Hi, I'm Mark Wiseman. I've been working with SoMedia for the last two years now, and about six, seven months ago, this whole GDPR thing showed up. Of course it showed up two years ago already, in 2016, when this European legislation got passed. On May 25th this year it actually goes into effect. So all our customers, we have 350 websites we take care of, and we were not going to wait until May 24th when they all show up with the data processing contract saying, please sign this. So we've been digging into this. This talk will purely focus on WordPress. GDPR, of course, touches your entire organisation, but we're going to stick to WordPress because I've only got 25 minutes to do this in. I'm also going to grab my speaker's notes because it's a complex topic. So my first question really is, who here owns a WordPress website? Who is the owner of a website and collects data for it? Oh, that's good. That's like half. Who is from a hosting company which provides hosting to customers? I see one hand going up there, slightly less, which means I'll keep my focus a lot on the end user, which is the data controller if you are the one collecting the data. As John Willem said, this is not legal advice. We are technicians who have been forced to deal with this stuff. Everything I say here today, don't take it as true. If you think there's a tip in there, take it to your lawyers if you need to. Let's see. So, General Data Protection Regulation, which in Dutch is called the AVG. How many English speakers are there? All right. That's just the Dutch name for it. Every country in the EU will have their own little acronym for it. Also, for every country in the EU, you'll have an authority which will be able to give you fines and make sure you actually do this properly. So what it does is it protects the privacy-sensitive data of consumers in the EU.
This already makes it a lot wider, because it means that if you have a website running from the United States and you have a European customer coming onto your website, you're going to have to deal with the GDPR. It also means that if you're a European and you're in South America somewhere and you buy something online, GDPR does not apply to you. It only applies to stuff which gets bought by consumers who are in the EU. It's on EU ground, on this territory. What it next does is it will force you, enough Ss in businesses there, to change and review any practices you have when it comes to managing personal data. They'll do that by giving you rules and regulations, and if you don't comply, they're going to give you fines. GDPR is about all the data which, as a person, you give away to companies. I'm not going to go into every aspect of the GDPR. We'll stick to the core, which is data, personal data. It falls into two categories. You have your personal data and then you have privacy-sensitive data. If you look on the site of the Autoriteit Persoonsgegevens, which is the Dutch authority which will do this, they'll tell you there is low-risk information and high-risk information. Low-risk information is the stuff on the left, basically what you'd find in the envelope you get with your electricity bill. Obviously your IP address won't be on there, but it's not data with which I can actually say something about you as a person. I can say where you are, what your name is. If you combine that stuff with the stuff on the left, all of a sudden I can start targeting you, because now I know that your medical information says that you're overweight and I can start sending you brochures to start losing weight. Now, is this an issue?
Yes, it is a bit, because we've just seen Facebook and Cambridge Analytica, where 50 million profiles went off to Cambridge Analytica, which then got used in political marketing campaigns, and that's of course one of the reasons why the GDPR is very good to have from a consumer perspective. Shall I look at my notes? No, no, I want to click. So the rights the GDPR gives to consumers are the right to be informed before you start gathering data, and they also have the right to not have it gathered, which puts you in the position where you have to ask them, please can I gather your information? Every consumer has the right to inspect all the data you've collected on them. Every consumer has the right to have faults in their data corrected, and the presentation will be available afterwards, I promise, including all my notes. They have the right to no longer have their data processed even if you are still storing it. That sounds a bit weird, but it means that if you have to keep tax records for them because they've bought something with you, they can still say to you, it's fine that you're keeping my data, but you're not allowed to do anything with it. And they have the right to be forgotten in your organisation, hence websites, provided you don't have another reason for keeping their data. What we're going to do now is go through seven impacts which we've identified for your WordPress website. Some will be focused on technology, some will be focused on what you've got to organise around the technology to do this properly. Now, the biggest concept I've run into is privacy by default. That basically means you're not allowed to assume anything about what you're going to do with their data. You always have to ask them, can I do this? And the biggest example of that is your contact form: you can send me a message, and at the bottom it says, subscribe to our newsletter, and it has a box ticked.
Now you're not allowed to tick that box anymore, because when we collect data we're only allowed to collect it for one specific purpose, provided they've given permission for that. So you're using your contact form and then saying, oh, and here's the newsletter: there are two different processings of that same data. One is to answer the question they've asked, and the other is to stick them in the newsletter. So for every time you want to collect data, they have to explicitly tick that box. So all the tick boxes, subscribe to our newsletter, let us visit you at home, whatever you want to do, you're not allowed to have those pre-ticked. You're also not allowed to place cookies, tracking pixels, or any other tracking technology, which is stuff which goes onto their PC or which collects their data, unless you have explicit permission from them. I'm going to give you all the problems; I'll give you the solutions later on in the plug-ins. We'll get back to this in one of the next slides, but you have to request permission for every separate type of usage of personal information. So as I said, the contact form and the newsletter, combining them into one thing, you're not allowed to do that; you have to split it up and say, yes, I'll have a contact form, and I really do want a newsletter. All the data you collect, you have to have a good reason for collecting it. And what are good reasons to collect data? Well, the first one is if somebody's ordered a service with you: you have a good reason to keep this data in your file, because you have to send them a package at their home address. Obviously that would also contain sizes of clothing, which could be personal information. You're allowed to keep it as long as you have a good, proper purpose for collecting that data. So fulfilling a service is a good reason.
Another reason is, as I've just mentioned, if by law you're required to keep this information, so the tax man is your big friend here all of a sudden, because to anybody requesting you to remove their information from your WooCommerce, you can say, no, can't do, I have to keep it, the tax man tells me so. And of course you can collect data because somebody's explicitly giving you consent to collect that information. So if I have a website where they can recommend books to me and I tell them these are my favourite authors, yes, here's my tick box, please give me recommendations for other books. I have to have explicit permission for that. The third impact, oh, we've got another one here, what's this? All right, this is a tip, and the tip is: define your data collection. It means make an overview for yourself so you know what data you're collecting, and this doesn't just apply to your entire organisation. Know what you're collecting, know who in your organisation can actually access it, and which subcontractors you are using. So if you own your own website, you're probably not the owner of the server which it runs on. With that hosting party, you have to have a contract that they will behave according to the GDPR. This is where it gets fun. So the law says we have to obtain granular consent. So as we've already said, I want to be a member of your newsletter, that's fine. That's a granular consent. But how far does this go? So you have to give them clear choices on what they're agreeing to. So they have to be able to clearly say, this is what I'm agreeing to. It has to be one consent for one thing only, and that's what they say okay to. So I've been seeing a lot of examples of companies trying to stick to this law, and what they end up doing is giving you an enormous list of cookies which they're placing. That does not agree with... I can actually read out what the law says.
Data subjects should be free to choose which purpose they accept rather than to consent to a bundle of processing purposes. And a purpose must be sufficiently defined and sufficiently unambiguous and clearly expressed. Now, if you're going to show somebody a big list of these are the JavaScripts we're including, these are the cookies we're placing, la, la, la, that's not giving a clear and unambiguous view of what you're asking permission for. It's not about the technologies, it's about what you're going to do with the data. So if you start mentioning, I've got all these cookies, you still haven't told me what you're doing with the data. Avoid the technology and instead use clear, normal Jip en Janneke language. For... where was the non-Dutch person? Jip en Janneke are childhood books which use very simple language. And here's a piece of advice which is against the law. You can group together purposes for similar services. So if you have two analytics cookies or services running which all collect data for the same reason and you process it in the same way and la, la, la, then you can basically put them together. And the reason for that is this one. These are purposes of data processing in online behavioural advertising, which is a long word for saying remarketing. And it says there are 10 different purposes we can come up with and there are nine different companies involved, and they're either a processor or a sub-processor. Now, the law basically says you have to have 10 tick boxes on your site because these are all different purposes. That cannot be the... No, this is just advertising. Of course, if you put Facebook into this and Twitter and all the other services you suck into your site, you'll have 100 consents. That's why I'm saying here, group them. And why group them? Because this is the NPO, the Dutch television company, and what they have done is they have said, well, depending on the type of purpose we have, we've grouped them together.
So we have a tick box here for social media. If you tick that, you're basically saying yes, it's okay to include technologies which allow you to share stuff to social media. And here's an interesting thing, because I didn't mention that here: you do not need to get granular consent for technologies you're using which are essential to run the website. So I think WordPress has a cookie which says, I'm testing if I can place cookies. That's a functional cookie. It doesn't store any personal data; it's just there to make the site work. If you have a wish list on your WooCommerce shop, that's also a functional cookie. It's not there collecting personal data; it's there because if it's not there you can't run the shop, you can't have a shopping basket. So we won't be doing this. We'll probably end up doing this at the end of the day. I like this one, this is pretty good. The one thing they've done which they can't do is this at the bottom, which says... that's not clear, that's not unambiguous. Basically they're saying these are all clearly defined, and we have some stuff which we're all going to lump together and you just have to tick the box. This one's out of order; you can't do that. And you can't pre-tick all these boxes. I've actually unticked them here, but when you go to their site they've all been pre-ticked. So don't do that. Then what the GDPR requires as well is that you protect your data, and they're looking at a chain of responsibility. So this is why I asked who is actually the owner of a website. If you are, you are now the data controller. You're the one who has a purpose for collecting the data and doing something with it. And if you're a hosting company or a service company, you've got two facets to this. One, you've got the data of your own company. So if you have clients which are consumers who have a website with you, this applies to them as well.
You also have to have a security policy in which you say to them, this is how we handle our data, but you also have to have one about their data, which you are taking care of for them. So there's the data of your own company and that of your customers which you're taking care of. I mean, this is a no-brainer, but make sure you've got everything in place. Your SSL certificates, have strong passwords. Make sure your hosting company knows what they're doing, because the biggest way to get hacked, we've found out, is bad hosting. So that's about you as a company protecting the data which you've collected, and then they've gone and given these rights to consumers to make you do things for them. So they have the right to send in a request to see the data which you have on them. You have one month of time to give them an answer to show them exactly what you have. You have to do it in a clear format, so you can't give them a database dump, but you have to have an Excel sheet or a PDF which does it. And you don't have to charge anything for it. So this will be fun after May 26. I hope everybody's going to email VGOMP and ask this question, because I want to see the lawsuits which come out of this stuff. Now that's easy if you have a user base that logs in, because you can put up a page for them and say, right, this is all the data we've collected for you. I don't know how this is going to work for anonymous visitors who have come to your site. I don't think it can be done, but the law doesn't say anything about anonymous visitors you're grabbing data from. So again, May 26. Let's wait for the first lawsuits around this. I think I've said this before. When you're inventorying all the data which you're collecting, don't collect more than you need. There's no reason to. The law says you're not allowed to collect more than you need for your purposes. And especially when it comes to your website, if you have data banging around in it, get rid of it, take it out of your site.
Your site is a soft spot in security anyway. Clean up your website. So you've got to give them options to say, forget me, change my data, and what data do you have? I haven't told you how to do this. This one's fun as well. A data breach is the point at which you discover a hole in your security, and it doesn't mean something bad has happened to the data. It doesn't even mean somebody has actually hacked it. It means you've seen that there is a hole in your data, and it's a data breach. So you write a data breach report, and then we talk about things which are not clear. If you are the data collector, so the owner of the data, you may have to report a data breach to the authorities, and you may also have to inform the users that have been affected. Now, when you have to do this is for sure if it's about a lot of data, or if it's about data which has higher risk associated with it, so a lot of privacy information. But it also says it's up to your judgment if you should report it. My advice for any data breach is to report them all. First off, don't try and get data breaches, but if you do have one, report them, because at least they can't come back at you afterwards and say, oh, you didn't tell us. The last thing you have to get sorted for your website is a privacy policy, even if you don't need one. The reason for this is it looks good on your site to have one. These are obviously not technology reasons, but if you have a site and all you have on it is a contact form, you're not using Google Analytics or anything putting into it, but if you have a contact form you're collecting data, so make a one-paragraph privacy statement and say, we're collecting data from this form so we can answer your question, we will not do anything else with it, and we're storing this in our own website.
There's another reason for that privacy policy: if you do actually have a bigger website and you're requesting multiple permissions all over the place, or just in a single place like the NPO does, in the privacy policy you want to repeat all this stuff. You want to say, we're using Google Analytics in an anonymous mode. Google collects this data so we can figure out how to improve the website, and here's a link to the GDPR statements by Google. Do this for all the services you're using, do this for all the ways you're processing data for them. I wonder. There's a special mention here for Google Analytics. I finally agree that Google Analytics is going to be a functional cookie, or a functional piece of technology, if you use it anonymously. Because Google Analytics also places a cookie on your PC, which is known as a... it's actually a piece of privacy information, a cookie. That's what the law says: a cookie is privacy information. But now there is, on the website of the Autoriteit Persoonsgegevens, a manual on how you can set up Google Analytics to work so you don't have to ask permission for it, because this is the big worry of everyone: I'm going to lose my Google Analytics data. You don't have to; it'll be anonymised. The worst effect of that is you don't actually get a proper location out of it. I mean, they'll be able to say, yes, this is in South Holland, but they won't be able to say this was in Rotterdam on the Binevech or anything. It'll be more fluffy and therefore anonymised, and therefore you're allowed to collect it, because you're not collecting personal information. Sorry, Autoriteit Persoonsgegevens. Finally, if you go to their site there are no warnings on there. But they don't have any tracking cookies. They don't have anything in their site, actually, which is good. Right. How am I doing on time? I've got another five minutes left. We're actually going to make this.
So I'm going to go through a few of these things just because they're interesting to look at, and then John Willem will come back and he'll go through a number of plugins we've found with which you can handle a couple of these questions. And then our talk will be available on the website afterwards. We have a link on the last slide, I think. So I've said about Google Analytics: you can anonymise it so you can collect that, but you can also still use Google Analytics in its full-blown form provided somebody gives you permission for that. So don't say to them, we want to track you on our site fully with Google Analytics, because everybody is going to go to the statistics. We would love to serve you better, and we can do that if you click this button for us. The tone of voice in which you present these requests for permission is going to be part of the success of whether or not people are going to click them. This is the same for the remarketing pixels: don't write, we're going to track you all over the internet, but write, we'll be able to serve you adverts which are more suited to your taste. So you can do Google Analytics full, provided... so you can have two levels of it, which is what I'm saying. Your biggest bulk will be the anonymous stuff you're collecting, and a percentage of your users will say, yes, we like you, we're going to help you improve your site. The tag manager, which I think has been around two or three years now, is showing up in lots of sites, because what it does is it allows you to combine all your external JavaScripts and tracking mechanisms into one spot, and all you have to do is put this one little code in your website and you've got all this stuff running in it. So from the people who own their own website, who uses the tag manager?
Right, and other people who have the tag manager being set up by an external marketing company? All right, well, we have run into this one. So what's happening is you've got a web hosting or a website owner, and they've said to this marketing company, here's my tag manager, go and fill it in, and there's 60 scripts in there, 10... The problem is there are all different kinds of purposes, so you're going to end up with... you can't just include the tag manager in one, because it's going to be an all-or-nothing thing. So one way to do this is, when you collect permissions on your site, write them away into a cookie, which is funny, because that's a functional cookie then. So you've got a functional cookie to record that somebody is not giving you consent, and the tag manager scripts, you can set them up to read out a cookie on a site: if the cookie is not there or has a certain value, yes, include this script in my tag manager, else do not include it in my tag manager. But the tag manager is a fiddly thing to work with when it comes to only putting things into your site which people have given consent for. Another way to do this for the tag manager is to have lots of different containers for the tag manager and only include those which have the scripts in them as consents are given. Share buttons. So we have all these plugins which produce share-this-to-another-site, and so you get this plugin and you go, oh yeah, there's 60 networks, let's tick them all on, and then you start up the page on the front end and there's all these share buttons. Well, what it's gone and done, it's gone, oh, I'll have a Facebook script and I'll have a Twitter script and I'll have an Instagram script. Besides slowing down your website enormously, do you know where these scripts are coming from? Because they're coming from external places. Do you know if the people who are handing out those scripts are GDPR compliant? So for every script which you suck into your website, you have to understand that the party on the other side can track
the user of that script and link it to the IP address of the user who's seeing it, because it's what happens in the client's site; this isn't on the web server anymore. See if you can avoid that in your site. All of these social services have things like this, which means just have a link which sits in your page, and obviously this part can be dynamically stuck into your page. If you click that, it'll take you off to a page on Facebook where you can share your thing. Nothing's happening on your side; no scripts are being imported. So that's a way to get around the plugins which give you 100 different scripts coming from all over the place. You can do it a simpler way; it's not as pretty, but it works. External files. So you have your website, and you're reselling fruit machines, fruit press machines, and the manuals for these are on the site of the builder of these machines, and they're out in Romania, and they have all these different manuals in different languages, and from your website you're immediately linking back to their site. Those are external files; they're not on your site. Again, check if you know how those people are handling GDPR, because again they can be tracking the downloads of these things. Fonts is interesting. We ran into this during... we did a couple of sessions with our customers, where we got in groups of 10 customers at a time and went through their sites with them, and what we find is, if you have Typekit, you're again grabbing files from beyond the reach of your own site. These are files which live somewhere else. Check with those parties who are providing the fonts whether or not they are GDPR compliant. And here's the question: do you need to ask specific consent to include a font in your site? Because is a font a functional piece of technology in your site? Is it required to make the site work? Not really, but you could say, well, it is a functional piece, because if it's not there I'm not expressing my brand properly, which has a certain typography which it should
have. So if it's not there, I'm not actually presenting my brand properly. This is one of those things where we'll have to see what the lawsuits are going to say after this. And then we get to the last point: practically getting permission and adjusting site behaviour. I have like minus one minute, so I'll do it. WordPress has this wonderful system of plugins, and we have sites which have... well, we have some sites which we think should have less, but they have like 90 plugins, and the moment you visit the page it immediately starts loading in Facebook and Twitter and scripts and whatnot, because all these plugins are doing this. And your problem now is going to be, how do you let somebody come to your website, see the whole site, but not place anything on their PC, not start up any tracking script, and so forth? So what's going to happen is we're going to be grabbing permissions from users, and then based on those permissions we're going to have to change the way the site behaves. And this is a big impact for WordPress. I think there's like 25 plugins which have come out by now which all try to tackle this problem, and we know there's a WordPress core group busy trying to get a system set up within WordPress where plugin builders can use hooks and filters and say, right, this is what my plugin does, and so forth. But that's not all here yet, so there's a whole lot of problems for you to deal with between now and two months. I'll give John Willem the mic now and we can look at a couple of the plugins which might solve these issues. Thank you.

Yeah, there are already some nice plugins to help you. We also made one plugin ourselves, so I will show you six plugins, and the first one we made ourselves, so that's our disclaimer. So if you have like a user base, then this plugin can help you to delete like the posts, the links and the comments of people. It might be interesting. It's a little bit basic, this plugin, because it only does these things, but a lot of times... a lot of plugins do a lot more, but for simple
websites this is really helpful. We also have the wider gravity form stop entries, which is also nice, because it gives you the possibility to... let's have a look, I have two of them... that you encrypt the data. So you encrypt everything, so you cannot read it. Of course this is also a little bit like, you can of course always encrypt if you can get to the database level, but it's something; it can be helpful, especially if you, for example, send it to an email address directly and then you also have like a stored thing on your website, like a backup. This is also a very nice plugin; I will dive a little bit deeper into that, because the GDPR demands explicit consent from your visitor to allow you to process their data. Then it's handy to have like a tick box for everything, so for example for your newsletter. So what this plugin does, it's very nice, I like it, I will show you a picture: it gives you the possibility to add tick boxes or check boxes, I don't know how you call it, tick boxes on your form to give permission. And they did a nice job; it looks nice, it's a very friendly plugin. I think this is the best plugin after our plugin, of course. I think they are doing a better job at the moment. I mean, it's also different, but this is very, very useful if you have like the WordPress comments, WooCommerce, Contact Form 7 and also already Gravity Forms; you cannot see it here, but they just added that recently. And our plugin is more like a solution for everything, but then you need to do more manually. So another nice thing is the WP Policy Genius. It helps you to write your own privacy policy, also called cookie notice, and I like this plugin also because it helps you; it's like a kind of wizard. But it's also, of course, not like from your lawyer, so you need to be a little bit careful about it, but basically what we saw is that it is useful. Still, we are not lawyers; we are very curious how this will continue, like after the 25th. And I hope you have some... these plugins are helpful for you. We also
made a download available of this presentation on this web address. Our main website is somedia.nl, but we also have like the English version, wpupgrader.com. And these are some of my colleagues, and we are crazy about WordPress like you all, and we are really thankful for this WordCamp and all the people that support WordPress. We couldn't have this company without WordPress, and we are happy with that. We really love open source, and we really want to thank also the organisation for having us here. And yeah, a lot of people in this city are very like Feyenoord football, soccer team supporters, but we are more like, we are for WordPress, so sometimes we are like WordPress supporters. We try to help our clients; I hope we helped you a little bit, and if you have any questions, we will stand there at that banner. You can see Mark in the top; we will meet you there maybe. Have a great WordCamp. Thank you.
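The consent-gated loading Mark describes in the talk, writing the granular consents to a functional cookie and only including a tracking script when its purpose was ticked, together with the plain share link he suggests instead of a social network's script, as one added JavaScript example. This is not SoMedia's plugin code nor anything shown in the talk. The cookie name `site_consent`, the purpose names, the tag catalogue with `example.invalid` URLs, and the Facebook and Twitter sharer URL formats are assumptions made for the example; the essential tag with no purpose stands in for the anonymised analytics set-up the talk says needs no consent.

```javascript
// Added example: granular consent stored in a functional cookie, tracking
// scripts loaded only for purposes the visitor ticked (privacy by default).
// Cookie name, purposes, tag list and URLs are assumptions, not a real site's.

const COOKIE_NAME = "site_consent"; // assumed name for the consent record

// One purpose per tick box, described in plain language, never bundled.
const PURPOSES = {
  analytics: "Full Google Analytics so we can see how you use the site",
  social: "Share buttons that load scripts from social networks",
  marketing: "Adverts on other websites more suited to your taste (remarketing)",
};

// Privacy by default: every purpose starts unticked; nothing is assumed.
function defaultConsent() {
  const consent = {};
  for (const purpose of Object.keys(PURPOSES)) consent[purpose] = false;
  return consent;
}

// Encode as "analytics=1;social=0;marketing=0", URL-encoded for the cookie value.
function serialiseConsent(consent) {
  const parts = Object.keys(PURPOSES).map((p) => `${p}=${consent[p] ? 1 : 0}`);
  return encodeURIComponent(parts.join(";"));
}

// Parse document.cookie or a Cookie header. Missing, unknown or malformed
// entries fall back to "no consent", so a stale or edited cookie never grants more.
function parseConsentCookie(cookieString) {
  const consent = defaultConsent();
  if (!cookieString) return consent;
  for (const pair of cookieString.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0 || pair.slice(0, eq).trim() !== COOKIE_NAME) continue;
    const value = decodeURIComponent(pair.slice(eq + 1).trim());
    for (const entry of value.split(";")) {
      const [purpose, flag] = entry.split("=");
      if (Object.prototype.hasOwnProperty.call(PURPOSES, purpose)) {
        consent[purpose] = flag === "1";
      }
    }
  }
  return consent;
}

// Set-Cookie value for the consent record. This cookie is functional (it only
// records the visitor's choice), so it may be set without asking first.
function consentCookieHeader(consent, maxAgeDays = 365) {
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${COOKIE_NAME}=${serialiseConsent(consent)}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Constructed tag catalogue. Each external script declares exactly one purpose.
// purpose null marks an essential tag that may load without consent, such as
// the anonymised analytics set-up mentioned in the talk.
const TAGS = [
  { id: "analytics-anon", purpose: null, src: "https://example.invalid/analytics-anonymised.js" },
  { id: "analytics-full", purpose: "analytics", src: "https://example.invalid/analytics-full.js" },
  { id: "share-buttons", purpose: "social", src: "https://example.invalid/share.js" },
  { id: "remarketing", purpose: "marketing", src: "https://example.invalid/remarketing.js" },
];

// Decide per purpose which tags the consent record permits, instead of the
// all-or-nothing include of a single tag manager container.
function tagsToLoad(consent, tags = TAGS) {
  return tags.filter((t) => t.purpose === null || consent[t.purpose] === true);
}

// Browser side: inject only the permitted scripts and return how many were added.
// Guarded so the same file also runs under Node, where there is no document.
function loadPermittedTags(consent) {
  if (typeof document === "undefined") return 0;
  let injected = 0;
  for (const tag of tagsToLoad(consent)) {
    const el = document.createElement("script");
    el.src = tag.src;
    el.async = true;
    el.dataset.tag = tag.id;
    document.head.appendChild(el);
    injected += 1;
  }
  return injected;
}

// Share without a third-party script: a plain link to the network's own share
// page, so nothing runs on the visitor's PC until they click. These sharer URL
// formats are assumed for the example, not verified against the networks.
const SHARE_ENDPOINTS = {
  facebook: (url) => `https://www.facebook.com/sharer/sharer.php?u=${encodeURIComponent(url)}`,
  twitter: (url) => `https://twitter.com/intent/tweet?url=${encodeURIComponent(url)}`,
};

function shareLink(network, pageUrl) {
  const build = SHARE_ENDPOINTS[network];
  if (!build) throw new Error(`unknown network: ${network}`);
  return build(pageUrl);
}

// Page load (constructed run): read the consent cookie, load only what was ticked.
const currentConsent = parseConsentCookie(typeof document === "undefined" ? "" : document.cookie);
loadPermittedTags(currentConsent);
```

The consent cookie is the only thing written before the visitor has ticked anything, and an unknown or edited value is read as "not given", so a tampered cookie can only reduce what loads, never widen it. The same `tagsToLoad` decision can drive a tag manager container per purpose, which is the second approach Mark mentions.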