Hey there, how's it going? Good, thanks, Luke, for answering that. There are literally more people than I expected to be here this side of lunch for a talk about data and privacy. But if you're bored, it's mostly your fault, because the title's right there, right? So we'll do what we can. Actually, there are people walking in. Don't just stay out, there's a more interesting one in the other room, surely. Okay, this talk is more or less an overview. Some of you will find it too basic if you have any familiarity with GDPR and data law. Others of you might find it insightful, and it might give you just enough to understand the basics. It's a few hundred pages of legislation, and there's a many-billion-dollar industry being generated because of this, so the chances that we're going to get to the depths of that are minimal. I'm curious to know: who has heard of GDPR in the last few months? Does anyone here have a site or a service targeted at Europe, or have anything to do with Europe? Oh wow, cool, great. And then who here, whose major interaction with GDPR has just been the annoying emails and the chance to unsubscribe from everything that you didn't know you were on? It was good for that. Well, I work with XWP; we're a WordPress agency. We deliver enterprise solutions with WordPress, and I'm a team lead. The important red text there is that I'm not a lawyer. So please, I hope you don't misconstrue anything I say as legal advice today, of course. This is an overview. What I would hope is that I would point out things where you might think, you know what, I should have a look into this, I should engage a legal expert, if you find there's a need there. So if someone in this room is a legal expert and you've come to this because you thought of something, during the Q&A please pipe up and answer the questions instead of me. I will not be upset if you do that. These are my rug rats that are at home right now, and this is my family.
I work remotely, so often I'm working at home with them screaming in the background. I don't know any of you; does anyone else here work remotely or work from home? And how many of you have had the experience of the guy on the BBC talking with the Korean man about where your kids have been in the background? Yeah, we've all had that one and had to yell at our kids at some point from a call. But yeah, that's my family. Aside from being famous for internet quotes, Napoleon, several hundred years ago, well, 150 years ago, had this quote that helps us to understand the depth behind what we're talking about when we talk about data, when we talk about information: how valuable this really is and the extent to which this has power. I mean, data has the power to hold entire countries to ransom, or a lack of data or a lack of information is enough to leave you completely blind and useless. So it's no small thing that we bring this up. But it's worth asking why, though, at a WordCamp, are we talking about data? And what I want to do is, I'm going to talk about GDPR, but there are two other areas that I want to brush on as well. So these are the three areas that I really want to approach data privacy from: an ethical standpoint, a commercial standpoint and a legal standpoint. And I'm going to do it in that order. You might think, and I would tend to think, that a lot of my talk, like the majority, will probably be around the legal side, but I would argue that the top one could probably be even more important if we were to really think about all of this now. So let's go there, the ethical case. Whoa, all right, do we need to even go through that now? I think there's something stuck, it just keeps... No, it's literally stuck. I think I need to pull it out. All right, I'll give it one more shot. If that goes on again, though, I'm going to ditch this thing and stand beside the... Oh no, I'm going to use a different one. Seamless. Continue. Oh no, what is going on here?
Oh look at this, this one works perfectly. Data itself, really, when you think about it: data equals power, having someone's information. And we could go to, and I would love to, but actually it's probably not the time to talk about the dystopian future, the 1984 Orwellian idea of a surveillance state. I mean, arguably you can see that in the present, in places in the Middle East, in China, and what's happening in these countries is frightening to me, it's frightening. It's frightening when I think about my kids and their future and what could come. I mean, that is one zone we could go to when we talk about the ethics of data privacy and protection. But we'll wind it back to the present for less intense issues. But still, they are serious. For instance, data is used in many ways to manipulate people into buying or believing something. For instance, finding data about someone. This is an interesting thing I learnt the other day: we're all aware, I think, that we're more likely to buy something if we know that our friends like it. But research has shown that if I were to gather your closest friends on, say, Facebook, take their faces, create a composite which you would never recognise as your two friends, because we're actually very poor at recognising composite faces, even our own, and I were to advertise a product to you with a composite of your two closest friends, you would be far more likely to buy that product. Now that's simple; there's software that could do that easily right now. But quite quickly, you can be manipulated without your knowing. Just by someone knowing a few things about you, you can be manipulated into believing something, by algorithms that profile you to understand you.
