions for Herman? No questions? Good. No? I can imagine even PDRs. Oh, thank you man. Not for today. You have to think it over. Okay, thank you very much. Next. Thank you. Thank you.
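The indexing check the speaker recommends for Gravity Forms uploads and staging hosts, as an added example written for this page (it is not part of the talk and not the speaker's code): given a site's robots.txt text and the X-Robots-Tag header each URL came back with, it reports per URL whether Googlebot is blocked from crawling it, told not to index it, or free to index it, and lists the form uploads that are exposed. The robots.txt, the header values, the example.com URLs and the upload paths are constructed sample input, not taken from any real site.

```python
"""Offline check: is a crawler allowed to crawl and index these URLs?

Added example for the talk above, not the speaker's code. All inputs are
constructed; the domain and paths are hypothetical.
"""
import urllib.robotparser
from typing import Dict, List, Optional

# Constructed sample robots.txt (not from any real site). Like a typical
# WordPress default it blocks wp-admin but says nothing about form uploads.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
"""

# Constructed sample responses: URL -> value of the X-Robots-Tag response
# header for that URL (None means the header was absent).
SAMPLE_RESPONSES: Dict[str, Optional[str]] = {
    "https://example.com/wp-content/uploads/gravity_forms/1-abc/2018/02/cv.pdf": None,
    "https://example.com/wp-content/uploads/gravity_forms/1-abc/2018/02/cover-letter.pdf":
        "googlebot: noindex, nofollow",
    "https://example.com/wp-admin/edit.php": None,
    "https://example.com/about/": "index, follow",
}

# Directory the talk's Google query (inurl:uploads/gravity_forms) targets.
UPLOAD_PREFIX = "/wp-content/uploads/gravity_forms/"


def load_robots(robots_txt: str, site: str = "https://example.com") -> urllib.robotparser.RobotFileParser:
    """Parse robots.txt text without fetching anything over the network."""
    rp = urllib.robotparser.RobotFileParser()
    rp.set_url(site + "/robots.txt")
    rp.parse(robots_txt.splitlines())
    return rp


def header_says_noindex(x_robots_tag: Optional[str]) -> bool:
    """True if an X-Robots-Tag value forbids indexing.

    Handles comma-separated directives, the optional 'agent:' prefix form
    ('googlebot: noindex') and 'none', which is shorthand for noindex, nofollow.
    """
    if not x_robots_tag:
        return False
    for token in x_robots_tag.lower().split(","):
        token = token.strip()
        if token.startswith("unavailable_after"):  # has a colon but is not an agent prefix
            continue
        if ":" in token:
            token = token.split(":", 1)[1].strip()
        if token in ("noindex", "none"):
            return True
    return False


def classify(rp: urllib.robotparser.RobotFileParser, url: str,
             x_robots_tag: Optional[str], agent: str = "Googlebot") -> str:
    """Return 'crawl-blocked', 'noindex' or 'indexable' for one URL.

    Order matters: a robots.txt Disallow stops the crawler before it ever sees
    the X-Robots-Tag header, so noindex only takes effect on crawlable URLs.
    A disallowed URL can still be listed (URL only) if other pages link to it.
    """
    if not rp.can_fetch(agent, url):
        return "crawl-blocked"
    if header_says_noindex(x_robots_tag):
        return "noindex"
    return "indexable"


def audit(robots_txt: str, responses: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify every URL in `responses` against the given robots.txt."""
    rp = load_robots(robots_txt)
    return {url: classify(rp, url, tag) for url, tag in responses.items()}


def exposed_form_uploads(results: Dict[str, str]) -> List[str]:
    """The GDPR finding from the talk: form uploads a crawler may index."""
    return sorted(url for url, verdict in results.items()
                  if UPLOAD_PREFIX in url and verdict == "indexable")


if __name__ == "__main__":
    verdicts = audit(SAMPLE_ROBOTS_TXT, SAMPLE_RESPONSES)
    for url, verdict in verdicts.items():
        print(f"{verdict:14} {url}")
    print("exposed form uploads:", exposed_form_uploads(verdicts))
```

The verdicts only say what a well-behaved crawler is allowed to do. A Disallow line stops crawling but not listing, a noindex header is only honoured on URLs the crawler can fetch, and neither stops a person who already has the link. For uploads that must stay private (CVs, medical forms), the check that matters is whether the file is reachable at all without authentication, which a robots or header audit cannot tell you; that is the question to put to the hosting or form setup.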