Skip to content
From our Community Blog:

GDPR, Privacy, and WordPress

Subscribe to Community Blog updates

You may have noticed that data privacy has been in the news lately, for a lot of different reasons. One of those reasons: the European Union will be implementing the General Data Protection Regulation, or GDPR, this spring. GDPR has global implications, which means there are changes coming to WordPress core, and also to how we build themes and plugins.

This episode features WPCampus community member Brian DeConinck and digital law and policy specialist Heather Burns. You can learn about Heather's work at her website, webdevlaw.uk. Among her many projects, she is part of the team working to prepare WordPress core for GDPR. She joins us to talk about upcoming changes to WordPress, and privacy best practices for site admins and plugin authors.

Resources mentioned in this episode, and additional reading about GDPR:

Note: Our recording picked up a little more background noise than usual for this episode. After cleaning up the recording, most of the conversation is pretty clear. But if there's something you can't make out, please see the transcript below.

Listen to the episode

Transcript

Brian: Welcome to the WPCampus Podcast, a podcast for those using WordPress in higher education.

You may have noticed that data privacy has been in the news lately, for a lot of different reasons. One of those reasons: the European Union will be implementing the General Data Protection Regulation, or GDPR, this spring. GDPR has global implications, which means there are changes coming to WordPress core, and also to how we build themes and plugins.

My name is Brian DeConinck, and I work for North Carolina State University. I'm joined today by Heather Burns, a digital law and policy specialist. You can learn about Heather's work at her website, webdevlaw.uk. Among her many projects, she is part of the team working to prepare WordPress core for GDPR. She joins us to talk about upcoming changes to WordPress, and privacy best practices for site admins and plugin authors.

One quick note before we hear that conversation: Our recording picked up a little more background noise than usual this time. I've cleaned things up, so most of the conversation is pretty clear, but if there's anything you couldn't make out, you can visit wpcampus.org/podcast for a full transcript.

Transcribing the podcast is something I've been wanting to do for a long time for accessibility reasons, so I'm glad there were some loud voices in the background this time that gave me the push to finally do it.

With all of that out of the way, here's Heather!

Heather: Thank you for inviting me on, Brian!

Brian: Well, thank you so much for being on!

So, just hypothetically, if there's someone who's listening who has no idea what GDPR is, or anything at all related to it, what is GDPR?

Heather: So GDPR is a renewal and a refresh of the European data protection and privacy structure. Very different from the way the United States works, in Europe we have a single overarching data protection framework, across all situations, all sectors, all business sizes, whether you're the largest corporation or a one-woman business, or for that matter a university, the same set of laws apply to you.

We've been working with a European data protection framework since 1995, so what GDPR is, as I've said, it's a renewal and a refresh of those rules, which was, you know, desperately out of date.

So, we're all getting ready for it here. It may seem a little bit cumbersome, but it is ultimately such a healthy business process to go through, because everyone needs to go back to basics and examine how they collect data, what they collect data about, why they collect it. And I find the compliance journey is actually so rewarding. It allows them to feel better in control and empowered of the ways they do business with data.

Brian: I feel like, in recent years especially, data storage is cheap, so we've all sort of gotten addicted to the idea that we can just keep things forever and ever and ever, but GDPR seems like it's going to force sort of a cultural shift.

Heather: It will. And, not before time. I've been speaking and writing about this stuff for years, but even in the past month all of the news stories really got people just thinking about these things. Developers, how the decisions they make can create a snowball which avalanches into a privacy concern. So, now's the right time to be thinking about it.

Brian: GDPR is a European Union regulation. Many, I would say most people who are involved with WPCampus are not in the European Union, although we have people around the world. But GDPR does apply globally to anyone who's interacting with people in the EU. So can you tell us a little bit about the scope of GDPR and who's covered by it?

