GDPR part 1 – First encounter

Two years ago, four letters – GDPR – were creating the buzz. Adopted in April 2016 (with an entry into force on May 24, 2016), the General Data Protection Regulation nevertheless remained unknown to the public until its impending enforcement date. Importantly, this new regulation on data protection and privacy in the European Union (EU), which replaced the Data Protection Directive 95/46/EC, was of concern not only to European citizens, but to any business processing the personal data of people residing in the Union (regardless of the company’s location). Accordingly, the whole world was dreading May 25, 2018.

Even if an organization is not connected to the EU itself, if it processes the personal data of people in the EU (via tracking on its website, for instance), it must comply. The GDPR is also not limited to for-profit companies. – GDPR.EU

Interest in the GDPR rose sharply before its imminent application – with, in particular, a flourishing number of articles on how to achieve GDPR compliance. Now, this regulation has been in place for about two years and the buzz is long gone (as illustrated by this Google Trends graph). Although it might not be a bad idea to recall what the GDPR is1, there is no point in reinventing the wheel. So, what will this post be about then, you may wonder?

Definitely not about the legal aspect of this regulation – a topic beyond my subject matter expertise anyway! Not even about the seven principles of data protection that must be implemented, nor about the eight privacy rights that must be facilitated; at least not directly. Pursuant to the CogitActive Saga, this mini-series will chronicle the impact of the GDPR on the course of events, or more specifically, how the GDPR affected the making of my website(s).

The messenger

… I received an email from SiteGround about an upcoming webinar entitled What Is GDPR and What Is Your Host’s Role in It?. This occurred approximately two months after I signed up with them. Even though (or because) I had absolutely no idea what the GDPR was, I decided to attend their free webinar.

SiteGround webinar

The two hosts – Maya Stoyanova (Senior Legal Advisor) and Hristo Pandjarov (WordPress Initiatives Manager) – gave a brief 27-min overview of what the GDPR is and what you need to do about it. After that, they went through the questions asked by their customers for another 36-min discussion. The video was posted a few days later (nota bene not immediately as usual, probably due to the poor quality of the image), along with a blog post with replies to the unanswered questions.

[Video: webinar recording, by SiteGround]

I didn’t have any questions this time2; I was clearly stunned by these revelations. Unbelievably, something as basic as an IP address, which is stored in the web server log files of any website (among a wealth of other information about the activities of the visitors), is considered personal data. This means that anybody with a website, be it a for-profit company or an occasional blogger, has to comply with the GDPR – as long as they have visitors from the European Union! What about the comments on a blog, which require visitors to provide their email and name? What about Gravatar? Oh my!

WordPress itself is not GDPR compliant yet. – Hristo Pandjarov

So, what should I do for my website to be GDPR compliant?

Despite a cautionary statement – all answers to your questions should be considered only as an opinion and not as legal advice – they provided a few key recommendations on how to comply with the GDPR. In particular, in addition to emphasizing the importance of processing personal data in a fair and transparent way, as well as getting explicit consent from the users (for pretty much everything), they kept coming back to the privacy policy and terms of service. For example, they indicated that if there is personal data collected and/or stored by you, you need to prepare a Privacy Policy explaining what’s the use of that data. In keeping with this idea, they wrote that cookies3 should be explained and covered by the Cookie policy . . . and . . . you need to provide a way for the user to manage those cookies and disable them. Last, but not least, given the right to object, they stressed that users should be able to easily unsubscribe and/or withdraw their consent. And that was just the tip of the iceberg!

At that point, I was hoping for a GDPR checklist to avoid costly fines for non-compliance.

SiteGround blog

As I said, I was still unfamiliar with SiteGround; in particular, I didn’t know about their blog at the time. Otherwise, I would have read these two posts – an oversight now corrected:

The aim of the first post was to share [SiteGround] experience with becoming GDPR-compliant; still, it distills a few useful pieces of information, such as Privacy Policy [should] fully describe why and how [you] collect and process personal information. As for the second post, after highlighting some of the most important points in [SiteGround new] Privacy Policy, it describes their Data Processing Agreement (DPA), which regulates [their] responsibilities as a host – an important measure to allow their clients to have GDPR compliant sites themselves. Last, but not least, the author – Reneta Tsankova – also underlines that the regulation aims to make personal data processing more transparent and to give people more control over their data – in itself, a good thing!

The GDPR by design has been aiming to regulate activities of big companies like Google and Facebook that process insane amounts of personal data and are using it to generate significant gains, but at the end of the day, it affects everyone. – Reneta Tsankova

Fifteen days!

The clock was ticking. Out of the two years of preparation allotted by the European Union, only 15 days remained. The preparation period was shrinking alarmingly; yet, I didn’t rush into action. As already leaked, I was indeed travelling at the time and would not – in such a short period anyway – have had the time to read the many articles on how to achieve GDPR compliance.

Fifteen days to make my sites4 compliant. Both this blog and my website were already live, since I didn’t use a development environment or sandbox. Nonetheless, the Search Engine Visibility restriction in Settings > Reading was checked for both of them, keeping them relatively unknown. No visitors, no problem! Almost no visitors, actually…

To be continued…

1 There are many resources on the subject matter; still, it’s always better to start with the official one.
2 See SiteGround New Client Area and Site Tools – part 3. It is worth mentioning that the events related in the current post took place before those about the SiteGround new interfaces described in those posts. As explained in One Year, already?, there is some asynchrony between the posting in the CogitActive Saga and the actual occurrence of events. On the other hand, some posts, which do not belong to this chronicle, are synchronous; hence the resulting anomalies in the chronology.
3 Not the sweet biscuit, but the small files stored on your computer when you visit a website. While there are different types of cookies, generally their purpose is to help the website keep track of your visits and activities. For example, authentication cookies track whether a user is logged in, others keep track of the items in shopping carts, etc.
4 See Adding a site to my Multisite network.
