GDPR and your website

On 25th May 2018, the GDPR (General Data Protection Regulation) enacted by the EU will come into effect.

  • How do you make your website GDPR compliant?
  • What are the steps that you must take to ensure that you follow the guidelines?
  • What if you neglect this?

This article will help you in your endeavour to be ready when the regulation kicks in.

  • First, we’re going to talk in detail about the GDPR guidelines, the specific areas of your business that the guidelines affect, and why you should be concerned about your website and GDPR compliance.
  • Next, we will cover the basics of making a website site compliant with the guidelines.
  • Finally, we will discuss the implications of the use of tools on your website and how your GDPR compliance might be affected.

What is GDPR?

Disclaimer. This post is not legal advice. I am not lawyer.
GDPR stands for General Data Protection Regulation, and it is a new data protection law in the EU, which comes into force in May 2018.

The GDPR aims to give citizens of the EU control over their data and change the approach of organisations across the world towards data privacy.

The GDPR provides much stronger rules than existing laws and is much more restrictive than the “EU cookie law.”

For instance, users must confirm that their data can be collected, there must a clear privacy policy showing what data is going to be stored, how it is going to be used, and provide the user with a right to withdraw the consent to the use of personal data (consequently deleting the data), if required.

The GDPR law applies to data collected about EU citizens from anywhere in the world. As a consequence, a website with any EU visitors or customers must comply with the GDPR, which means that virtually all sites and businesses must meet.

To better understand the regulation, take a look at the publication of the rules in the Official Journal of the European Union, which defines all terms related to the law. There are two main aspects of the GDPR: “personal data” and “processing of personal data.” Here’s how it relates to running a website:

  • personal data pertains to “any information relating to an identified or identifiable natural person” – like name, email, address or even an IP address,
  • whereas processing of personal data refers to “any operation or set of operations which is performed on personal data”. Therefore, a simple operation of storing an IP address on your web server logs constitutes processing of personal data of a user.

Should GDPR be taken seriously?

Organisation of websites has time until May 2018 to comply with the regulations set by the GDPR. The penalty for non-compliance can be 4% of annual global turnover, up to a maximum of €20 million.

There are various slabs of penalties according to the seriousness of the breach, which has been described in the FAQ section of the GDPR portal.

Such a high amount of penalties has been proposed to increase compliance. However, one may wonder what steps for the supervision of websites are in place. Supervisory Authorities (SA) of different member states are going to be set up, with the full support of the law. Each member state may have multiple SAs, depending on the constitutional, administrative and organisational structures. There are various powers that SAs will have:

  • carry out audits on websites,
  • issue warnings for non-compliance,
  • issue corrective measures to be followed with deadlines.

SAs have both investigative and corrective powers to check compliance with the law and suggest changes to be compliant.

It is too early to speculate how SAs of various member states would interlink and work together, but one aspect is evident; SAs would enjoy the considerable power to enforce the GDPR guidelines.

Six months after the guidelines were released, PwC surveyed 200 CXOs of large US firms to assess the impact of the GDPR guidelines. The results revealed that a majority of the businesses had taken up the GDPR guidelines as their top data protection priority, with 76% of them prepared to spend more than $1 million on GDPR. This shows that owing to a substantial presence in the EU, and large corporations are taking up the GDPR compliance seriously.

The details of your Website GDPR compliance

So with all the official information out of the way, let’s take a moment to talk about how to make sure that your website is compliant and that you won’t experience any Website GDPR problems.

Before you move on to each of the aspects and how to comply with them, a security audit on your website site should, in general, reveal how data is being processed and stored on your servers, and steps that are required to comply with the GDPR.

Some usual ways in which a standard website site might collect user data:

  • user registrations,
  • comments,
  • contact form entries,
  • analytics and traffic log solutions,
  • any other logging tools and plugins,
  • security tools and plugins.

Here are some key aspects of the website GDPR that users need to take care of:

(a) Breach notification

Under the GDPR compliance, if your website is experiencing a data breach of any kind, that violation needs to be communicated to your users.

A data breach may result in a risk for the rights and freedoms of individuals, due to which notifying users promptly becomes necessary. Under the GDPR, a notification must be sent within 72 hours of first becoming aware of a breach. Data processors are also required to notify users as well as the data controllers, immediately after early becoming aware of a data breach.