Heather: Well, European data protection law has always been extra-territorial. It has always applied to people within the European Union regardless of where their data was collected and processed. But because the existing data protection framework was from, again, 1995, floppy disks and dial-up, the constant international data flows we deal with all the time, whether that's a client's business records or the data syncing to cloud storage on your phone, wasn't really adequately addressed until now.

So, GDPR applies to any business, organization, or educational institution which is collecting or processing data about European Union residents, regardless of their nationality or location within Europe. If you serve customers in the European Union and you're an American business, you still have to protect their data to European standards. And that also applies to educational institutions, whether it's students, prospective students, alumni. I think we're going to dive a little more into that today.

Brian: Yeah, well, I'm thinking about my own university. I work for North Carolina State, and we have online education programs, we have international students, we have a satellite campus in Prague, all these different ways that we're interacting with people in Europe, that on a day-to-day basis I might not even be thinking about, let alone just people who might show up and sign up for a newsletter on a website, or something like that.

So, higher ed, at least in my experience, we don't always take change very well. And in many ways this is a big change. It's going to require us to re-think how our websites function and how we interact with our users.

Looking at WordPress core specifically, what kinds of interactions are we really concerned about, just in the core WordPress application?

Heather: Getting ready for GDPR has posed a few unique challenges to the WordPress ecosystem. When it comes to privacy, core, all things considered, is pretty good. There are a couple of tweaks and changes and improvements we're making that we're going to discuss later. But the challenge for WordPress is that a WordPress site is a combination of core, and plugins, and themes. And there are infinite combinations of ways that those aggregated websites collect data, process data, the way the website administrators use the data, access the data, or not.

So, our challenge was to, not to---let's be honest, we cannot make any WordPress site compliant with anything, but what we can do is fix what is humanly possible to fix, and then provide site administrators with the tools and resources they need to make the right decisions and to inform their site users about the best ways to protect and safeguard their data.

Brian: So this isn't something---I've seen you talk about this in Slack and also the recent change to the published WordPress plugin standards, that you can't just have a plugin that makes you GDPR complaint, that solves all of your problems magically for you.

Heather: I like to tell people there's actually no such thing as GDPR compliance, because it's a bit like saying you're healthy. Just because you're healthy today, doesn't mean you're going to be healthy in a week. It's about your ongoing, every day business processes, the ways you do business, how you take data, how you store data, and the quickest way to let your standard slip is to ever believe that you are compliant.

So the notion of, just install a plugin that will do all that stuff for you is something I've been railing against on WordPress pages for years. So we took the opportunity to have the plugin guidelines amended so that no one could ever say that their plugin would make the site legally compliant in anything, whether that's GDPR or ADA or, I've even been seeing plugins that offer to spit out a legally water-tight business contract.

There are many things that we've been able to take a look at, not necessarily within the very narrow definition of the GDPR compliance deadline, but which have an equally important impact, and certainly be relevant for future work after this deadline.

Brian: I want to talk a little about that future work in a minute, but let's, I guess, dig into some specifics. I'm a plugin developer and I'm a site administrator. We all interact with WordPress in lots of different ways. What are some of the specific changes we can expect to see in WordPress core?

Heather: Well, I've been working [inaudible] late January, early February, with a core compliance project group, which is Automatticians, plugin developers, volunteers, just anyone who's interested in these issues of how do we get WordPress for GDPR? Keeping in mind that, as I said, we can't make a website compliant. So what can we do to help administrators get there?

The GDPR compliance project has four areas that we're working on. First is developing tools for core for the various requirements of GDPR, such as data export, being able to delete a user's information.

The second thing we're working on is a tool to create a GDPR-compliant privacy policy, because---and I just gave a whole talk about this on Sunday at WordCamp London---privacy notices are a big part of helping be GDPR compliant, and the days of these legalese gibberish walls of text are over. Privacy policies now have to be open, transparent, helpful dialogues with the user, of the ways you're using their data and what options they have over it.

So that, again, creates a challenge for when you might have a site with thirty plugins and themes and contact forms and such there. So we're developing a tool that will help site administrators develop that privacy policy without having to talk to lawyers or developers.

