Good morning, everybody. So I'm here with you today, obviously, to talk about GDPR compliance: what it is and how it affects you. It's not the most fun topic, but I'm gonna try to make it interesting for you guys.

So I wanted to begin today with a little bit of an introduction about myself. I'm the CEO of host tuplex. I've been in the hosting industry for about 20 years. I started my first hosting company when I was about 13, and a few more along the way. We are a managed WordPress hosting provider. I'm also the chief information officer at Mandala; it's a cryptocurrency exchange. I primarily oversee all the security operations, the audits, and defending and thwarting off any cyber security attacks. I'm also very passionate about data privacy, obviously, with why I'm here with you today, and educating clients on security. I'm a huge college football fan, especially in the Big 10. I went to the University of Iowa. And a big WordCamp enthusiast.

I wanted to preface this session with you today by saying that I'm not a lawyer. My guidance or advice is only to allow you to become more familiar with GDPR and help you understand the concepts that are behind it. However, for the most detailed rules and regulations, I highly recommend seeking the advice of counsel.

Now I want to begin today by sharing a quote that comes straight from the official EU GDPR website, and that says that GDPR represents the biggest shakeup of data protection in over 20 years. Now you may ask, you know, what does GDPR even stand for? So GDPR stands for the General Data Protection Regulation, and its primary objective is to give citizens back control over their data.

Now, believe it or not, you're actually under surveillance right now. Your cell phone that's in your pocket is tracking your every move. The apps that are on your phone know where you are. Your supermarket loyalty card knows, lets companies know about your age, your sex, your purchase habits. They can even estimate your beard length, and they know your favorite items before you
realize they're your favorite items. And GDPR aims to address these issues, or at least make you aware of them. Now, while this is an EU law affecting EU citizens, my hope is that other countries adopt similar laws, perhaps ones that are a little bit more refined.

Now, how many of you have heard of MoviePass? Good, most of you. So for those of you that don't know, MoviePass is a movie subscription service. I think you can see X number of movies per month, I feel like it's constantly changing, for $10 a month. And anyways, the CEO of MoviePass was recently giving a lecture, speaking in front of a Hollywood audience, and this was maybe earlier this summer, and he was essentially bragging about their data collection practices. And he was saying that they're tracking users three hours before and after they had left the movie theater. And, you know, companies like MoviePass, you know, they're taking our data, they're creating a data profile of us, and they're tracking us. And the problem was that the MoviePass CEO, you know, he didn't explicitly disclose to his customers that they were tracking us, or at least not until he was in front of that Hollywood audience. And this is where a law such as GDPR would come in and allows for transparency. It requires that explicit consent.

And, you know, now I want you to imagine what would happen if this data would get into the wrong hands. How many of you have heard of Ashley Madison? Good, most of you as well. So for those of you who don't know, Ashley Madison is an online dating service that offers an apparent escape from the banalities of marriage. It's marketed primarily towards married individuals, and their company motto is, you know, "Life is short. Have an affair." So about two summers ago, Ashley Madison was informed by a group of hackers known as the Impact Team that they had their company members' user data, and the Impact Team essentially said, you know, if you don't take down your website, we're going to release all your users' data. And I think they gave them about 30 days
to comply, and the CEO decided, you know, not to. He didn't believe them, or for whatever reason, he, you know, he didn't take down their website. And lo and behold, two months go by and they release the data of 36 million users. Now, immediately after the attack, social networks and the media were overloaded with these pejorative overtones, which mostly came from the unfaithful users of the website, which we happen to know now were mostly men, and who are also all of a sudden these data privacy activists. And on the other hand, a lot of people consider these hackers to be these benevolent donors to society. And at the end of the day, you know, this one data leak upended the lives of hundreds of thousands, if not millions, of people.

And my takeaway here is that these examples don't apply to sites just like Ashley Madison. It applies to your profile on Facebook, your purchase habits at your grocery store, at hospitals, at your credit bureaus, at banks. And my point is that privacy and data privacy should be a fundamental right that we as individuals have.

A recent study in the EU showed that three out of four EU citizens don't feel in control of their data, and in fact 90% of the EU is concerned about data collection without their consent, which contributed to not shopping online: 35% payment security concerns, 28% trust concerns, and 29% privacy concerns. And with all these ubiquitous data breaches that are occurring every day, this really begs the question, you know, how are we going to grow an economy if we don't have trust?