Not only that, you know, the data around you, especially your search history, can begin to, I think if you're familiar with the philosophy of, say, DuckDuckGo and other search engines, begin to actually encapsulate you in this silo of information, where when a search engine understands what it thinks you're looking for, it begins to show you more of what you've been looking for. So you no longer receive an objective understanding of the world, or a news story, or an ethical issue, and you can actually start to be trapped in a world of your own philosophies. Beyond that, as well, there's obviously selling your information, selling it to other people without your consent, as if that's not already happening and hasn't happened. And last of all, the issue of a company being hacked and your data, your precious data, being stolen and used against you. There is a lot of power that comes with data to manipulate, to silo, to control. And so we need to take it very, very seriously. Oh, here we go, sorry. I'm getting confused between here and here. So, when we think about WordPress, what does this have to do with WordPress? My philosophy and my belief about WordPress is that WordPress is a bastion of the free internet, of open source: this idea that if you have a good enough idea, it shouldn't matter where you are and who you are, you have an opportunity to bring a great idea to life. There is great software that can empower you to build something for yourself. Often tyrannical data practices stand for the opposite: to actually box people in, to take advantage of vulnerable people who either don't know or don't understand what's going on when they're engaging with online services. And not only that, I really think that to be in WordPress is to stand for ethical practice online and ethical use of the internet. Anyway, that is an ethical case for data and for data privacy.
Now, let's move on to commercial. I want to ask a question here. Could everyone put your hand up, please? Go on, everyone, put your hand up. Let's do it. Keep your hand raised if you trust big companies, let's say Facebook, if you trust them with your data. Okay. Now, you can keep your hand raised if you actually trust them and you want to own up. I mean, we may be a slightly biased audience, because most of us here have a technical background, maybe. All right, let's do it again. Everyone, hands up again. Let's ask an even deeper question. Keep your hand up if you think that big companies are actually being honest about the way that they use your data. Let me show you something. This graph on the right here, this is two years old. This survey is two years old now, so it's actually very old when you think about it. This is the percentage of consumers in these countries who think that big companies are not being honest about their data. In France, 62%. I mean, Australia is probably going to be comparable, I would think, and I actually think that two years on, with Equifax, with Cambridge Analytica, with everything that has happened in the last year or even six months, I can't imagine these numbers being any lower. In fact, I think they're much higher. And then over here, this is the percentage of consumers who trust companies to do the right thing with their personal data. Here in France, almost one in 10. Can you imagine, as a service offering something, if only one in 10 people who came through your door trusted you? This is not far out. This is actually probably accurate. Now, we are probably talking about bigger companies. People are probably thinking about that, and maybe you don't fall within that category. But when you think about it, what they are doing is creating a reputation and a mistrust amongst consumers for the way that we are handling and using their data.
Here as well, this is the percentage of consumers who would, and this is even more important, who would not allow a company they do not trust to use data about them. Around 75% across the board wouldn't give their data to a company they don't trust. Now, why is that important? Because data is essential, right? It's powerful, and the downside to data, the tyranny that can follow if we don't do it well, is there. But from a commercial standpoint as well, data is highly effective for the way we run our business, to understand your market. It's a huge cost saving if you can get good intelligence from the people that you're working with or offering a service to: time reduction, building the right product, product development, enhancing your service. Having good data is brilliant for business. But like I just said, three out of four people are not going to give their data to someone they don't trust. It actually creates quite a compelling opportunity for us to become good data stewards. I would put this case forward: