The General Data Protection Regulation and You
The General Data Protection Regulation, or G.D.P.R., is a new regulation in European Union (EU) law which supersedes the Data Protection Directive and officially took effect on May 25th, 2018. The purpose of this new regulation is to:
- Inform you in unambiguous terms that your personal data may be tracked and stored by a website and/or shared with third parties
- Safeguard your personal information to the highest degree when obtained
- Inform you about what specific information is being obtained, how it’s used, and where it goes
- Provide a definitive retention rate of the data being stored, and, in some cases, how to delete it
- Confirm that any and all personal or identifiable information is pseudonymized or fully anonymized where appropriate
To better understand the General Data Protection Regulation and its impact on the entirety of the Internet, it is important to know about its predecessor, why it exists, and its benefits. Enter the Data Protection Directive (circa 1995).
Data Protection Directive (officially Directive 95/46/EC)
Adopted in 1995, the Data Protection Directive regulates the processing of personal data within the European Union (EU). The directive consists of seven core principles:
- Notice—data subjects (you) are to be given notice when their data is being collected
- Purpose—data should only be used for the purpose stated and not for any other purposes
- Consent—data should not be disclosed without the data subject’s consent
- Security—collected data should be kept secure from any potential abuses
- Disclosure—data subjects should be informed as to who is collecting their data
- Access—data subjects should be allowed to access their data and make corrections to any inaccurate data
- Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles
The EU’s Data Protection Directive outlines how supervisory authority is implemented and enforced. It requires each member state to establish an independent body that monitors the data protection level in that member state, advises the government about administrative measures and regulations, and starts legal proceedings when data protection regulation has been violated. Individuals may file complaints about violations with the supervisory authority or in a court of law.
This may sound a bit extreme (especially considering the Data Protection Directive took effect in 1995), but the EU has generally been more proactive than the United States when it comes to consumer rights and privacy. The whole point is that businesses are held accountable when they aren’t following the rules. Additionally, consumers need control and transparency over which data is being tracked and why.
How Does This Affect Me or My Website in the United States?
Here’s where things get interesting. Aside from more robust wording and protections for consumers, and increased oversight and penalties for businesses, the main difference between the Data Protection Directive and the General Data Protection Regulation is overall scope.
Where the Data Protection Directive only protected data within, and was enforced by, the European Union, the General Data Protection Regulation changes this: all stored or tracked user data coming to or leaving the European Union is subject to the G.D.P.R. This means that even if you have a US-based website hosted on a server in the United States, when a user based in the European Union views your website you are now subject to the laws, regulations, and penalties of the General Data Protection Regulation.
What is defined specifically as Personal Data?
What is considered personal data? And when is this data deemed privacy-sensitive? Basically, all data that can identify a person as an individual is personal data, for example the data someone fills in on a contact form on your website, such as:
- E-Mail Address
- Location Data
- IP address
Keep in mind that company information (e.g. the name of an organization, its email address, postal address, etc.) is not considered personal data. On top of ‘standard’ personal data there is an additional category: ‘privacy-sensitive’ personal data. Should you handle data within your organization that falls into this category, additional requirements apply:
- Social Security Numbers
- Medical Information
- Sexual Orientation
- Religious / Political Preference
What rights do I have as a consumer?
As mentioned above, the goal of the new privacy law (GDPR) is to protect the rights of the end user (consumer). But what exactly are those rights, and what can consumers demand from you as an organization?
Inform, Permit, and Refuse
People have the right to be informed before their data is gathered, edited, or processed by your website, and they must give their explicit consent to this. In practice this means providing a cookie announcement in the footer of your website and offering newsletter sign-up via a tick box that is not checked by default. Finally, users must be able to withdraw their permission at any time, for instance by unregistering or by reviewing the cookie settings again.
Individuals whose personal data you have gathered on your website may request this data from you at any time. Organizations are obligated to deliver this data within a month and are, in principle, not entitled to charge a fee for it. In addition there is the right to data portability: personal data must be delivered in a form that can reasonably be inspected. Excel sheets or CSV files are relatively easy to open; a raw database dump is not.