In a website scenario, if you notice a data breach, you would need to notify all those affected by the breach within this designated time frame. However, the complexity here is the definition of the term “user” – it may constitute regular website users, contact form entries, and potentially even commenters.

This clause of the GDPR thus creates a legal requirement to assess and monitor the security of your website. The ideal way is to watch web traffic and web server logs.

(b) Data collection, processing and storage

Three elements of this: Right to AccessRight to Be Forgotten and Data Portability.

  • The right to access provides users with complete transparency in data processing and storage – what data points are being collected, where are these data points being processed and stored, and the reason behind the collection, processing and storage of the data. Users will also have to be provided with a copy of their data free of cost within 40 days.
  • The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their own data to be used.
  • The data portability clause of the GDPR provides users with a right to download their data, for which they have previously given consent, and further transmit that data to a different controller.

Privacy by design encourages controllers to enforce data policies which enable the processing and storage of only that data which is necessary. This helps site owners and controllers to adopt potentially safer procedures for data, by limiting the access to some data points.

As a website site owner, you first need to publish a detailed policy on which personal data points you’re using, how they are being processed and stored.

Next, you need to have a setup to provide users with a copy of their data. This is perhaps the most challenging part of the process. However, we can assume that when the time comes, most plugin developers or tool developers – for the tools and plugins that you have on your site – will have already come forward with their solutions to this.

It is still advised, however, to have a system in place to derive the required data out of your database.

Further, it may be wise to avoid data storage altogether in some instances. For instance, contact forms could be set up to directly forward all communication to your email address instead of storing them anywhere on the web server.

(c) Use of plugins or tools – implications of GDPR compliance

Any plugin or tool that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with the GDPR rules.

This can still mean some tough times for some of the most popular plugins out there. For instance, solutions like Gravity Forms have a lot of modules that collect user data by nature. How are those tools going to comply with the GDPR accurately?

For plugins too, the same rules apply, although they must be approached from the website owner. Each plugin needs to establish a data flow and inform about the processing of personal data. If you are the developer of a plugin, consider providing users of your plugin an addendum that they may add to their website’s terms to make them GDPR compliant. Gravity Forms, for instance, needs to let the user know how personal data being filled in a contact form is going to be published, and an option to get it removed, if necessary.

Also, some tools that sit seemingly outside of your website will see the impact of this too. Take, email marketing tools, for example. It’s a common practice to have those integrated with your site and to send promotional emails based on a list of email addresses. Depending on how you run your newsletters/lists, those addresses might not have been obtained by getting explicit consent from users.

For instance, a checkbox that’s selected by default would count as a violation. Under the GDPR, everything that’s part of your online presence as a business will need to collect consent and have a privacy policy in place explicitly. There are other implications too – if you wish to buy a mailing list, you would be sending emails illegally to the recipients, since no one explicitly asked to receive emails from you.

Although the final responsibility lies with the site owner, webmasters themselves may have to look into its processes to become compliant as well.

Final thoughts

To sum up what it means to make your website GDPR compliant:

  • the law comes into effect in May 2018,
  • it applies to any site that deals with personal information of EU users,
  • it gives the user the right to control the flow of their personal information,
  • there are defined processes to monitor compliance, and huge fines are in place for non-compliance.

In a nutshell, to make your website GDPR compliant, you should

  1. look into all the different ways in which you’re collecting visitor data. Next,
  2. put mechanisms in place to make sure that users can control their data. Additionally,
  3. it’s probably a good idea to avoid collecting user data where it’s not necessary (like the contact form example from above). And most importantly of all,
  4. even if you’re using third-party tools and solutions, you still need to make sure that those are GDPR compliant as well.

If you don’t have all of the above-taken care of by May 2018, trouble.

Nonetheless, the GDPR regulation is the right step in ensuring transparency in the handling of data. Although this post has covered the basics of GDPR, you may want to go through the regulation in detail if you have a profitable business running on your website. Remember, not complying can be fined up to €20 million or 4% of your global revenue.

Some further reading:

Original article by Shaumik Daityari