The General Data Protection Regulation and You
The General Data Protection Regulation (or G.D.P.R.) is a new regulation in EU (European Union) law, which supersedes the Data Protection Directive and has officially taken effect as of May 25th, 2018. The purpose of this new regulation is to:
- Clearly inform you that your personal data may be tracked and stored and/or shared with third parties
- Safeguard your personal information to the highest degree when obtained
- Educate about what specific information is being collected, how it’s used, and where it goes
- Define a retention rate of the data being stored, and, in some cases, how to delete it
- Fully anonymize any/all personal information or identifiable information where appropriate
To better understand the General Data Protection Regulation and its impact on the entirety of the Internet, it’s important to know about its predecessor, why it exists, and its benefits. Enter the Data Protection Directive (circa 1995).
Data Protection Directive (Officially Directive 95/46/EC)
Adopted in 1995, the Data Protection Directive regulates the processing of personal data within the European Union (EU). The directive consists of seven core principles:
- Notice—data subjects (you) are given notice when their data is being collected
- Purpose—data is only used for the purpose stated
- Consent—data is not disclosed without the data subject’s consent
- Security—collected data is kept secure from any potential abuses
- Disclosure—data subjects are informed about who is collecting their data
- Access—data subjects are allowed to access their data and make corrections to any inaccuracies
- Accountability—data subjects have a method available to them to hold data collectors accountable if above principles are not followed
Supervisory authority is put into effect and enforced through the EU’s Data Protection Directive. Each member state is required to create an independent body that will monitor the data protection level in their particular member state. This body also gives advice to the government about administrative measures and regulations and can start legal proceedings when data protection regulation has been violated. Individuals may file complaints about violations directly to the supervisory authority or in a court of law.
This may sound a bit extreme. The EU, in general, has always been more proactive than the United States when it comes to consumer rights and privacy. Businesses are held accountable when the rules aren’t followed and consumers have control when it comes to their data being tracked.
How Does This Affect Me or My Website in the United States?
Here’s where things get interesting. The differences range from more robust language and protections for consumers to increased oversight and penalties for businesses. However, the main distinction between the Data Protection Directive and the General Data Protection Regulation is overall scope.
The Data Protection Directive was enforced only by and within the European Union. The General Data Protection Regulation changed that, adding that all stored and tracked user data coming to and leaving from the European Union is subject to the G.D.P.R. This means that even if you have a US-based website and the server is based in the United States, when a user based in the European Union views your site you’re now subject to the laws, regulations, and penalties of the General Data Protection Regulation.
What is defined as Personal Data?
What is considered to be personal data? And when is that data deemed privacy-sensitive? Basically, all data that can identify a person as an individual is personal data. Examples of such data, for instance on a contact form, include:
- E-Mail Address
- Location Data
- IP address
Company information (e.g. the name of an organization, email address, postal address, etc.) is not considered personal data. On top of ‘standard’ personal data, there is an additional category: ‘privacy-sensitive’ personal data. Should you handle data within your organization that is categorized as such, there are additional requirements. Privacy Sensitive Personal Data can include:
- Social Security Numbers
- Medical Information
- Sexual Orientation
- Religious or Political Preference
What rights do I have as a consumer?
As mentioned above, the goal of the new privacy law (GDPR) is to protect the rights of the end user (consumer). But what exactly are their rights, and what can they demand from you as an organization?
Inform, Permit, and Refuse
People have the right to be informed before their data is gathered, processed, and edited by your website. Users must give their explicit consent to this process. You can provide a cookie announcement in the footer of your website and give the option to sign up for a newsletter via a tick box (that is not checked by default). Users must be given the option to withdraw their consent at any time; either by unregistering or reviewing the cookie settings again.
Individuals can request the personal data you’ve gathered about them at any time. You are then obligated to deliver the information within a month and are not allowed to charge a fee for this. Don’t forget to consider the data portability right. This right ensures that personal data is able to be read in a reasonable manner. Excel spreadsheets or CSV files are relatively easy to open and understand, but a direct database dump is not.
Edit, Limit, and Remove
Consumers are entitled to ask you to correct faulty information. They can also request that you refrain from further editing of their personal data. Every person has ‘the right to be forgotten’; you are required to remove people’s data completely from your database upon their request.
The General Data Protection Regulation and marketing automation
It is not uncommon to make use of marketing automation on your website. Automation can include email marketing software reminding you to respond to a comment or to send a follow up email once the first message has been viewed. It can even send an email offering the user a discounted deal as a result of an abandoned shopping cart order.
People have the right to demand from you that your software not make automated decisions based on their data or behavior. If you do use marketing automation, you must explicitly ask your visitors’ permission in addition to informing them that automated decisions are made based on their personal data.
How serious is the General Data Protection Regulation and what are the penalties?
The General Data Protection Regulation isn’t anything to sneeze at. This is a major regulation with some serious teeth, holding companies financially responsible on a small and large scale.
The maximum fine that can be imposed on organizations is up to 4% of annual global turnover or up to €20 Million. This can be imposed for the most serious infringements (e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts).
There is a tiered approach to these fines. For example, a company can be fined 2% for:
- not having its records in order (Article 28)
- not notifying the supervising authority and data subject about a breach
- not conducting an impact assessment
It is important to note that these rules apply to both controllers and processors. This means that ‘clouds’ are not exempt from GDPR enforcement.
Minors, Data Protection Officers, and Data Breaches
The EU and US have always had major differences when it comes to laws and regulations pertaining to their citizens. This is especially true when talking about minors, so make sure you’re keenly aware of applicable laws when implementing your General Data Protection Regulation compliance on your website.
Parents must consent to the processing of the personal data of children under the age of 16 for online services. Member states may legislate for a lower age of consent, but it may not be below the age of 13.
A company must appoint a Data Protection Officer (or DPO) in the case of:
- Public authorities
- Organizations that engage in large scale systematic monitoring
- Organizations that engage in large scale processing of sensitive personal data (Article 37).
If your organization doesn’t fall into one of these categories you do not need to appoint a DPO.
Proposed regulations surrounding data breaches primarily relate to the notification policies of the breached companies. The DPO must be informed within 72 hours if a data breach has occurred that may pose a risk to individuals. Individuals affected must also be informed without undue delay. Any company or website that fails to notify its users within 72 hours is immediately subject to the penalties listed above.
How do I specifically comply with the General Data Protection Regulation?
Before we outline a checklist to help you comply with the General Data Protection Regulation, please know that this is in no way a comprehensive list, nor are we stating that it is a fully legal and compliant one. We’re supplying this as a good jumping-off point. Once you’ve read through and implemented the following checklist, we recommend you take some time and read through the official General Data Protection Regulation website and regulations, linked at the bottom of this article.
Inventory & Document
To start off, describe the target group(s) that visit your website. Then draw up a spreadsheet in which you document the kind of personal data your website collects for each group (see above for what the General Data Protection Regulation considers personal data). Specifying the data per target group reduces the risk of missing something. After you’ve established the groups, complete this inventory by checking the following list:
Hosting & Administration
External service providers also have access to your website. Confirm how they handle your data and that you have made the appropriate agreements with them.
- Hosting Party
- Theoretically, your hosting party has access to all data on your website. For this reason, you will need to have a processing agreement with them.
- Managed Hosting, external developers, and administrators
- Which administrators have access to your website? If you contract with certain bureaus (or freelancers) for your website, then you will have to set up processing agreements with each of them as well.
- Backup Locations
- Where and how does your hosting party make backups? You’ll need to confirm that their policies and procedures comply with privacy regulations as well.
Log in as an administrator on your website and answer the following questions to complete your inventory. Locate the data each plugin collects and determine what is being stored:
- Contact Forms (e.g. Gravity Forms, Contact Form 7, etc.)
- What information do you require from your users? Where is the information being stored?
- User Plugins (e.g. Ultimate Member, BuddyPress, etc.)
- What profile information is stored for each user? And what else can possibly be deduced about your users through membership? Think specifically about political activity, religious preference, financial status, or sexual orientation.
- E-Commerce (e.g. WooCommerce)
- E-commerce will contain basic personal data, such as names, addresses, and banking details. However, it can also reveal the kind of products people order. Do you, for instance, sell magazines with a political affiliation?
- Email marketing widgets (e.g. sign up via MailChimp or CreateSend)
- Which information do you require? What will you do once you obtain it from your users, and to which service do you forward it?
- Links with external services, such as an accounting package (e.g. a link between WooCommerce and Exact Online)
- WordPress comment plugins (e.g. Akismet or Disqus)
- These plugins filter spam based on data gathered from your users’ comments, email addresses and IP addresses.
- Security (e.g. Wordfence)
- These process IP addresses and user locations.
- Backup Plugins
- Complete copies of your site are a liability should they end up in the wrong hands. Where are backups stored and how are they secured?
- Statistics (e.g. Google Analytics, Google Tag Manager)
- Which parts of your users’ data are stored on your site?
- Logging (e.g. activity monitors etc.)
You have to be able to justify reasons for all personal data you are storing on your website, so best practice is to make sure that your data gathering stays within the boundaries of the law. You must meet one or more of the following criteria if you intend to store data:
- The user consents through a user agreement
- For example, paid subscriptions on your website for which you require banking details.
- The law obligates you
- For example, customer data in your WooCommerce shop; you also need to retain records for your administration according to tax administration demands.
- You have received explicit consent
- By virtue of a cookie announcement on your website or a registration form by which one subscribes to your newsletter. Make sure that consent is:
- Given freely (not coerced)
- Explicit (tick box not checked by default)
- Given per component (e.g. someone registers for an event, and also subscribes for a newsletter), and that
- Users are to be able to withdraw their permission at any time.
- The gathering of the data is justifiable
- For example, checking the location of a logged-in user as an additional security check to confirm the user is logging in from a plausible location.
Of course, determining what is justifiable data gathering is somewhat of a grey area. All the more reason to explain in detail why you consider it justifiable. And, when in doubt, it never hurts to consult a lawyer.
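As an added illustration (not code from the original article), the consent criteria listed above and the access, portability and removal rights described earlier can be modelled as a small per-purpose consent ledger. The class and field names are hypothetical; the point is that consent is recorded per component, a pre-ticked box never counts as explicit consent, withdrawal is always possible, and a subject-access export is a readable CSV rather than a database dump.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

@dataclass
class Consent:
    given_at: datetime
    withdrawn_at: Optional[datetime] = None
    pre_checked: bool = False      # a default-ticked box is not explicit consent

    def active(self) -> bool:
        return self.withdrawn_at is None and not self.pre_checked

@dataclass
class Subject:
    email: str
    data: Dict[str, str] = field(default_factory=dict)
    consents: Dict[str, Consent] = field(default_factory=dict)   # one record per purpose

    def give_consent(self, purpose: str, pre_checked: bool = False) -> None:
        self.consents[purpose] = Consent(datetime.now(timezone.utc), pre_checked=pre_checked)

    def withdraw(self, purpose: str) -> None:
        # Withdrawal is possible at any time; the record is kept for accountability.
        c = self.consents.get(purpose)
        if c is not None and c.withdrawn_at is None:
            c.withdrawn_at = datetime.now(timezone.utc)

    def may_process(self, purpose: str) -> bool:
        c = self.consents.get(purpose)
        return c is not None and c.active()

    def export_csv(self) -> str:
        # Data portability: a readable CSV, not a raw database dump.
        w = csv.writer(buf := io.StringIO())
        w.writerow(["field", "value"])
        w.writerow(["email", self.email])
        for k, v in sorted(self.data.items()):
            w.writerow([k, v])
        for p, c in sorted(self.consents.items()):
            status = "withdrawn" if c.withdrawn_at else ("invalid:pre-ticked" if c.pre_checked else "active")
            w.writerow([f"consent:{p}", f"{status} (given {c.given_at.isoformat()})"])
        return buf.getvalue()

    def erase(self) -> None:
        # Right to be forgotten: drop stored data and consent records entirely.
        self.data.clear()
        self.consents.clear()
```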
Remove personal data that you cannot legitimately gather and store in your website, and deactivate plugins that don’t comply or search for alternative plugins that do.
Draw up procedures
Record different protocols for situations that may occur in the future. Make sure it is crystal clear where information is located, so you don’t waste time later on. In any case, record the following procedures:
- Personal Requests
- Individuals may demand access to their personal data stored by your website, but may also want to edit or delete their data.
- Record how you will guarantee that data remains confidential, now and in the future. Adopt a consistent update policy for your website, plugins, and theme.
- Safe backup storage and a strong password policy for every new user should be in place.
- Data Breaches
- The law requires you to inform the Personal Data Protection Authority within 72 hours in case of data breaches. Therefore, make sure you have a phased plan ready, as speed and accuracy is crucial in such cases.
Inform & Ask for permission
Inform visitors of your website in a clear and transparent manner. Clearly referring to a privacy statement in the footer of your website and in the cookie statement satisfies this requirement. Also, ask visitors of your website explicitly for permission of data handling activities as documented in your privacy statement.
Additional Compliance Resources
Using the above-outlined checklist, you have a good foundation to be General Data Protection Regulation compliant. However, it’s always good practice to read through the official regulations and keep them for later reference. Below we’ve provided the official General Data Protection Regulation site, in addition to helpful links and resources:
- G.D.P.R Official Website
- G.D.P.R. Wiki
The General Data Protection Regulation is no joke in scope or penalty. The GDPR has officially taken effect as of May 25th, 2018. If you haven’t already implemented a policy on your website – do so immediately.
This regulation only affects websites that track, obtain, or otherwise identify user data, but it’s good practice (and a public relations win) if you still introduce protections on static websites that don’t track or store data.
Contact us if you’re unsure of exactly how to start protecting your company and users. If all the aspects of compliance overwhelm you, reach out anytime. We’re extremely familiar with and understand exactly what the General Data Protection Regulation is and requires – and we’re happy to help your website and company comply.
Additional Helpful Tips
If you’re interested in ways to further optimize your website or presence, check out our article on The Psychology of the Web, where we detail how to leverage specific visual techniques to improve your overall conversion rates and sales.
A believer in the pursuit of genuine ideas, the power of numbers and all that is the internet. Michael has been a full stack web systems engineer for 10 years. Focusing specifically on WordPress based systems, usability, UX/UI, and delivering Human Solutions in a digital world.