What Is The GDPR?
The GDPR is widely considered to be the most important change in data privacy regulation in the internet age, and has wide-ranging implications. It is designed to give EU citizens more control over how their personal data is stored and used. The GDPR was approved and adopted by the European Union (EU) Parliament in April 2016 and will become law in all member states on May 25th 2018. You can access the full text of the GDPR on the GDPR website.
Who Does The GDPR Affect?
You must adhere to the GDPR if your business offers goods or services to, or monitors the behavior of, people living in the European Union. This is regardless of whether or not payment is involved, and regardless of where your business is located. If your business is based in the United Kingdom you will have to follow the same rules until at least the end of March 2019 (the expected end of the United Kingdom's EU membership),even if you don't have customers in other parts of the EU. In addition, the UK Government has indicated it will implement an equivalent or alternative legal mechanism.
How Will The GDPR Be Enforced?
If your business should be complying with the GDPR but is found not to be, you will first be given a warning and a limited amount of time to comply, followed by a reprimand. If you still fail to comply, you may then be required to suspend processing of data about EU citizens, depending on your location and what relationship your country has with the EU. Finally, your business may be fined up to a maximum of 4% of annual global turnover or €20 million (whichever is greater),depending on the severity of the breach.
Public authorities and businesses engaged in large-scale systematic monitoring or large-scale processing of sensitive personal data must also appoint a Data Protection Officer (DPO),who can be a staff member or an external service provider. A DPO must have expert knowledge on data protection law and practices, report directly to the highest level of management, and must not carry out any other tasks that could result in a conflict of interest.
Consent
The GDPR's philosophy is that you should only collect data that you have a specific plan for, and that plan must be justified using one of six lawful grounds. For example, you have lawful justification to collect and store someone's shoe size if that person is paying you to provide them with new socks every month, but you do not have lawful justification to collect and store details of that person's religious beliefs. If you wish to collect and store such information the only lawful grounds to do so is if you have consent from that person.
The GDPR spells out how your business can attain consent to use someone's personal information. You only need to have implicit consent to use non-personally identifiable information from your website visitors (such as having a privacy policy and linking to it from every page on your website ). However you now need to have explicit consent to use personally identifiable information such as name, email address, telephone number etc. and parental consent will be required to process the personal data of children under the age of 16 for online services. Each request must adhere to the new GDPR rules:
- It must state in clear and plain language what the consent is for.
- It must require opt-in. For example, checkboxes should not be checked by default.
- It must not be bundled with other requests. For example, users should not have to give consent in order to sign-up to a service.
- It must be specific. For example, your request for permission to send marketing emails to someone should be separate from a request to share their information with a third party.
- It must inform the person that they have the right to withdraw their consent at any time and how they can do so simply and easily.
The way in which you should seek consent for your website's use of cookies may also have changed. A cookie is a small package of data that a website stores on your device, allowing the website to associate you with various actions, information or behaviors. In 2011 the EU introduced legislation that meant websites had to seek consent from users to use cookies. This consent was considered to have been given if a visitor continued to use the website after receiving a fair notice (an example of implied consent),but following the GDPR websites may have to attain explicit consent for some types of cookie and also provide a mechanism for easily withdrawing that consent at any time. At this time, it is not completely clear what types of cookie will require explicit consent, but this part of the GDPR may have wide-ranging implications for many websites, the third-party services they use, and the user-experience.
The GDPR also states that you will need to keep records to demonstrate what someone has consented to, as well as how and when they consented.
Rights: Data Access, Rectification, Portability & Deletion
Under the GDPR, anyone who has had contact with your website or business now has the right to request a copy of the personal data you have stored about them, along with details of what data is processed, where that data is processed, by whom, and for what purpose. An individual may also request that you update any information that you may hold about them if they suspect such information is no longer accurate. They are also entitled to request the personal data you have stored about them in a "commonly used and machine readable format" so that it is portable to another party (for example, data that is provided as a CSV file could easily be imported into another system, but a scribbled note could not be).
People also have the right to end their association with your website or business and request that you (and any third parties involved) cease storing, disseminating or processing their data by withdrawing their consent for you to do so. However, such requests should not violate any other laws, and it is recognized that some data will need to be retained for purposes such as tax records. In such circumstances where you need to retain a lot of data about an individual, they can demand that you limit the ways in which you use their data instead of deleting it.
When any of these types of request are made, you must first verify that person's identity to avoid the risk of committing a data breach and you must never charge them for carrying out the request. It is also recommended that you log all such requests, but it is difficult to see how this could be accomplished without creating additional personal data.
Breach Notification
Under the GDPR, you are required to notify someone within 72 hours if data your business holds about them has been stored, processed or disseminated, by you or a third party, in a way that they have not given consent for. Likewise, any third party service providers you use (such as email marketing providers) must notify you as soon as they become aware of any breach. Here are some examples of a breach:
- You decide to sell your customers' data without their consent.
- Your website database is accessed by an unauthorized third party.
- You accidentally send sensitive information to the wrong customer.
System Design
The GDPR is primarily a regulation about user data, so it is fitting that it is calls for businesses to "hold and process only the data absolutely necessary for the completion of its duties". This means that your website (and any offline paperwork) should be designed from the outset to request from your customers and visitors only that information that is absolutely required. For example, if a user needs to register as a member to use a feature on your website, you might only need to ask them for an email address and password - there is no justification to require them to provide their age or sexual orientation too.
The GDPR also calls for the protection of data to be a primary focus of the design of any system ("Privacy by Design"),rather than an afterthought. One solution proposed by the GDPR is the process of "pseudonymization", which is a database structure which stores sensitive data and personally identifiable information in separate places. For example, patient names could be stored with unique identification numbers in one database, while medical records relating to those patients could be associated only with those unique identification numbers (not names),and stored in another database. In this scenario, if the data in one of the databases was stolen it would not expose sensitive information. Another approach would be to store all your data in an encrypted format which can only be unencrypted using a key which is stored in a separate location.
In addition, the GDPR states that you should only keep data for "as long as necessary", meaning that systems should be designed to either flag data that is no longer required for manual action, or automatically expire data after a certain period of time. An example of this in actions is the new option from Google Analytics which allows you to set how long they should retain your user data.
Conclusion
While the GDPR may be seen as an inconvenience to a lot of website and business owners, it is worth remembering that it's aim is to better inform all of us about who is storing and using our data, and to better protect it from misuse. The recent scandal involving Facebook and Cambridge Analytica should also remind us that it's time for many internet businesses to take privacy and data security more seriously.