Third area we're working on is, we're going to take a look at the plugin development guidelines, because any work we might be doing now can only be retroactively applied to existing plugins. If plugins have areas they could be slightly better in, regarding privacy and data protection, it's because we haven't clarified that sufficiently enough. So we're going to better define what is now acceptable, for best privacy and data protection practices. Again, not within the strict definition of GDPR, as a European law, but as privacy as a general principle.

And the fourth area we're looking at, is more developing information resources for site administrators, everyday site users, and developers on what they need to know about GDPR, as well as general best practices and privacy and data protection, in language geared toward each of those audiences.

So, this work, fingers crossed, with lots of coffee and Red Bull, will all be ready and up and running by the 25th of May, which is the day GDPR becomes enforceable in Europe.

We're also noting things we could equally turn our attention to, but kind of putting them on the B-list until we're done with this specific deadline. And then we're going to take a breather and come back to them afterwards.

Brian: And so, by May 25th, that would also be, I guess, WordPress version 4.9.6, maybe?

Heather: Possibly? Yeah. I've heard things about 5, but, you know what deadlines are like, so.

Brian: I've been sort of lurking in the GDPR compliance channel in WordPress Slack for a couple weeks, just trying to get myself up to speed for what I need to know. I'm seeing some tools that will hopefully be available for data review and data export for end users. Can you talk a little about what those kinds of tools might look like, bearing in mind they're not actually real yet, they're still in development?

Heather: Well, you're welcome to help us test them!

On data export, users have the right to export all the data that a site holds on them. You've heard the apocryphal stories of people requesting that Facebook send them a copy of their data, and they literally get the box, the ream of paper, [inaudible] the entire box. So, we're looking for ways, again, to number one, create a tool that will allow the user to request the data export, to verify the identity so it's not someone trying to steal your data, and for the site administrator to provide a copy of it.

And also looking at building the functionality into those tools so that it also pulls the required data from your plugins.

If you think about it, this has been a really difficult, but good challenge to get our teeth into. How do we create functionality to pull all of this information the user or the administrator will need from very diverse plugins doing very different things?

So we have an export tool. The privacy notice tool is something that really excites me. It will---again, coffee and Red Bull willing---allow users to generate a GDPR-compliant privacy notice in a page that would be a default. When you install a new site, you have "Hello" and "About" pages, and you're going to have a privacy notice page now.

That page will generate the information, but it will not publish it. There will be plugins that choose not to comply and don't provide the information. There will be information that the business owner or the site administrator is required to provide in any case, you cannot automate this process. You have to be accountable, there are questions only you can answer.

So we're providing the tool that will let them get halfway, provide the information they have to get on their own accord, and then able to review that and manually publish it. So, we're not going to do the job for them, we're not going to do your homework for you. We're going to give you the tools you need to do it right, but it's still ultimately the administrator's responsibility to ensure the accuracy of that notice and then to publish it.

Brian: And I guess it also raises the standard---responsible WordPress admins have had to do their due diligence in reviewing security and things like that in the plugins that they're adding, but now it's just another thing that we need to be thinking about.

Heather: Absolutely.

Brian: So, thinking about higher ed, a lot of large universities, especially in the United States, are addicted to decentralization. We don't always like talking to ourselves, and we don't always like talking about important things before deadlines.

Thinking about my own university for instance, we have, across twelve colleges in the university we have thousands of WordPress websites. Some of them are in multisite, some of them aren't. Some of them are maintained actively by IT staff, some of them were created and somebody walked away from them. And this is just sort of an ongoing challenge for our own processes, and maintaining security, and things like that. But thinking about GDPR and privacy in general, coordinating privacy policies with our legal office and vetting plugins, seems like a large task.

So, with that in mind, can you solve all of my problems for me? What kind of recommendations would you give for prioritizing and assessing risk when you're trying to decide what to do and how to approach GDPR for one website, or many websites?