Edit, Limit, and Remove
Consumers are entitled to ask you to rectify faulty information, and to request that you refrain from further editing of their personal data (apart from storing it). Every person also has ‘the right to be forgotten’: put differently, upon request you must be able to remove a person’s data completely from your database.
The General Data Protection Regulation and marketing automation
It is not uncommon to make use of marketing automation on your website. This may consist of email marketing software that reminds you to respond to a comment, sends a follow-up email once the first message has been viewed, or sends an email offering a discounted deal because of an abandoned shopping cart.
People have the right to demand that your software does not make automated decisions based on their data or behavior unless they have explicitly given their permission. Therefore, if you do use marketing automation, make sure you explicitly ask your visitors’ permission in addition to informing them that automated decisions will be made based on their personal data.
How serious is the General Data Protection Regulation and what are the penalties?
To be honest, the General Data Protection Regulation isn’t anything to scoff at. It is a major regulation with serious teeth, holding companies big and small equally financially responsible.
Organizations can be fined up to 4% of annual global turnover or €20 million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements (e.g. not having sufficient customer consent to process data, or violating the core Privacy by Design concepts).
There is a tiered approach to fines; for example, a company can be fined 2% for:
- not having its records in order (article 28)
- not notifying the supervising authority and data subject about a breach
- not conducting an impact assessment
It is important to note that these rules apply to both controllers and processors, meaning ‘clouds’ are not exempt from General Data Protection Regulation enforcement.
DPO’s, Minors, and Data Breaches
The EU and the US have always had stark differences in the laws and regulations pertaining to their citizens, especially when it comes to minors. This is also something to be keenly aware of when implementing General Data Protection Regulation compliance on your website.
Under the GDPR, parental consent is required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent, but this will not be below the age of 13.
Data Protection Officers (or DPOs) must be appointed in the case of:
- Public authorities
- Organizations that engage in large scale systematic monitoring
- Organizations that engage in large scale processing of sensitive personal data (Article 37).
If your organization doesn’t fall into one of these categories, you do not need to appoint a DPO.
The rules surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches that may pose a risk to individuals must be communicated to the DPA within 72 hours and to affected individuals without undue delay. Any company or website that fails to notify within 72 hours is immediately subject to the penalties listed previously.
How do I specifically comply with the General Data Protection Regulation?
Before we outline a checklist to help you comply with the General Data Protection Regulation, please know that this is in no way a comprehensive list, nor are we providing it as a fully legally compliant list. We’re supplying it as a good jumping-off point. Once you’ve read through and implemented the following checklist, we recommend you take some time to read through the official General Data Protection Regulation website and regulations.
Inventory & Document
To start off, describe the target group(s) that visit your website. Then draw up a spreadsheet in which you document the kind of personal data your website collects for each group (inform yourself on what the General Data Protection Regulation marks as personal data). Specifying the data per individual target group reduces the risk of missing something. Complete this inventory by checking the following list:
Hosting & Administration
External service providers also have access to your website. Confirm how they handle your data and that you have the appropriate agreements in place with them.
- Hosting Party
- Theoretically, your hosting party has access to all data on your website. For this reason you must have a processing agreement with them.
- Managed Hosting, external developers, and administrators
- Which administrators have access to your website? If you contract with agencies (or freelancers) to work on your website, you must set up processing agreements with them as well.
- Backup Locations
- Where and how does your hosting party make backups?
Log in to your website as an administrator and answer the following questions to complete the list above. Locate the data being collected by each plugin and determine whether this data is being stored or not:
- Contact Forms (e.g. Gravity Forms, Contact Form 7, etc.)
- What information do you require from your users? And where is it being stored?
- User/membership plugins (e.g. Ultimate Member, BuddyPress, etc.)
- What profile information is stored for each user? And, what else can possibly be deduced about your users through membership? Think in terms of political activity, religious preference, financial status, or sexual orientation.
- E-Commerce (e.g. WooCommerce)
- E-commerce data contains basic personal data, such as names, addresses, and banking details. However, it also reveals the kind of products people order. Do you, for instance, sell magazines with a political affiliation?
