ManageWP & GDPR: What you need to know

It seems GDPR is hot topic wherever you turn. But just in case you’ve been living “Internet free” for the past couple of months and you’re unfamiliar with it, here is some information about it. Today, we’ll cover what is it, what are we doing about it, and how it affects you.

We’ve been receiving a lot of questions about the GDPR and we wanted to take a moment to reach out to you. Not only to keep you informed about all the work we’ve done on this subject but also to show you what is yet to come.

What is GDPR?

“The General Data Protection Regulation (GDPR) is a regulation (binding legislation, not just a directive) by which the EU intends to strengthen and unify data protection for all individuals from the European Union (EU). It also addresses the export of personal data outside the EU.

It aims primarily to give control back to EU citizens and residents over their personal data and to simplify the regulatory environment for international business (any company that is gathering, processing or storing the personal data of EU citizens).”

GDPR also includes steep sanctions for any company that is not compliant with the GDPR regulation after May 25th, 2018, when the GDPR goes into effect. These fines can go up to 20 million Euros or 4% of annual global (note global!) turnover, whichever of both is highest.

That is, simply put, a staggering figure.

Key Principles of GDPR

Here are the key takeaways you need to be aware of:

Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.
Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.
Personal data held needs to be kept up to date and accurate. It should be held no longer than necessary to fulfill its purpose.
EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance.
All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer.

What is ManageWP doing about GDPR?

We know that GDPR is a big deal. Which is why we’ve set up an internal team to focus specifically on getting ManageWP ready for the GDPR. And although it took an enormous amount of time, we are happy to put our effort behind this, because we strongly believe this a step in the right direction for our users.

Here’s how we’ve divided our time and resources to tackle GDPR head-on:

Dedicated GDPR team: We have thoroughly analyzed GDPR requirements and put in place a dedicated internal team to drive our organization to meet those requirements.
Identifying Personal Data: We are currently in the process of mapping the different levels of personal data that is collected, stored, used, and disposed of.
Data Privacy Impact Assessment: Analyzing the risk to data that a system might pose. Systems that collect, transmit, process, or store personal data are validated to ensure processing is consistent with our privacy notices.
Data Portability, Update & Erasure: While the ability to change or delete your data was already in place through our support teams, we are a looking at a more streamlined version that will allow for the automation of these tasks.
Consent: We are drawing up data processing agreements that will clearly define what data we need, for what purposes, and will require your explicit consent in order to process your data after May 25th.
EU-US data storage and Swiss-US Privacy Shield Certification: EU customer’s data may be transferred to and processed by our US entities as well (for example, you may choose to host your site in our US datacenters). In accordance with the GDPR, we need to ensure that our US entity offers the same level of protection of the EU data, as guaranteed in the GDPR, even though it is subject to US jurisdiction.
Enhancing Data Security: Data security has always been a paramount issue for us. We are reviewing our policies to further enhance data privacy and data security measures.
Vendor Agreements: We are creating legally binding and enforceable vendor agreements as an instrument between ManageWP and service vendors in order to ensure adequate safeguard measures for data processing. Only vendors and entities that have been appropriately vetted will be able to receive personal data.
Changes in the Product: We have identified a few requirements in areas of our product that will be impacted by GDPR. We have developed a strategy that’ll help implement those changes. We are in the process of implementing the required changes to our internal processes and procedures. Once that is completed, we will verify and validate those changes.
Being Visible & Achieving Transparency: Providing visibility and transparency on how collected personal data is used is of utmost importance. We identified different levels at which we are using personal data and are in the process of mapping and clarifying this information in order to achieve transparency and provide visibility to our users.

What does this mean for me?

It means a few things, actually. Here’s what you need to be aware of:

Your Rights

Transparency: We are making it even easier to understand what is happening to your personal data.
Consent: Choose what data is collected about you (with the ability to change that choice).
Update and Erasure: Update or request deletion of your data.
Portability: Take your data elsewhere in a portable format.

gdpr rights

Our Obligations

Due Care: Safeguard your data.
Minimization: Minimize the risk of your data being exposed.
Privacy By Design: Analyze the risk a system might pose to your data.
Notification: Communicate data breaches quickly.

What’s coming next?

What else can you expect to change in the coming months? Here’s what we have on our docket:

New Privacy Policy

We are planning to release a unified, comprehensive privacy policy providing clear visibility and transparency on how we collect your personal data, where we store it, how we use it, and for what purposes — in concise, clear, and plain language.

