GDPR: What businesses need to know

The General Data Protection Regulation (GDPR) will be enforceable THIS May 25th! The implications for businesses that operate in Europe and collect user data are significant and are certainly not something to be taken lightly.

“Great, another confusing legal acronym.” – Hopefully not you about GDPR

For the uninitiated, the GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy. For industries like online publishing, the way user data is collected and managed is about to change. In a big way!

Brendan Woods, one of our Team Leads, has been leading our research on this and how it will be impacting our clients. As part of this, he ran an internal training session. Seeing how widely relevant these laws are to the industries we serve, we’ve recorded it to share with you.

For those who want the TL;DW, the rest of this post breaks down the incoming changes and what they mean.

Who does GDPR apply to?

GDPR applies to any company processing the personal data of subjects within the European Union. Let’s make this very clear from the outset. It’s not just for companies in Europe, but for any company that collects or processes data on European Union (EU) subjects. The net is very wide!

A combination of factors defines whether or not a company is targeting European subjects. These include things like:

  • Offering European languages on a website
  • Offering European currencies for purchases
  • Localized content
  • Giving international services to people in the EU

It’s interesting to note that as the law was passed pre-Brexit, it will most likely stand and remain relevant to the UK.

What happens if the rules are broken?

These new laws have some serious teeth. The previous iteration of the law had fines of up to £500k in the UK. The GDPR allows for up to €20 Million or 4% of global revenue, whichever is greater. Keep in mind that for Google, that’s about $3.5 Billion.

Each EU state is required to set up a data protection authority to oversee the enforcement of compliance within their state. They will have powers to do things like access premises, give binding orders, administer fines, hand out suspensions, etc. Not only are the penalties large and clearly defined, each member state will have an organization specifically set up to issue them if compliance is not met.

Modern governments are well adjusted to working across international borders, so there will certainly be precedent for having these laws enforced on companies outside of the EU.


The more you understand about GDPR, the more you recognize the room it will create for a whole new class of litigation. These laws significantly increase the rights of data subjects to take civil action if they believe their rights to data privacy have been breached. You can expect to hear of class-action settlements that even exceed the above penalties.

Companies affected

With GDPR, almost every company type will be affected. Within the documentation, the terms controller and processor are used. Controllers are companies that dictate what data is collected and how, whereas processors are companies that process that data according to the directives of the controller. Previous iterations of similar laws affected mostly controllers, whereas GDPR broadens the requirements to include processor type companies.

5 Big Changes for Businesses

1. The New Guy

Companies will now be required to appoint Data Protection Officers (DPO). These will be executive level positions responsible for enforcing compliance across the company. It’s expected that approximately 75,000 DPO jobs will be created off the back of this new legislation.

2. The Types of Data

The types of data that are included within the protective rights of subjects are increased from what was included in previous laws. These data types include:

  • IP addresses & mobile IDs
  • Geolocation Data
  • Sensitive Personal Data
    • Racial/Ethnic origin
    • Political association
    • Religion/Philosophy
    • Trade union membership
    • Sexual orientation
    • Biometric/Health data
    • etc.

When collecting these data types, companies must now explicitly define the reason why they are collecting the data. Companies for many years, under the potential returns of big-data mining, have had a “collect it and we’ll figure out what to do with it later” attitude. This is no longer allowed.

3. Consent

Consent for data collection must now be explicit. Vague reasons such as “for marketing purposes” or “for research” or even “to improve user experience” are no longer acceptable. The company must specifically define and communicate to the user what their data will be used for.

It also must be active consent. Consent through silence or even pre-ticked boxes is off the table.

On top of being explicit in requesting consent, companies must also make it just as clear and easy for consent to be revoked.

The final piece of the consent puzzle is that pre-GDPR collected data is subject to these changes. So if consent has been collected in the past through a method that doesn’t adhere to these new standards, a company is required to re-request consent. We can expect to see many email sequences going out from companies in the coming 12 months with these kinds of requests.

4. Data Breaches

It seems that every other week there is a story about a major data breach from some large company. Within the GDPR, companies are now required to respond in a particular way if this occurs. Specifically, they must:

  • Report the incident to their relevant data protection authority within 72 hours
  • Report the incident to the affected users “without undue delay”

This means that companies will need to update their relevant policies and procedures. And with the hefty fines and potential litigation, they will be very motivated.

5. New Personal Rights

With these new laws, individuals will have new legal rights. Summarised, they will have:

  • The right to erasure (deletion of all personal data)
  • The right to restrict the processing of their personal data
  • The right to data portability. E.g. “Give me my data Mr Insurance Company so I can take it with me when I move to another insurance company”
  • The right to knowledge of profiling

The way data is stored and the interfaces for engaging with it have needed, and will continue to need, a lot of attention from many companies. We are working with some of our clients on implementing solutions to facilitate these kinds of data related requests from users.

