The EU General Data Protection Regulation (GDPR) is a new set of laws and regulations to govern how the private data of EU citizens is collected, managed, and shared. This new legislation was approved by the EU Parliament in April 2016 and will take effect May 25th, 2018, at which time websites and applications that handle private data and fail to comply with these new regulations may face heavy fines.
Since this will affect pretty much the entire World Wide Web, let's dive into the new regulations to find out what we as site owners need to do to prepare.
First Off, What's New?
Let's take it straight from the horse's mouth. According to EU GDPR:
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
- Private/Personal Data
- Any information (email, birth date, address, IP address, etc.) that directly or indirectly identifies a living person
- Data Subject
- The person whose private data is being collected, stored, and/or shared
- The entity that determines the purposes, conditions and means of processing data – in this case, the person or organization who owns and operates the website handling private data
- The entity responsible for processing private data on behalf of a controller – this is usually a service provider such as Google Analytics
No matter where your organization is physically located, if you’re handling the data of EU citizens, GDPR applies to you. Yes, you.
Ignoring these regulations could cost your company big money. For a serious infringement, the maximum fine is 4% of annual global turnover or €20 Million (whichever is greater) – and this applies to both controllers and processors. Yikes!
Long and unintelligible terms of service are out – consent must now be requested in clear and accessible language that also outlines the purpose for data processing. Data subjects must be able to easily withdraw their consent at any time.
If you uncover a data breach that could “result in a risk for the rights and freedoms of individuals” affected, then you MUST provide notification within 72 hours.
Right to Access
Data subjects can receive information on how and why their personal data is being processed, and they can request a free electronic copy of that data at any time.
Right to be Forgotten
Once the data is no longer relevant or the data subject withdraws consent, personal data must no longer be stored, shared, or processed.
You must now be ready and willing to provide data subjects with an export of their personal data in a "commonly used and machine readable format" which they can take elsewhere.
Privacy by Design
Data protection should be a core part of your systems, not an add-on. You should only collect, store, and process private data as absolutely necessary while limiting access to essential personnel only.
What Do We Need to Do to Be in Compliance with GDPR?
Review Internal Procedures
Even though we're primarily addressing how GDPR affects your Website, it's important to remember that these new regulations apply to your entire organization. You should review your workflow for handling private data in its entirety and make sure that you and your data subjects are as protected as possible.
Add Secure Socket Layer (SSL) Encryption
If your site doesn't already use SSL Encryption, now is the time to change that. SSL provides a secure connection between your site and the end user's web browser that's authenticated and encrypted with an SSL Certificate. This makes it less likely (but not entirely impossible) that private data will be intercepted by a malicious third-party and is in line with the "Privacy by Design" aspect of the GDPR .
Since Google Chrome will start marking unencrypted sites 'Not Secure' in July and potentially scaring off visitors, it will definitely be in your best interest to secure your site now. You can pay a yearly fee to a Certificate Authority like DigiCert or you can use a free service like Let's Encrypt to provide an SSL Certificate for your site.
Provide Opt-ins for Consent
If you have forms on your Website such as a contact form or email sign-up that collect private data, you will need to make data subjects aware of your intent to store that data before they hit 'Submit'.
Update Google Analytics and Other Processors as Needed
If (like most of us) you have Google Analytics installed on your site, you probably received an email like this:
Here are a few of the updates you may need to make to be in compliance with your Analytics:
- Check your Analytics data for Personally Identifiable Information (PII) to ensure that you're not transmitting private data to Google Analytics via form data or parameters in page urls
- Review your use of Pseudonymous Data – online identifiers and cookies which can be combined with other data to reveal an individual's identity – and make sure your opt-ins and policy documentation clearly inform data subjects of their use
- Modify the Data Retention settings in your account
- Turn on IP Anonymization
- Make sure your site allows users to opt-in or out of tracking
Hire or Designate a Data Protection Officer
Even if your organization isn't formally required to designate a Data Protection Officer under GDPR, you should consider having someone internally responsible for your data governance. These regulations — and data privacy in general — aren't something we can afford to take likely, and this might even be the push your organization needs to finally get on top of your data policies.
EDUCO is always happy to help implementing your GDPR compliance updates, but none of the information we've provided in this article should be considered legal advice. If you're unsure of your organization's requirements for compliance, please consult the original text of the regulation and/or a legal professional. Good luck out there!
- EU GDPR Website
- GDPR Wikipedia Page
- Information Commissioners' Office (ICO) Guide to GDPR
- Full regulation
GDPR Drupal modules in the works:
GDPR WordPress Plugins:
This is not legal advice. Do not rely on it as such. We recommend companies and individuals should assess their data capture and storage policies and definitely seek legal advice from their own attorney to make sure they're complaint with the new GDPR legislation.