right now, the market is ripe with an opportunity for people to say, I am a good data steward who cares about your personal data and your privacy, and you could make a case of that. Now, you're working backwards now. Probably 10 years ago, you might have worked from a place where people automatically trusted companies with their data, and so you would have had to lose that trust. I actually think the reverse is true now. For most of us in this room, I mean, you all put your hands down; your default mode is probably not to trust a company with your data right now until they earn your trust. So how do we do that? Data awareness is growing, and this is an opportunity. I'm going to change tack again. I know I'm kind of bouncing around these three, and don't worry, I'll draw it all together towards the end of this presentation.
But we've considered the ethical ramifications of where bad data practice could go. We've considered that there is a commercial case for being good data stewards, and now I want to talk about some aspects of the General Data Protection Regulation, the GDPR. And what I would like you to think about is this. Only maybe a fifth or a sixth of the people in this room put your hand up when I asked if you were targeting someone in Europe or had a European case for why you should care about GDPR. It's probably more than that; you may not even realise it. But considering the first two, I think what I'm about to present should be relevant for all of us, because I'm going to put forward some things that are in GDPR that I actually think we should all care about. My personal opinion, and we can debate and disagree about this, is that GDPR itself is a great thing. It's a good thing for the world. It's probably a bad thing for a lot of people. I mean, I don't own a big business in Europe and have to foot a billion-dollar legal bill for anything, so I've got a pretty sheltered opinion about this. But what I do think, when we consider the landscape of data use and data privacy, is that it is instilling, and starting, a conversation around the world about what healthy and good principles are for protecting the data of consumers. So let's consider a few things. This regulation, for those who don't know, replaced a 20-year-old Data Protection Directive. That was what existed in Europe before this. It wasn't legislation; it was interpreted into local laws within Europe. It was very outdated. It was from almost pre-Internet times, and it had to try and cover the Internet of today, but it was quite limited. GDPR is solving a problem: bringing together European data laws and also getting authorities that can enforce this. Does GDPR apply to me?
Well, actually, GDPR applies to any company processing the personal data of subjects who are in the Union. It doesn't target the companies in Europe; it targets companies who target people, who target citizens within the European Union. So if you're an Australian company and you're shipping to somewhere in Europe, you actually are within the remit of GDPR. Now, ways that you might be accountable to this are if, say, you provide the ability to order goods or services in a European language, perhaps providing payment options in EU currencies or the euro, let's say, providing local content, offering potential EU customers international-friendly services. So people might ask and say, well, look, what if someone from Europe visits my site? Now, let me not give legal advice here, but I personally, in my understanding from people I've listened to, do not think that you will be targeted by data protection authorities in Europe if someone from Europe visits your site with their data and you do something with it that is not within these laws. But if you're actively targeting people, yes, you could be accountable. And it's worth considering that this will likely be enforced internationally as well. Let me just give a couple of reasons. In Australia, under the Data Protection Act, the fines max out at $2.5 million, and only companies with an annual revenue of $3 million are accountable in the first place. But fines max out at that point. In Europe, in the UK, recently up until now, fines maxed out at half a million pounds, so even less than that. But under GDPR, failure to comply can mean a fine of up to 20 million euros per issue, per non-compliance, and beyond that, up to 4% of global revenue.
When you think about a big tech company, this is billions, billions of dollars that you're accountable for. As for this idea of international enforcement, it's probably yet to be fleshed out how that will go, but it's not like international law isn't enforced already in other cases, so I don't think it's a hurdle that they won't jump over, or they'll at least shut off your service to Europe if you're not in compliance. But there is a case for many people in this room to follow this, because you could be accountable to these laws. Now, beyond that, the even scarier point is probably these guys. The day after GDPR was enforced, May 25th of this year, Facebook and Google were levelled with $8.8 billion worth of suits in one day. So we kind of sit at... GDPR actually enables class-action lawsuits and suits to be filed under this