And continuing on the objectives of GDPR, its goal is to strengthen the individual rights when it comes to data privacy, and to unify data protections and facilitate the flow of personal data.

Now, a little history about GDPR. It was initially proposed back in January of 2012. The regulation went into effect in May of 2016, and it was just enforced a few months back, in May of 2018. Now, there are some really, really steep fines for those that are non-compliant. It's 20 million
euros or 4% of your annual revenue, whichever is greater. The law itself is really quite long and vague. It's 260 pages, 99 sections, and while I definitely wouldn't say it's the perfect law by any means, in my opinion I think it's at least a step in the right direction.

Now, a lot of people are concerned about how this affects WordPress, and I think it may be affecting WordPress only, but in fact it's CMS agnostic. This applies to everything, to every platform there is out there, Shopify, you know, whatever. So please don't run away from WordPress just because of, you know, GDPR.

So you might say, Sam, you keep saying, you know, EU, EU, EU. You know, what does this have to do with us, right? Well, the EU is taking the lead on data privacy, and in fact they are able to assert this over us using something called long-arm jurisdiction, or extraterritoriality. And this is where a local court can assert jurisdiction over someone at another state, or in this case, from the EU to other countries who process the personal data of EU citizens. And so essentially it really applies everywhere, to anyone who is processing the data of any EU citizen.

You may say, you know, Sam, I don't have any EU clients, you know, why does this matter? Well, you may be collecting EU user data and may not even know it, and they don't have to be your client. This can come by way of a contact form, mailing lists, comments on your website, somebody's inserting their email address in there, through live chat beans, obviously if they're a direct client, other CMS and integration systems that you have built into your website.

Now, what counts as personal data? That could be things such as your name, your address, obviously your social security number or national identity number, any type of genetic information. That also includes your race, your ethnic origin, any other health data, your geolocation data, your IP address data. Any type of identifier that can be tracked back to you counts as personal data.

Now I wanted to review the eight data subject rights.
These are the rights that are included in GDPR.

The first one is the right to access. This law states, or this right states, that we must provide access to an EU citizen's personal data. It's really similar to how you would go and obtain your own credit report, and it states that no fees should be requested when you are exercising this right. And when somebody does request this right, you have 30 days to comply.

Next is the right to be informed, which states that individuals have the right to be informed about the collection and the use of their data. It is really the what, the why, and the how. You know, what are you storing, why are you storing it, and how are you storing it? And this right also states that you must provide an individual with clear and concise information about what you are doing with their data. All the information you supply to them should be easily accessible, it must be easy to understand, it must be intelligible, and it must be free of charge.

The next one is a really important one. It's explicit consent. This means that there can be no room for misinterpretation. Everything must be done with clear and affirmative action, and essentially nullifies implied consent or opt-out consent. And in your sign-up forms, your newsletter forms, order forms, you can no longer pre-check that box that says, you know, "please add me to your mailing list." The user themselves have to check that box on their own. They must explicitly consent to doing that. And the right also specifies it must be as easy to withdraw as it is to give consent, so you must have those mechanisms in place.

Next is the right to rectification, and this is essentially just the right for you to have your inaccurate data be rectified or corrected. Similar, you have 30 days to comply as a business owner.

Next is the... oh, sorry, I forgot. As I was traveling to Montreal a month ago, they actually had a law already on their books. They already have a federal law in place as part of their Privacy Act, and I was on the
plane, they gave me a customs form, and it's, you know, right here, it says, you know, the individuals have that right to make corrections of their personal information. So, you know, Canada's already ahead of us here. Stateside, California just passed the California Consumer Privacy Act. Other states are trying to pass similar legislation: Illinois, Colorado I believe has one on the books. So my point being that it's inevitable, you know, so whatever you do, prepare for it now. GDPR has already, you know, set the standard, so it's better that you meet these requirements now.

Next is the right to object. The right to object essentially says that GDPR gives the individuals the right to object to the processing of their data. So say that you don't want a company to be sending your data to a third party or a marketing company, you can actually request that and say, hey, I don't want you to be sending my data anywhere else. And so this right gives you that ability to do so.