Heather: The first and most important thing is it needs to be a cross-disciplinary effort. GDPR is about removing the notion that privacy is a contractual matter for lawyers. In fact, they're the last people who should be involved. It needs to be cross-disciplinary across your management, across marketing, across design and UX, across administration, and, yes, across legal, although I don't honestly expect an American university lawyer to understand much about European privacy law.

But, the expression that I've used in all the speaking I've done about GDPR is "pull your socks up." GDPR is about pulling your socks up. All the little processes we've gotten sloppy and lazy about. And maybe, UX didn't design something a certain way beause marketing didn't tell them, or admin didn't tell them that they were collecting [inaudible].

So the healthiest way to start the GDPR compliance process is to literally get everyone in a room around a table and ask these questions. What information do we collect? Where do we collect it? Why do we collect it? Who has access to it? Where do we store it? For how long do we store it? What rights do people have over it?

It includes everything from paper files to archives to backups to old files in registrars, to alumni donor information. And this is why, as I said at the beginning, this can be such a powerful process. Very few organizations will ever have sat down and asked these questions to begin with. And you will be staggered when you just face the scope of what you have, where you have it, and who has access to it.

And then you start by looking at your risks. A very healthy process to do as part of the privacy by design framework, which is part of GDPR's requirements for data-intensive projects, is the impact assessment. And that's a living written document that everyone involved in the project signs off on, where you ask those questions that I just posed, and you take it a little deeper and talk about the risks.

What are the risks to us holding this data? What are the risks to the users? What are the risks to the organization, in this case the university? What happens if this data is leaked? What happens if it is breached? What happens if it is misused? And what risk mitigation strategies are we going to put in to make sure that that doesn't happen?

So your first step might be deleting a heck of a lot of data. I love how GDPR is causing this big global data purge, of stuff you don't need or shouldn't have been asking for in the first place.

Brian: Right. I don't necessarily need IP addresses from people who visited my website three years ago, that I'm not doing anything with, that I'm not looking for any useful information from it.

Heather: A healthy part of compliance is creating a data minimization, retention, and deletion schedule, for every kind of data you hold. GDPR doesn't set hard and fast rules on these things, but it expects you to come up with a rationale for how long you're keeping all this data, why you're keeping it, and when you're deleting it, for every bit of data that you hold.

So it may be that we keep all alumni data forever and ever, and as long as you can justify it, that's fine. It may be prospective clients and applicants, you're not going to need their data after two years, because even if they were coming back and going to you anyway, they'd have to start a whole new process, so why are you keeping all of that data? For network administrators, site logs, site admin things, there are certain legal obligations you may have to comply with about how long you keep visitor data in case there's a court case or misuse of a university system.

That's fine. But think about everything you're keeping and how long you're keeping it, and come up with a regular schedule for deletion. And that way, you have so much less data that could be misused.

Brian: In some respects, I feel like higher education institutions are better poised to think about this than private businesses, just because, at least in the United States, there are already many laws surrounding student data, for instance, how that's retained and who's allowed to have access to it. This is just sort of a broadening of that scope, it's not just students that we're thinking about, it's everybody who's interacting in some form with the university.

Heather: I mean, I remember, I was an undergraduate in the States over twenty years ago, and my student identification number was my Social Security number. And it was on your library card, it was on your ID card, when it was exam time they would just post the Excel spreadsheet outside the university department with your results by your Social Security number.

Brian: In hindsight, that wasn't such a great idea.

Heather: You know, it's amazing how far we've come in twenty years, but we had a very far way to come.

So it's true that US law has sectoral regulations on privacy pertaining to students, but there is a culturual difference between the United States and here. And I'm not trying to paint anybody right or wrong, better or worse, I'm just explaining the difference. The US culture of privacy is, you're opted in and you have to opt out. Whereas the European approach is, you are opted out and you have to opt in.