legislation. So we're probably watching the dawn of a new legal industry. This is going to be a big deal. If you're a legal expert, I would suggest flying to Europe, branding yourself as some kind of data or digital law expert, and then adding another zero to your paycheck, because chances are that you could get a piece of the pie. But yeah, civil action is going to be a big deal under GDPR. What I want to do is just go over four major changes. Now, there are probably ten things we could talk about, but for the sake of time, and because they're probably the more interesting ones, these are four that I think are really worth talking about. Are you bored yet? Good. Data types. There is a set of data types that were not previously classified under many laws as ones that would be accountable or even considered personal data. For example, an IP address, or a unique ID on a mobile phone, or a device ID, were not really considered, I think in the United States or even in Europe, personal identifiers, but now they are. Which would mean that the rest of it all... So if you were to harvest someone's IP address, you would need proper consent under GDPR as well.
I mean, that's a big deal even right there. Beyond that as well, geolocation data. No longer is that just considered data that you could just grab. You actually are accountable under GDPR for how you handle, how you harvest and how you take that data. GDPR also introduced this concept of sensitive personal data, and it has an extra set of ramifications for how you deal with that. That would apply to health, sexual orientation, race, religion, political opinion, even biometric data as well, like genetic data and fingerprints. These are actually sensitive personal data under GDPR. And this actually requires an even greater... I mean, you've got to have a good reason. More or less, you've got to have a good reason to hold this data, and there are some added layers to how you need to protect that data. But it's just worth knowing that there is a separate category of data. You might know someone's name or their email address or something, but that's not in the same category as their fingerprints or their genetic material. Yeah, let me move on to consent. I'm kind of skimming through this because there's a lot to get through. Consent in times gone by was considered something we could just assume from someone, like a pre-ticked box, or, by being in this room, you consent to me recording you and knowing everything about you, right? No longer under GDPR. Consent needs to be explicit. And like I say, in Australian data law there is kind of an allowance for this consent by simply being there. This is kind of what can fly under Australian data law, but it won't fly under GDPR. Consent needs to be... Let me say this. I'm going to read it straight off. The consent needs to be freely given, specific, informed, an unambiguous indication of their wishes, either by a statement or clear affirmative action.
So under GDPR, not only does consent need to be clear, and not only do you need to be telling people why you're collecting their data and what you're going to do with it, they will literally need to tick something or agree to something or make an affirmative action to do that. It presents a pretty decent UX challenge. I mean, every point of friction in a UX pathway to buy a product or to access a service, we understand, affects conversion. So there's a pretty big UX challenge here for people, especially in Europe, if you're in e-commerce, to help people to move through that pathway efficiently without as much hindrance. But I do think for many people this will have the effect of either causing their pathways to become more cluttered, or probably causing people to rethink what they're collecting in the first place. If I'm asking for someone's biometric data and I don't really need it, maybe I should stop asking for it, maybe I should stop collecting it. I think that itself might actually be, as far as the consumer's concerned, a good thing.
Revoking consent must be just as easy, no longer hidden behind, you know, 400 layers of settings menus and options where you can finally figure out how to tell Facebook you don't want them to know something about you. And it also applies to some data already collected. So if you have a big database of people's personal information and you can't show that you collected that information with proper consent, my understanding is that under GDPR you would actually have to delete that data and get rid of it, and probably start again. So I think when you got all those annoying emails, you were actually getting a lot of people who were just re-establishing consent, either to keep the data they already had about you or to continue the process they were on with you. And lastly, it must be used only for the purpose it was collected. These kinds of vague statements, like "we use your data for marketing purposes or product development or research or at a later date", won't fly anymore, these vague terms. Consent now needs to be clear and unambiguous. I mean, as a consumer, I think this is a great thing, but once again it does present a challenge if you're using data for a lot of different reasons.

