Becoming … a DPO

A few years ago, I read an interview with ma.tt and I remember that to the question “What will be your next move after WordPress?”, ma.tt answered something like “maybe coding a bank”.
At that time, I had long experience working in the IT departments of banks and thought that this would be a HUGE challenge.
But today, thanks to GDPR, his dream might come true! And here is why!

I am not a lawyer, but I have to say a few words about GDPR. I read most of the text but not ALL of it. The magic of the E.U. is that it is available in 24 different languages.
I also read two books in French:

  • “Le Délégué à la protection des données (DPO) – Clé de voûte de la conformité”, which I would translate as “Data Protection Officer – Cornerstone of compliance” (more here and here)
  • “Vade-mecum de la protection des données personnelles – pour le secteur bancaire et financier”, which translates as “Reference guide to personal data protection – in the banking and finance industry” (more here and here)

This does not make me an expert on the matter, but here is my point of view.
The first thing you have to know about GDPR is that whenever an E.U. citizen visits your site and leaves some digital footprints or personal data on it, you do not own his/her data; you are only a depository of their personal data. It is as if you were a banker and someone came to open an account at your office and made a deposit. As a banker you do not own the money; you can use it to make money with it, but you do not own it. It still belongs to the person who came to the bank. It is exactly the same for a visitor’s personal data and your site.
Upon a simple request, he/she can ask to see his/her account statement (in the case of GDPR, this request is not just another comment left on a post, it is a legal request).
What I learned during my jobs in the banking industry is that the first job of a banker is Trust.
If you are not a trusted banker, you will have no chance to prosper.
So at any time, he/she can come back to your bank (site) and ask for a partial or complete withdrawal of his/her money (correct or erase personal data).
This is what GDPR is all about: the goal is to build and maintain a chain of trust. Every piece of software or service used on your site has to be listed and somehow trusted. GDPR is a never-ending process aiming to build that chain of trust for each component, whether it is a piece of software or a service.
For WordPress, it is important to separate (a) WordPress as software (core) and (b) wordpress.org as a service provider.
(a) WordPress core should provide its “records of processing activities” (a GDPR prerequisite) so that you and your site can comply with the text, meaning that every piece of software used by WordPress core should also provide its records, even if only to say that it does not collect personal data. Two examples:
i. Is WordPress providing themes that use Google Fonts (Google being a subcontractor)? These are not just fonts: each time a visitor reads your text with that font, Google knows it. Google provides this service to your website for free, but gets paid by collecting your visitors’ personal data (the same goes for YouTube or those little icons, the “little blue thumbs up”, the “little blue bird”, etc.).
ii. In WP 5.2, WordPress core is adding a new external JS library, clipboard.js; the provider of that library should/has to provide its records of processing activities.
And I see what your next question will be… and jQuery? Yes, jQuery as well.
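Before any third-party component can be listed and trusted, you have to know it is there. The script below is an added example (not code from this post or from WordPress) that builds that inventory from a page’s HTML: it collects every element that fetches a remote resource (scripts, stylesheets, fonts, iframes, images), drops anything served by the site itself, and groups the rest by host. The sample page, the site host `example.com`, and the CDN location of clipboard.js are all constructed for illustration; they are not where WordPress actually serves these files.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that triggers a fetch from the named host.
RESOURCE_ATTRS = {
    "script": "src",
    "link": "href",
    "img": "src",
    "iframe": "src",
    "video": "src",
    "audio": "src",
    "source": "src",
}

# Only these <link rel="..."> values cause the browser to contact the host;
# rel="canonical" or rel="alternate" are just metadata.
FETCH_RELS = {"stylesheet", "preconnect", "dns-prefetch", "preload",
              "prefetch", "modulepreload", "icon"}


class ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for every element that loads a remote resource."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)  # values may be None for boolean attributes
        if tag == "link":
            rels = (attrs.get("rel") or "").lower().split()
            if not any(rel in FETCH_RELS for rel in rels):
                return
        value = attrs.get(attr_name)
        if value:
            self.resources.append((tag, value.strip()))


def inventory(html, site_host):
    """Return {host: [(tag, url), ...]} for every host other than the site itself.

    Relative URLs have no host and are served first-party, so they are skipped.
    Protocol-relative URLs ("//fonts.googleapis.com/...") still carry a host.
    """
    collector = ResourceCollector()
    collector.feed(html)
    result = {}
    for tag, url in collector.resources:
        host = urlparse(url).netloc.lower()
        if not host or host == site_host.lower():
            continue
        result.setdefault(host, []).append((tag, url))
    return result


def third_party_hosts(html, site_host):
    """Sorted list of external hosts the page makes the visitor's browser contact."""
    return sorted(inventory(html, site_host))


# Constructed sample page; hosts and paths are placeholders for illustration only.
SAMPLE_HTML = """
<html><head>
<link rel="canonical" href="https://example.com/post/1">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.4/clipboard.min.js"></script>
</head><body>
<img src="/wp-content/uploads/logo.png" alt="">
<iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, items in sorted(inventory(SAMPLE_HTML, "example.com").items()):
        print(host)
        for tag, url in items:
            print(f"    <{tag}> {url}")
```

Run against the constructed page with `example.com` as the site host, it reports three external hosts (Google Fonts, the CDN and YouTube) while the locally served jQuery, theme stylesheet and logo are left out; each reported host is a party you need a record of processing activities from, or a reason to stop loading it. For a real site, feed it the rendered HTML of a few representative pages rather than the theme source, since plugins inject their own tags at render time.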
(b) wordpress.org, which provides different services through core (automatic upgrades, which require knowing the list of your plugins and themes) but can also collect personal data directly through different means (Trac, the plugin and theme repositories (developers and visitors), documentation, WP staff can be included as well…), should have a DPO (apparently they have one delegated DPO with the email dpo@wordcamp.org [still expecting an answer, by the way]) and should also be able to provide its records of processing activities.
There are other prerequisites in GDPR, such as “Communication of a personal data breach to the data subject”. Do you remember Mark Z. speaking of “a major breach of trust” before the U.S. Congress after the C.A. scandal? This is, I think, the most difficult part: how to detect a breach in a system you know almost nothing about (in WP 5.1.1, JavaScript is 232 276 lines of code and PHP is 205 664 lines of code, not counting plugins or themes). Even though WP 5.2 will provide a new tool called SiteHealth, it will not prevent any potential data breach; your security and the security of the personal data you are hosting still have to be addressed. My advice is: first, reduce access to your admin to a limited number of trusted people. And if you do detect a data breach, WordPress core does not provide (and I think will not provide) any tool to help you communicate with the “data subject”.
When I asked WordPress to send me their “records of processing activities”, almost one year after GDPR came into force (25th May 2018), I thought this would be a matter of hours, maybe a few days [the answer I am expecting].
Microsoft and WordPress.com international blogging activities rely on WordPress core.
Last but not least, as a (data) banker, if sued, you will have to produce materials to defend yourself and tell the court you did everything by the law. You will have to be able to prove it.
Maybe ma.tt will have more than just a few words on GDPR at the next WordCamp Europe 2019.
