New Team Forms to Facilitate GDPR Compliance in WordPress Core

As May 25th, the enforcement date for the General Data Protection Regulation (GDPR), draws near, individuals and businesses are scrambling to make sure they’re compliant. I’ve read a number of blog posts throughout the WordPress community explaining the GDPR and what needs to be done for compliance, and it’s a tough thing to grasp.

The EU GDPR was designed to harmonize data privacy laws across Europe, protect and empower European citizens’ data privacy, and reshape the way organizations across the region approach data privacy. In reading the regulation and various blog posts, the terminology makes it appear that the changes are geared towards large, international businesses that process personal data.

However, according to Heather Burns, a digital law specialist in Glasgow, Scotland, the GDPR affects sites large and small.

GDPR applies to all businesses, organizations, sectors, situations, and scenarios, regardless of a business’s size, head count, or financial turnover. A small app studio is every bit as beholden to these rules as a large corporation.

Determining if your site needs to be compliant and how to accomplish it can be overwhelming. If you do business in Europe or collect data from European users, you must protect that data in accordance with the GDPR as if you were in Europe. For example, if you operate a blog with a contact form that saves entries to the database from people who live in Europe, you must make your site GDPR compliant.

There are a lot of aspects to the GDPR, and while an excerpt cannot fully explain it at a glance, there are a few themes that stick out to me.

  • Be upfront and concise about what data is stored, sent, and used on the site or form.
  • Give the user a chance to consent without automatically opting them in.
  • Collect the least amount of data possible for legitimate business purposes.
  • Provide a way for users to download or access their data and remove it.

Many of these are common sense practices that are not implemented on many sites, WP Tavern included. How often do you visit a site’s contact form and see an explanation as to why those fields are required, where the data is stored, where it goes, and what is done with it? This is something I’ll be working on in the next few weeks.

Making WordPress Core GDPR Compliant

Earlier this month, a number of volunteers gathered to discuss GDPR compliance in WordPress core. The meeting took place in a newly created channel #gdpr-compliance that’s accessible to anyone with a SlackHQ account.

The team created a proposed roadmap to add privacy tools to core. The plan includes the following ideas:

  • Add notices for registered users and commenters on what data is collected in core by default and explain why.
  • Create guidelines for plugins on how to become GDPR compliant.
  • Create and add tools to facilitate compliance and privacy in general.
  • Add documentation and help for site owners to learn how to use these tools.

Earlier today, the team met and created a GitHub folder that houses the roadmap, knowledge base, Trac ticket list, and other items associated with the project. There was also some discussion on whether the interface provided by the GDPR for WordPress project is a good foundation for core and plugins to report personal data. The GDPR Compliance Slack channel is also a good place to ask questions and discuss data privacy in general.

Popular form plugins such as GravityForms and NinjaForms have documentation available that explains GDPR compliance and how it applies to their products. For those who use the Contact Form module in Jetpack, which saves entries to the database by default, you’ll need to wait for further updates. WooCommerce and Automattic have announced that they expect their products will be GDPR compliant by the time it goes into effect later this year.

GDPR Resources

If you’re like me, reading about the GDPR and its policies can make your head spin. It’s important to keep in mind that at the heart of the GDPR are common sense behaviors for handling personal data. If you’d like to learn more about the GDPR, check out the following resources.

9 Comments


  1. Jeff, note that this is EU (European Union) regulation and the EU is not the whole of Europe; there are countries outside of it. Which means that for some European countries and some European citizens EU rules don’t apply, and thus GDPR.

    I am not surprised that this EU regulation sounds complicated and hard to understand. Most (if not all) EU regulations (not just for digital) are like that. The problem is that the EU has become too big, bureaucratic, and out of touch with real life, that it doesn’t solve but introduces new problems, and has way too many regulations. While in some cases intentions might sound noble, execution is poor and awful. Take for example two well known cases for digital: the cookie law and VAT MOSS.

