As a web developer or designer, you already have plenty of things to keep in mind — from performance to SEO to security — just to name a few. It’s a good thing you’re already a master of juggling priorities because now there’s a new one that needs to be added to your list: GDPR compliance. GDPR stands for General Data Protection Regulation, which is legislation enacted by the European Union (EU) that will go from proposed to enforceable on May 25, 2018.
The General Data Protection Regulation was created to strengthen the rights of EU citizens when it comes to the collection and use of their personal data.
Why GDPR compliance matters
The GDPR was created to strengthen the rights of EU citizens regarding the collection and use of their personal data. The GDPR applies to:
- Any business or organization that offers goods or services, paid or free, to data subjects in the EU.
- Any monitoring of the behavior of data subjects in the EU.
A data subject is any person who is a citizen, resident, or simply a visitor to the EU. The regulations apply to data controllers (those who collect data from EU subjects) and data processors (those who process data on behalf of a data collector).
So, as you can see, this doesn’t just affect websites that are EU focused, it applies to any website that potentially serves EU customers or tracks behavioral data related to them.According to the text of the regulations, simply having a website that’s accessible to EU data subjects doesn’t make you subject to the GDPR. However, intention to provide services to people there or track their behavior (for example, for advertising) definitely does. Failure to comply could cost you (or your client) up to €20 million or 4 percent of annual worldwide revenue.
You might be wondering how an EU data protection authority (DPA) could go after businesses outside the EU that don’t comply. At present, the answer isn’t spelled out, but experts say it’s plausible that the DPA could seek legal remedies and successfully shut down a non-EU service that’s violating the law. Then there’s the matter of those fines. Why risk becoming a test case?
What does GDPR cover?
GDPR lays out rules for collection, use, and storage of personal data. The regulation:
- Gives individuals eight specific rights regarding their personal data.
- Lays out principles for protecting user data, incorporating security by design and reporting data breaches.
- Specifies requirements for accountability, or your responsibility to demonstrate that you comply.
In short, you must abide by the individual rights, ensure that you are properly securing personal data and be able to document how you are doing so.
Personal data is defined as any data that can be used to identify a living person, directly or indirectly. It includes things such as a name, photo, email address, personal bank or medical details, or a computer IP address.
8 individual rights under GDPR
At the heart of GDPR are eight specific rights that individuals are granted regarding their personal data:
1. Right to be informed
2. Right of access
If a client requests their data, you must provide it to them in a commonly used format, such as CSV.
3. Right to rectification
You must allow a client to correct incomplete or inaccurate information.
4. Right to erasure
Clients can request deletion or removal of personal data when there is no compelling reason for its continued processing. Also referred to as “the right to be forgotten.”
5. Right to restrict processing
Individuals have the right to block processing of personal data. In such cases, you can store the data but no longer process it.
6. Right to portability
You must allow individuals to obtain and reuse their personal data for their own purposes. This means you must provide it to them in a common format, such as CSV.
7. Right to object
Individuals can object to having their personal information used. This includes for purposes of direct marketing, research and statistics.
8. Rights related to automatic decision making, including profiling
This rule specifies when you can use profiling and automated decision making. It also defines requirements that must be met, such as the individual providing explicit consent.
These rights are spelled out in further detail in the official GDPR guide.
Security by design
To comply with GDPR, you must demonstrate that you’re implementing data protection by design and by default. The regulations give examples of this, such as designing databases to use pseudonymization and/or encryption. It’s also important to incorporate access control so that only people who truly need to see data can access it.
Under GDPR, you must demonstrate that you’re implementing data protection by design and by default. This could change everything from how you design databases to who gets access to data.
GDPR also sets up reporting guidelines regarding potential data breaches. If a breach poses a risk to individuals, it must be reported to the DPA within 72 hours. In the UK, that means the Information Commissioner’s Office (ICO). Affected individuals must also be notified.
GDPR requires that you be able to provide evidence that you comply. That means writing down your procedures for handling personal data. You’ll also need to document the data security methods you employ and plans for handling a data breach. Ensure that your data processing has a lawful basis, and record what that is.
GDPR compliance checklist
All of this can feel a little complicated, but the following checklist will help you power through the requirements:
- Identify and document your lawful basis for your processing activity.
- Determine what personal information you have, where it came from, and who you share it with.
- Implement a plan for how you will delete personal data, enable updating, or provide it in a commonly used format upon request.
- Ensure that you obtain and record consent for every collection and use of personal data. For example, you can no longer use pre-ticked boxes to opt in or default to acceptance of policies.
- Plan for and document how you will detect, respond to, and report a personal data breach.
- Familiarize yourself with data protection by design practices and work out how to implement these principles for your site.
- Consider designating an official data protection officer (DPO). Some organizations are required to designate a DPO, but for others, it’s optional though recommended.
GDPR has consent specifications for sites that serve children, but if you’re complying with the Children’s Online Privacy Protection rule (COPPA), then you have this covered.
In a future article, we’ll discuss specific modifications to help make your website GDPR compliant. In the meantime, there are three key aspects to keep in mind: transparency, consent, and security. Make it clear what you’re using data for, obtain specific consent for every use (even for cookies), and keep personal data tightly locked up by using security best practices.
The above content should not be construed as legal or tax advice. Always consult an attorney or tax professional regarding your specific legal or tax situation.