ManageWP & GDPR: What you need to know

It seems GDPR is hot topic wherever you turn. But just in case you’ve been living “Internet free” for the past couple of months and you’re unfamiliar with it, here is some information about it. Today, we’ll cover what is it, what are we doing about it, and how it affects you.

We’ve been receiving a lot of questions about the GDPR and we wanted to take a moment to reach out to you. Not only to keep you informed about all the work we’ve done on this subject but also to show you what is yet to come.

What is GDPR?

“The General Data Protection Regulation (GDPR) is a regulation (binding legislation, not just a directive) by which the EU intends to strengthen and unify data protection for all individuals from the European Union (EU). It also addresses the export of personal data outside the EU.

It aims primarily to give control back to EU citizens and residents over their personal data and to simplify the regulatory environment for international business (any company that is gathering, processing or storing the personal data of EU citizens).”

GDPR also includes steep sanctions for any company that is not compliant with the GDPR regulation after May 25th, 2018, when the GDPR goes into effect. These fines can go up to 20 million Euros or 4% of annual global (note global!) turnover, whichever of both is highest.

That is, simply put, a staggering figure.

Key Principles of GDPR

Here are the key takeaways you need to be aware of:

  1. Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.

  2. Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.

  3. Personal data held needs to be kept up to date and accurate. It should be held no longer than necessary to fulfill its purpose.

  4. EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance.

  5. All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer.

What is ManageWP doing about GDPR?

We know that GDPR is a big deal. Which is why we’ve set up an internal team to focus specifically on getting ManageWP ready for the GDPR. And although it took an enormous amount of time, we are happy to put our effort behind this, because we strongly believe this a step in the right direction for our users.

Here’s how we’ve divided our time and resources to tackle GDPR head-on:

What does this mean for me?

It means a few things, actually. Here’s what you need to be aware of:

Your Rights

gdpr rights

Our Obligations

What’s coming next?

What else can you expect to change in the coming months? Here’s what we have on our docket:

New Privacy Policy

We are planning to release a unified, comprehensive privacy policy providing clear visibility and transparency on how we collect your personal data, where we store it, how we use it, and for what purposes — in concise, clear, and plain language.

Consent

The GDPR requires that we must obtain freely given, specific, informed, and unambiguous consent for communication with our users. With a clear explanation of how we are planning to use your personal data in that regard.

That means that in the next few weeks, we will approach you with specific consent forms regarding your data storage and processing.

I want to be very clear on this point: nothing is changed about the way we are doing things or how we are storing and using your data. We just need your explicit consent in order to keep things running as they are now and to have your official consent “on record” in order to be fully compliant with the GDPR requirements.

If for any reason you don’t agree to our new terms and would rather close your account than opt out of specific features, you will be able to do so. But before such action is taken, we urge you to contact our support teams as they are in a position to clarify any misunderstandings or alleviate any concerns you might have.

F.A.Q.

  1. My company is not within the EU. Does the GDPR even apply to me?

It applies to all companies (globally) that are processing and holding the personal data of those residing in the European Union, regardless of the company’s location.

  1. Why the urgency?

Although the GDPR was introduced two years ago, it becomes enforceable starting May 25, 2018.

  1. We do not charge for services we offer. Do we need to comply?

Yes. The GDPR applies to firms that offer goods or services to EU residents irrespective of if payment is exchanged.

  1. Don’t you already have a privacy policy?

Yes. That being said, The GDPR just puts tighter guidelines and restrictions on our privacy policy.

  1. What type of data is considered to be “personal data”?

Any information related to a natural person or “Data Subject,” that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

  1. How do I obtain consent?

In general, consent needs to be explicit, opt-in and freely given. This means the popular opt-out based consent of today will no longer be acceptable.

  1. Does my business need to appoint a Data Protection Officer (DPO)?

DPOs must be appointed in the case of (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data. If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

Final note

Let’s be honest – talking about data regulations doesn’t sound fun to the most of us. But if you own or develop websites that gather or process personal data, you can’t afford to bury your head in the sand.

We are doing everything in our power to be fully compliant before the date that the GDPR goes in the effect. All of the mentioned items are well underway. Some are finished and some will be completed soon.

In the meantime, we wanted to make sure you won’t be surprised by all the things that are coming and to reassure you that none of these changes will impact our principles and the way we’ve been operating so far. Your data is in safe hands and well-protected.

Stay tuned for more info on our plans and progress. An official GDPR announcement is coming soon.

SaveSave

Marko Tanaskovic

Growth Engineer & Business Intelligence / Digital Marketing Expert @ ManageWP Currently on a mission of either cloning himself or learning to be at two places at the same time. Latter being the preferred option.

20 Comments

  1. Marko Tanaskovic

    Author

    There is a lot of question regarding the signing of Data Processing Agreement. So let me jump in with one critical piece of information: you are NOT required to sign the DPA.
    While our Privacy policy does not technically cover your end-users or site visitors, the GDPR calls for a Data Processing Addendum or DPA, which is an additional legal document that provides for contractual assurances about our privacy and security practices.
    In order to fully cover this aspect of GDPR, we updated our Terms of Service (Section 7) with the Data Processing Addendum. It is meant to provide you with contractual assurance that we have robust mechanisms to ensure the transfer of Your Data, including transfers of Your Data from the EEA to the Services, meets with compliance under applicable data privacy laws.