GDPR and Publishers

We work with a number of large international publishers, so we’ve been thinking a lot about how these laws will specifically impact them. Walking through some standard workflows and user experience flows, we begin to see how the GDPR will touch on a lot of their points of user engagement, such as:

  • Requesting newsletter subscribers
  • Profiling subscribers
  • Accepting submissions for contests
  • User account creation
  • Data collection for remarketing/retargeting
  • Account creation
  • Premium editorial content subscriptions

…and the list goes on. Making updates to the user flows and internal interfaces is where we are seeing the most pressing needs.

An Opportunity

At face value, these changes appear incredibly intimidating. Big fines and big operational changes are something most business operators don’t particularly want to be thinking about. However, we see a very positive opportunity within GDPR. It gives businesses everywhere a clear framework for how to go about the collection and use of personal data with integrity. As technology companies, our users trust us and GDPR lays a clear path for how we can repay that trust. For companies like ours as well, it gives us an opportunity to provide value to our clients and walk with them to help achieve compliance.

In summary (of this summary), GDPR is coming in May and it’s going to impact the way businesses operate online perhaps more than most people realize. Taking the time to understand the implications and preparing a path towards compliance is very important. We have been and will continue to work with many of our clients to update their websites and platforms to adhere to these new standards.

Do you have anything to add to this? There’s a lot to cover, so please let us know if you think we’ve missed anything important in this overview. Additionally, if you believe your company needs technology support in achieving compliance with GDPR, please get in touch.

Tide: A path to better code across the WordPress ecosystem

Involve yourself in enough WordCamps, meetups and community forums, and you start to notice a trend. The same kind of question is asked over and over. It sounds something like…

What plugin should I install to do {feature}?

WordPress users have the world’s most popular CMS, with 29% of the web under its wing and 53,000+ plugins, yet there is still a confidence gap when choosing plugins and themes. Right now, WordPress does a great job of providing plugin and theme information related to:

  • The features
  • The support you receive
  • User reviews

These are all part of what makes a good plugin or theme, but there is an important piece missing. This piece of information answers the question…

Will the code I’m about to install break or put my site at risk?

A plugin or theme could deliver the exact range of features you need, with great support, and positive reviews, but if the quality of code it contains is poor, you risk the integrity of your website. A single line of good code can unlock potential for you and your website, but bad code can trigger untold calamity.

Unfortunately, the barrier of entry to writing good code is higher than we would like to admit.

The good news

We believe there’s a way to streamline complex web engineering processes around code quality into elegant tools that all WordPress users – from builders to admins to developers – can understand. Tools that empower users to make better decisions on the plugins and themes they install on their sites. Tools that equip developers to easily spot problems and craft a better class of code.

Say hello to Tide.

Tide, a project started here at XWP and supported by Google, Automattic, and WP Engine, aims to equip WordPress users and developers to make better decisions about the plugins and themes they install and build.

Tide is a service, consisting of an API, Audit Server, and Sync Server, working in tandem to run a series of automated tests against the plugin and theme directories. Through the Tide plugin, the results of these tests are delivered as an aggregated score in the WordPress admin that represents the overall code quality of the plugin or theme. A comprehensive report is generated, equipping developers to better understand how they can increase the quality of their code.

The image below is an early concept of how Tide could introduce the score to the plugin tile in the WordPress admin. How would you present this data? We welcome your feedback.

WordPress plugin card concept with Tide Score

Tide brings code transparency to the individual, with the collective outcome being an increase of quality across the entire WordPress ecosystem.

Tide at WordCamp US

Alongside our friends at Google, we’ll be sharing Tide with the WordPress community at WordCamp US in just a few weeks. The Tide plugin will be released shortly after. Add your email below if you want to hear more about this project as it develops.

Why this is important to us

At XWP, we are working for a future where the open web is more performant, secure, reliable, and accessible. WordPress plays an undeniably large role in this with the quality of code across the ecosystem setting the stage for either its success or struggles.

What’s next

We know it’ll take some time to make this tool perfect, but we believe in the positive impact good code will have on the WordPress community and the open web. In the same spirit as other open source projects like Let’s Encrypt, Travis CI and WordPress itself, we believe that “a rising tide lifts all boats,” and we want your help in getting this right. If you feel you can contribute, stay tuned as we release further details in the coming weeks.

Here’s Why a Headless CMS Can Give You Greater Content Management Control – Part 1

Understanding how a headless content management system (CMS) works and the value it provides content producing teams can be a bit of a research journey, but one that can have big payoffs for the right companies. There are many opinions, ideas and buzzwords around content management and headless CMS and unpacking them into valuable takeaways that can inform decisions can be difficult. We, alongside a few of our industry friends, have worked on a number of headless CMS projects and are pleased to bring you a series of posts to help unravel the mystery and shine a light on why and when a headless CMS makes sense.