Let's talk about breaches. In Australia, I think, you don't have an obligation to necessarily notify your users of a breach unless there is specific harm that could come, or a specific risk to them because of the breach, or even to notify an authority. But under GDPR you have a 72-hour deadline. This is a pretty big deal. 72 hours is not very long, especially because most companies don't actually know what was taken until, let's say, weeks or months after the event. So it's probably yet to be seen how this works out and how many companies can really comply with this. But it's also a PR nightmare. Imagine telling your PR department: guys, wake up, we've had a breach; in three days' time we're going to be on the front cover of Wired
or something, and everyone's going to know that we had a... you know, how are we going to spin this so it doesn't sound so... I mean, the PR departments are going to hate this one. And obviously, if there was a significant risk, if you held data like home addresses or something, and I'm trying to think of the kinds of areas that could actually be risky, you need to contact your users, your consumers, without undue delay. This would mean, I think, that many companies will need reporting policies and procedures, breach templates, all these kinds of things to help deal with the instance in which they have a data breach.

My new rights. The rights that you have under GDPR. There are a few that are really important. For a start, I'd imagine most of us have heard about this one: the right to be forgotten. This is an extension of a previous landmark case in Europe, in Spain I believe, over the right to be forgotten, or to be deleted from Google search results; I think a Google search request was the specific case. But now it's enshrined in law, in Europe at least, that if a company has your data you should be able to contact them, and there should be no undue penalty for doing that. There's no, like, 40 euro fee for you to have your data deleted; I understand that's covered in there, and I think you've even got 30 days to comply with this. But for you to delete all the data you have on someone, this is a tremendous technological challenge, especially for systems that have been built up until this point with no element of design put into this: that we would have to go back and delete all the records for a specific individual, especially when you think about backups as well. Backups hold that too. We could talk about that in the Q&A, about how people are going to handle that. Someone in this room actually may have been thinking about this; I would be curious to know how other people have started to think about this. But
data subjects do have this right to say: all the stuff you know about me, I want you to delete it. The exception would be a legal case, like tax or criminal information, these kinds of bits of information that there is a legal reason you might need to hold for, say, seven years or whatever. That would obviously override the data subject's rights in this case. The right to restrict processing. This is kind of a lesser right, but a company could have your information and you could tell them, I don't want you to use my information anymore. It's one step less than deleting it, but it's saying I don't want you to process my data anymore. Data portability. Users now have the right to request all the data that a company has on them in, like, a machine-readable format, whatever that means; it's a little bit hazy in the legislation. But the idea would be, let's say you have a health insurance provider and they have all this information about you; you can request that they give you a printout or a CSV or something that has every bit of information about you, and you can take that straight to a competitor and say, hey, here's my background and here's all the information that this company has about me. This is a right that people have, to be portable, to move their data sets around. I think it gives some power back to the individual instead of to a corporation. As well as knowledge of profiling. If you are being profiled, which you are, which I am, which we all are, right? I mean, the profiling is going on. But the idea is that you should have knowledge that someone is building a profile of you and about you and trying to understand more about you. I mean, if that profile began to imply, let's say, for instance, someone has a profile about you, what you are clicking on, what you are doing, and they go all Cambridge Analytica on you and they start to say, well, this person is probably conservative, or probably this and probably that, they
might start to infer your sexual orientation, your political persuasion, your religious beliefs and all these kinds of things. Once they generate that data about you by profiling, they now have sensitive personal data on you as well, right? So if you think about it, if you deduce, if such-and-such says "I eat kosher", oh, they are probably Jewish, right? So now you have a piece of... and actually this is funny: it's very quick how fast you could have someone's sensitive personal data. Someone eats kosher; you basically have a sensitive piece of information about them. Some people might even argue that if you take shirt sizes, you know someone's biometric data, because you know their body shape or their body type or something like that. I don't know how that will fly, but some people suggest that even that could be considered personal data.