So the US approach is, collect all the data, keep the data, and then if you're going to do something with it later, maybe only then think about it. Whereas, the European approach forces you to pass a lot of hurdles before you are ever collecting that data in the first place.

So, even though your American university data will be pretty tightly protected, it's still a really good opportunity to look at it through minimization retention eyes and see things like user rights over the data. The European view is, again, where it's user-centric, whereas the American view is, it's institution-centric.

So think in terms about how, what if the user just doesn't want this data collected? What if they don't want the alumni office calling them until the day they die asking for money? That sort of thing.

Brian: I think perhaps our alumni office has a different view of that interaction. But yeah, this is an opportunity to rethink how we approach the people who interact with our institution.

Heather: Absolutely.

Brian: Going back to, I guess the mechanics of GDPR for a moment, it'll be fully implemented on May 25th. Do we have a sense for what a GDPR complaint might look like for an organization or an institution that's not compliant? What kind of a process might be followed? I assume this is where lawyers get involved.

Heather: Actually, no. It's a big misconception, because---We have a process in Europe where we work through data protection regulators, we have something like that here. Every nation has a regulator. The closest you come in the US is the FCC, but not really, it's kind of sort of, but not really.

So if an alumni living in Scotland has a problem with being harassed by her alma mater in Washington and realizes, "they're also selling my data and I'm getting junk mail?" what she has the right to do is contact her national data protection authority, and say they're not respecting us. And that data protection authority will get in touch with the institution in the United States and explain they're concerned that you are not respecting our citizens' data. Could you explain your processes and procedures?

So, it is a cooperative process. They will work with you. Sometimes Americans don't seem to understand that the European privacy system, it's not about courtrooms and lawyers. I've seen comments on posts I've written, things like "Will I be prosecuted?" That's not how it works, it's not an adversarial, it's not criminal law. It's civil statute. It's done through cooperative involvement with regulators.

The only reason you're ever going to get a fine, and there's so much rubbish and misinformation and scare-mongering about fines---fines, certainly in the UK where I am, are only ever levied as the fourth stage of an exhaustive process where they have genuinely tried to work with you, and you've not taken their advice or you've repeated mistakes. Or, it's levied in cases of truly egregious data breaches, where the fine was absolutely justified, so your Facebooks and your Ubers.

But the regulator will work with you. However, you have to meet her half way. And if the regulator comes to you and says, "We're really concerned, you're actually selling data about thousands of your alumni over here to marketers without their consent, could you please show us what opt-in consent they gave to that?" And if your answer to that is, "Uhhh..." you have two problems. Because the fact that someone attended your university twenty years ago was not granting active consent for every list you want to put them on until the day they die.

So, again, you've got to start thinking about these processes now. Where did we get this data from? Why is this person on this list? What rights do we give this person? And that's healthy, I think.

Brian: Yeah, I think it's going to force us to think about things we get away with not thinking about a lot of the time.

So, we've talked a little about the changes that---again, coffee and Red Bull---coming soon to WordPress. But this is the first major push for privacy anything in the WordPress community that I can remember. What comes next? What comes after May 25th? What's the future of privacy in WordPress, and giving more tools, giving more recommendations to WordPress users?

Heather: Well, this is only my personal view, but my personal view is I would like to see privacy become a core team, like accessibility. You may remember, a few years ago, accessibility had to fight for their voice to be heard. And now, they are an active core team. So I would love to see a privacy core team to look at these issues going forward.

There's so much we could look at and learn from, we just have to keep cranking towards a specific deadline or a specific piece of legislation. So I think it's a really big challenge that we should be sinking our teeth into, about how do we create a best standard and practices for privacy and user protection, not pinned to any one particular legal framework. But mindful of the fact that there are elements we can cherry-pick from various different legislation and systems, to create a really good best practice standard for all developers to use.