    1. Tom

      Marko,
      we sure need a Data Processing Agreement, as your are processing personal data of my customers like name, address etc. If you are not able to provide a DPA, I would have to cancel the ManageWP services. Unfortuneately it is not enough to annonce some updates to the Privacy policy, Terms of Service and the official GDPR announcement.

  2. Ian

    I am in Canada and not directly concerned with my personal data, but what PII is stored by your systems for each site I have add into ManageWP?

    The WP user tables that go into a backup would be an obvious one, but anything else?

  3. Alexander Schimpf

    Hi folks,

    when do you offer the gdpr data processing agreement (contract) for us?

    Cheers Alex

    1. Phil

      Very interested in this as well.
      May 25 is getting *awfully* close indeed.

    2. Tim

      I am waiting to. When it does not come before May 25. I have to cancel all services of ManageWP.

      Cheers Tim

      1. Kim Vinbrerg

        Getting a bit worried here. It is this week! and still nothing for us. ManageWP we need this!

        1. Marko Tanaskovic

          Author

          We are planning to release updates to the Privacy policy, Terms of Service and the official GDPR announcement this week.

          1. Bernhard

            So hmmmm … a few hours left ’til May 25

    3. Michaela

      Very interested in this as well. All of your customers in the EU need to close an Data Processing Agreement with ManageWP. This is mandatory. When it does not come before May 25. I have to cancel all services of ManageWP.

  4. Phil

    Hi Marko,
    thanks for the timely post.
    Do you have any timeframe as to when we might expect those new agreements between ManageWP and us users? I’d quite like to inform my clients about this as soon as possible.
    Also, I was wondering: does the built-in analytics service in Orion include IPs and might therefore be considered “personal information” under GDPR? And if so, is there a way to opt out of this?
    Thanks again!

  5. Danny Scheurink

    Hi, because ManageWP has full access to all websites I added, I need to close an Data Processing Agreement with ManageWP. This is mandatory. All users should have 1 send to ManageWP. Does ManageWP has a own model to sign? Other organisations like Analytics, Hotjar, Mailchimp etc. has their own Data Processing Agreement. If yes, where can I find it?

    Thank you!

    Danny

    1. Marko Tanaskovic

      Author

      Hi Danny,
      Data processing agreement is one of the few new things that will be included in our revised Privacy policy. We will notify all our users once the revised documents are vetted and published.
      Stay tuned, a couple of new options are coming too.

  6. Philip

    How does GDPR effect ManageWP backups? We run daily backups on all our sites for security purposes. What if one user in our store wants to be deleted, i.e, the ‘right to be forgotten’. Do we have to go back through each backup to delete them? Can this be automated somehow? Thanks

    1. Martin

      Good question. I’d like to know the same.

    2. Marko Tanaskovic

      Author

      Your backups are stored for 90 days. If you remove the website from your dashboard, backups will be removed after 7 days. If you re-add your website within these 7 days, your backups will still be available.
      We will probably add some sort of automation for deleting our users personal data in order to comply with any deletion requests.

      Are you looking for the option to:
      1. Quickly delete your personal data from ManageWP?
      2. Delete all your backups for the specific website?
      3. Option to alter the database for the specific website in all of your backups?

      1. Philip

        Hi Marko,
        Option 3 is closest to what we want to achieve. So if a customer contacts us and wants their data deleted from our store etc, we can easily delete that user from all backup instances, rather than having to delete all backups. Backups are handy if we need to revert to a time before a website was hacked for example. Are these backups in the EU and if not can there be an option to select the EU.

        1. Marko Tanaskovic

          Author

          Hey Phillip,
          In essence, you need a solution that will help you honor GDPR requests toward your users. I can understand that. We can certainly consider creating such solution and adding it to the ManageWP repertoire. I’ll contact you directly and we can discuss it further.
          But in order to be perfectly clear, we are preparing ManageWP to be GDPR compliant toward you (our users). Which means, we are preparing ourselves to honor any and all update/deletion requests of your personal data.
          To answer the question regarding the backups location, you have the option to change your chosen backup location at any time (https://managewp.com/guide/backup/change-backup-region) for each of your websites.
          For the end, I’d like to add that we are working hard to ensure the same data protection & privacy even if you are storing your data on the US servers to ensure our compliance with all data protection laws applicable to our operations.

          1. Martin Jarvis

            I changed all of the ManageWP backup locations for my managed sites to EU (rather than the default US) some time ago. However, we always see the message about it being more efficient to store the backups in the US. I think that the backup times are maybe slower when backing up to EU-compliant locations. Can you confirm exactly what it is that is less efficient when backing up in the EU, and whether you are taking steps to improve this?
            Thank you.

          2. Marko Tanaskovic

            Author

            Most of our infrastructure is on US servers so they system works a little faster if the backups are present there also. In case of downloading the backups – the difference should be negligible.

Leave a Reply

Your email address will not be published. Required fields are marked *

Over 40,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!

Over 40,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!

Over 40,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!

Over 40,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!