Last Updated on May 21, 2018 by Kari McLain
What is GDPR you ask? Well… it’s a big load of rules you have to follow so the EU doesn’t rain fire on your website projects. GDPR has been quite the talk of the town the past few weeks, so naturally, I felt the need to make a post to highlight what exactly GDPR is and what it even means. I’ll go over how to see if it affects you or not and if you should take a look at your own projects to make sure they are compliant! If anything, the goal here is to have you at least understand what is happening so you can point yourself and your clients in the right direction!
What is GDPR?
Way back in April of 2016 during a warm spring day, the GDPR directive was officially adopted. What does GDPR stand for you ask? It stands for General Data Protection Regulation and its purpose is exactly what it sounds like: protecting all peoples of the EU regarding their data and privacy online. To get a bit more in depth, this is a regulation within EU law specifically put in place to protect all individuals who live within the European Union from any companies who want to capture, store, and sell their data. This puts the control back into the hands of the people. This will also simplify the regulatory environment for international business by unifying the regulation within the EU.
So does anyone here remember the 1995 Data Protection Directive? Yeah, neither do I, but after learning about GDPR, I learned about this one! The GDPR officially replaces this bit of ancient text to bring data protection into the modern era. Since GDPR is a regulation and not a directive, it does require national governments to pass any enabling legislation and is directly binding and applicable.
GDPR in more detail.
Let’s get into more what the regulation really does here. This regulation applies to the following:
- Data Controller. A company who collects data from EU residents.
- Data Processor. A company who processes data on behalf of a data controller. A good example of this would be cloud service providers.
- Data Subject. Basically a human who lives in the EU.
In other special circumstances, this regulation also applies if the company although being based outside of the EU is collecting data of people who live within the EU. Hello Google! In other words, no matter where you are on Earth – if your website or app is taking data from EU residents and storing them into a database and not granting them full control of said data within your database, you are in violation.
The European Comission have said:
“personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Now I know what you’re thinking! “But what about personal data for national security or law enforcement for the EU?” Nope – these guys don’t count. They can collect all they want, but that makes sense, right? They do it for a noble cause – at least to be able to predict if you’re going to go nuts and do some kind of harm to the community.
There are also tons of other details regarding how the GDPR is organized, how they expect compliance therein, and procedures in place for certain situations. Those types of situations can be citizens of the EU who wish to challenge decisions regarding their data made on an algorithmic basis, consent, and even data leaks. To get in more detail, you can visit the official site here or do some searching online.
“So, you’re looking to learn how to be GDPR compliant…”
One of the biggest questions today is how to check your compliance and in the future, be GDPR compliant by design. Basically, the GDPR has laid our certain rules for the collection, the storage, and the use of personal data. The regulation gives people eight specific rights on their data, lays out how to protect user data, and specifies the requirements for accountability. In other words, you must comply with the individual rights and ensure you are properly securing your user’s data and have the ability to document how you are doing this.
Personal Data Definition: Any data that can be used to identify a living person, directly or indirectly. It includes things such as a name, photo, email address, personal bank or medical details, or a computer IP address.
So what are these 8 rights everyone gets under GDPR?
- Right to Information. Any developer must be absolutely transparent about how they are using personal data. This is typically addressed within your site’s privacy policy which you are going to have to update regarding this.
- Right of Access. If a client of your website or app requests their data, you must provide it to them in an easy format such as a CSV file.
- Right to Rectification. You must allow the client to correct any information that is incomplete or inaccurate.
- Right to Erasure. If a user requests deletion of their personal data, especially if collecting their data doesn’t make any sense, they have every right.
- Right to Restrict Processing. Clients have the right to block processing of information that has already been stored.
- Right to Portability. In other words, the data you collected on their behalf – if they want to request an export and use that data elsewhere, they can absolutely do that. This would be sent to them in a format such as CSV.
- Right to Object. If a user doesn’t want their data used for marketing, research, or statistics, they can totally block you from doing so.
- Rights Regarding Automatic Decision Making & Profiling. This specifically targets sites or apps that use profiling to make automatic decisions and defines requirements that must be met in order to even do this. Since this one is a doozy, it’s a good idea to check out the official GDPR guide for more information on this one.
Security by design.
You basically have to demonstrate how you’re going to protect all of your users and their data by design (and default). The official regulations give some awesome examples of how to do this which mention designing databases to use pseudonymization and encryption. It’s also important to include some kind of user access control so people who really want to access their data and view it have no problem accessing it at their own will.
Also, as I mentioned above, there are some guidelines to follow in case of a data breach on your site or app and must be done within 72 hours.
Documenting your compliance.
You need evidence that you comply with these rules. Otherwise, you’re already in trouble. So in short, write down your procedures on how you handle this personal data. Also, document the security methods and how you plan to handle a potential data breach. Most importantly, if you’re collecting data, outline why you’re doing it and really explain why it’s important for your website or app to do so.
A compliance checklist!
Yeah, all of this sounds like a drag, right? Well… yeah. It totally is from a development standpoint. It’s no longer going to be easy to push out an app and just let it do its job – now we have rules! Lame! Well… here’s a list to help you out regarding your compliance on any of your projects:
- Identify and document your lawful reasoning for your data processing.
- Determine what personal information you have, where it came from, and who you are sharing this data with.
- Take a look at your site’s privacy policy and update it to provide information on your data collection shenanigans, the use, and your privacy practices.
- Come up with a plan on how you’ll delete personal data, how you’ll enable updating of this data, and what format you will use to hand off data upon user request.
- Make sure you obtain and record consent for every collection and use of all of this data. In other words, pre-ticked checkboxes for privacy policy agreements are not going to fly!
- Come up with a plan on how you’ll handle a potential data breach and document this procedure in detail.
- Learn how to implement data protection by design and incorporate this in all future design practices.
- You can also acquire a DPO (data protection officer) to help you with your compliance. Some large companies require having one, but ultimately this is optional.
Anything else I can do to ensure GDPR compliance on my current websites or apps?
Absolutely there is! Especially if you are running a larger Wordpress site that has a pretty decent amount of EU traffic. A few things to consider doing…
- Get that privacy policy up to date as mentioned above.
- A consent to use cookies. This must be a clear message explaining what cookies are, what they do, and why you need them.
- Check plugins for GDPR compliance. You can probably check the developer’s documentation or send them a message questioning them!
- If you have any forms on your site, check to make sure those aren’t storing any data, and if so, limit that.
- Clean up your mailing lists.
*Phew* That was a lot.
None of this GDPR stuff is an easy thing to absorb! It’s difficult to understand, even harder to implement, and kind of a tidal wave of procedure that you suddenly have to take into consideration or else the consequences kind of suck. Big fines aren’t cool, so this is totally worth the effort! So to put it super simply right here in the conclusion – if you’re using a framework or CMS for your projects, keep an eye out for GDPR compliance changes that should be happening now! This also goes for any plugins you are using. Make sure they’re being updated properly and aren’t going to get you in any trouble. As far as anything else goes, that work is up to you! Take the necessary steps and you should be fine.
Just to note, the above content should not be taken as legal advice, but only as an informative guideline on what the GDPR is doing. To ensure you are absolutely compliant, please consult a professional regarding your situation. And as always, happy developing!