Another important one: the right to data portability. It essentially states that you can request your data from a company, and it must be in a machine-readable format. So they must give you all of your data. It can't be something that's mailed to you. It must be in, like, a CSV file, an Excel file, a JSON file, something that you can take to another provider elsewhere if you want to do that. And in fact, WordPress as of version 4.9.6 created additional GDPR tools to allow you to easily export and import or erase a user's personal data, and they've now in fact also allowed you to designate a privacy policy page that can be shown on login and registration pages.

Another is the right to restrict processing. Say that if in fact a customer is contesting data or inaccurate data on your website or on your platform, they have the right to restrict the processing to be sent elsewhere, and that gives them this right.

Another really important one, the one that's probably going to be the most used, is the right to be forgotten, and this allows for the
ability for somebody to request the erasure of all their data from your platform. So if, you know, I come to you and say, hey, I don't want my data on your site anymore, this gives me that right, and you as a business owner have 30 days to comply.

And lastly, it's the right to not be subject to automated processing. So this is like, you know, when you are applying for a credit card, you send in your application, and usually within 60 seconds a computer algorithm is making that decision for you, and it comes back with a result. Well, with this right, it says that, you know, you could have your application processed by a human. It's not going to be done by a computer algorithm.

Now, I want you to remember to keep calm as you're learning all of this and prepare for GDPR, and I wanted to give you a few tips on how you can prepare and do so. Number one, perform a privacy impact assessment. It's essentially the, you know, the what, the why, and the how. What are you storing, how are you storing it, why are you storing it? Look at where you're holding your data. Is it locally, is it on the cloud, is it your hosting provider? What third parties are you using? Are you using Mailchimp, are you using SendGrid, are you using iContact? Performing a security audit will actually give you a lot of these answers. And lastly, you know, update your privacy policy and notify your clients.

Now I want to share with you a few tips on how you can protect your site from any sort of breach. Number one is a really simple one that not only protects you, but it protects your clients. This is involving the transmission of data between you and your clients. So you want to make sure that you have SSL enabled on your website. As of July, I think it was July 1st, Google Chrome started labeling websites as not secure for those that don't have HTTPS enabled. And now there's a plugin that makes it really easy if you're not already using SSL. It's called Really Simple SSL. So first you want to make sure you have an SSL certificate from your
hosting provider or any other certificate authority. Some hosting providers give it to you for free, otherwise, you know, you can get it for a small fee. And after you've got that installed, just install this plugin in your WordPress site and it makes it super simple. It changes all HTTP links to HTTPS.

Another tip, and this helps with a little bit of adding obfuscation: you know, talk to your host, you know, look at keeping your database server separate. This isn't, you know, a guaranteed safety feature, but it just adds another layer of obscurity and can help protect your site.

Another important thing is, you know, look at your wp-config file. Make sure you have restricted permissions on it, because, you know, this file contains all of the important information about your site. It contains your database username, your database password. It essentially offers a layout of how your website is, where it's stored, and how everything is made. So make sure you have the proper permissions on that.

Another one, which I see really often, especially with developers, people themselves, even hosting providers and any sort of administrators: oftentimes they create a backup of somebody's website and they leave that backup file right in the public space of the website, and they'll name it, you know, backup.zip. So, you know, if somebody does that, you know, you might go to my website, say mysite.com, and hackers look for these files. They literally have a bot that searches for mysite.com slash backup.zip. So whatever you do, make sure after you take that backup, make sure you remove it, because it's so common.
Another thing I've seen, I had another client recently I saw who had done this, is they had their wp-config file and they took a backup of it and they named it wpconfig.bak. And when you do that, bots also look for this, and so they can literally download your entire database set of credentials and they can read it in full text. So make sure that you don't do this, or if you do, just at least move it out of that public space.

Next is, you know, protect your wp-admin interface. You know, WordPress itself has a lot of good inherent security features, but this adds another layer of protection. It helps protect you from brute force attacks, so it's a really good thing to add to your website.

Another one is, you know, check your email headers. So if you ever receive, you know, a WordPress password reset request email, even in your own daily life, personal life, you know, make sure that you're checking the email headers. My mom called me three months ago and she's like, "Hey Sam," just like, "I got an email from the FBI." I'm like, "Mom, the FBI is not going to email you." So, you know, make sure that, you know, you check it, make sure it's coming from a legitimate domain.

