The GDPR (General Data Protection Regulation) is the biggest and most important European legislation regarding privacy and data protection in the last two decades. It is a regulation approved by the European Parliament in April 2016 and will come into effect on 25 May 2018.
Put simply, the aim of the GDPR is to give all European citizens much greater control over their personal information and to force companies and organizations to take more seriously the handling and the protection of their client’s personal data.
GDPR applies to any business or organization that processes or stores the personal data of European citizens, regardless from which country they operate. The fines for non-compliance can reach up to €20 million or 4% of a company’s turnover, which means GDPR is not to be taken lightly.
An individual’s rights under the GDPR
The GDPR seeks to establish eight rights for individuals regarding the protection of their personal data.
1. The right to be informed
Persons have the right to know who is processing and storing their personal data. They also have the right to know how you collect their data, for what purposes and for how long.
2. Right to access
Data subjects have the right to access their personal information that are save in an organization’s systems.
3. Right to rectification
An individual has the right to edit any stored personal information about them.
4. Right to erasure
Also known as “the right to be forgotten”. Persons have the right to request the permanent deletion of their personal data.
5. Right to restrict processing
Individuals in certain circumstances can restrict organizations from processing their information and only allow them to store it.
6. Right to data portability
Individuals have the right to request their information in a commonly used format, like a csv file, in order to transfer it to different services for their own purposes.
7. Right to object
Persons have the right to object to their information being used for purposes of direct marketing, research or statistics.
8. Rights related to automated decision making including profiling
The GDPR specifies when profiling and automated decision making can be used. There are requirements that must be met, one of which is the individual’s explicit consent.
How can website owners prepare for the GDPR?
Disclaimer
This article is by no means a legal advice. It contains general suggestions and recommendations regarding the GDPR. If you want to be sure that your business or website is fully compliant with the GDPR, you need to get proper legal advice for your own particular case.
User’s consent is important
One of the most important issues that GDPR attempts to address is that of consent. A user’s consent can no longer be implied or inferred from her activity or even inactivity.
You need to go through all the forms your website uses and make sure that the personal information you request from your users is absolutely necessary. Remove any fields that request information that is not necessary for your specific purposes. This will have the added benefit of improving your user’s overall experience on your website.
The language used while trying to get consent has to be simple and clear. GDPR forbids long texts of hard to understand legalese. You must clearly state the purpose you need the individual’s data for, as well as the approximate time period you will be storing it.
The fact that a user has given her consent to a website does not mean that it cannot be revoked. The user has the right to revoke her consent at any given time with ease.
You must have a Privacy Policy on your website
Having a Privacy Policy on your website was always a legal requirement, but under the GDPR, you will need to update it to inform your visitors of their new rights and let them know what types of information you collect, how you use it and for how long.
Be ready for user requests
Make sure you have procedures in place that will allow you to easily amend or completely delete a person’s data should they request it. You must also be able to export user data upon their request in a commonly used file format (i.e. CSV file). Remember that you are required to provide all of these services completely free of charge.
Prepare for a data breach
You must also have a procedure to deal with data breaches should the worst case scenario happens. Under the GDPR you are required to inform all of your affected users within 72 hours.
WordPress plugins and Joomla Extensions
If you use a Content Management System like WordPress and Joomla to run your website, then you need to make sure that any extensions or plugins you use are also GDPR compliant. Many plugins in order to provide their functionality might make use of personal data, i.e. the IP address of your visitors and store it in your site’s database. You need to verify with the creators of these plugins that they are GDPR compliant.
Google Analytics are OK
Most websites gather visitor data to study their audience behavior and flow on their pages in order to improve their services. Google Analytics is the most widely used service for this purpose. Since the data collected through Google Analytics is anonymous and cannot be used to identify individuals then it’s OK to use it. You can also read what Google has to say on this link https://privacy.google.com/businesses/compliance.
Do not forget though, that according to Google’s own policy, if you use Google Analytics on your website you must have a Privacy Policy posted on your site that makes this clear to your visitors.
GDPR, a 200-page document, with up to €20 million in fines, will certainly look intimidating for businesses and website owners, but overall I think it will actually be a good thing. It unifies current privacy laws under one regulation. Companies throughout Europe (and other parts of the world), will only have to comply with just one set of rules instead of worrying about different privacy laws in each country they do business. It will also help build more trust between individuals and organizations and address the issue of imbalance of information between them.