Okay, how many people here are not interested in GDPR or privacy issues and so on? Well, that's a handful. 8 more hours. 8 more hours. 8 more hours? Oh yes, before tonight. So GDPR is actually supposed to come in today.

So just a self-introduction. I'm Robert. What I do full time is that I'm actually a technical solutions consultant at Attribute Data. Attribute Data is an analytics consultancy firm, but we also get a lot of other requests from clients, like how do we do privacy and stuff like that. On the side, what I do for fun, I do mostly things on WordPress. My own site is a test bed for a lot of different technologies. And I also, like I mentioned, translate for Chinese plugins and themes. My interests are technology and choral singing.

So before I really start on GDPR: I'm not a lawyer, obviously. So this is not legal advice. If you really want legal advice, go and find a lawyer please. So don't get me into your lawsuits if you go and get one.

So GDPR stands for General Data Protection Regulation. It's an EU law that has 20 years of history. It started in 1996 and was finally approved in 2016. And it's enacted today. So there was actually a grace period of two years to deal with all this nonsense. But as humans always do, we delay and procrastinate everything. So what it actually does, simply, is to legalise human rights to personal data. In the past anyone could just use your data and no one could protest. Whereas this regulation gives a lot of legal firepower to people over their own personal data.

And some of you might say that we have the PDPA, which is the Personal Data Protection Act, which was also a thing two years back. Both have the same extraterritorial reach, in the sense that if you are dealing with data of, let's say for the PDPA, if you're dealing with data of Singaporeans and you're based overseas, you're still liable under the PDPA.
For GDPR, if you are dealing with data that belongs to an EU person or EU resident (they don't need to be a citizen; people who stay in the EU), or even EU-based companies, companies with headquarters in the EU, you will be liable under GDPR. The PDPA has a lot of provisions that allow for exceptions which GDPR doesn't have. So let me just go through some of them. If you find me speaking very fast, that's because I have 15 slides in 15 minutes.

So first, it has a limited scope. It doesn't actually apply to all personal data processing activities. Certain government activities allow them to just collect information and you don't know that it's collected. Business contact information that is already out in public is also excluded, or any public information that is out, say maybe on a news network and stuff like that; that is also excluded from the personal data processing activities.

Consent-wise, for Singapore, it's very limited in scope, in the sense that if you see a lot of contests and stuff, you will see things like "tick here and you are liable for marketing materials" and stuff like that. Or sometimes they don't even give you a tick. It's like, by entering this contest, you will receive our marketing activities. GDPR doesn't allow for that.

Any personal data that is remotely relevant to a purpose can be collected in Singapore, meaning that as long as the organisation thinks that piece of information out there is relevant to that activity, even though it's not now, but maybe in the future, you just collect it and keep it. There's no such thing as data minimisation.

Next, the purpose for data collection, although it needs to be appropriate and reasonable, does not need to be specific for deemed consent. Deemed consent means, for the example that I raised earlier, if you enter a contest, there's just a disclaimer to say, hey, you'll be spammed with marketing materials and stuff like that.
You don't need to actually give a purpose for that. You also have limited access to your data in organisations. You can only access up to one year of history of how the organisation processed your data or gave out your data. Say the organisation gave out the data to some other organisation that did some other bad stuff to your data, like two years back; you wouldn't know. Correction-wise, if the company or organisation thinks that they do not need to correct it, they won't correct it at all. Erasure-wise, the PDPA is very limited. It simply states that if the company thinks that it does not need to use the data anymore, it erases it. But we all know that doesn't really happen.

So for GDPR, it's very strict when it comes to data. The relevance for Singapore-based sites or businesses is that if you have any data, if you're interacting with or collecting data from a person or organisation within the EU, you'll be liable for any lawsuits arising from GDPR.

The principles of GDPR: there are six of them in general. Data shall be processed lawfully and fairly in a transparent manner. You have to be upfront about what you're collecting the data for. You have to be very specific about what you're collecting the data for, and probably for how long as well. You can't collect data without explaining what you're using it for, and the purpose has to be very legit. You cannot be nefarious about that. Data processing shall be limited to what is necessary for the purpose. You cannot collect all kinds of data. You need to say that if the data that is required is only your email address and your name, that's it. They shouldn't collect beyond that. They don't want your home address, your phone number and your kids' information, stuff like this. Okay. Sorry about that. Okay. And that's number three. Number four, data shall be accurate and kept up to date and correct.
Well, this one is more towards data processors and controllers. Processors and controllers are basically people that possess your data. Processors can possess data on behalf of controllers, who basically hold your data. Controllers can be processors as well. They have to be accurate. So if you request your data and then say, hey, this data needs to be updated, they have to do that for you. They can't say, oh, it's too costly, therefore I won't do it for you. All right.

Data shall be kept in a form that identifies people for no longer than is necessary. Like I say, you can't keep data on people forever if there's no reason to keep it. So let's say if you run a contest for six months, then within that six months, or after that six-month contest, you should just scrap the entire list of information, unless you have a specific checkbox to say "we would like to receive future marketing materials" and stuff like that. Okay.

You have to take reasonable steps to protect your data. So this goes hand in hand with the regulation that if there's a data breach, you have to report within 72 hours to the authorities in the EU. In the EU, every country has their own authoritative body, and you can actually select which country you want to deal with. So at the moment it's all the same, balanced and equal, but my personal opinion is that because different countries have different, what I'd say, cultures, you can choose somewhere that is more relaxed with data privacy. But that's in the future; we'll find out in the future.

So how to go about GDPR is that you don't buy or use third-party or previous information. Why?
Because you don't get explicit consent in the first place, so you can't use that; you have to scrap it, because once a complaint reaches the EU body, the EU body will ask you what's happening. If you have existing user data, segment it according to EU or EEA. The EEA is basically the European Economic Area; it's larger than the EU because some countries are not part of the EU, but this regulation is actually applicable to EEA countries as well. And a separate segment for the UK. The reason for a separate segment for the UK is because of Brexit. Right now it's uncertain how long or how it's going to be done, so a lot of experts out there say to put the UK as a separate bracket, and if they exit the EU and keep GDPR as part of their national law, then at least you are safe. And then versus the rest of the world. With the rest of the world you can just do anything you want with it, but in accordance with national laws, of course. For unknowns, people that you do not know whether they are in the EU or whatever country, personally I would treat them as EU citizens or EU residents, but this is personal preference.

If you have existing mailing lists, you have to get explicit consent specific to the purpose, if you did not do that in the first place. So if your mailing list already had the provision, you don't need to spam your users again to ask, hey, we would like you to opt in again, because they already opted in before.

For social media, sorry, but before that: update your privacy policy. If you don't have a privacy policy, put it up there to say what you use the data for, how you use the data, where the data is going and stuff like that. Social media-wise, don't worry about it, because it's covered by the social media's own T&Cs and privacy policy and their own tools, so if they screw up, it's their problem, not yours.

For direct mail and phone calls, if you are engaging in B2B kinds of businesses, this is
interesting because you can actually call the person. Let's say if I want to link up with a friend of Zion who is doing maybe some Java programming, Zion probably will just ask his friend, hey, can you pass your phone number to me, and that is actually okay, because it's considered legitimate interest. There's a provision for such stuff. But if in the future, let's say, you do your own B2B marketing and stuff like that, and you call a person and the person says, hey, stop calling me in the future, drop it, don't call him anymore. So you've got to track who opted out from your calling list.

And yes, get a lawyer, please do, or get a GDPR consultant. But then again, this is a joke that I saw on Facebook: "Do you know a good GDPR consultant?" "Yes." "Can I share?" "No." Because I don't have consent.

So what happens if there's no compliance? The headline is always that you get fined up to 20 million euros or 4% of global annual turnover, but that is the last resort that the EU body will put onto you. The first issue is a warning; they will reprimand you and ask you to stop what you're doing before they fine you. So there are escalating steps. Once you hit the warning, please just do what you need to do to comply. So the thing is that the deadline is today. In the past few days I've seen a lot of emails coming out: hey, we have updated our privacy policy; hey, we would like you to re-opt in to our mailing list. For people who have missed the boat, meaning since the deadline, just do what you need to comply with the law, because it's not always that once the law sets in, people will just be caught out. It's not like the PDPA in Singapore, so maybe, just maybe, we'll get off with a light warning. I don't know who's hoping for that.

For WordPress specifically, update to 4.9.6. 4.9.6 is specifically for privacy policy, the privacy tools. There's a lot of privacy tools that I will go through later. WordPress.org
themselves are in the process of complying, but they have done like 95% of the work already; the remaining 5% they are finishing up soon as well, if I'm not mistaken. For your own plugins and themes that you've installed, review them, because they might drop in things like cookies, they might track certain data and send it back to their own servers for their own diagnostics and stuff like that. Be aware of what they do, because if you're not aware, you are liable as well, because it's on your own site in the first place. Review your own marketing stack, because WordPress alone is not for business; WordPress itself is not sufficient. You'll be using things like Mailchimp or other kinds of marketing automation tools, so review your stack and make sure that they are compliant as well.

So for 4.9.6, what they give you is a privacy policy page generator. It's a boilerplate kind of thing, written in straightforward legalese, but a lot of people can read it. You still have to edit it, because you have to put in things like where you track your data, what you track your data with and stuff like that. For commenting, there's a new option, a new function, to get consent to save the name, email address and website in the browser. Why? Because of cookies. You can't see it, but that's a cookie.

So the last part is data handling. You can export personal data out in a zip file, which is the GDPR feature of data portability. The idea is that if the person doesn't like to use your service, they can extract their data out and then jump ship to another service. So you can export personal data in a zip file, including data held by the plugins that have the privacy hooks in place as well. They also can erase personal data, including data collected by participating plugins. For plugins and themes, like I mentioned, review where and how data is collected, and whatever cookies they are using, because cookie tracking is also covered. A bonus, or not so much a bonus, is to
integrate with the privacy tools that WordPress has right now, and with the marketing stack.

So the final word is that GDPR is an ongoing compliance exercise. Why? Because there are always new tools, or things break over time, there are new marketing strategies and new content, new needs, new data. So you've got to periodically review stuff like that. It's never too late to start. If you haven't done your GDPR right now, go ahead and do it right now. It's like when I was in the US one month back for my tech conference, they were like, hey, there's one month, in this one month you really need... in one month you can finish up your GDPR compliance. After one month, all of you have been doing it, and I think right now only about 52% of the Fortune 100 has complied; the rest has not. So again, not legal advice.

So that's all. This is another joke: he's making a list, he's checking it twice, he's going to find out who's naughty and nice, and Santa Claus is in contravention of GDPR. Article 4 is basically a list of all the definitions under GDPR.

Yeah, this is a list of, not so personal data, it's basically a list of all the resources that you can refer to, which I actually referred to. Particularly, I want you to look at the Treasure Data marketer's guide and the Unstoppable Mama's guide as well, because these two are very concise in the stuff they summarise for GDPR and what to do. If you want to see a very fun privacy policy example, you can go to this one; the way they write the privacy policy is hilarious, but it's very understandable as well. Okay, and that's all. Any questions?

Yes. What are the legal implications if you have a website or VPS in one of the EU countries?
It's not the where, yeah, it's not the where, it's where the people are coming from. So even if you have a VPS in an EU country, if somehow your audience is in Africa, there's no issue. The only issue will probably be when you transfer the data out, transfer the data out to other countries. If I remember correctly, the other countries must have equivalent data privacy regulations. Yeah, I think that's the only issue. Okay, any other questions? Questions, questions. I think I am over time. No questions? Yes.

Yeah, I logged in to Mailchimp after the longest time today and they were like, hey, our support ticket system is down, please refer to these articles for GDPR-related stuff. Yeah, there was actually, when everyone thought it was a joke, one guy on his app, it said that he cannot turn on his lights because of GDPR; he can turn them on one by one, and it was collecting data that was not allowed. Right, yeah. Okay, any other questions? No? Okay, I will end here. If you have any other questions about GDPR and stuff like that, find me later. Okay, but again, not a lawyer.
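As an added example that is not part of the talk or WordPress's own code: this is how a plugin hooks into the 4.9.6 privacy tools the speaker mentions, so that the export-to-zip and erase screens also cover the plugin's own records. The plugin slug, the `contest_entries` table and its columns are assumptions chosen to match the contest example in the talk.

```php
// Added example (not from the talk): registering a personal-data exporter and
// eraser with the WordPress 4.9.6 privacy hooks. Assumed (hypothetical): a
// custom table {$wpdb->prefix}contest_entries with columns id, email, name, phone.

// Exporter: WordPress calls the callback once per requested email address.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['contest-plugin'] = array(
        'exporter_friendly_name' => 'Contest entries',
        'callback'               => 'contest_plugin_export',
    );
    return $exporters;
} );

function contest_plugin_export( $email_address, $page = 1 ) {
    global $wpdb;
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, phone FROM {$wpdb->prefix}contest_entries WHERE email = %s",
        $email_address
    ) );
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'contest-entries',
            'group_label' => 'Contest entries',
            'item_id'     => 'contest-entry-' . $row->id,
            'data'        => array(
                array( 'name' => 'Name',  'value' => $row->name ),
                array( 'name' => 'Phone', 'value' => $row->phone ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // done: no further pages
}

// Eraser: same registration shape, but the callback deletes the records.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['contest-plugin'] = array(
        'eraser_friendly_name' => 'Contest entries',
        'callback'             => 'contest_plugin_erase',
    );
    return $erasers;
} );

function contest_plugin_erase( $email_address, $page = 1 ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'contest_entries', array( 'email' => $email_address ) );
    return array(
        'items_removed'  => (bool) $deleted, // false when nothing matched
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

Once both filters are in place, the records show up under Tools > Export Personal Data and Tools > Erase Personal Data alongside WordPress's own comment and user data.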