Next is huge: enable two-factor authentication. So WordPress has, there are some plugins you can use, they have a Google Authenticator plugin. This protects you in the event that your password credentials, your login credentials, are compromised. So there are these breaches happening all the time across all sorts of companies across the globe, and if you have this, this will at least protect you. And what it does is it generates a random code on your phone and you can type that code into your website. There are also some hardware devices like a YubiKey, but both work fairly well. And, you know, please do this for Gmail, Facebook, you know, do this for every website, because it will really, really protect you.
A question I often get is, you know, do my plugins have to be GDPR compliant? And the answer is yes. If that plugin is storing any sort of data, you know, you have to make sure it's GDPR compliant, and it's your responsibility to ensure that that plugin can also export and delete user data if necessary. So if you're unsure, you know, contact your plugin author, make sure that it is compliant.

Some really helpful plugins I wanted to share with you. Again, Really Simple SSL, the one that we discussed. Another one is WP Security Audit. It's a really great plugin that will keep a log of everything that's happened in your wp-admin interface. If somebody creates an admin user, if a bot creates an admin user, if somebody changes a password, it's all stored, and the plugin actually can even keep this data on a separate database server to make sure that it's isolated. There are two other GDPR plugins, and I'm sure there's several more out there now. One's called WP GDPR Compliance and there's another one called GDPR, and some of these actually integrate with, like, Contact Form 7 and several other plugins to make sure that you're GDPR compliant on your contact forms as well.

Now, Cookiebot is a great website. It checks to see the use of your website cookies and ensures that your online tracking is compliant with GDPR, and it's a great tool. So you insert your website. It's not foolproof. I've seen sites that are fully compliant and this says that they're not compliant, but what it does is at least it gives you a breakdown of all the third parties, or at least some of the third parties, you're using. So if you don't catch something, you can actually use this and you can see, hey, I'm using live chat, hey, I'm using, you know, some other third party, and this may give you a list of those vendors that you're using.

Now, what to do in the event of a data breach. Number one, you know, contact your host. Make sure that you download all your logs from them, save them, because oftentimes hosts will
rotate their logs, and depending on the host, they may keep logs for a day, they may keep logs for a week, a month, six months. So you may want to check with them, you may want to check with them after this, actually, and see how long they are keeping the logs. Next, you know, contact your third parties. You know, check with all your third-party vendors, see what they're doing, you know, and notify them if there is a breach. And have a sort of plan of action in place. You know, know what your steps are, know what you're going to do. And should a breach ever occur and you've actually confirmed it, you have to notify your designated supervising authority by the EU, and you have to do that within three days. And those powers, oftentimes they carry out audits on your website, they can issue warnings for non-compliance, and they can issue corrective measures to be followed with certain deadlines. And, you know, they're not going to fine you that, you know, 20 million euros right away. You know, it's obviously for the most severe cases. But they do help, you know, keep things in check, and I'm assuming that slowly over time they're going to be enforcing this more and more.

Now, to recap on the data subject rights, I just wanted to review them with you really quick. Number one, the right to be informed, the right to access, the right to rectification, the right to object, and we also have the right to data portability, the right to restrict processing, the right to be forgotten, and the right to not be subject to automated processing.

Now, there are some unintended consequences when it comes to GDPR. A lot of people are saying, well, it's hindering innovation, you know, they're gonna have to spend a lot more money now on attorneys, you know, spending hundreds of dollars an hour, and it's going to be really hard for startups, for small business owners, now that they have to be compliant with all of this. A lot of people are also, you know, concerned about the blockchain. You
know, the blockchain itself is immutable. It can't be edited. And, you know, people are storing all sorts of data now on the blockchain, and, you know, GDPR's, you know, right to erasure, right to be forgotten, states that, you know, this data must be able to be erased. And so the blockchain obviously has a conflict with that, and so people are concerned about that. Another is, now with GDPR, I've seen companies just completely blocking the entire continent of Europe. They're just denying access. They're like, hey, you know, we don't want any European clients, we're just going to block that. And that is affecting their ad revenues, so there's a lot of things concerned with that. Also, the death of free services. You know, people are concerned, you know, that Gmail is going to go away, or, you know, Yahoo's going to go away, or, you know, all sorts of these things. And so obviously, you know, it's a concern when it comes to data privacy. So there are some things to think about when it comes to that.