Consent

The GDPR requires that we must obtain freely given, specific, informed, and unambiguous consent for communication with our users. With a clear explanation of how we are planning to use your personal data in that regard.

That means that in the next few weeks, we will approach you with specific consent forms regarding your data storage and processing.

I want to be very clear on this point: nothing is changed about the way we are doing things or how we are storing and using your data. We just need your explicit consent in order to keep things running as they are now and to have your official consent “on record” in order to be fully compliant with the GDPR requirements.

If for any reason you don’t agree to our new terms and would rather close your account than opt out of specific features, you will be able to do so. But before such action is taken, we urge you to contact our support teams as they are in a position to clarify any misunderstandings or alleviate any concerns you might have.

F.A.Q.

My company is not within the EU. Does the GDPR even apply to me?

It applies to all companies (globally) that are processing and holding the personal data of those residing in the European Union, regardless of the company’s location.

Why the urgency?

Although the GDPR was introduced two years ago, it becomes enforceable starting May 25, 2018.

We do not charge for services we offer. Do we need to comply?

Yes. The GDPR applies to firms that offer goods or services to EU residents irrespective of if payment is exchanged.

Don’t you already have a privacy policy?

Yes. That being said, The GDPR just puts tighter guidelines and restrictions on our privacy policy.

What type of data is considered to be “personal data”?

Any information related to a natural person or “Data Subject,” that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

How do I obtain consent?

In general, consent needs to be explicit, opt-in and freely given. This means the popular opt-out based consent of today will no longer be acceptable.

Does my business need to appoint a Data Protection Officer (DPO)?

DPOs must be appointed in the case of (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data. If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

Final note

Let’s be honest – talking about data regulations doesn’t sound fun to the most of us. But if you own or develop websites that gather or process personal data, you can’t afford to bury your head in the sand.

We are doing everything in our power to be fully compliant before the date that the GDPR goes in the effect. All of the mentioned items are well underway. Some are finished and some will be completed soon.

In the meantime, we wanted to make sure you won’t be surprised by all the things that are coming and to reassure you that none of these changes will impact our principles and the way we’ve been operating so far. Your data is in safe hands and well-protected.

Stay tuned for more info on our plans and progress. An official GDPR announcement is coming soon.

SaveSave

20 responses

Philip

April 19, 2018

How does GDPR effect ManageWP backups? We run daily backups on all our sites for security purposes. What if one user in our store wants to be deleted, i.e, the ‘right to be forgotten’. Do we have to go back through each backup to delete them? Can this be automated somehow? Thanks

Danny Scheurink

April 22, 2018

Hi, because ManageWP has full access to all websites I added, I need to close an Data Processing Agreement with ManageWP. This is mandatory. All users should have 1 send to ManageWP. Does ManageWP has a own model to sign? Other organisations like Analytics, Hotjar, Mailchimp etc. has their own Data Processing Agreement. If yes, where can I find it?

Thank you!

Danny

Phil

May 7, 2018

Hi Marko,
thanks for the timely post.
Do you have any timeframe as to when we might expect those new agreements between ManageWP and us users? I’d quite like to inform my clients about this as soon as possible.
Also, I was wondering: does the built-in analytics service in Orion include IPs and might therefore be considered “personal information” under GDPR? And if so, is there a way to opt out of this?
Thanks again!

Alexander Schimpf

May 16, 2018

Hi folks,

when do you offer the gdpr data processing agreement (contract) for us?

Cheers Alex

Ian

May 23, 2018

I am in Canada and not directly concerned with my personal data, but what PII is stored by your systems for each site I have add into ManageWP?

The WP user tables that go into a backup would be an obvious one, but anything else?

Marko Tanaskovic

May 24, 2018

There is a lot of question regarding the signing of Data Processing Agreement. So let me jump in with one critical piece of information: you are NOT required to sign the DPA.
While our Privacy policy does not technically cover your end-users or site visitors, the GDPR calls for a Data Processing Addendum or DPA, which is an additional legal document that provides for contractual assurances about our privacy and security practices.
In order to fully cover this aspect of GDPR, we updated our Terms of Service (Section 7) with the Data Processing Addendum. It is meant to provide you with contractual assurance that we have robust mechanisms to ensure the transfer of Your Data, including transfers of Your Data from the EEA to the Services, meets with compliance under applicable data privacy laws.