    My bet is that this is how it will end with GDPR. Privacy would be improved only on paper, not in real life.



    1. Which means that for some European countries and some European citizens EU rules don’t apply, and thus GDPR.

      That’s not the case if a non-EU entity transacts with or manages data for EU entities, i.e. GDPR will apply. You can choose not to adhere to GDPR, but if your EU footprint is large enough then expect enforcement. The EU has messed up before, both the cookie law and VAT MOSS, but GDPR is well thought-through and already law in all EU countries; it’s just enforcement that starts this year.

      IMO this should be viewed as an opportunity to review how you treat your users and deal with their data.



  2. It’s worth noting that both VATMOSS and the cookie law have been substantially overhauled and reformed for the better thanks to positive, evidence-based, and cooperative engagement from the public and from organised advocacy groups.

    So that’s the nice thing about the GDPR compliance project: it has drawn people following those examples who want to be positive, constructive, and engaged, and just get on with the task ahead. Another lesson learnt from the previously mentioned issues is the importance of getting it right in good time rather than scrambling to retrofit fixes after the compliance deadline has passed, and that’s what we’re working on now.

    People who want to spin political grievances, victim narratives, and conspiracy theories are entitled to their opinions but at the end of the day, as Jeff said, this work is about raising the standards by which we protect the people in our data, ensuring that the WordPress project itself is one that people can trust, and providing the tools that everyday site administrators need to be able to protect their users and themselves too. I can’t think of any effort more worthwhile than that.



  3. There is a €10 million minimum fine for non-compliance — €20 million for tier 2 offenders — but there is scope for (internal) regional variation in GDPR’s application so there is some wiggle room.

    As @Matt rightly says, GDPR affects any person or business that collects data about anyone in the EU at the time of data collection.

    GDPR defines Data Subject to be anyone who happens to be within an EU jurisdiction at the time their data is collected as well as persons normally resident within the EU (EU citizens). This Data Subject could be an EU citizen travelling in the US or an Australian citizen in transit across EU airspace. Data Controllers and Data Processors are equally tightly defined as those who collect, store and crunch data collected on EU Data Subjects.

    Further, GDPR requires that those who own or manage properties where data is collected ensure the security of that data, record where that data is shared, notify Data Subjects of any data sharing or changes to the basis of any data collection and provide a route for data to be viewed by Data Subjects or deleted (including shared data — see next).

    Furthermore, GDPR puts the onus on Data Controllers to ensure those who might access that data are also GDPR compliant.

    Are the horrors of this regulation beginning to reveal themselves to you?

    How about this: what data is collected by your web server (stats and error logs), web host (data backups) and payment processors (e.g. Stripe and PayPal)?

    When an EU Data Subject purchases a service or plugin, the vendor needs to be GDPR compliant whether that vendor is in the EU or not.

    GDPR is too well written. This regulation will affect more people than most could have imagined when the documentation was finalised. In my opinion, GDPR will cause non-EU businesses and website owners to reconsider their openness to persons covered by EU jurisdiction.

    Myself, and I am in the UK, as soon as the UK leaves the EU, I will review whether to geoblock Data Subjects within the EU. So little of my traffic and business is conducted in the EU that I won’t miss it, and the costs of compliance are too high to warrant EU business.

    GDPR is going to cause bigger headaches than many yet realise.



  4. Complete rubbish about the fines. Monetary penalty fines – as I explained in the Tavern podcast – are only applied as the fourth stage of an exhaustive cooperative engagement process between the regulator and the organisation, or in the cases of genuinely egregious data breaches. The fines are proportionate and necessary, not maximum and destructive. (As a word of advice to readers, the most blatant sign of GDPRubbish is anything discussing fines whatsoever.)

    As a UK business, you’ll know that very little of what’s in GDPR is new. All of its basic principles have been around since 1995, incorporated domestically as the DPA of 1998. You also know that GDPR will continue to apply within the UK through the new domestic implementation, the Data Protection Bill, after the UK leaves the EU and for several years beyond that.