Now, I want to share a book with you that I highly recommend. It's called Data and Goliath. It's by Bruce Schneier, and if you haven't read it, I highly suggest you do so, because it is extremely eye-opening, especially to those who may not be privy to IT cyber security. And I wanted to give you a few examples from the book and how it in fact relates to GDPR, and this is actually before GDPR was even enforced. The author, Bruce Schneier, he describes to us, you know, the many unknowing ways that we cooperate with surveillance. You know, for example, you know, like I mentioned before, our supermarket loyalty cards, they take our purchase data and they provide us with discounts. You know, we have free services like Facebook that take our data and provide us with ads. And Schneier says that, you know, we cooperate with corporate surveillance because it promises us convenience, and we cooperate with government surveillance because it promises us protection, and the result is this mass surveillance society of our own making. And that's a
direct quote from the author. Likewise, every morning when you wake up, you put your cell phone in your pocket, you're making an implicit bargain with your cell phone carrier. You're saying, you know, I want to be able to make and receive phone calls, and in exchange, I'm going to let this company know where I am at all times. And while that bargain isn't specified in any contract, it's inherent in how the system works, and GDPR today is changing that.

Now, in summary, my takeaways are that I want you to remember that this is not just the EU. This applies, you know, everywhere. This applies to the US. As long as it's an EU citizen, it applies, and they are able to enforce this with long-arm jurisdiction or extraterritoriality. And even if you don't have any EU clients, you may still be affected. You may still be taking in that data by way of a contact form, comments. And again, when people are submitting their data, you must obtain consent. Make sure that, you know, you don't have that box, you know, pre-checked, and you have to be clear and concise with what you are telling your users, your customers. And again, be prepared. Start now, be prepared now, because this is inevitable. I promise you there's going to be a law coming in the US, so get ready now.

That's it. Thank you all for listening. If you have any questions... Sure, go ahead, sir.

So, um, one of the things I've sort of been doing a lot, I run, um, I run two WooCommerce websites, and obviously those collect cookies to do their work, right? And, um, I've been noticing, as I've been knowing about the web, that a lot of websites have these pop-ups at the bottom of their screens and say, "This website uses cookies. Do you want to accept and continue to be able to use this website?" Right, yes or no. Is that something that, is that a GDPR thing, and is that something that, like, worried about?

It is a GDPR thing. And the question was, you know, a lot of websites now have these banners, should we be doing that as well because of GDPR? And my
answer would be yes. If you are using cookies and you're accepting cookies, it would be advisable to do so. Um, I think you can include, usually in that bar it has a link to your privacy policy, and if people accept, um, you know, if they want, they can view that privacy policy and see where you're, you know, who your third-party integrators are. So I would say it is advisable, you know, if you're doing that. There is a plugin, I know there is, but I'll have to get back to you on the name on that. But I know there are some plugins for that.

Sure. Right. Um, I mean, for your privacy impact assessment, you just kind of want to see, just assess, you know, for your own company, where you're storing your data, what you're doing with it, and then just disclose, you know, that type of information in your privacy policy. Um, is your question related to what if the EU asks you?

Yes, but I'm just kind of like, how far back into the history of my site and my email and my retargeted ads do I need to really explore?

Um, that's a great question. Um, her question, I guess, would be, to restate it, is how far does she have to go back to be, you know, to be safe for any, you know, EU requests. I would say, you know, be current as of right now. You know, make sure that, you know, at least you know who your third parties are, who your vendors are that you're integrating with. Um, you know, you may want to ask an attorney or lawyer about that, but I would say, you know, as of now, you know, that would, you know, be sufficient. If, you know, if you're still storing data at a third party, you know, if you know you are, then, you know, and maybe you're not using them, you know, you want to obviously make sure that, check with that vendor and make sure that all that data is gone and it's erased. Um, but that would be my advice.

Sure, go ahead, sir.

It's a great question. Um, I believe Google has some sort of integrated tools to remove, uh, personal data, um, from their system, that they're basically, you know, GDPR compliant, but
no, I don't think that that's in violation of GDPR, no.

