Yoast and the GDPR
The GDPR is a hot issue and we have been getting some questions about where we as Yoast are in the process of becoming 100% GDPR compliant. For that reason, we have set up this page to keep you posted on the steps we are taking and the data we are processing.
What is the GDPR?
The GDPR, the European Union’s General Data Protection Regulation, is a major change in the way we process personal data: we all need to be clear about what data we process, where we process it and in what way. Openness about what we do with your personal data makes all the sense in the world to us. Here’s Wikipedia’s summary:
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
In short, as an individual, you need to be able to get proper insight into what personal data of yours is processed by, for instance, Yoast, for what purpose and how. You also have the right to have old and irrelevant data deleted (“forgotten”). So if you want your personal data removed from our systems, we must act on that request. This applies to every company that has EU customers or stores any other personal data of EU residents.
Strict take on privacy issues
At Yoast, we take privacy very seriously. We always have, and that is why we store and process as few details as we can while still being able to work with and for you. You’ll rarely find us asking for details that we really don’t need for that.
As a general rule, do not give us personal data. Not your own, not your customers’ and not your visitors’. (We actually put this in our Terms of service.) This may sound strange but for most things, we just do not need personal data. And under the GDPR, you should not give us personal data if it is not needed. If we do need personal data, we will ask first.
One of the things that we will be more strict on, for instance, is that we won’t accept people’s own personal login details. You’ll be amazed how many people simply send their own login details over email. This isn’t secure in any way, as you will understand.
With the GDPR, we need you to be in the driving seat in these cases. It’s your (customer’s/employee’s) data. You need to be able to control our access to your website, which means you need to create a login for your website specifically for us, for the duration of the assignment (for instance, to fix something in support, or for us to configure our plugin). When that assignment is done, we will let you know and we’ll insist that you remove our login details, as they are no longer needed. It’s your responsibility to remove these, as that isn’t something we can control. On our side, we will make sure to remove these login details from our records.
This is about personal data, not website data
Please note that most details we have access to in our line of work relate to website data, not personal data. The login procedure described in the previous section is especially needed in the case of an online shop that stores customer data as well. As we want a solid procedure for this, we apply it to all websites, just to make sure neither we nor you overlook that tiny piece of personal information you stored and made accessible to us through that login.
The GDPR targets that personal data. As for website data: we need that data to further optimize your website. No personal data is needed for that, so please don’t make this data accessible to us. If you really have to, follow the procedure described above. Of course, we promise not to touch that data in any way that’s not agreed on. For instance, if we need to use the data for testing purposes, we’ll need to agree to this use in writing. And, if needed, we’ll agree on what happens with that data after testing.
We will respect your rights
You have the right to inspect the data we store. On request, we will give you a complete overview of personal data we have of you, and copies as we have them. If you then see errors in that data, we will happily correct it. (Unpaid invoices do not count as errors. Just kidding.)
As mentioned before, you also have the right to be forgotten. You have the right to have us remove your personal data from our records. We will, of course, act appropriately on your request. But please note that, under the GDPR, we are allowed to keep the data we need to do our work. So if you, for instance, have an active Yoast plugin and want support, we are allowed to store your name, email address and the like for that purpose. The same goes for your invoice: tax regulations require us to store these for at least seven years after your purchase. But that just goes for the invoice itself. Other data we will delete as soon as we no longer need it.
When the personal data in question is from your employees or customers, then they have these rights and you are responsible for ensuring they can exercise them. Tell us beforehand, so we can conclude a data processing agreement to figure out the best way of working here. Do not send us other people’s personal data without a data processing agreement in place.
The GDPR requires us to take “adequate” security measures to protect all personal data we store. We are currently drafting a security policy and implementing extra security measures to comply with these requirements. We will keep you posted.
Getting ready for May 25, 2018
We are determined to have everything ready for GDPR as soon as possible, before May 25. That means that we are currently:
- Making inventories of what data we store or process, and where in our processes this happens, for both our website and our client platform MyYoast.
- Setting up a Data Processing Agreement for third parties we work with, so we can take care of the legal side of things more easily – we have been getting emails about that already.
- Updating our Terms of Service and other legal documents to align with any GDPR related changes. We want to be as clear as possible when it comes to your personal data.
- Reaching out to third parties we work with, to make sure they align with and are prepared for the GDPR as well. Think along the lines of email senders, hosting companies, etc.
Obviously, although this is a continuous process and not specifically for the GDPR, we are monitoring site security and security certificates to make sure your data is as safe and secure as possible.
Last but not least, you as a user have the right to be forgotten, so to speak. That means we need to set up a procedure to remove your data from our records. We clearly need to finish our aforementioned inventories first to make sure that procedure is 100% complete. It will be.
Needless to say, this page will be adjusted after every step we take in the process of becoming 100 percent GDPR compliant, now and after May 25, 2018, if anything changes in the GDPR rulings. Any questions about the GDPR can be sent to us via our contact page.