GDPR Compliance Chat Recap – February 14th

(full text on Slack)

This first GDPR Compliance Chat started with people introducing themselves. There was a nice mix of core committers, developers, lawyers (or law-lovers), contributors, trainers, project managers, testers, people in privacy roles at companies, etc.

The main question was what counts as personal data and where it is stored. Most of it might be in user_meta, but there is personal data everywhere!

For the export part, all personal data needs to be considered, so probably also the data collected by every privacy-impacting plugin, not just core.

About the roadmap, the first steps are:

  • Identify what is considered personal data (email addresses, IP addresses, etc.)
  • Who are the identifiable persons (the data subjects)?
    • Who is the controller: site owners, admins? And on multisite installs?
    • What about anonymous people who create posts or comments?

Shared documents:

Some items raised worth keeping in mind and explore further:

  • What does the web owner need to do? And what part can WordPress Core take care of?
  • Proposal for a new column (is_personal_data) in all tables to flag personal data clearly. But a single field can hold a serialized value that mixes personal and non-personal data, so a per-row flag cannot describe it accurately; interfaces and hooks that let each plugin declare and extract its own personal data might be a better way to go.
  • Could some developers share what privacy-impacting data their own plugins collect, to see if a pattern emerges?
  • Data stored in backups has to be deleted too.
  • Is a public post "personal data" if the user posted something that is considered personal? How far does deletion inside posts need to go? And what about quotes of that content?
  • For plugins: a Data Protection Impact Assessment (often called a Privacy Impact Assessment) is required by the GDPR for processing that is likely to result in a high risk to individuals. It would be nice to get a tab in the plugin repo documenting every plugin's data flows, including collection, retention, cookies and telemetry.
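The "interfaces and hooks" idea above, as an added example (this is not WordPress core code and not any plugin's code; the registry functions, the exporter callback contract and the sample usermeta row are hypothetical, constructed for illustration, and only serialize()/unserialize() are real PHP built-ins). It shows why a per-row flag falls short: the sample row stores one serialized blob that mixes an IP address and a phone number with theme settings, and only the plugin that wrote the blob knows which keys inside it are personal.

```php
<?php
// Added example, not WordPress code. Sketch of a hook-based registry where each
// plugin declares how to extract the personal data it stores.
// Run with: php gdpr_hooks_sketch.php

// --- hypothetical "core" side: a registry of per-plugin exporters -----------

/** @var array<string, callable> $gdpr_exporters  plugin slug => exporter */
$gdpr_exporters = [];

// A plugin registers a callback that, given an identifier for the data subject
// (here an email address), returns only the personal data it holds for them.
function gdpr_register_exporter(string $plugin, callable $callback): void {
    global $gdpr_exporters;
    $gdpr_exporters[$plugin] = $callback;
}

// Core runs every registered exporter and collects the results per plugin,
// so it never needs to know each plugin's storage layout.
function gdpr_export_personal_data(string $email): array {
    global $gdpr_exporters;
    $out = [];
    foreach ($gdpr_exporters as $plugin => $callback) {
        $out[$plugin] = $callback($email);
    }
    return $out;
}

// --- constructed sample storage -------------------------------------------
// Simulates a usermeta row in which a plugin stored ONE serialized value that
// mixes personal data (IP, phone) with non-personal settings (theme, columns).
// An is_personal_data column on the table could not describe this row
// correctly: the row is both at once.
$fake_usermeta = [
    'alice@example.com' => serialize([
        'last_login_ip' => '203.0.113.7',   // constructed, documentation range
        'phone'         => '+1-555-0100',   // constructed, reserved number
        'theme'         => 'dark',
        'columns'       => 3,
    ]),
];

// --- hypothetical plugin side ---------------------------------------------
// The plugin knows which keys inside its blob are personal, so its exporter
// unpacks the serialized value and returns just those keys.
gdpr_register_exporter('example-settings-plugin', function (string $email) use ($fake_usermeta): array {
    if (!isset($fake_usermeta[$email])) {
        return [];
    }
    // allowed_classes => false: never instantiate objects from stored data.
    $blob = unserialize($fake_usermeta[$email], ['allowed_classes' => false]);
    $personal_keys = ['last_login_ip', 'phone'];
    return array_intersect_key($blob, array_flip($personal_keys));
});

print_r(gdpr_export_personal_data('alice@example.com'));
print_r(gdpr_export_personal_data('nobody@example.com'));
```

The same registry shape would carry an eraser callback next to each exporter, so that deletion requests can also be routed to whichever plugin owns the data; the point of the hook approach is that the knowledge of "which bytes are personal" stays with the code that wrote them rather than being guessed from a schema column.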

Next GDPR Compliance Chat:

  • Structure the approach
  • Define goals and the roadmap
  • What is in scope and out of scope

#gdpr-compliance #summary