Sure. Right, right, right. Yeah, as long as you identify it's there and disclose it. But, um, right. But, you know, it's not in violation as long as you're disclosing everything in your privacy policy and, you know, to your users that you're doing that, it'll be okay. But, um, right, correct. Yeah, you want to look at all your plugins and any third party that you're using and integrating with via live chat, make sure that they are all, you know, GDPR compliant. And most, you know, large companies like Google, you know, they should already have policies in place for that.

Go ahead.

Sam, so that plugin question about the cookie bar, right, there's one that's just simply called the Cookie Bar.

Easy enough. Thank you.

So it's kind of a two-part question.

Sure.

I had a, when I was pronouncing, we got this notice of GDPR, but can you tell, one part of the question, why would you say first, where do I start? Because I know that they should do a full website assessment, but for somebody...

Right. I mean, it would depend upon the request. You know, say somebody wants to erase their data, um, you know, obviously this would be a good way for them to get started.

Yeah, um, into GDPR for a website market, even told me shut down me...

Right, um, you know, yeah, I mean, they could do that, you know, if they wanted to. I think, you know, similar steps. You know, just perform that assessment. You know, at least that will give them insight to how they're storing their data, what their infrastructure is like. Um, that's probably, I mean, they're going to need to do that. So, you know, if they get that first request, I would think that that's what they should be doing, and then once they do that, they can follow with a step of, you know, erasing the data or restricting the processing, whatever that request is.

It is known, it is very similar. So I know the right to erasure is there, but there's other restrictions in terms of, some of it is not the same. I don't know if there is a right to restrict
processing, but there are similar guidelines. It is very GDPR-like in and of itself.

Sure, go ahead.

There are GDPR templates in websites you can use. I can't remember off the top of my head, but I can google it and we can discuss it after, if you like. But I know there are, maybe he can share something. And for those who are interested in following GDPR, there is an attorney who I highly recommend just following online. She gives great advice. Her name's Lisa Hawke. She's with Everlaw. She's on a podcast, one of the Andreessen Horowitz podcasts, they're a venture capital firm in Silicon Valley. And that's Hawke with an E on the end. She's really great. She's been involved in a lot with GDPR security and compliance.

Please, sir.

So you could be in some other foreign country where it's something that's legal, and they're going to come to trouble to rescue and bring it back to the United States, and now we see the EU doing the same thing. So where do you see this going? I mean, how ridiculous can this get? Because who knows what some other country might pass, and how are they going to keep enforcing this? Like, let's say it's a small country like Finland, I'm just going to make sure, what's your opinion on that? Finland make up a law that could affect everybody like this is affecting? Sure, EU is very powerful, but maybe other...

That's a great question. I would probably leave that up to a lawyer to discuss with you, but, you know, I would say, you know, the law is coming. You know, California's already passed a similar law, so you might as well be prepared when it comes to GDPR. In terms of, you know, the rules on extraterritoriality and long-arm jurisdiction of other countries, I don't know if I'm as well versed in that, but that would be my advice. You know, maybe you want to consult with an attorney on that.

No, please go ahead.

Is there a reason to...

So, um, yes. So, similar, a lot of concern has come from mailing lists. So people who are already enrolled in a mailing list, and
a lot of the advice I've, you know, seen from attorneys and lawyers is that, you know, you can contact them again and ask them to re-opt into your mailing list. So that could be, you know, something you may want to do, or specifically, you know, of your European clients, you may want to do that. Look to see, you know, which ones are in the EU. You can ask them to re-opt in. So, you know, I would say that's the safest bet. You know, it's up to you if you wanted to do that or not.

Sure, go ahead.

Some friends and some of my clients are on third-party platforms. For instance, one of my clients is on a boat selling program associated with M5, I'm not sure, but they are collecting information, okay? Like Amazon and ABB boats and others are collecting information from European customers, versus credit card information, you know, want this and what they're looking for, all kind of stuff. Now, some of that actually gets passed down the screen to my client.

Sure.

So when you get an order from some company through Amazon or other platforms, there's a lot of information that it's been filtering out. You don't get the credit card number, but you might get other information, get their email address, get other information about what they're looking for, comments, et cetera, et cetera. So how liable are we for that, when it's information coming from a major international platform, and what's our responsibility? I mean, they're going to come all the way down the chain and come in to some guy at, you know, Silmar or something?

Right. I would think that you are still liable in some respects. Most of the liability, I would assume, would be on that major international platform that's selling this product.