What is a Headless CMS?

To wrap our heads around the idea of a headless CMS, let’s begin with a simple illustration.

In the 20th century, off the back of the industrial revolution, American factories introduced a method of production we all know as the assembly line. This method of production did a few things:

  • It introduced work specialization
  • It accelerated progression through a linear process
  • It isolated work types, allowing for focus and optimization

Effectively, assembly lines grouped work into stages and allocated specialized resources and processes for each stage.


How Does a Headless CMS Work?

A headless CMS reflects the assembly line approach. It groups the work performed by both technology and people and allocates specialized resources and processes for each.

Specifically, running headless refers to the practice where content is produced independently of where it is consumed.

But what are the components of a typical headless CMS? Like a factory assembly line, it depends on the work that is being done and the desired outcome. Generally speaking however, a headless CMS is broken into 2 or 3 components.

Either content production and data storage are handled by the same system and content presentation is separated out (figure a), or all three components are separated (figure b).

Figure a

Figure b

On the other hand, a traditional CMS has everything all-in-one (figure c).

Figure c

The term “headless” comes from the idea that the production and data storage or “the body,” is removed from how and where the content is presented, “the head.” Search around long enough and you’ll stumble upon a few different terms, like decoupled and content as a service (CaaS), that at a high-level, describe the same sort of thing.

Why is a Headless CMS so Great?

Running separate platforms rather than having everything in a single place may sound like it could actually double your efforts. After all, with a traditional CMS the technology (infrastructure, user interface, etc.) takes care of everything, meaning users only need to familiarize themselves with a single environment. For example, the user interface responsible for managing plugins or extensions also needs to facilitate content editing.

However, by doing everything it means that the platform is restricted in its ability to specialize.

By implementing a Headless CMS solution, each part of the system can:

  • Run on only the technology that is needed
  • Be isolated from a maintenance and support perspective
  • Be isolated from an optimization perspective
  • Present a user interface (UI) relevant to its exact function
  • Require training only for its exact function

The greatest benefit that comes from running a headless CMS is that the people and platform can specialize and optimize.

How to Know if a Headless CMS is Right for You

While the upside of a headless CMS is clear, how do you decide whether or not to implement? Like with any big implementation, there are some key questions to ask yourself:

  1. How can a headless CMS improve your content management process, and what is the value to your business?
  2. What will it cost?
  3. Does the ROI stack up?

What value can a headless CMS provide to your business?

For example, implementing a user interface (UI) specifically geared for content production sounds great in theory, but will your team realize the benefit? Are they currently hindered by the present system? Will the new system help create greater efficiency?

If the answer is yes, it makes sense to also ask yourself the following questions.

What will it cost to implement a headless CMS?

Whether implemented by an internal team or outsourced, the discovery phase, support, and maintenance will require time and resources. If you choose to use internal resources to implement your headless CMS, it’s important to remember that time spent on the project is time not spent on other business priorities. There is an opportunity cost to any large implementation.

Does the ROI stack up?

While a headless CMS can dramatically improve the efficiency and quality of your content management capabilities, it’s important to understand your ROI expectations for a new tech implementation.

Generally speaking, in our experience the greatest potential ROI for a headless CMS implementation lies with larger teams who work day-to-day with the platform, where operational efficiency and business profit are tightly correlated.


If you’re interested in learning more about how a headless CMS could work for your business and how it may improve your current CMS, we’d be happy to help. Please contact us for a free consultation.

How big teams are unblocking their content creators

Every big content team eventually faces the same problem with scaling. The rate (and quality) of content production is no longer proportional to the size of the team. In early days teams can simply add staff to solve production bottlenecks. If they need to do more, they grow the team. However, as they and the systems and processes around them mature, the positive correlation between headcount and content dramatically fades.

In these cases, business managers face a choice. Keep hiring, hoping they stumble on some magical combination of people and roles, or look to the machine underneath the team and find ways to free the team from time/attention/energy-sapping tasks that distract them from what they were really hired to do.

In this article, we’re going to look at the impact a slow-moving content machine has on productivity (and ultimately profit), and then go over 3 examples of ways big teams are unblocking their content creators and freeing them to focus on content creation.


Imagine needing a car mechanic’s help every time you wanted to change gears.

“Hey Bob, could you just drop to second as I approach this intersection. Thanks.”

Unsurprisingly this isn’t reality. We have gearboxes. They take the repeatable and technically complex task of gear-changing and make it accessible to the driver.