Now let's change. So those are some of the high-level pieces of GDPR. We could talk about some more in the Q&A if you want to, but I want to wrap this up talking about WordPress, the way WordPress is addressing this, and then even just some thoughts for us to take away about how we each can approach this. So I've given a legal, an ethical and a commercial reason to care about data privacy, and some of the ways the law is addressing it, which I do think address the ways that we could address it commercially: with transparency, with proper consent, with proper care, as well as good ethical reasons. This guy up here is Leo. He works at XWP as well; he's on the core team for WordPress and data privacy, and he was a big piece of the 4.9.6 release, where they implemented a set of changes to help site owners with compliance with GDPR. So some of the major changes were comment consent. Having said that, the wording needs to be altered a little bit; you should be able to find some information about that. Under GDPR in Europe, you need to get proper consent to have someone's comment on your site, which is their personal information, so you may need to alter the wording around
that a little bit more. There's also, for those of you who haven't seen it, and I hope you've had a look at this, a data export and erasure feature. If you haven't had a look through it, it might be a bit confusing just trying to work it out in the admin, but there are some really good YouTube tutorials if you just type in "GDPR and WordPress". There are some people who've walked through the process of how to export someone's data, should you get that request, or to erase someone's data if you get that request as well. But it's worth knowing that it's built into WordPress; it's baked into Core now, so that within your data tables you can comply with this. That's a really, really big deal that they got that out quickly so that businesses, people in WordPress, could comply with that. I think hats off to WordPress and the core team for getting that through so quickly; it's really empowering. As well as a privacy policy generator. It gives the bare bones. Privacy policies are one of those things: you just must have them, you really, really need to have them, and generating them now is easier than ever. Literally, there's a New Zealand-based one that I came across just by Googling around, where you just answer a set of questions and it spat out a privacy policy. It may not cover everything, and a lawyer might shoot me for suggesting something like that, but the bare bones and getting started in generating a privacy policy, I'm suggesting a terrible one is better than none at all. It's there, and there are a lot of tools to help you generate those things, including in WordPress Core now as well. The only thing Leo told me to say was there are still some gaps in localisation, so the way in which WordPress Core handles this will differ for compliance. They're trying to get compliance with the EU data laws, which is a good idea, but getting compliance with other countries, there are gaps in how it's localised, so you need to understand that for yourself. So what should I
be doing about this? First, start checking your plugins. Most of the major ones, you will have seen, have updated with compliance for GDPR, which is really good. If you rely heavily on a plugin that is not in compliance, I suggest, I mean, I don't know what you want to do, but finding one that is analogous and in compliance is a great idea. That's a good practice in general. GDPR compliance will basically ensure compliance with, say, Australian data law; Australian data law is not as severe, although amendments could come to bring it up on par at any time. Think about your other ones: email lockdown, cookie consent, Google Analytics. I think one thing you would want to do is turn off IP collection in Google Analytics; I think that's one thing you need to turn off in order to be fully compliant, but Google Analytics has come a long way as well. Create a privacy policy. But development requirements for having a secure website, protecting people's data, are really, really, really important. And the most important question is, really, sit down and do this. I really think you should sit down one day, if this is an issue you need to think about, and ask these four questions and write honest answers to them. What data am I collecting? Am I collecting names, collecting emails, collecting shirt size, collecting religion, collecting this, collecting that, collecting comments? I mean, you really have to sit in every possible little edge case that you could be collecting. And then ask yourself, where am I storing it? There are ramifications for where you store data. If you're storing it offshore, at least understand where you're storing it, because if you are storing it somewhere, there are kinds of zones that GDPR seems to define as not acceptable places to store information, if you're doing offshore or cloud storage or something like that. But have a look into that, I suggest. Then ask this question: why am I collecting it in the first place? Do I need it? I'm collecting this stuff; do I need it for anything?
And then ask: did I get proper permission to have it? Go and have a look through that. Excuse me. The previous philosophy around data collection was always: collect everything and work out what to do with it later. We really need to, as a community, you know, as citizens of the earth, start to reverse that and think: let's collect just what we need, right? Let's collect what we need for now; if I need more data, I'll go and collect that later, and start to get away from this idea of just bulk collecting information just because we should, just because we could, as an idea.