- Email marketing widgets (e.g. sign up via MailChimp or CreateSend)
- Which information do you require? What will you do once you obtain it from your users, and to which service do you forward it?
- Links with external services, like accounting packages
- e.g. a link between WooCommerce and Exact Online
- WordPress comment plugins
- Akismet, for instance, filters spam based on data gathered from your users’ comments, email addresses, and IP addresses. Disqus also stores such information.
- Security plugins, like Wordfence, process IP addresses and user locations.
- Backup Plugins
- Complete copies of your site are privacy-sensitive should they end up in the wrong hands. Where are backups stored and how are they secured?
- Statistics (e.g. Google Analytics, Google Tag Manager)
- Are you aware of which parts of your users’ data are being stored?
- For instance, activity monitors that register user activity.
You have to be able to justify your reasons for all the personal data you are storing on your website. Make sure your data gathering stays within the boundaries of the law. Storing data on your website is only allowed when one of the following criteria is met:
- Because it is required by a user agreement
- Like paid subscriptions on your website, for which you need users’ banking details.
- Because you are obliged to record this data by law
- Like customer data in your WooCommerce shop: you are also required to store data for your administration according to the Tax Administration’s demands.
- Because you have been given explicit consent to do so
- By virtue of a cookie announcement on your website, or a registration form by which someone subscribes to your newsletter. Make sure that consent is:
- Freely given (users are not to be misled or forced)
- Explicit (that means a tick box that is not checked by default)
- Given per component (e.g. someone registers for an event and separately subscribes to a newsletter), and that
- Users are able to withdraw their permission.
- Because the gathering of the data is justifiable
- Like tracking the location of a logged-in user as an additional security check, to determine whether the user is logging in from a plausible location.
- Of course, determining what is justifiable data gathering is somewhat of a grey area. All the more reason to explain in detail why you consider it justifiable. And, when in doubt, it never hurts to consult a lawyer.
Remove personal data that you cannot legitimately gather and store on your website, and deactivate plugins that cannot comply, or search for alternative plugins that do.
Draw up procedures
Record procedures for situations that may occur in the future. Make sure it is crystal clear which information is found where, so you don’t have to figure that out later on. In any case, record the following procedures:
- Personal Requests
- Individuals may demand access to their personal data stored by your website, but may also want to edit or delete their data.
- Confidentiality & Security
- Record how you will guarantee that data remains confidential, now and in the future. Think about a consistent update policy for your website, plugins, and theme, but also safe backup storage and a strong password policy for every new user that is added.
- Data Breaches
- In the case of a data breach, you are required by law to inform the Personal Data Protection Authority within 72 hours. Therefore, make sure you have a step-by-step plan ready, as speed is crucial in such cases.
Inform & Ask for permission
Inform visitors of your website in a clear and transparent manner. This can be done by clearly referring to a privacy statement, for instance in the footer of your website and in the cookie statement. Also ask visitors explicitly for permission for the data handling activities documented in your privacy statement, and make sure you obtain their permission as described above.
Additional Compliance Resources
Using the above checklist will provide a good foundation for General Data Protection Regulation compliance. However, it’s good practice to read through the official regulations and save them for later reference. Below we’ve provided the official General Data Protection Regulation site, in addition to some helpful links and resources:
- G.D.P.R. Official Website
- G.D.P.R. Wiki
The General Data Protection Regulation is no joke in either scope or potential penalty. It officially took effect on May 25th, 2018. If you haven’t already implemented some sort of policy on your website, do so immediately.
Granted, this regulation only affects websites that track, obtain, or otherwise identify user data. That said, it’s good practice (and a public relations win) to implement some sort of protection even on static websites that track no data at all.
Contact us if you’re unsure exactly how to start protecting your company and users, or if you are truly overwhelmed by the various aspects of compliance. We are extremely familiar with what the General Data Protection Regulation is and asks for, and can help your website and company comply.
Additional Helpful Tips
If you’re interested in how to further optimize your website or presence, check out our article on The Psychology of the Web and how to leverage specific visual techniques to improve your overall conversion rates and sales.