I have tried to wrap my sorry head around the requirements mandated under this regulation and am still reading sites like the ICO.org.uk website and WebDevLaw, among others, to get a better understanding. (This infographic is a very clear, at-a-glance aid.)
Disclaimer: I am not a lawyer and the following is my initial layman’s thoughts on the subject. Nothing here should be taken as legal advice.
I will admit to feeling overwhelmed by the implications the GDPR has on the entire concept of blogging and personal websites. Even if you remove every comment, contact and payment form from your website, where people are actively providing personal data (i.e. name, email), your site, like every site on the internet, is still collecting passive data from site visitors, including IP address, pages visited, computer OS, browser, screen resolution, monitor color depth, language preferences, etc. What you see in your WordPress.com Stats dashboard is only a small glimpse of that collected data.
Beyond requiring disclosure of what user data is collected and the reason for its collection, how long data is stored, how that data is safeguarded and how data is shared and with whom, the GDPR also requires providing users a means to exercise their rights over that data, including its removal.
To give you an example, again – comments. Until now, on both standalone WordPress and WordPress.com sites, we have been consistently told that comments left on someone else’s site became the property of that site owner. And now under the GDPR? (What this implies for comment discussions and forums is just mind-boggling.)
Our Users’ Websites
Another example: Having been actively involved in the community forums for a number of years, I’ve seen forum threads where site owners ask to obtain their list of subscribers in order to be able to send them direct emails beyond the automatic notice of new blog posts or move their subscribers to a different email marketing service. Site owners do not have access to users’ email addresses when the subscriber is a logged-in WordPress.com user and Staff do not provide that information to site owners. However, if that subscriber is not a logged-in user and enters their email address in the Follow Site widget, then the site owner can download a CSV file of those email addresses from their My Sites>People dashboard.
Taking that process a step further, if a site owner moves from WordPress.com to a Jetpack-connected, standalone WordPress site, it is currently possible to move the list of WordPress.com subscribers to the new WordPress site (reference). How will the GDPR affect this?
To say “it’s complicated” and far-reaching would be an understatement. The working group for the ORG core software, on which our WordPress.com platform is based, is currently in discussion on how to bring core into compliance with the GDPR and hopefully they have the needed legal experts involved.
While I applaud giving users control over the data collected about them and the ability to remove it, implementation is a minefield. Will there be one set of data procedures for European visitors and another set for everyone else?
Meanwhile, someone pour me a scotch. Legalese is a parching business.
If you want to get an in-depth look at the GDPR and how it affects you, the University of Groningen offers a free 4-week online course. (NAYY) May 25th is just around the corner.