Let me finish on this. There are my boys again, sorry; it's Jude and that's Leo. Because when we think about the future, what future are we heading towards? This is really where I want to close this up. Are we heading towards that dystopian future that we all think of, where my kids will grow up with intricate profiles about them, about their race, about their persuasions, about everything about them, the fact that they've got middle class white parents and they're probably watching Peppa Pig and they're going to want to buy this and buy that and buy this and that, and they are profiled to the extent at which companies can access and know everything about them, manipulate them, use them? Or are they going to grow up in a world where they have control of their data, where they have freedom, where they're not vulnerable to the attacks and the manipulation and tyranny of large corporations? I mean, I think that's what's at stake here: our future, where we're headed. I think WordPress has 30% of the internet; I think we have some power in shaping the future of the internet and how we go about data. That's it. We can have some questions now, I suppose. Remember the red thing that said "not a lawyer"; I'll do my best. If anyone actually is a lawyer here and they do know about this, please chime in.

While you were talking about the... I was just thinking about the ramifications of data. So if you've got a site, a WordPress site, and a user comes along and says "I want my personal data removed", you've theoretically got to go through all the backups that you've made of that site as well and remove that data, don't you?

Theoretically, yes. I think there is a piece in there that is... I need to get the wording right, but it's kind of like there's some kind of fairness element to that: within reason you have to do that. So there are a couple of things to think about. Number one, what are all the backups that you have, and within reason... if something's backed up to tape then, yeah, I don't know, you're probably not going to have to, and people probably aren't going to chase you down if it was like, "look, it would have cost me 50 hours to get one person's data out, and I'd have to repeat the process", and you'd probably get away with that if you could honestly stand up. If I had to stand up in front of a court and they said to me, "why didn't you delete this person's data?", and I said, "seriously, man, it was going to take me 100 hours to delete this one person's data, but I did delete this, this and this, and I removed records from here", they might say, "well, okay, at least you tried". I think the two things to think about are: number one, where have you on-shared that data? Has your content been syndicated elsewhere, and are there other data controllers? You have a responsibility to contact them and ask them to delete it as well. So that's one piece, and you can't really get them to do that, but you would have to show that you asked them to delete it. And secondly, if you had built your data backup system post May 25th 2018, when it was enforced, or even two years ago when we knew about GDPR, and you showed that you built and designed a system where you could not simply and readily erase individual data records, you may not have such a good case then. A big part of GDPR is that, well, now you know: design with privacy in mind, design with these things in mind. So if you're using an old retro system you may have a case for why it was too hard, but if you use something new, or you build something new, and you still didn't do it with compliance and with the knowledge in mind, I think that's when you wouldn't have a case. I think it's a gray area though, but there is some wording in the law about the reasonable amount of effort you need to go to to do that.

Yeah, you could say that ease of access, or the reasonable amount of effort you need to go to to do that... it says "technically feasible"; it gives those some leeway.

Yeah, I think that's more or less... I think that's the sentiment behind it. You pointed at one of the gray areas. Any other questions? There were definitely people closer to you, but if you want to go for a run...

I've got two quick questions, if that's okay. I know you're not a lawyer, so I won't be offended if you don't know the answer. If the data that you have does not reveal that they're European based, does the GDPR still apply?
Yes, I would say so. If they are from Europe, it wouldn't matter what you had about them; it would be more the fact that they are European. Whether you could plead ignorance, if that's what you're suggesting... but yeah, I wouldn't think so.

And, like, one project I'm working on at the moment, I know if someone says "delete my account", I know that will break everything. In that instance, for example, would anonymizing all their data be an adequate substitute?

There are provisions for anonymization and pseudonymization within GDPR, and they're there as recommended processes. That's... I don't know, but anonymizing a set of data instead of deleting it, actually I haven't heard of someone suggesting that pathway to deletion. I suppose it's a similar kind of concept, but I know anonymization... the tricky thing with anonymization and pseudonymization is that it's actually really hard; there's generally going to be a Rosetta Stone somewhere that allows people to match tables and find out that person's record. So they are considered preferable, and privacy by design practices that you should do whenever you can, and make pseudonymization and anonymization available to users. But yeah, that's a good one to find out, you know: I don't know, instead of deleting, can I anonymize? I hadn't even thought of that. Anyone else?
There's a guy waving over there; I thought he's the guy that we should really, obviously...

I have a question, well, it's not really a question, more of a statement. You said about data breaches: there is an important piece of legislation in Australia about notifiable data breaches, which came out in February, which anybody in Australia should be aware of. So I'm sort of flagging that, if you weren't aware of it. The other thing too is that it's a big rule to put out globally, saying "we're going to go after people who do this", but if you think we've got a third of the internet running WordPress, and how many people it would take to try and keep that compliance in place, it's a bit of a hard ask to try and do it. That's not to say that we shouldn't be doing the right thing, because we need to be doing the right thing, so I think we don't want to put the fear into people about "they're coming after you", because there's also that pendulum effect. At the moment we're seeing it's going to go all the way back there, and we'll go that way, and somewhere in between Australia will line up in between, so it's going to be a moving space as it progresses forward.

Yeah, absolutely, thanks.

What about the rest of the world? What about them?

Do you mean, like, are data laws changing in other ways? It's pretty scattered. The US, the legislative system in the US, you've got state, county, country; there are different layers to this, and by and large the US is considered one of the most relaxed when it comes to data privacy. This is a big deal for companies who are in the United States, who are operating in the United States and Europe, who now have to bring all of their operations into compliance with GDPR. So it's a big deal for those countries who were a long way off. If you're in Canada or even Australia, with a greater and higher level of law around this, the change won't be quite as far. But yeah, I think companies will weigh it up, and some companies will stop providing services to Europe because it's more expensive to become GDPR compliant than the amount of revenue they generate from their European business.

