29. March 2018
8 (easy) steps to be GDPR ready if you own a website
Disclaimer: Please note that we are not a law firm and this is not legal advice! The information in this blog post is provided for general informational purposes only, and may not reflect your legal/GDPR needs.
To make sure that you (and/or your business) are GDPR compliant, we highly recommend that you consult an attorney.
The General Data Privacy Regulation (GDPR) is the most important change in data privacy regulation in 20 years. To make it shorter (and easier to understand): the GDPR replaces the Data Protection Directive 95/46/EC and it is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.
Enforcement date: 25 May 2018 – at which time those organizations in non-compliance may face heavy fines.
As a person: your personal data will be easier to manage. As a business owner, website admin or organisation that offers goods or services to (or monitors the behaviour of) EU data subjects, you will have to comply with it. Therefore, if you have EU customers or data from anyone residing in the European Union, you have to respect the GDPR no matter where you are actually located. If not, you can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million.
What is personal data?
- Phone numbers
- Online identifier
- Health information
- Cultural profile
- and more
What does non-compliance mean?
Let’s say that you have some personal data from your customers, leads or someone who stumbled upon your organisation at some point. Personal data means any information related to a natural person that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Furthermore, if you have this kind of data, you have to make sure that you have everyone’s consent and an easy process to withdraw consent as well, since this is the core of the Privacy by Design concept. Being GDPR compliant involves a set of measures to avoid any data breach and, in case of a security breach, it requires you to send a notification to everyone involved within 72h of first having become aware of the breach.
What should you do now, to be more precise?
Basically, if you have any analytics tool, a list of e-mails to send newsletters to, or anything else that helps you gather data, you have to comply with the GDPR and make everything as transparent as possible.
Here is what you can start with:
- Sign a DPA (Data Processor Agreement) with all your third-party apps (Visitor Analytics or any other analytics tool, e-mail client service, etc.). To sign a DPA you just have to check your notices from all your third-party apps (in case you already received it) or ask them to send you one.
- Make a clear Terms & Conditions section where you specify the data that you will gather and its purpose.
- Mention all the cookies used and details about them (name, lifespan, the need for it).
- Provide the right to access: if anyone in your lists/database wants to obtain from you confirmation as to whether or not personal data concerning them are being processed, where and for what purpose, you have to respond and provide a copy of the personal data, free of charge, in an electronic format.
- Offer the right to be forgotten, aka Data Erasure. One can ask at any moment to erase her/his personal data. So, be careful with this one because the conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent.
- Create a set of measures to avoid any data breach and, in case of a security breach, you should notify everyone involved within 72h of first having become aware of the breach.
- Offer the Data Portability right. This means that someone can ask for the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’ and have the right to transmit that data to another controller. In short, everyone can export their data from a controller and send it to another one.
- Be more organised with the data! There is a Privacy by Design key change in the legislation as well. To make it easier to understand, Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.
There is a lot more info on this topic, but here is the GDPR structure and chapters, so you can easily understand what this major shift in data protection is about:
- Chapter 1: General Provisions (GDPR goals and definitions)
- Chapter 2: Principles (everything related to personal data processing and conditions for consent)
- Chapter 3: Rights of the Data Subject (this chapter is focused on transparency, access to data, erasure, decision making and restrictions)
- Chapter 4: Controller and Processor (general obligation of both controllers and processors, security of personal data, Data Protection Officers and codes of conduct information)
- Chapter 5: Transfer of personal data to third countries or international organizations (well, no need to explain this one)
- Chapter 6: Independent Supervisory Authorities (general conditions when it comes to independent status, competence, tasks and powers within an organisation)
- Chapter 7: Co-operation and Consistency (this one is quite complex and it explains lots of co-operation concerns, consistency mechanisms, procedures, confidentiality and lots of European Data Protection Board things)
- Chapter 8: Remedies, Liability, and Sanctions (an important chapter, if you want to know what the penalties are and how to make sure that you will not get them)
- Chapter 9: Provisions relating to specific data processing situations
- Chapter 10: Delegated Acts and Implementing Acts
- Chapter 11: Final provisions
We, at Visitor Analytics, are working hard to make sure that we will keep providing all the features for our customers while being GDPR compliant!
In the next article, we will tell you how we will adapt our services in order to respect all the GDPR expectations and how we can help you, as a website owner using our app, to be compliant with no effort! We know that all these compliance steps might sound complicated, but if you are just starting your journey for a 100% GDPR compliant website, here is the most comprehensive GDPR checklist to get started.
PS: If you managed to reach the end of the article, here is a nice infographic about GDPR created by the amazing EU team: http://ec.europa.eu/justice/smedataprotect/index_en.htm