You know, it would order something from Europe, they're going to send their address, right? Now you've got their name, their address, their email address, maybe some other stuff. You don't have the credit card number, but is that something to be concerned about?

I mean, I would be concerned about it, because, you know, if that individual goes
into that major company and requests their data to be erased they should be contacting that vendor contacting you directly to say okay this user requested that you know you now need to erase it from your platform so I would say you need to have those agreements in place I mean I know it's a headache and that's one of the hurdles with GDPR but yes I would say you know you would be liable in that aspect they say erase from the platform I mean is that a lot of this has been printed out papers there's papers stuff I mean you know not everything's just got a lot like you get an order from Amazon for instance and you know you got to print out shipping labels etc in fact most of us who print out the order the order itself would have a lot of personal information something here right so now what are you supposed to do go back through your files like send them the shredded documents again it's a great question yeah I mean I think um where are we at on that you know I think when it comes to certain things I think you can redact certain elements of your order you know I think it's probably best you know at the same time you know you ask your lawyer when it comes to specific things like this but I know like there's a lot of forums for example where people are discussing things in a thread and a user you know requests their data to be erased but that ruins the entire order you know of what people were discussing and so similar maybe to how you know the orders work people were saying you know they can just erase the strictly the personal information but not the entire thing so they'll redact certain elements of it but when it comes to that yeah I mean I think at the end of the day you still have to you're still responsible for for erasing when it comes to legitimate personal data um so it's it's something you know you you'd want to discuss right right I mean I think it can I mean I think people you know at the end of the day they're going to understand there's going to be you 
know maybe some things but you know I think it's it's also to be determined you know the law is just you know it was enforced you know a few months back I think right now they're going to be you know enforcing this at you know all the major companies and and but it slowly it's going to you know dwindle down to small business owners but I think the total effect of it is is yet to be seen I'm not going to endure and want to see your files in the garage because you've got thousands and thousands of old Amazon orders I mean I don't think they're going to come come that far but right yeah once it's more stateside then you may see more visible entities yeah yeah sure go ahead man so I have you know 7800 email addresses from people who subscribe to my blog it's kind of piggybacking off what you said I'm a little you that think I have a general idea what I need to do like update my privacy problem policy telling people what I collect how I collect sure but you know and I have seen those little cookie things and do I need to add that I feel it's like the smallest things are just so overwhelming right just blogging forgot that it is I mean if you're not accepting any personal data and you're just blogging you don't really have to do anything because I'm taking their email address that's why I have their name in their email right um then if you if you have an email address there if you're taking their email addresses you know just be explicit on that contact form you know you can have a small privacy policy page I would recommend you know and then yeah and just say you know I'm storing your data on you know Mailchimp or whoever you know you're using um you know you're not doesn't sound like you're using any cookies you can use that Cookiebot website it'll tell you if you're if you're using anything um but um I mean I think you're it sounds like you've got it well covered if you're just doing mailing lists well piggybacking off what she said if I go back and you know some of 
these people subscribed to me five six years ago I'll never hear from them you know right because I've gotten those emails from people and I'm like I'm like you know yeah right I've got too many other things going on right I mean no I'm not using Mailchimp I'm using a plugin through WordPress that sends out emails when I post okay yeah yeah we've got just a few more minutes for questions sure go ahead they're talking about exactly what you're talking about and I'm not going to go on the record and say what is it they say but just put your mind a little bit the extraterritoriality and small bloggers because people are out there asking the exact same questions right but just doing a little search the fear of God is yes go to a reputable watch one of these free seminars it's not as scary as that's the argument that's it in the town it's not excellent sure are you seeing a similar thing in the US that's going to maybe conflict with some of these things from Europe and you see any kind of trend going where in California somebody's going to say hey we have our law and we don't really care about your law because we've got our own privacy thing and we're not going to enforce this I mean there could be you know there very well could be state-side legislation that says you know you know you have to keep data for x amount of time and the EU law may say something that you know you have to erase it so there could be some conflicts you know that's you know to be seen but right now I think you know GDPR has set the bar and and it's you know they've taken the lead so it's better to I would say my recommendation would be to follow their guidelines and then you know we can modify them as you know laws here in the US make their ways all right well thank you all for coming I appreciate it