It seems GDPR is a hot topic wherever you turn. But just in case you’ve been living “Internet free” for the past couple of months and you’re unfamiliar with it, here is some information about it. Today, we’ll cover what it is, what we are doing about it, and how it affects you.
We’ve been receiving a lot of questions about the GDPR and we wanted to take a moment to reach out to you. Not only to keep you informed about all the work we’ve done on this subject but also to show you what is yet to come.
What is GDPR?
“The General Data Protection Regulation (GDPR) is a regulation (binding legislation, not just a directive) by which the EU intends to strengthen and unify data protection for all individuals from the European Union (EU). It also addresses the export of personal data outside the EU.
It aims primarily to give control back to EU citizens and residents over their personal data and to simplify the regulatory environment for international business (any company that is gathering, processing or storing the personal data of EU citizens).”
GDPR also includes steep sanctions for any company that is not compliant with the GDPR regulation after May 25th, 2018, when the GDPR goes into effect. These fines can go up to 20 million Euros or 4% of annual global (note global!) turnover, whichever is higher.
That is, simply put, a staggering figure.
Key Principles of GDPR
Here are the key takeaways you need to be aware of:
Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.
Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.
Personal data held needs to be kept up to date and accurate. It should be held no longer than necessary to fulfill its purpose.
EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance.
All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer.
What is ManageWP doing about GDPR?
We know that GDPR is a big deal, which is why we’ve set up an internal team to focus specifically on getting ManageWP ready for the GDPR. And although it took an enormous amount of time, we are happy to put our effort behind this, because we strongly believe this is a step in the right direction for our users.
Here’s how we’ve divided our time and resources to tackle GDPR head-on:
- Dedicated GDPR team: We have thoroughly analyzed GDPR requirements and put in place a dedicated internal team to drive our organization to meet those requirements.
- Identifying Personal Data: We are currently in the process of mapping the different levels of personal data that is collected, stored, used, and disposed of.
- Data Privacy Impact Assessment: Analyzing the risk to data that a system might pose. Systems that collect, transmit, process, or store personal data are validated to ensure processing is consistent with our privacy notices.
- Data Portability, Update & Erasure: While the ability to change or delete your data was already in place through our support teams, we are looking at a more streamlined version that will allow for the automation of these tasks.
- Consent: We are drawing up data processing agreements that will clearly define what data we need, for what purposes, and will require your explicit consent in order to process your data after May 25th.
- EU-US data storage and Swiss-US Privacy Shield Certification: EU customers’ data may be transferred to and processed by our US entities as well (for example, you may choose to host your site in our US datacenters). In accordance with the GDPR, we need to ensure that our US entity offers the same level of protection for EU data as guaranteed in the GDPR, even though it is subject to US jurisdiction.
- Enhancing Data Security: Data security has always been a paramount issue for us. We are reviewing our policies to further enhance data privacy and data security measures.
- Vendor Agreements: We are creating legally binding and enforceable vendor agreements as an instrument between ManageWP and service vendors in order to ensure adequate safeguard measures for data processing. Only vendors and entities that have been appropriately vetted will be able to receive personal data.
- Changes in the Product: We have identified a few requirements in areas of our product that will be impacted by GDPR. We have developed a strategy that’ll help implement those changes. We are in the process of implementing the required changes to our internal processes and procedures. Once that is completed, we will verify and validate those changes.
- Being Visible & Achieving Transparency: Providing visibility and transparency on how collected personal data is used is of utmost importance. We identified different levels at which we are using personal data and are in the process of mapping and clarifying this information in order to achieve transparency and provide visibility to our users.
What does this mean for me?
It means a few things, actually. Here’s what you need to be aware of:
- Transparency: We are making it even easier to understand what is happening to your personal data.
- Consent: Choose what data is collected about you (with the ability to change that choice).
- Update and Erasure: Update or request deletion of your data.
- Portability: Take your data elsewhere in a portable format.
- Due Care: Safeguard your data.
- Minimization: Minimize the risk of your data being exposed.
- Privacy By Design: Analyze the risk a system might pose to your data.
- Notification: Communicate data breaches quickly.
What’s coming next?
What else can you expect to change in the coming months? Here’s what we have on our docket:
The GDPR requires that we must obtain freely given, specific, informed, and unambiguous consent for communication with our users, along with a clear explanation of how we are planning to use your personal data in that regard.
That means that in the next few weeks, we will approach you with specific consent forms regarding your data storage and processing.
I want to be very clear on this point: nothing has changed about the way we are doing things or how we are storing and using your data. We just need your explicit consent in order to keep things running as they are now and to have your official consent “on record” in order to be fully compliant with the GDPR requirements.
If for any reason you don’t agree to our new terms and would rather close your account than opt out of specific features, you will be able to do so. But before such action is taken, we urge you to contact our support teams as they are in a position to clarify any misunderstandings or alleviate any concerns you might have.
- My company is not within the EU. Does the GDPR even apply to me?
It applies to all companies (globally) that are processing and holding the personal data of those residing in the European Union, regardless of the company’s location.
- Why the urgency?
