- 10th August 2017
- Comments Off on New data protection regulations from GDPR mean stricter protection expected in websites.
- Posted by yellowcherrydigital
New data protection regulations from GDPR mean stricter protection expected in websites.
So, how do you make your website GDPR compliant and what is the General Data Protection Regulation anyway?
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation aimed at helping to strengthen data protection for EU citizens and residents both within the EU and the wider world. Essentially it says to businesses and organisations “If you want to offer your services or products to customers who are EU citizens, you better make sure you look after their personal data or else!”
Anyone who collects and processes personal data (defined by the GDPR as a Data Controller) will be required to comply with the new regulations to a certain degree. As well as organisations who run websites or apps, this also includes any organisations who use internal databases, CRMs or even just plain old email.
What in the name of Sir Isaac H Newton happened here?
A significant part of the GDPR is about transparency and informing data subjects (individuals) about what and how their personal data is being used, by whom and for how long. GDPR requires data controllers to state what data is being processed and for what reasons. Additionally, they are required to inform data subjects about how long the data will be stored for. They must also state who the subject should contact with regards to any part of the data controller’s data processing actions.
The digital Age Of Consent
Provable consent must be explicitly given to the data processor by the data subject before their data can be processed. Additionally, the data must only be used for the purposes that consent has been given. EG if someone contacts you through your website with an enquiry of some kind, that does not give you permission to add them to your email marketing list. Verifiable consent must be given by a minor’s parent or guardian before their data can be used. Consent must be able to be withdrawn by the data subject at any time.
Pseudony-who in the what now?
The GDPR makes reference to something called pseudonimisation. Put simply, this is a process to transform data in a way that stops it from being attributed to a data subject (an individual) without the use of additional information. An example of this might be using a unique reference ID for someone rather than their name when storing their data in a database. A second table of names and corresponding IDs stored on a separate system would then be used to join the tables together and recreate the data. In this way if a data breach occurred and the personal data was stolen, the data wouldn’t expose actual names just the additional data.
For us here at Fellowship, this is the most ambiguous part of the GDPR as it relies (to a certain degree) on how you interpret pseudonimisation. An often mentioned example of pseudonimisation is encryption whereby data is held in an encrypted fashion and requires a key (stored separately) to decrypt it. Websites that use HTTPS send data over an encrypted connection so you could say that if your website has an SSL certificate you’re on your way to GDPR compliance but the data in the database itself is likely stored unencrypted so if the database was breached the personal data would still be exposed. No CMSs that we’ve ever used have stored personal data in a truly pseudonimous way. We wait to see how WordPress and the other major CMS players address this.
The GDPR requires the data controller to have suitable processes defined and in place in case of a data breach. Depending on the severity of the breach, the data controller has a legal obligation to report a data breach (of identifiable or un-pseudonimised data) within 72 hours. Further information on the reporting of a data breach can be found on the Information Commissioner’s Office website.
Have I got a good site?
Another significant part of the GDPR is the idea that digital systems include privacy by design (also referred to as privacy by default). Put simply, a users privacy should be fully considered at the very core of any digital system. By default, privacy settings should be set to their highest level with a user given options to downgrade this if they choose to. As many social media users know, social networks often work in the opposite way to this! Data controllers should also be ensuring that data is only being processed when absolutely necessary.
When does the GDPR come in to force?
The GDPR replaces the data protection directive from 1995. It was adopted on 27th April 2016 and comes in to force on 25th May 2018.
So, how can you make your website GDPR compliant?
Take a personal data audit
A personal data audit will help you to identify all of your data processors. List them all with either a 1 or a 3 to help you track which are first and which are third party data processors.
For each data processor consider the following:
- What are you using the data for?
- Where is the data being stored?
- Do you still need the data?
For each of the third party data processors, check their respective privacy policies and make sure that they are GDPR compliant. US-based data processors should be Privacy Shield compliant. If the third party is not yet compliant with GDPR or Privacy Shield contact them and find out if and when they plan on becoming compliant. In the unlikely situation where a third party data processor is not compliant and has no plans to become compliant by the 25th May 2018 deadline, you should seek to replace them with a similar but compliant provider. In this situation you should also ask the current provider for a copy of the data that they hold for you and then insist that they securely delete your data from all of their digital systems including backups.