Brian: Do you find, in---so, I'm going to pontificate for a moment. What I've observed, as somebody following along with core development is, there's a lot of enthusiasm for building something new like Gutenberg, but core teams like accessibility, while they do have that recognition, there's a lot less activity in those channels in Slack, there's a lot less activity just in general.

Do you find that, the interests of the people who are contributing to an open source project, they often tend toward, I want to write code. I want to build something new. How do you balance that with these sort of big questions that WordPress needs to grapple with, and make sure that they do get the time and get the attention and get the interest that they need to get?

Heather: Well, I've been in the community for ten years, and it's been my observation that---and this is a personal observation, but anyone is welcome to disagree with me---but I feel that the reason accessibility and privacy have been so hard to sell is because they're intrinsically connected to law and legal frameworks.

And there's a lot of people in the community who see anything connected to law and run the other way. They think it's the preserve of lawyers, they think that they will be held responsible for any mistakes they made, they think that maybe because they're not legally qualified they shouldn't be working on this.

But, certainly with GDPR, lawyers really do not need to get involved. It's a development framework. Where you need lawyers is to do things like sign off on things like your contracts with third-party providers.

But it would be helpful for us as a community to get over our stigma of anything legal. And thinking of it, again not trying to cause a cultural fight, but thinking of it as a judge, and a gavel, and a courtroom, and a lawyer talking a load of rubbish. It's a completely separate kind of law from the law that we're talking about, in terms of making sites disability compliant, making sites privacy compliant.

So if we just approach them with a little more bravery, less fear. And, through all of our enthusiasm towards creating tools and writing code, as we're doing now with the GDPR compliance project, we have a responsibility, as the makers of the tools that create 30 percent of the web, to do better by all of our users. And we could truly make the web a better place for the 30 percent who use it, who use our product, by approaching legal compliance with less trepidation, more confidence.

Brian: Heather, this has been a really great conversation for me, just my own peace of mind, understanding what's happening with GDPR. I think a lot of people are going to find it very useful.

Do you have any favorite resources you'd like to point people towards? I guess your WordCamp London talk on privacy statements.

Heather: I did, I did that on Sunday, and the video will be up at some point on WordPress TV. I've done a couple of other WordCamp talks on GDPR, and I've also recently written some Smashing Magazine articles on the privacy by design framework and how GDPR will change you as a developer. And you've just reminded me, I owe them another article I should probably start.

So I will pass you the links for those, and you can put them in the show notes, Brian.

Brian: That sounds great. And if someone wants to follow you online, on Twitter you're @---

Heather: @webdevlaw.

Brian: And that's also your username in the WordPress Slack community. It's been very interesting for me following along with the GDPR compliance channel, and I'm really looking forward to seeing what comes in the next couple of weeks.

Heather: I'll just add that if you're coming to WordCamp Europe, I'll be teaching a three-hour workshop on developing for GDPR and privacy and data protection. So if you go to the WordCamp Europe website, you have to register for it just for headcount purposes, but I would love to see you there!

Brian: Sounds great!

Heather: I can't wait to show the world what we've done. Thank you for having me on, Brian!

Brian: Thank you so much!

As we finish up, I'll just read a few notes and then we'll be all done.

If any listeners haven't already done this, mark your calendars for WPCampus 2018. It will be July 12 - 14, in St. Louis, Missouri, at Washington University in St. Louis, Missouri. It's a great event for anybody doing WordPress in higher ed, or even anybody who's just sort of higher-ed-adjacent or curious to hear about how WordPress translates into the world of higher ed. Tickets go on sale on April 30th.

Just as a reminder, you can also subscribe to this podcast on iTunes and on Google Play by searching for "WPCampus Podcast," and you can listen to each episode and follow links to more information at wpcampus.org/podcast.

And finally, you can follow @wpcampusorg on Twitter for announcements about the conference, news and updates about the podcast and the community in general, and much more. If you have a suggestion for a podcast topic, please tweet it @wpcampusorg and we will see it!

So, Heather, thank you so much!

Episode Audio

Login to WordPress