What Is GDPR and How Will It Affect My Website?
The EU General Data Protection Regulation (GDPR) is a new set of laws and regulations to govern how the private data of EU citizens is collected, managed, and shared. This new legislation was approved by the EU Parliament in April 2016 and will take effect May 25th, 2018, at which time websites and applications that handle private data and fail to comply with these new regulations may face heavy fines.
Since this will affect pretty much the entire World Wide Web, let's dive into the new regulations to find out what we as site owners need to do to prepare.
First Off, What's New?
Let's take it straight from the horse's mouth. According to EU GDPR:
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.
EU GDPR provides an overview of the changes taking place next month. We'll summarize the points that are most likely to affect the majority of us below, but first, a few definitions:
- Private/Personal Data: Any information (email, birth date, address, IP address, etc.) that directly or indirectly identifies a living person
- Data Subject: The person whose private data is being collected, stored, and/or shared
- Controller: The entity that determines the purposes, conditions and means of processing data – in this case, the person or organization who owns and operates the website handling private data
- Processor: The entity responsible for processing private data on behalf of a controller – this is usually a service provider such as Google Analytics
Extra-territorial applicability
No matter where your organization is physically located, if you’re handling the data of EU citizens, GDPR applies to you. Yes, you.
Penalties
Ignoring these regulations could cost your company big money. For a serious infringement, the maximum fine is 4% of annual global turnover or €20 Million (whichever is greater) – and this applies to both controllers and processors. Yikes!
Consent
Long and unintelligible terms of service are out – consent must now be requested in clear and accessible language that also outlines the purpose for data processing. Data subjects must be able to easily withdraw their consent at any time.
Breach Notification
If you uncover a data breach that could “result in a risk for the rights and freedoms of individuals” affected, then you MUST provide notification within 72 hours.
Right to Access
Data subjects can receive information on how and why their personal data is being processed, and they can request a free electronic copy of that data at any time.
Right to be Forgotten
Once the data is no longer relevant or the data subject withdraws consent, personal data must no longer be stored, shared, or processed.
Data Portability
You must now be ready and willing to provide data subjects with an export of their personal data in a "commonly used and machine readable format" which they can take elsewhere.
Privacy by Design
Data protection should be a core part of your systems, not an add-on. You should only collect, store, and process private data as absolutely necessary while limiting access to essential personnel only.
What Do We Need to Do to Be in Compliance with GDPR?
Review Internal Procedures
Even though we're primarily addressing how GDPR affects your Website, it's important to remember that these new regulations apply to your entire organization. You should review your workflow for handling private data in its entirety and make sure that you and your data subjects are as protected as possible.
Revise Your Privacy Policy
There's a lot of new ground to cover in your Privacy Policy, and under the GDPR, what you say and how you say it are both pretty important. Your Privacy Policy has to provide explicitly clear information about how you're handling data in a manner that is accessible and understandable to the average person.
The European Data Protection Supervisor (EDPS) and the Information Commissioner's Office (ICO) publish privacy policies that are great examples of the level of detail you will need to provide in your own.
Add Secure Sockets Layer (SSL) Encryption
If your site doesn't already use SSL encryption (strictly speaking, its successor TLS), now is the time to change that. SSL provides a connection between your site and the end user's web browser that is authenticated and encrypted using an SSL certificate. This makes it much less likely (though not impossible) that private data will be intercepted or tampered with by a malicious third party, and it is in line with the "Privacy by Design" aspect of the GDPR.
Since Google Chrome will start marking unencrypted sites 'Not Secure' in July and potentially scaring off visitors, it will definitely be in your best interest to secure your site now. You can pay a yearly fee to a Certificate Authority like DigiCert or you can use a free service like Let's Encrypt to provide an SSL Certificate for your site.
Provide Opt-ins for Consent
You might have noticed a significant uptick in cookie notifications as you’ve been navigating the Internet in the last few weeks. As part of GDPR, if your site uses cookies for any purpose, you have to clearly inform visitors before they interact with your content and allow them to opt-in (no pre-checked boxes!) to having cookies set in their browser.
If you have forms on your Website such as a contact form or email sign-up that collect private data, you will need to make data subjects aware of your intent to store that data before they hit 'Submit'.
Update Google Analytics and Other Processors as Needed
If (like most of us) you have Google Analytics installed on your site, you probably received an email from Google about the changes.
Here are a few of the updates you may need to make to be in compliance with your Analytics:
- Check your Analytics data for Personally Identifiable Information (PII) to ensure that you're not transmitting private data to Google Analytics via form data or parameters in page URLs
- Review your use of Pseudonymous Data – online identifiers and cookies which can be combined with other data to reveal an individual's identity – and make sure your opt-ins and policy documentation clearly inform data subjects of their use
- Modify the Data Retention settings in your account
- Turn on IP Anonymization
- Make sure your site allows users to opt-in or out of tracking
Your use of Google Analytics will also need to be highlighted in your Privacy Policy with a clear explanation of how and why this private data is being processed.
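As an added example (not EDUCO's code nor Google's), here is a consent-gated analytics.js setup in JavaScript that covers the first, fourth and fifth items above: nothing is sent until an explicit opt-in, IP anonymization is switched on, and PII is scrubbed from page URLs before a pageview goes out. The ga() command names are real analytics.js commands; the tracking ID, the PII key list and the gaQueue/win parameters are assumptions made for this example.

```javascript
// Query-string keys that commonly carry PII from form submissions (assumed list;
// extend it to match your own forms).
const PII_KEYS = new Set(["email", "e-mail", "name", "firstname", "lastname", "phone", "address", "dob"]);
// Values that look like an email address or a phone number are redacted regardless of key.
// The phone check is deliberately conservative: any 7+ run of digits/separators is redacted.
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const PHONE_RE = /^\+?[\d\s().-]{7,}$/;

// Return the page path with PII-bearing query parameters replaced by "redacted",
// so the pageview sent to Google Analytics carries no personal data (checklist item 1).
function scrubPagePath(url) {
  const u = new URL(url, "https://placeholder.invalid"); // base is only used for relative paths
  for (const [key, value] of [...u.searchParams.entries()]) {
    if (PII_KEYS.has(key.toLowerCase()) || EMAIL_RE.test(value) || PHONE_RE.test(value)) {
      u.searchParams.set(key, "redacted");
    }
  }
  return u.pathname + u.search;
}

// Consent-gated wrapper around the analytics.js command queue.
//   gaQueue: the global ga() function in a browser (a recording stub in tests)
//   win:     the global object (window), where analytics.js reads its opt-out flag
function createTracker(trackingId, gaQueue, win) {
  let consent = null; // null = not asked yet, true = opted in, false = declined/withdrawn
  return {
    // Call only when the visitor ticks an unchecked box and confirms (no pre-checked consent).
    optIn() {
      consent = true;
      delete win["ga-disable-" + trackingId];
      gaQueue("create", trackingId, "auto");
      gaQueue("set", "anonymizeIp", true); // checklist item 4: last IP octet is dropped before storage
    },
    // Withdrawal must be as easy as opting in; analytics.js honours this flag on every hit.
    optOut() {
      consent = false;
      win["ga-disable-" + trackingId] = true; // checklist item 5
    },
    // Pageviews are only sent after opt-in, and only with a scrubbed path.
    pageview(url) {
      if (consent !== true) return false;
      gaQueue("send", "pageview", scrubPagePath(url));
      return true;
    },
    hasConsent() { return consent; },
  };
}
```

Wire optIn/optOut to the buttons of your cookie banner and route every pageview through the tracker instead of calling ga() directly.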
Hire or Designate a Data Protection Officer
Even if your organization isn't formally required to designate a Data Protection Officer under GDPR, you should consider having someone internally responsible for your data governance. These regulations — and data privacy in general — aren't something we can afford to take lightly, and this might even be the push your organization needs to finally get on top of your data policies.
Good Luck!
EDUCO is always happy to help with implementing your GDPR compliance updates, but none of the information we've provided in this article should be considered legal advice. If you're unsure of your organization's requirements for compliance, please consult the original text of the regulation and/or a legal professional. Good luck out there!
Useful Links
- EU GDPR Website
- GDPR Wikipedia Page
- Information Commissioner's Office (ICO) Guide to GDPR
- Full regulation
GDPR Drupal modules in the works:
GDPR WordPress Plugins:
Disclaimer
This is not legal advice. Do not rely on it as such. We recommend that companies and individuals assess their data capture and storage policies and seek legal advice from their own attorney to make sure they're compliant with the new GDPR legislation.