On 25th May 2018, the General Data Protection Regulation (GDPR) will come into effect. It is a new data protection regulation of the European Union (EU). This regulation will impact how each and every website handles and stores the private data of its visitors from the EU. This means that any website open to EU citizens is affected.
What is GDPR?
The General Data Protection Regulation (GDPR) is part of the Data Protection Reform of the European Union. It comes into force on 25th May 2018 and will replace the current data protection directive (Directive 95/46/EC) of 1995.
GDPR is also seen as a key enabler of the European Digital Single Market Strategy as it brings additional digital rights for EU citizens.
The fundamental objective of the regulation is to give the EU citizens back the control over their personal data. Key elements of the regulation are:
- Easier access to your own data
- The right to data portability
- The “right to be forgotten”
- The right to know when your data has been hacked
GDPR is an EU law, but it is not restricted to companies on EU territory. It impacts all organizations across the globe that offer services in the EU or handle data of EU citizens.
Of course, the new regulation should also bring advantages to companies. For example, an EU-wide data privacy regulation allows small and medium enterprises (SMEs) to break into new markets without additional administrative requirements.
At the same time, GDPR is very restrictive. Breaches or non-compliance with the rules could result in fines of up to €20 Million or 4% of the annual global company turnover. The value of the fine will depend on the severity of the infringement.
This infographic from the European Commission provides a good overview. In case you would like to read the General Data Protection Regulation in its entire scope, you can find the regulation at the EU publications website.
How does GDPR impact your website?
The key element of GDPR is the processing of personal data.
According to Art. 4 GDPR Definitions:
- “‘processing’ means any operation or set of operations which is performed on personal data” which could be the collection, storage or transmission
- “‘personal data’ means any information relating to an identified or identifiable natural person” which could be the name or just an IP address
Today, nearly every website collects data from its visitors. It is often difficult to know in which form user data is recorded and stored in the systems or transferred to a 3rd party for further processing. The very common use of Google Analytics is breaching the GDPR: Google Analytics collects, transfers, stores and processes personal data without clear consent from your users.
We cannot assume that users/visitors give their consent to the collection of their personal data. Users must give their consent to the collection of their data in a clear manner. In addition, users need to be informed about what data will be collected and how it will be used, and this information must be in clear and plain language. Users should also be informed about their right to withdraw their consent to the use of their private data at any time.
What do you need to do?
First you need to understand what data from users/visitors your website processes and how; this starts with something as basic as the user’s IP address. Therefore, you need to perform an analysis of your website to understand how the collection, handling and storage of any personal data is done and to identify any potential infringements. This analysis needs to include how your users’ data is transferred to and handled by any 3rd parties. As mentioned previously, the most common and well-known 3rd party collecting and processing your users’ data is Google Analytics. The analysis should also consider any 3rd party plugins you are using on your website. As the owner of the website, it is your responsibility to ensure that the plugins you use are compliant with the GDPR.
The next step is driven by the principle of Privacy by Design and Default. This basically means that you need to limit the collection of user data to the necessary minimum. You need to ask yourself whether you really need to collect all this personal data from your users, or whether you could run your business without knowing certain details.
In the third step you need to make the necessary changes to ensure that you collect and process only the minimum necessary data from your users, and that you obtain sufficient user consent to process this data. In addition, you need to define and publish a clear and easy-to-understand policy about what type of personal data your company collects about its website visitors, how the data is used and how users can control the data that is gathered.
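The consent requirement described above (consent is explicit, never presumed, and can be withdrawn at any time) and the third step can be enforced in the browser by gating the analytics script behind a recorded decision. The following is an added example, not code from the original page; the storage key name and the `loadAnalytics`/`unloadAnalytics` callbacks are assumptions, to be replaced by the site's own script injection and removal.

```javascript
// Added example (not from the original page): load a third-party analytics script,
// e.g. Google Analytics, only after explicit, revocable user consent.
// Assumptions: `storage` has getItem/setItem (localStorage fits); `loadAnalytics`
// and `unloadAnalytics` are hypothetical callbacks supplied by the site.
const CONSENT_KEY = 'analytics_consent_v1'; // key name is an assumption

function createConsentGate(storage, { loadAnalytics, unloadAnalytics }) {
  let active = false;

  // Consent is never presumed: only an explicit stored "granted" record counts;
  // a missing, malformed or "denied" record all mean "do not track".
  function hasConsent() {
    try {
      const rec = JSON.parse(storage.getItem(CONSENT_KEY) || 'null');
      return rec !== null && rec.status === 'granted' && typeof rec.ts === 'number';
    } catch (e) {
      return false; // corrupted record is treated as no consent
    }
  }

  // Reconcile the script state with the recorded decision; returns whether
  // analytics is active afterwards.
  function apply() {
    const ok = hasConsent();
    if (ok && !active) { loadAnalytics(); active = true; }
    else if (!ok && active) { unloadAnalytics(); active = false; }
    return active;
  }

  function record(status) {
    storage.setItem(CONSENT_KEY, JSON.stringify({ status, ts: Date.now() }));
    return apply();
  }

  return {
    init: apply,                      // on page load; default is no tracking
    grant: () => record('granted'),   // call only from an affirmative user click
    withdraw: () => record('denied'), // right to withdraw: tracking stops at once
    hasConsent,
    isActive: () => active,
  };
}

// Constructed in-memory storage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); } };
}
```

The timestamp in the record lets the site later expire old decisions and ask again, which a bare boolean flag would not allow.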
How we can help you!
GDPR compliance is important for the success of your business. We have designed the following steps to ensure that your website complies with the upcoming regulation:
- Create a data privacy audit of your website
- Design solutions for identified data protection gaps
- Implement appropriate technical and organizational measures
Create a data privacy audit of your website
We run a detailed analysis of your website and provide you with a report laying out how user data is collected and processed. The report also covers any transfer of user data to a 3rd party. Of course, the report will highlight any identified potential breach of the users’ data privacy.
Design solutions for identified data protection gaps
We design the right solutions to close any potential data privacy breaches while still fulfilling your business needs. The core principle of Privacy by Design and Default will be the guiding principle of our solution development.
Implement appropriate technical and organizational measures
- The European Union General Data Protection Regulation comes into effect on 25 May 2018
- Your website is affected if it handles personal data of EU citizens
- You should avoid the collection of unnecessary personal data
- Your users’ consent to data collection needs to be clear and cannot be presumed
- Your users should be informed about the collection and processing of personal data in plain language
- You need to have the processes in place to inform all stakeholders about any harmful data breach