The General Data Protection Regulation (GDPR for short) is new legislation governing personal data and how it is stored. It is European legislation, but it will affect websites and businesses outside Europe as well if the website is accessed by users in Europe.
What is the General Data Protection Regulation?
The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organizations across the region approach data privacy. After four years of preparation and debate, the GDPR was approved by the EU Parliament on 14 April 2016. Enforcement date: 25 May 2018, at which time organizations that are not in compliance may face heavy fines.
This European legislation applies to any data collection that affects European citizens, which includes most websites around the world.
GDPR points relevant to website owners and web developers are:
- Increased territorial scope
The GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, the territorial applicability of the directive was ambiguous and referred to data processing ‘in the context of an establishment’. The GDPR makes its applicability very clear: it applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing itself takes place in the EU or not.
- Consent
The conditions for consent have been strengthened: the request for consent must be presented in an intelligible and easily accessible form, clearly distinguishable from other matters, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
- Breach Notification
Reporting a breach will be mandatory within 72 hours of becoming aware of it, where the breach may result in a risk to the rights and freedoms of individuals. Data processors will also be required to notify their customers, the controllers, “without undue delay” after becoming aware of a data breach.
- Right to access
The data controller is obligated to confirm to data subjects whether or not personal data concerning them are being processed, where, and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change improves data transparency and empowers data subjects.
- Right to be forgotten
The right to be forgotten entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data Portability
The GDPR introduces data portability: the right of the data subject to have their data transmitted to another controller.
- Privacy by design
Controllers must hold and process only the data absolutely necessary for the completion of their duties (data minimization), and must limit access to personal data to those who need it to carry out the processing.
- Data Protection Officers
Currently, controllers are required to notify their data processing activities to local Data Protection Authorities (DPAs), which, for multinationals, can be a bureaucratic nightmare, since most Member States have different notification requirements. Under the GDPR, appointing a Data Protection Officer (DPO) will be mandatory only for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or processing of special categories of data or data relating to criminal convictions and offences.
The DPO must:
- Be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices;
- May be a staff member or an external service provider;
- Have their contact details provided to the relevant DPA;
- Be provided with appropriate resources to carry out their tasks and maintain their expert knowledge;
- Report directly to the highest level of management;
- Not carry out any other tasks that could result in a conflict of interest.
Companies need to be very careful with the new regulation: for breaching the GDPR they can be fined up to 4% of annual global turnover or €20 million (this is the maximum fine that can be imposed).
The main ways in which the GDPR will affect website owners:
- Collecting data via forms (contact forms, newsletter signups etc.);
- Collecting analytics data;
- How you want to use that data;
- Where the data is stored;
- How you interact with your customers and contacts;
- The code you use – plugins and themes.
Collecting any personal data on an individual via a form is already covered by data protection legislation, but the GDPR may mean you have to put additional safeguards in place.
Not only names and addresses but also photos of individuals, such as avatars and photos they upload, will be covered by the legislation.
When collecting data via any form on your site, you must also provide details of how you will use the data. You can provide that information through a pop-up, a redirect to another page on your site, or an email containing the information.
Providing people with details of how to contact you to access their information or to have it deleted is mandatory, and you should inform them if you will be sharing that data in any way.
When you sell via your website, you collect even more data. Be sure you are doing it in the right way:
- Be sure your contact forms are consistent with your terms;
- If you will be using data obtained in the sales process for other purposes, such as emailing recommendations or special offers, state this when collecting the data and give users the option to opt out;
- Avoid collecting financial data yourself; use a third-party payment service such as Neteller or PayPal;
- Give users the possibility to access and delete their data;
- If a data breach occurs on your website and data is stolen or lost, tell users as soon as possible and give them the opportunity to delete their data;
- Use an e-commerce plugin that is GDPR-compliant.
Most analytics software won’t attempt to track individuals, in which case you’re fine. But if you track sales in your analytics software, be careful not to track down to the level of individual customers.
What should you do as an SEO? Don’t use analytics software to track individual data. Keep your reporting and analytics at the level of anonymous group data, and avoid using analytics software to track IP addresses. The GDPR also applies to measuring your website performance, but only if the data can be directly traced to an individual.
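The following is an added example, not code from the original article or from any analytics product it mentions. It shows one way to keep analytics at the group level as described above: raw client addresses are truncated before use (IPv4 to its /24, IPv6 to its /48, a common anonymization choice assumed here), and the only output is page-view counts per day and path plus a count of distinct truncated networks. The log lines are constructed sample data in a made-up "ip timestamp method path" format.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines (not real traffic). Format assumed here:
# "client_ip timestamp method path".
SAMPLE_LOG = """\
203.0.113.17 2018-05-25T09:01:10 GET /pricing
203.0.113.18 2018-05-25T09:02:40 GET /pricing
203.0.113.17 2018-05-25T09:03:05 GET /checkout
2001:db8:abcd:1234::5 2018-05-25T10:15:00 GET /pricing
198.51.100.9 2018-05-26T08:00:00 GET /blog/gdpr
"""


def anonymize_ip(ip: str) -> str:
    """Truncate an address so it no longer points at a single host:
    IPv4 keeps the first three octets (/24), IPv6 keeps the /48 prefix."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def aggregate_views(log_text: str) -> dict:
    """Produce group-level figures only: page views per (day, path) and the
    number of distinct truncated networks per day. No per-visitor record is
    kept, and the raw address is discarded as soon as it has been truncated."""
    views = Counter()
    networks_by_day = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, ts, _method, path = line.split()
        day = datetime.fromisoformat(ts).date().isoformat()
        views[(day, path)] += 1
        networks_by_day.setdefault(day, set()).add(anonymize_ip(ip))
    return {
        "views": dict(views),
        "networks_per_day": {d: len(s) for d, s in networks_by_day.items()},
    }


def contains_raw_ip(report: dict, log_text: str) -> bool:
    """Sanity check before the report leaves the server: does it still carry
    any raw client address from the log?"""
    raw_ips = {line.split()[0] for line in log_text.splitlines() if line.strip()}
    return any(ip in repr(report) for ip in raw_ips)


if __name__ == "__main__":
    report = aggregate_views(SAMPLE_LOG)
    print(report)
    print("raw IP leaked:", contains_raw_ip(report, SAMPLE_LOG))
```

The report answers the questions an SEO usually needs (which pages are viewed, how much, roughly how many networks they came from) without ever writing a full address to disk; if your analytics tool offers an IP anonymization setting, turning it on achieves the same effect upstream.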
The ways in which the GDPR will affect developers are:
- In the use of third-party themes and plugins when creating sites for a customer;
- Creating plugins or themes which include a form where users will add personal data;
- Linking to third-party APIs to obtain or process data;
- Coding analytics functionality or anything which can identify a user via their IP address, location or other means.
Third-party themes and plugins
Ensure that the themes and/or plugins you use are GDPR-compliant and that you configure them in a compliant way. You should ensure that your client is informed of the legislation and tell them if their site includes functionality that is affected. The owner is obligated to manage the data in a compliant way, however: they are the holder of the data, not you.
Some themes and plugins, such as Jetpack and Gravity Forms, are already working on GDPR compliance and provide advice for making sure you use their plugins in a way that complies with the legislation.
Inform your client if their site includes functionality affected by the legislation and point them towards relevant information. If in the course of development and testing you accumulate personal data, delete all of it at the end of that period. When you hand the site over to the client, ensure that any data collected goes to the client and not to you.
Developing Themes and Plugins
If your code includes any kind of input for personal data, for example names, addresses, email addresses, social media account details or photos, add information on how the data will be used and, where relevant, include a double opt-in. Your code must not directly identify individuals if it tracks data via cookies. If your code links with a third-party API, make sure that API is GDPR-compliant. You should include the option for website users to opt out. If your code is affected by the regulations, add some information about it to your documentation. You can also include guidance on how website owners can use your theme or plugin in a GDPR-compliant way.
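As an added example (not code from the article or from any plugin it names), here is the signup flow a form plugin could implement to meet the points above and in the earlier sales checklist: a double opt-in where the address is only stored as a subscriber after a confirmation token is presented, a record of the exact purpose text the user agreed to, a one-call opt-out, and an export of what is held about an address. The in-memory store stands in for a plugin's database table, and the 48-hour token lifetime is an assumed value.

```python
import hashlib
import secrets
import time

# Purpose text shown next to the form; it is stored with each consent so you
# can later show what the user agreed to. Wording is an assumption.
CONSENT_TEXT = "We will use your email address only to send the monthly newsletter."
TOKEN_TTL_SECONDS = 48 * 3600  # assumed lifetime of a confirmation link


class ConsentStore:
    """In-memory stand-in for a plugin's database table (assumption)."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}      # token_hash -> request awaiting confirmation
        self.subscribers = {}  # email -> consent record

    @staticmethod
    def _hash(token: str) -> str:
        # Only a hash of the token is stored, so a copied database cannot be
        # used to confirm a subscription on someone else's behalf.
        return hashlib.sha256(token.encode()).hexdigest()

    def signup(self, email: str, source: str) -> str:
        """Step 1 of double opt-in: record the request and return the token
        to put in the confirmation email. Nothing is subscribed yet."""
        token = secrets.token_urlsafe(32)
        self.pending[self._hash(token)] = {
            "email": email.strip().lower(),
            "expires": self.now() + TOKEN_TTL_SECONDS,
            "consent_text": CONSENT_TEXT,
            "source": source,
        }
        return token

    def confirm(self, token: str) -> bool:
        """Step 2: only a valid, unexpired, unused token activates the
        subscription, and the consent text and time are recorded with it."""
        entry = self.pending.pop(self._hash(token), None)
        if entry is None or entry["expires"] < self.now():
            return False
        self.subscribers[entry["email"]] = {
            "consented_at": self.now(),
            "consent_text": entry["consent_text"],
            "source": entry["source"],
        }
        return True

    def withdraw(self, email: str) -> bool:
        """Opt-out must be as easy as opt-in: one call, no further questions."""
        return self.subscribers.pop(email.strip().lower(), None) is not None

    def export(self, email: str):
        """Right to access / portability: everything held about this address,
        or None if nothing is held."""
        key = email.strip().lower()
        rec = self.subscribers.get(key)
        return None if rec is None else {"email": key, **rec}


def demo():
    """Walk through the whole lifecycle and return each observable result."""
    store = ConsentStore()
    token = store.signup("Reader@Example.com", source="blog footer form")
    before_confirm = store.export("reader@example.com")   # None: not yet subscribed
    confirmed = store.confirm(token)                      # True
    record = store.export("reader@example.com")           # holds CONSENT_TEXT
    withdrawn = store.withdraw("reader@example.com")      # True
    after_withdraw = store.export("reader@example.com")   # None again
    return before_confirm, confirmed, record, withdrawn, after_withdraw


if __name__ == "__main__":
    print(demo())
```

Because the store only ever holds the address, the consent wording, a timestamp and the form it came from, it also satisfies data minimization; anything else the form collects should be stored with the same kind of purpose record or not at all.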