Effect of GDPR / DS-GVO on blogs and other pages

This is not a database knowledge article. I more or less see this as a information collection and discussion point. An important topic for me at the moment, besides all the usual upgrade and migration things, is about the effect of GDPR / DS-GVO on blogs and other pages.

A Quick Recap

Effect of GDPR / DS-GVO on blogs and other pagesMy GDPR journey started last October in Slovenia at the User Group Conference. I attended Philippe Fierens’ and Pieter van Puymbroeck‘s very cool and refreshing talk about GDPR. What is GDPR? I guess you have heard of it already. It is the General Data Protection Regulation. And as we Germans have much better acronyms and can build longer words than anybody else in the world (*haha*), it is called DS-GVO (Datenschutz-Grundverordnung).

Basically GDPR or DS-GVO are usually characterized as “the right to be forgotten“. But actually it is much more than that. It also means that you can’t just collect data of EU citizens simply because you can (or want). And you must explain which data you collect and why. And what you are going to do with this data.

Important: GDPR will take effect on May 25, 2018.

The interesting part: If you fail to comply with GDPR / DS-GVO you can be fined. You can be fined heavily in fact. Fines up to 4% of a companies yearly revenue may be applied. Philippe and Pieter showed pretty impressive examples using Facebook in their talks in Slovenia, Ireland and other conferences (find the slides here – PDF 20MB). We’ve had interesting discussions during and after the talk. What happens for instance to your backups? Yes, you should have a process in place to delete records from backups once you restore them in case you deleted the data from the live system because of a “forget me” request.

Interesting Examples

If you are using WhatsApp you gave WhatsApp full access to your address book. If you have my phone number and/or email address in your address book as well, WhatsApp knows it now, too. But I never used WhatsApp. WhatsApp (or its owning company, Facebook) never asked for my agreement to store my phone number in their database(s). In my understanding of GDPR, WhatsApp will now have to ask everybody for agreement when it stores data which allows to identify a person uniquely (and a phone number is clearly such an identifier). Even more interesting, I have the right to be forgotten. I’m not a lawyer but I can see a lot of trouble coming up. Read more here in case you’d like to drill down deeper and here.

Facebook for instance moved all user accounts (we speak about 1.5bn!!!) and data from non-EU citizens during the past weeks from servers in Ireland (where all non-US/Canada user data was stored before) to servers in the United States. Guess why …

Effect of GDPR / DS-GVO on blogs and other pages

Following a discussion with a fellow colleague a few weeks ago, I got alerted quite a bit. I started reading pages and hints what people did to make their blog and web pages GDPR compliant. And I started doing treatments as well. Here’s a rough draft of things I checked, changed or deleted.

Effect of GDPR / DS-GVO on blogs and other pages

  • IP addresses on the blog
    The blog’s software did store IP addresses with each comment. I deleted all IPs from the MySQL database storing the blog’s content and added a script piece to never collect IPs again when you comment. You’ll find a simple description how to delete IPs and prevent future storing here.
  • Plugins removal
    I checked all my plugins and removed the ones which potentially transfer data without your agreement to a 3rd party in a non-anonymized way. This includes things such as “Gravatar“. In the comments your avatar pictures are not shown anymore. But I also exchanged the convenient standard “sharing” buttons getting displayed underneath articles. I exchanged the functionality with “Shariff Wrappera plugin from German computer magazine c’t / Heise Verlag ensuring DS-GVO compliance.
  • Additional plugins
    I added also a plugin to disable all data transfer when you click on a Youtube video linked from my blog.
  • Google Webfonts
    In addition I changed the fonts from (as many others) simply using a Google Webfonts plugin to locally stored fonts. To be honest, I wasn’t aware that using Google Fonts as web based fonts means that Google gets all the IPs (and more) transmitted when you surf to a page using their web fonts. After reading a lot of things – and finding nothing useful related to GDPR on Google’s own page I decided that I better download my two fonts and host them locally on my server. You can find a simple how-to here.
  • JetPack
    Wordpress, the owner of the JetPack Plugin, announced quite early that they’ll make JetPack 6.0 GDPR compliant. You access the switch via the PRIVACY link at the very bottom of the Jetpack Plugin’s Dashboard – and then you have to toggle the switch as shown here. I toggled this OFF of course. But once reading back and forth I’m a bit unsure if this is enough – and I may turn off JetPack completely (see “Analytics” below).
  • Analytics
    I never used Google Analytics. And I tested already hosting Piwik/Matomo locally on my server.
  • Hosting company
    In addition to all this I have to sign a contract with my hosting company. As every hoster is storing things such as IP addresses where I (or you) don’t have control about, there’s an agreement required – the wonderful German word is called Auftragsdatenverarbeitungs-Vertrag (ADV-Vertrag). My hoster promised to deliver such a contract before May 25. I will sign it as soon as it is available.
  • Contact form
    I didn’t offer a contact form – hence no change is required here.
  • Comments
    Following GDPR a comment option must include an opt-in that you allow to store your data. You’ll find now an extra checkbox asking for your agreement to allow me to store your email address when you comment on the blog. Of course only I see the address as I’m the sole administrator of this blog page. And it doesn’t get shown to others.
  • Cookies
    As I never used any cookies with the blog I don’t have to adjust anything.
  • HTTPS
    Since I started this blog I use https connections only. Nothing to change here.

What’s missing currently – but will be added within the next weeks – is a privacy policy page explaining all this in detail.

Summary

On May 25, 2018, the European Data Protection Regulation takes effect. It gives EU citizens not only the right to be forgotten but also makes it mandatory that pages and apps store only data which they need to operate. Furthermore for many cases an explicit opt-in is required.

Let me know if I forgot something.

–Mike

2 thoughts on “Effect of GDPR / DS-GVO on blogs and other pages

Leave a Reply

Your email address will not be published. Required fields are marked *

* Checkbox to comply with GDPR is required

*

I agree