So I'm going to do a quick talk just about this project that we did very recently. I think it started in autumn, I jumped in in January. This was a project to develop a couple of fixes and resources for WordPress Core.

So this was our roadmap. We cannot make WordPress sites compliant, but we can provide site administrators and users with the tools they need to help them bring their sites into healthy compliance. Any given WordPress site is a combination of core and plugins and themes and no two are alike; there's different ways that they're capturing information, processing it and sharing it. And we can't save people from themselves. All we could do was deal with core and also at the same time set a best practice example for others to follow. So we were working towards Friday's deadline of GDPR to that definition, but throughout the journey, we did discover various other issues that are equally important as general privacy principles but didn't necessarily fit into that rubric of GDPR. So we've sort of bookmarked all those issues and held those thoughts that we're now going to start coming back to. So that was our roadmap.

We did have a few constraints for this project. Number one, as I said, we cannot make WordPress sites compliant. We can only deal with a couple of things in core. No tool achieves compliance in and of itself. GDPR is about your business processes. It's about how you work internally, how you collect information, how you process it, how you share it, how you train your staff, how you delete the information. You can't automate that. And no tool removes the user's responsibility for compliance. Everyone wants the magic plugin. Everyone wants to just push a button and say, I'm compliant. That is not how it works. So we were very, very keen to keep it about personal responsibility while giving people the tools they needed so that they didn't have to be developers or lawyers or both. I always tell people there's no such thing as compliance.
There's no such thing as being GDPR compliant. It is only a best practice journey. The quickest way to fall out of compliance is to think you are. It's about how you do things every day, every week, in your month. I encourage people to even put calendar reminders like every three months just renew our processes, look at what we're doing. So we steered away from anything that actually offered compliance even though you kind of had to say, we called it GDPR compliance for lack of a better term.

It was a hard sell because the WordPress project as a whole is allergic to anything legal. It is an international borderless project. So you can't really work to any one set of legal rules or restrictions or constraints. It's also very largely American dominated and a lot of American developers don't want to deal with politics or law in any regard. But the way to sell the project was to sell again about best practice, not about ticking a European box. And to be fair, no open source CMS project has given GDPR or privacy really proper resourcing. They are now. I'm speaking at a Drupal conference next weekend about this project. So we were sort of the least worst. Which is kind of a backhand compliment, but nobody really got on this as they should have, but we did the most. I've just repeated.

So we had four aims to the project. Number one was to add tools to core to facilitate compliance and privacy in general. Number two, add tools for creating a privacy policy. Number three, create some guidelines for plugins on compliance because anything you're doing now really is a retroactive fix. What we want to do is look at how can we better define things so that you don't have to go back and delete that data because it's never captured in the first place. And add some documentation and help for site owners on how to use these tools. Again, we don't want people to be developers or lawyers or both to have to understand this. So we shipped 4.9.6 last week. Yay.
And I know you've all updated because except for Queens, we're apparently running 3.7.1. So she's throwing behind that. I actually only set up one platform with Queens on WordPress and mainly because it was so easy to find it. And I moved jobs. Oh, jobs? Okay. You're all free, Dr. It sounds like you're hearing Tim Dash screaming across the audience.

So when you look in your WordPress dashboard now because you've all updated, you will see a privacy notice tool, a data export tool, and a data eraser tool. So here's the tool to export personal data. So if somebody files a request to see what data you hold about them, this tool will collect all that data in an exportable file. And this is a good example of how we had to sort of wrap our heads around how to do this. You can always export a blog, which is your posts and your pages, but when you're coming to the personal data, we had to build in the hooks so that this tool could get the data. And we had to build in that functionality into core and hopefully plug-ins so that that data could be sent. So it was about building back and forth functionality on the front-end. And again, this is about best practice, giving developers the tools so that this becomes the development standard from now on.

So this is what you'll see. You'll see pending, confirmed, failed, and completed. And we put in that it has to be a request through the administrator through a dashboard to protect against abuse from people saying, I am this person. So it works like a comment. And the same for eraser. So if somebody requests their data to be deleted, this tool will basically do the same thing and remove it from the database.

So remember that the right to be forgotten is not absolute. If somebody requests to have their account deleted and, for example, you have a little commerce shop, you may be required to keep their sales records for seven years for tax purposes. You don't have to delete their sales and purchasing records.
Don't do anything thinking you are complying with this law, which will actually cause you to be in violation of another law, whether that's taxation or otherwise. Another question I got is abuse. If you suspect someone has been misusing systems, abusing users, and they file a right to be forgotten request to try to delete the evidence trail. You don't have to do that.

So this was my baby, my good care final one, the Privacy Notice Tool. One of the requirements of GDPR is the right to be informed. So you have to inform your users of everything you are doing with their data. So this is to kill those awful legally worded nonsense gibberish privacy policies that are the size of a novel. But that's a gift and a challenge because people have to write these on their own now. They can't copy and paste someone else's. They can't download a template. They can't get a lawyer to charge you 2,000 pounds, honest to God, 2,000 pounds for a page of legal gibberish that bears no resemblance to what's happening on the site. So we can't write these privacy notices for people, but what we could do is provide them with number one, the tool to do it, and number two, the prompts so they know what to do.

