I am evaluating this blog for GDPR compliance and will make the blog private on May 25th, 2018 until I can make it compliant. It is unclear how long that will take, so if there is anything on the blog that you really need, please get it while you can.
What is this all about?
If you work for an international company you will likely have heard of the General Data Protection Regulation, GDPR for short, and may have done a training or two on what it implies. If not, in short: the EU has set up new rules to protect the personal data that companies and organizations collect and store about individuals in the EU. These rules were adopted years ago and come into full effect on Friday. There are serious fines for non-compliance.
At the moment it is unclear whether this blog, or I as the person running it, count as an organization or not. There is not a lot of precise information that helps you understand what GDPR means in your case; at least I was unable to find any in a reasonable time frame. There are, however, established practices of collecting money by threatening to sue, and you could find yourself between a rock and a hard place really fast. I don’t want that, obviously.
Where are the issues?
I have been involved in GDPR-related work as an employee and realized that GDPR potentially also impacts this (and any other) blog. I started reviewing GDPR compliance for this blog and ran into challenges. The challenges so far are:
- RSJazz is currently hosted on WordPress.com
- I allow comments on posts
- I allow subscriptions, e.g. e-mail subscription
- I provide no guidance to users on how the blog implements GDPR compliance
To be compliant, I would have to know what personal data is collected, what is done with it, where it is stored, how to find it if a user asks or complains, and how to delete it. I would have to make this information available to users and have an active consent mechanism that obtains their consent to the use of their personal data. That consent mechanism would also have to tell me which users have given consent.
As far as I understand, cookies are relevant for GDPR, as they store some information such as the IP address. There needs to be a consent mechanism for cookies, and they can only be stored for a limited amount of time. WordPress.com provides a widget that is supposed to help with the cookie aspect of the EU rules, for example by asking for consent. I installed the widget, but it does not seem to be working. At a minimum I have to get this working before I can make the blog public again.
WordPress.com runs a fair amount of analytics on the blog. It is not transparent to me what is collected, where the data goes and what is done with it (e.g. how long it is stored). I have looked into disabling the basic plug-ins in order to stop cookie usage and analytics (even if that means losing the analytics data). At the moment I am unable to switch these plug-ins off. The blog is hosted on WordPress.com on a free plan. To have more control I would have to change where it is hosted, which I would likely have to pay for. I would also have to make sure the blog and any personal data it holds are protected against hacking and manipulation.
There are GDPR compliance plug-ins, but they do not seem to be available on my free plan, so I would have to move to a paid plan in order to add them to the blog.
There is not much concrete information available that would help me really understand what is needed and how to make that happen on WordPress.com.
Bottom line: I am currently unable to ensure GDPR compliance.
If I cannot change that by Thursday end of business, I will switch the blog to private, making it inaccessible, which means I don’t need to be compliant. In that case I will keep looking into the issue and into what is needed to make the blog available again.
Once there is enough information and a working cookie/consent framework available, I will make the blog available again.