This document discusses the General Data Protection Regulation (GDPR) and its implications for WordPress sites. Some key points: - GDPR strengthens and expands the data protection rights of EU individuals and applies to any company processing EU residents' personal data, regardless of location. - It introduces strict rules around consent, data breaches, and new individual rights like the "right to be forgotten." Non-compliance can result in fines of up to 20 million Euros. - WordPress core has implemented changes like comment consent checks and data export/erasure features to help sites comply. However, plugins and privacy policies may also need updates, and proper data collection, storage, and use practices should be reviewed

1. GDPR, Data Privacy
and WordPress

2. Brendan Woods
Team Lead, XWP
@brendan_woods
brendan.woods@xwp.co
https://xwp.co/
not a lawyer

5. Ethical
Commercial
Legal

6. Ethical
Commercial
Legal

7. War is 90% information.
~Napoleon Bonaparte

8. Data = Power

9. WordPress is for a free internet
● WordPress is a bastion of the free internet
● Stands for equal opportunity, to allow anyone to bring a great idea to life
no matter where they are.
● We must stand for ethical data practice. To protect the vulnerable.

10. Ethical
Commercial
Legal

13. Data is Essential
● Understanding your market
● Cost saving / time reduction
● Product development
● Enhanced service

14. Being a Good Data Steward
● Data awareness is growing, and consumers are becoming far more
sceptical
● This is an opportunity to build consumer trust.

15. Ethical
Commercial
Legal

16. The General Data Protection Regulation (GDPR) is a new
regulation that acts as an addendum and overhaul of
the European Union's (EU) existing data privacy laws

17. Does GDPR apply to me?
- Any company processing the personal
data of subjects who are in the Union.
- It doesn’t matter where the
company is located.

18. Do I really need to follow?
● Previous fines under the DPD were much smaller, up to £500k in the UK.
● Now, failure to comply can result in fines up to €20 Million or 4% of global
revenue, whichever is more.
● Enforced Internationally.

20. Major Changes
Data Types
Consent
Breaches
New Rights

21. Data Types
● IP address and mobile IDs now included as personal data.
● Geolocation data.
● Sensitive personal data
○ Health, sexual orientation, race, religion, political opinion.
○ Also includes biometric data - fingerprints, retina scans, genetic data.

22. Consent
● Explicit consent must be obtained, no more pre-ticked boxes and vague
statements.
● Revoking consent must be just as easy.
● GDPR applies to some data already collected.
○ Some companies will need to re-establish consent.
● Must be used only for the purpose it was collected.

23. Breaches
● Companies have a 72 hour deadline to report data breaches to their
relevant Data Protection Authority.
● Breach must be reported to users/customers without “undue delay”.
● Due to this difficult clause, companies will need reporting policies and
procedures, as well as breach templates.

24. I just want my phone call

25. My New Rights
● Data subjects are able to request to be forgotten. I.e. The right to erasure.
● The right to restrict processing
● Data Portability
● Knowledge of profiling

26. WordPress Core
● WP 4.9.6 Release implemented a set of changes to
help site owners with compliance
● Comment Consent (check language)
● Data export and erasure feature
● Privacy policy generator
● Gaps in localisation
Leo Postovoit

27. So what should I be doing?

28. Next Steps
● Check your plugins
■ Google Analytics
■ Email opt in
■ Cookie consent
● Create a Privacy Policy
● SSL and Encryption

29. The most important questions
● What data am I collecting?
● Where am I storing it?
● Why am I collecting it?
● Did I get proper permission to have it?

30. What kind of future do we want?

31. Questions & Comments
@brendan_woods