Increasing efficiency in big teams, or implementing workflow gearboxes, is perhaps the biggest problem category we work on with our clients. They find that in their day-to-day operations they have these repeatable and technically complex tasks being handled by their development team. For example:

  • Build a new page layout > Get a developer
  • Update the style > Submit a ticket
  • Move a banner ad > Add it to the backlog

The business impact of these bottlenecks is three-fold:

  1. Content production is dependent on, or blocked by, the development team’s capacity to respond to the task
  2. To move a task forward, content producers are required to understand and interact with the development workflow
  3. The development team spends their time on operational tasks rather than focusing on maintaining and enhancing the platform

Removing these kinds of bottlenecks results in massive time and resource savings.

Now remember, in a car a gearbox doesn’t do everything. It has a clearly defined range of influence. It doesn’t let the driver change the oil, swap out a fan belt, or replace a tyre. It lets them change gears. Defining what tasks should be handed over to a site manager, and how, or left in the hands of developers is just as important as the actual implementation. There is a process for identifying what should be gearboxed and what should remain in the purview of the development team, but for now, let’s explore some specific and current examples of how big teams are reducing day-to-day reliance on developers and unblocking their content creators.

Example 1 – Layout & Site Customization

Layout and Site Customization

Layout customization in the form of drag-and-drop page builders is something most site managers are at least familiar with. The WordPress eco-system itself has seen a boom in this quadrant with many businesses developing tools that deliver page-building powers to site owners. However, the translation of this kind of mass-market solution to big teams isn’t as simple as could be expected. There are a few factors that need to be considered. These can include:

  • Restriction – What should, and should not, be customizable by the team (gearboxing)
  • Sitewide Previewing – Understanding how a customization impacts the entire site
  • Reviews & Approvals – Like general content, layout and site customizations should go through a review workflow
  • Scheduling – When customizations should go live (more on this in example 2)

The good news is that even though the implementation can be unique to every team, the underlying methods and technology are becoming more standardised. For example, recent and upcoming updates to WordPress Core (changesets) lay a very strong foundation for the kind of complex implementation big teams need for layout and site customization.

Example 2 – Complex Scheduling

Complex content and customization scheduling

Let’s use an example to illustrate the opportunity here. Imagine coordinating a 12 days of Christmas campaign that delivers unique content on a rolling 24-hour cycle for the 12 days leading up to the 25th. The number and variety of changes impact things like:

  • Headlines and other copy
  • Banner ads
  • Imagery
  • Page layouts
  • Styling

These changes include more than what is typically “scheduled” by site owners. Scheduling content (e.g. articles) is a familiar CMS feature, but big teams need to consider much more. Normally, scheduling these kinds of changes would involve working with a developer team to stage the changes on a separate instance of the site and scheduling a code merge. For our above Christmas campaign, this would mean coordinating numerous code bases and deploying, possibly manually, on a very strict timetable.

Recent updates in WordPress actually now allow the changes to be both made and scheduled within the WordPress user interface. The direct reliance on staging environments and developer teams can be removed through this.

The positive impact on efficiency is obvious when complex changes like these can be systemised (gearboxed) and taken away from developers and given to the content team.

Example 3 – A/B Testing

A/B Testing

Frequent, small, defined and measurable changes to a site will over time produce a far greater ROI than big redesigns. Unsurprisingly, the discipline of A/B testing is widely used and something we see a lot of our clients doing. Simply put, the process looks like:

  1. Select the metric to be improved (E.g. time on page)
  2. Define a hypothesis (E.g. if we increase the body text font-size from 14px to 16px we will see an increase in time on page)
  3. Create the assets required to deliver the alternate state (E.g. font styling)
  4. Set up an A/B experiment to deliver both the current and new state
  5. Measure impact on selected metric
  6. Implement the winner

Throughout this process there are potentially multiple developer touchpoints. I.e.:

  • Develop experiment assets
  • Set up mechanism for delivering the experiment
  • Collect data
  • Implement experiment winner

For the full value of A/B testing to be realised, experiments need to be run frequently. If developers were required to manage the above 4 points, the bottleneck would prove fatal to the entire process.

Big teams, especially those that are producing and managing high-traffic sites, are systemising this process as much as possible. Even the mechanisms for determining “the winner” of an experiment are being automated. Developers are freed from having to manage and implement and site managers can accelerate the A/B process significantly, properly realizing the ROI of a compounding A/B testing strategy.

These three are only a few of the ways we are seeing big teams remove their dependency on developers and unblock content creators. The industry and technology under it move at an incredible pace and we are constantly seeing innovative solutions enter the market.

How does your team handle these kinds of repeatable and technically complex tasks? To what degree do you think your team is burdened by tasks that distract them from focusing on the work they were hired to do?

Want to reduce these kinds of bottlenecks? Contact us for a consultation.