So we've provided a starter tool for a GDPR-ready privacy notice, and as I said, it's not a template. There's headers and there's prompts and there's a tutorial linked to in the dashboard, but it's just that. We're building in the functionality to feed in info from plugins and themes, for example. So your comment form entries, oh my God, the newest Windows feature update is ready to install. Not now. Because, for example, your comment form entries are stored on the database, but a site administrator might not know that, and that could get them in trouble, as we certainly saw. So, again, we don't want people to have to be developers and go into the gubbins of their sites and find out what's on the database, what's this.
So we want to build it in, so that if a plugin is capturing personal data, that will show up in the privacy notice tool, saying comments are stored here, whatever is stored here. And again, the admin is responsible for publishing this. We only provide the page and the tool and the prompts. The admin still has to write it and hit publish.

So you will see this, privacy policy page. Why did we have a hard time with this text? So we explain what this is for, what you do with it. So check out our guide, is the link to the tutorial that I wrote. That was very hard to find. So that guide will tell you what you need to write and what you need to write it. We have it so you select an existing page or create a new one. Okay, here's my guide for the start of it. So this text template will help you to create the website's privacy policy. And I've had some really good feedback on this that people are finding it very, very helpful that they appreciate that we're not going to do it for them or we're going to tell them what to do.

So yeah, this is a bit of a whole screen chat. So we have a bit of a UX debate about, I mean we know full well that people don't get published with that text in. So we try to put in a tweak or two so they get the hint. So I'm really, really proud of that because we've made it possible for everyone with the WordPress website to provide their users with the clarity and the transparency that they need to trust the site. And we've probably put a lot of lawyers' noses out of joint too, which is worth it.

So the next area of work we focused on was guidelines for plug-ins on privacy. So some great members of the team wrote some good documentation for developers. So that when they're developing a plug-in that they know how to feed in these hooks and functionality for the privacy notice for the data export tool. We're looking at the plug-in guidelines and what they say and don't say. Again, any work being done now is just a fine fix as to whatever's been done.
So this is something we're going to turn our attention to now, keeping in mind that it is a very contentious issue. Some people don't think we should be telling developers how to develop plug-ins and some of us. If you look at them right now, they're very thin on the ground about what they say about various privacy issues. So we're going to take a look at that.

This I am really, really proud of. I work with Mika Epstein on the plug-in review team to get compliance removed from guidelines so that you can no longer say that a plug-in makes your site compliant in anything. Any plug-in that's telling you this will make you GDPR compliant, this will make you cookie law compliant, you can't say that anymore. You can say that the plug-in assists with aspects of the journey as it should. You can say it provides tools and workflows to help parts of it, but you cannot say this will make you compliant.

So Mika did a scrub. The first, I think she got about 1200 plug-ins with the word compliance in them and after she removed all the false positives, she got it down to about 250. One of them has half a million installs. So she's had to be in touch with 250 plug-in developers about changing their descriptions. They're still welcome to keep their plug-ins in the repo, but they're not allowed to say this will make you compliant.

It's not just GDPR and cookies and privacy. I have seen a plug-in that was a bunch of wizards that promised to spit out a watertight business contract for you based on whatever information you put in. The idea that a WordPress plug-in for free that you found in the repo could guarantee your business's legal compliance, who's the idiot who wrote that and who are the idiots who installed it? That's not what plug-ins are meant to do. Somebody else on the compliance team found a plug-in that was offering to make a site ADA compliant, which is the Americans with Disabilities Act, and the plug-in was not ADA compliant.
So I've been ranting on WordCamp stages about this for about eight years, and I'm so glad we've sort of killed the problem at the root.

So the next area we took a look at is documentation and help, which I would be writing right now if I wasn't here with you. We've provided some information for users, information for site administrators, and information for developers, both on things like how to use the hooks and the plug-ins and then more broad things like how to conduct a privacy impact assessment. And Automattic's legal department has started a site called Privacy.log, which is sort of modeled on their transparency report as well, just being a little more clear about how the project and how the product uses data.

So what is next for the project? It's important to remember that GDPR does not mean privacy. So the core group that did the GDPR compliance project is we are continuing as a permitted privacy subgroup. So I think we need to edit this now because there's a new one for privacy as a principle, not as a means of meeting the requirements of one specific law. Small P, privacy as a concept. But this is something I think difficult about and I'm going to continue to be difficult about it because it's worth it. We have to define what privacy means. Privacy can mean many things to many different people. There are legal aspects. There are cultural aspects. So before we just start throwing Trac tickets around, I want us to work on defining what falls under the group of privacy. Is it consent? Is it transparency? And possibly it spans to an open source standard. I've been given the contact addresses of some people in the Drupal community who I'm going to be meeting with next week in the Netherlands to see if maybe we can get this common language going.

And you're welcome to join us. Our office hours are 1500 UTC on Wednesdays in the Making WP Slack. Right now the Slack group is called GDPR compliance.
We're going to change it to privacy in about a fortnight just in case people are confused.

So we have, as of this morning, 91 privacy Trac tickets open. Most of which are bug fixes, some of which are enhancements, and we have two tickets placed in 5.0 out of way to register if you request information or anonymization of the private data, make the export delete functionality available in network whites for super admins. So we have a couple tickets we're going to look at. Those are bug fixes, as to admins and unit tests. There's issues like portal imagery. We are going to continue poking a stick into that behind.

So next up for me, as Abba said, is I'm running a three hour workshop on developing for data protection privacy in Belgrade. As I said, you technically have to register in advance, but if you're there and you're not on the slide, we'll get you in. I want to encourage you to stay in this room after this session for Dave Potter's talk about, it's kind of a privacy by design talk about building and responsible data process workflows so that you don't have to clean up these messes to begin with.

So please use the tools for what they are worth. Please get involved in the privacy core group. We are having some tickets. We are having our first ever WordPress Contributor Day in September. Not as part of our camp, just come by. Thank you very much. Very good.