Although the GDPR was introduced two years ago, it becomes enforceable starting May 25, 2018.
- We do not charge for services we offer. Do we need to comply?
Yes. The GDPR applies to firms that offer goods or services to EU residents irrespective of whether payment is exchanged.
- What type of data is considered to be “personal data”?
Any information related to a natural person or “Data Subject” that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
- How do I obtain consent?
In general, consent needs to be explicit, opt-in and freely given. This means the popular opt-out based consent of today will no longer be acceptable.
- Does my business need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed in the case of (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data. If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
Let’s be honest – talking about data regulations doesn’t sound fun to most of us. But if you own or develop websites that gather or process personal data, you can’t afford to bury your head in the sand.
We are doing everything in our power to be fully compliant before the date that the GDPR goes into effect. All of the mentioned items are well underway. Some are finished and some will be completed soon.
In the meantime, we wanted to make sure you won’t be surprised by all the things that are coming and to reassure you that none of these changes will impact our principles and the way we’ve been operating so far. Your data is in safe hands and well-protected.
Stay tuned for more info on our plans and progress. An official GDPR announcement is coming soon.
There are a lot of questions regarding the signing of the Data Processing Agreement. So let me jump in with one critical piece of information: you are NOT required to sign the DPA.
In order to fully cover this aspect of GDPR, we updated our Terms of Service (Section 7) with the Data Processing Addendum. It is meant to provide you with contractual assurance that we have robust mechanisms to ensure the transfer of Your Data, including transfers of Your Data from the EEA to the Services, meets with compliance under applicable data privacy laws.
I am in Canada and not directly concerned with my personal data, but what PII is stored by your systems for each site I have added into ManageWP?
The WP user tables that go into a backup would be an obvious one, but anything else?
When do you offer the GDPR Data Processing Agreement (contract) for us?
Very interested in this as well.
May 25 is getting *awfully* close indeed.
I am waiting too. If it does not come before May 25, I have to cancel all services of ManageWP.
Getting a bit worried here. It is this week, and still nothing for us. ManageWP, we need this!
So hmmmm … a few hours left ’til May 25
Very interested in this as well. All of your customers in the EU need to conclude a Data Processing Agreement with ManageWP. This is mandatory. If it does not come before May 25, I have to cancel all services of ManageWP.
thanks for the timely post.
Do you have any timeframe as to when we might expect those new agreements between ManageWP and us users? I’d quite like to inform my clients about this as soon as possible.
Also, I was wondering: does the built-in analytics service in Orion include IPs and might therefore be considered “personal information” under GDPR? And if so, is there a way to opt out of this?
Hi, because ManageWP has full access to all websites I added, I need to conclude a Data Processing Agreement with ManageWP. This is mandatory. All users should have one sent to ManageWP. Does ManageWP have its own template to sign? Other organisations like Analytics, Hotjar, Mailchimp etc. have their own Data Processing Agreement. If yes, where can I find it?
Stay tuned, a couple of new options are coming too.
How does GDPR affect ManageWP backups? We run daily backups on all our sites for security purposes. What if one user in our store wants to be deleted, i.e., the ‘right to be forgotten’? Do we have to go back through each backup to delete them? Can this be automated somehow? Thanks
Good question. I’d like to know the same.
Your backups are stored for 90 days. If you remove the website from your dashboard, backups will be removed after 7 days. If you re-add your website within these 7 days, your backups will still be available.
We will probably add some sort of automation for deleting our users’ personal data in order to comply with any deletion requests.
Are you looking for the option to:
1. Quickly delete your personal data from ManageWP?
2. Delete all your backups for the specific website?
3. Option to alter the database for the specific website in all of your backups?
Option 3 is closest to what we want to achieve. So if a customer contacts us and wants their data deleted from our store etc., we can easily delete that user from all backup instances, rather than having to delete all backups. Backups are handy if we need to revert to a time before a website was hacked, for example. Are these backups in the EU, and if not, can there be an option to select the EU?
In essence, you need a solution that will help you honor GDPR requests toward your users. I can understand that. We can certainly consider creating such a solution and adding it to the ManageWP repertoire. I’ll contact you directly and we can discuss it further.
But in order to be perfectly clear, we are preparing ManageWP to be GDPR compliant toward you (our users), which means we are preparing ourselves to honor any and all update/deletion requests of your personal data.
To answer the question regarding the backups location, you have the option to change your chosen backup location at any time (https://managewp.com/guide/backup/change-backup-region) for each of your websites.
Finally, I’d like to add that we are working hard to ensure the same data protection & privacy even if you are storing your data on the US servers, to ensure our compliance with all data protection laws applicable to our operations.
I changed all of the ManageWP backup locations for my managed sites to EU (rather than the default US) some time ago. However, we always see the message about it being more efficient to store the backups in the US. I think that the backup times are maybe slower when backing up to EU-compliant locations. Can you confirm exactly what it is that is less efficient when backing up in the EU, and whether you are taking steps to improve this?
Most of our infrastructure is on US servers, so the system works a little faster if the backups are present there also. In case of downloading the backups – the difference should be negligible.