We'll do one last question and then we'll wrap up for lunch.

Hi Brendan, thanks for that. So my question is about whose responsibility is it to know all of this, and then know when they're supposed to be implementing it? As a WordPress community, as a tech community, we tend to have heard this word; a lot of people haven't, and our clients come to us and they want us to be able to tell them what they should know. But at our level we're developing, or we might be building a site, but we actually don't know what their legal requirements are based on their businesses. And a lot of people are DIYing, so they're creating their own websites; they have no idea how to anonymize or to remove data from their websites. They have no idea: you go into a WooCommerce site, you configure it, how to look after the storage of the data there. What are your thoughts on the education process, from the DIYers up to the businesses who say "I'll just make it GDPR compliant", and it's like, actually, you need to sort your privacy policy out, you need to talk to your lawyers about your terms of use, and you need to have a bit of responsibility and ownership over this, because it's your business that's going to be affected by it if someone comes knocking?

Yeah, there's a lot to that, but the last sentence or two you put there is probably where my opinion rests. I actually think... because we deal with this as well, companies come to us and they need something and they talk about GDPR compliance. I suppose there are two approaches you could go with there. One is like, "hey, we don't touch this; we do what we can, but we need to make recommendations, and you're the one who's going to be accountable for this at the end". Or at the other end, you're like, "okay, we are going to build in GDPR compliance for you". If you were going to take on that kind of risk, I think you'd be arming yourself with a digital law expert to be
able to properly offer that service and guarantee some level of compliance. Whether someone wants to actually guarantee compliance is a big deal, considering the level of fines that are involved with this. But yeah, individuals themselves, the business owner themselves, they are the point of accountability, not an agency. But it probably is a service offering that you can increase and say, "hey, when we build for you, we include GDPR compliance". A GDPR privacy impact assessment might be an idea; we've done that for companies as well. We'll look at how they do, from the start to the end, how they process and collect data, and we'll do an assessment and make recommendations. We will still be careful to say this is not legal advice, but these are what we believe you need to do to comply; do your final checks with the lawyer at the other end. As far as education goes, I think WordPress is doing a pretty good job. I mean, most WordCamps seem to have a talk like this one right now, like a mandatory talk for the last year and a half, where someone gets up and talks about GDPR. And obviously the WordPress core team, while they were fairly late to act, it kind of really kicked into gear at the last minute, which is actually everyone with GDPR, they did a pretty good job of getting things in line pretty quickly. So if you use WordPress out of the box and you're using plugins that are GDPR compliant, you've got a pretty good privacy policy. I think, you know, it shouldn't be the craziest thing in the world to think you could offer something. Is that my time?

You've still got one minute.

This is romantic, it's lovely. Yep, I do think it's approachable for someone who is not making data their core. Now, it's just worth mentioning, under GDPR one requirement for any company whose core activity is data collection is to appoint a DPO, a data protection officer. This person is not an engineer, they're not necessarily a lawyer, they don't have to be anything; what they have to do is represent GDPR compliance to your organization at an executive level. They need to be appointed with executive power to help make sure that everything you do is compliant, and at the end of the day they would stand on behalf of your company in front of a data protection authority in Europe to defend or oversee what you're doing. So if your core activity is data collection, so let's say you're a health provider, you're a bank, you're a social network, any of these kinds of things, then yes, you would need to appoint a data protection officer. It's also worth remembering as well that there's not only an introduced role of a data protection officer, there's an introduced concept of a data controller and a data processor. A data controller is the person who asks for the data, who wants the data, who desires it. The processor might be like an affiliate email marketing solution, cloud hosting or something like this, who actually goes and processes your data, like an AdSense network or something like that, who holds data that was given to them by a controller. GDPR makes the distinction and makes both parties accountable. The controller is primarily accountable, but a processor, that might be you in this room: if you process personal data that you didn't collect, under GDPR you're still accountable for how you treat that data and how you use it, how you store it, and so on. Cool, yeah, thanks.

Nice one. One super, super last question. Being keynote speaker sometimes, Luke, you can look... I know you're not a lawyer, but is it data or data?

Awesome. Well, thank you so much. Cool, alright, thank you guys.