    The only horror to consider is that your data protection obligations for both your domestic and foreign customers – including the ones you describe above as “GDPR requires” – seem to be new to you after twenty three years of being on the books.

    PS On Tuesday geoblocking became illegal within Europe.



    1. GDPR is different to the UK’s long-standing DPA. They are different in breadth of reach and application:

      1) GDPR has global reach, DPA did not
      2) GDPR covers persons in EU territory however temporary their stay in the EU,
      3) GDPR makes the original collector (and agent of) responsible for actions committed by 3rd parties all the way down the chain, so who A shares with (e.g. B), who AB share with, who ABC share with, etc.,
      4) GDPR makes any data collection entirely opt-in, DPA did not
      5) GDPR requires a data processor or data holder to provide a method for a Data Subject to have data held about them erased or transferred to another data processor/controller upon request,
      6) GDPR allows for group lawsuits or for others to sue on behalf of those affected by non-compliance
      7) There are many other differences between GDPR and the DPA.

      Here are 2 brief summaries of some of those differences:

      1) https://www.atg-it.co.uk/gdpr/dpa-vs-gdpr/
      2) https://www.ebuyer.com/blog/2017/03/the-difference-between-gdpr-and-dpa/.

      The UK’s ICO has this to say:

      1) https://ico.org.uk/for-organisations/data-protection-bill/

      GDPR is a tortuous beast compared to DPA. So much so that even ICANN is in the process of changing its domain registration privacy policies, and we all know how arrogant ICANN is.

      You are correct about the fines. The Tier 1 fine scale is between 4% of global turnover and €20 million. The Tier 2 fine scale is between 2% of global turnover and €10 million. I am happy you corrected me there. Thank you for pointing out this error in my knowledge.

      Many conversations and reports about the possible fines add ‘whichever is greater’ to their statements about them, which I suspect is due to mistranslation of earlier information put out by the EU Commission, or misproduction by the Commission’s website authors. It is mentioned too often for it to be made up out of nowhere by each author. The authors could be parroting each other though I do recall reading that statement on the Commission’s website too. The page about GDPR that I bookmarked appears to have been edited since my last visit (I know I saw it. Promise). I visit the Commission’s site more often than I would prefer to need to do. I am accustomed to its pages being moved and to page content being edited or entirely replaced between visits.

      The following (current) official texts are enlightening:

      1) https://ec.europa.eu/info/law/law-topic/data-protection_en
      2) http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679

      GDPR and the UK

      GDPR will be brought into UK law and will remain in UK law after the UK leaves the EU. I understand that how it is applied will be down to UK law, which is different in basis and process to EU law. The latter being based on the Napoleonic Code of ‘you have the right to do…’ and the former being based on the English Common Law premise ‘You have freedom from…’

      GDPR will not necessarily escape change when reviewed by UK Ministers and the ICO post Brexit. GDPR’s post Brexit continued relevance to domestic UK law is not a done deal. Reading the updated DPA (details linked to above), it is very likely UK GDPR will be rewritten.

      Geoblocking

      Geoblocking with regards to digital service provision has been illegal in the EU for some time. Europe and the EU are different entities. The EU is a legal construct. Europe is a physical landmass, i.e. a continent. Once the UK leaves the EU, UK citizens will not be bound by EU law. I will be legally able to geoblock EU traffic when the UK leaves the EU. I am not alone in this reverie. I certainly will not allow EU law to prevent me geoblocking whichever regions I choose to block — I control my data ;)



    2. “.. geoblocking became illegal within Europe.”

      Uh… what? For EU servers, yes? Because if I have a US client who doesn’t at all care about EU customers, they can and may block EU-originated visitors. I fail to see how the EU has any say over that.



      1. They don’t. They’re just desperately trying to stay relevant.



  5. Cool, maybe some time I will be able to delete my sleeping .org and .com accounts.

