How do you make your website GDPR compliant, and what is the General Data Protection Regulation anyway?
What is the GDPR (General Data Protection Regulation)?
The General Data Protection Regulation (GDPR) is a new set of EU regulations that will lead to better data protection for EU citizens and residents, both within the EU and in the rest of the world. In short, it tells businesses, clubs and organisations: “If you offer membership, services or products to customers who are EU citizens, you had better make sure you look after their personal data or there’ll be serious consequences!”
When does the GDPR come into force?
The GDPR replaces the data protection directive from 1995. It was adopted on 27th April 2016 and comes into force on 25th May 2018.
Anyone who collects, stores and/or processes personal data (defined by the GDPR as a Data Controller) is required to adhere to the new General Data Protection Regulation to some degree. This includes websites or apps, organisations’ internal contact databases (address books), CRMs and even plain old email.
The full GDPR is a massive document and it’s tough going to ensure compliance, so we’re here to help you along the way.
A Data Protection regulation to rule them all
The GDPR is a set of rules that apply to all EU member states. Each member state designates a Supervisory Authority (SA) to oversee and ensure compliance with the legislation. SAs work closely together by virtue of the cross-border nature of digital data.
Much of GDPR demands transparency: informing data subjects (individuals) about which elements of their personal data are being processed, how, by whom and for how long. GDPR requires that data controllers state what personal data is being processed, for what reasons and for how long. Data controllers must also state who the individual / data subject should contact regarding any aspect of the data processing activities.
Provable consent must be explicitly given to a data processor by the data subject before their data can be processed. Data can only be used for the purposes for which consent has been given. For example, if someone contacts you through your website with an enquiry of some kind, that does not give you permission to add them to your email marketing list. The individual / data subject must be able to revoke consent easily at any time, should they so desire.
GDPR compliance requires pseudonymisation. This is a process of transforming data in such a way that it can no longer be associated with an individual / data subject without the use of additional information. For example, use a unique reference code for someone rather than their name when storing data about them. A secondary, separate record of names and codes stored on another system would then be used to join the data together and recreate the complete records. In this way, if a data breach occurred and the personal data was stolen, the stolen data wouldn’t expose actual names, just the coded data.
This is an ambiguous part of GDPR as it relies on how you interpret pseudonymisation. An often-mentioned example of pseudonymisation is encryption, whereby data is held in encrypted form and requires a key (stored separately) to decrypt it; for example, websites using the HTTPS protocol to send data over an encrypted connection. On that basis you could say that if your website has an SSL certificate you’re on your way to GDPR compliance. But data gathered and then stored in a database is itself most likely stored unencrypted, so if the database was breached the personal data would still be exposed.
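The reference-code approach described above, as an added illustration rather than code from this article or from any CMS: identifying fields are swapped for a random code, the code-to-name table is kept as a separate store, and only the join of the two rebuilds a full record. The sample enquiries and field names are constructed for the example.

```python
"""Pseudonymisation with a separate lookup table (constructed example)."""
import secrets

# Fields that directly identify a person; everything else stays in the record.
IDENTIFYING_FIELDS = ("name", "email")


def pseudonymise(records, lookup):
    """Return pseudonymised copies of `records`; fill `lookup` (code -> identity).

    One fresh random code per distinct person. Codes are random, not derived
    from the data, so a copy of the main store cannot be reversed by hashing
    a list of known names or email addresses and comparing.
    """
    identity_to_code = {}
    out = []
    for rec in records:
        identity = tuple(rec[f] for f in IDENTIFYING_FIELDS)
        code = identity_to_code.get(identity)
        if code is None:
            code = secrets.token_hex(8)  # 64 random bits, meaningless on its own
            identity_to_code[identity] = code
            lookup[code] = dict(zip(IDENTIFYING_FIELDS, identity))  # separate store
        stripped = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        stripped["ref"] = code
        out.append(stripped)
    return out


def reidentify(pseudonymised, lookup):
    """Join the two stores back together to rebuild the complete records."""
    return [{**lookup[r["ref"]], **{k: v for k, v in r.items() if k != "ref"}}
            for r in pseudonymised]


def contains_identity(records, value):
    """True if `value` (e.g. a real name) appears anywhere in `records`.

    Run this over the main store after pseudonymising: a breach of that store
    alone should reveal no names or addresses.
    """
    return any(value in r.values() for r in records)


# Constructed sample contact-form submissions (not from any real system).
ENQUIRIES = [
    {"name": "Ann Example", "email": "ann@example.test", "message": "Opening hours?"},
    {"name": "Ann Example", "email": "ann@example.test", "message": "Thanks!"},
    {"name": "Bob Sample", "email": "bob@example.test", "message": "Price list please"},
]
```

In practice `lookup` lives on a different system with its own access controls, which is what makes the separation meaningful.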
No CMSs that we’ve ever worked with store personal data in a truly pseudonymous way. We eagerly await learning how WordPress and the other major CMS platforms address this issue.
GDPR demands that your data controller has a suitable process defined and in place in case of a data breach. Depending on the breach and the nature of the data affected, the data controller has certain legal obligations to report a data breach (of identifiable or un-pseudonymised data) within 72 hours to your Supervisory Authority. Further information on the reporting of a data breach can be found on the Data Commissioner’s website.
Many organisations that process personal data on a significant scale are required to appoint a Data Protection Officer (DPO). Your Data Protection Officer is responsible for monitoring compliance with the GDPR within the organisation. Even if you don’t think you are in this category, it is a good idea to appoint a DPO for your organisation. Your DPO can keep data protection high on your organisation’s agenda and help to ensure that GDPR compliance is achieved and maintained.
GDPR provides that all data subjects have the right to deletion of their data. If an individual requests that you remove their data from your systems, you must comply. This includes the current data set, all backups, all references to them on all systems in every location, etc.
A significant aspect of GDPR is the requirement for privacy by design (also referred to as privacy by default). This simply means that a user’s privacy should be fully considered and its protection placed at the very core of all digital systems. By default, privacy settings must be set to the highest level, with the user given options to downgrade this should they choose to. Up to now, many systems and services have not done this; social networks, for example, often work in the opposite way! Data controllers must also ensure that data is only stored or processed when absolutely necessary.
What are the penalties for not complying with the GDPR?
The maximum penalty for non-compliance with the GDPR is 20,000,000 euros or up to 4% of your annual worldwide turnover (based on figures from the preceding financial year), whichever is the greater. Yes, I’m afraid you did read that right!
I don’t process any personal data, but my Mailchimp, WooCommerce, Salesforce etc. systems do
GDPR refers to these systems as third-party data processors. In effect they are processing the data controller’s data on their behalf. Many of these services are run by US-based companies who are themselves going through the process of becoming GDPR-compliant, if they have not already done so. US companies must also be Privacy Shield compliant; the US Privacy Shield framework was co-developed by the US Department of Commerce and the European Commission to provide safeguards for the transfer of data between the EU and the US.
So, how can you make your website GDPR compliant?
Conduct a personal data audit, which will help you to identify all of your data processors. List them all with either a 1 or a 3 to help you track which are first-party and which are third-party data processors.
For each data processor consider the following:
- What are you using the data for?
- Where is the data being stored?
- Do you still need the data?
For each of the third-party data processors, check their respective privacy policies and make sure that they are GDPR compliant. For US-based data processors, ensure that they are Privacy Shield compliant. If a third party is not yet compliant with GDPR or Privacy Shield, contact them and find out when they plan on becoming compliant.
In the unlikely situation where a third-party data processor is not compliant and has no plans to become compliant by the 25th May 2018 deadline, you need to replace them with a similar but compliant provider. In this scenario you should also ask the current service provider for a copy of all the data that they hold for you, then insist that they securely delete your data from all of their digital systems, including backups, and confirm that it has been done.
Storing data is a massive liability to you so, unless you need to keep the data, we highly recommend deleting it.
As mentioned, a large part of GDPR is about transparency: communicating with your users about how and why you collect and use data about them. Be clear and concise in letting them know, and make sure to give them an easy way to request a copy of their data or to have it deleted should they wish.
During your data audit the weaker parts of your website should become apparent. One example could be a non-compliant third-party data processor, as mentioned above. Other examples would be insecure (unencrypted) email accounts or website traffic (no SSL). Another would be contact form submissions that have been saved to your website’s database; most likely these have long since been acted on or replied to, so they no longer need to be kept. Whatever the weak links are, you should aim to strengthen or remove them.
Employ or designate a data protection officer (DPO)
Your DPO is an individual or group of individuals designated by the Data Controller, responsible for overseeing internal compliance with GDPR in your organisation. This should be a specifically trained employee within the data controller’s organisation, or it could be a position that is outsourced. Unless you are carrying out large-scale processing of personal data, a suitably informed in-house member of staff should be perfectly sufficient for this role.
If you are storing personally identifiable data then you really need to be working towards pseudonymising this data. This is quite a technical undertaking and a lot of developers seem to be arriving late to the party.
GDPR compliance might seem intimidating and over the top, with a maximum fine heavy enough to give business owners brown trousers, but it’s important to remember where it comes from. At its core, GDPR is about protecting people like you and me from the myriad ne’er-do-wells that stalk the internet. The internet is still a highly unregulated space that needs far greater levels of international legislation to protect us and our data; the GDPR is a significant contributor to this. So keep in mind, GDPR will help the Internet to take care of your data and help us take better care of each other.