There is a lot of information out there regarding General Data Protection Regulation, or GDPR compliance. There is even more information out there in “reports” for you to pay for and download. Many of those reports discuss an idealistic view of GDPR compliance that is not attainable for all websites.
Say you manage a website for a small nonprofit focused on a local cause: How compliant does your website really need to be? What if you manage a website for an international company that sells staplers? How compliant should that website be?
Different websites have different audiences and intentions, so they need different levels of compliance. GDPR is not a hard set of rules; rather, it is a flexible set of guidelines that aims to make website managers think harder about what data is collected, how it is used, and what visitors should expect with regard to privacy. Compliance varies from site to site, so here are some ways to gauge how much privacy control your audience might need.
What is “GDPR”?
The General Data Protection Regulation is a law enacted by the European Union that sets guidelines for how internet users’ data can be collected, stored, and processed. What people may not understand is that this regulation applies to all EU citizens, regardless of their current location — an EU citizen who is accessing your website in Boston is afforded the same rights as if they were accessing your website in Brussels.
If you love lengthy legal documents, the entire law is available for your reading pleasure.
While GDPR may technically apply only to EU citizens, it behooves US-based companies to comply because:
- EU citizens can access your website from all over the world
- There is a chance that similar regulations may be enacted in the US, so you should try to get on board now
If you are a visual learner and would prefer to watch a presentation on this subject, feel free to watch Web Development in the Post-GDPR World presented at Design4Drupal 2018:
Overview of GDPR Roles
There are five distinct roles that have been created as a result of the GDPR regulations:
- Data Subject — the individual whose personal data has been collected.
- Supervisory Authority — Public authorities appointed in European Union countries for monitoring compliance of GDPR at the country level. An example would be the Information Commissioner’s Office in the United Kingdom or Commission Nationale de l’Informatique et des Libertés (CNIL) in France.
- Data Protection Officer — A GDPR-required leadership position in public organizations or groups that monitors compliance in the handling of personally identifiable information.
- Controller — Legal entity or person determining the need and means for processing personal data. An example would be a digital design and/or development agency like Oomph.
- Processor — Legal entity or person processing the actual data on behalf of the controller. An example of this would be a third-party entity like Google Analytics or Marketo.
Overview of Users’ Rights
The GDPR legislation is essentially the first draft of the internet’s new “Web Consumer Bill of Rights.” Users now have six inalienable rights when accessing the internet. These rights include:
- Breach Notification — A mandatory notification given by Data Processors to Data Subjects when a data breach occurs that is likely to “result in a risk for the rights and freedoms of individuals.”
- Right to Access — Data Subjects have the right to obtain their data from the Controller and the right to ask why Controllers are collecting data and what type of data is being collected. Controllers are required to provide a copy of a user's personal data free of charge in an electronic format.
- Right to be Forgotten / Data Erasure — Data Subjects have a right to have their data deleted by Controllers/Processors and to cease collection of their data. A Data Subject needs to provide specific reasons in order for data to be deleted. An example might be that the Subject wishes to unsubscribe from a service and the data is no longer needed, or the Subject can prove that the data is being used improperly in an undisclosed fashion.
- Data Portability — Data Subjects have the right to receive the personal data concerning them, provided in a “commonly used and machine readable format,” and have the right to transmit that data to another Controller.
- Privacy By Design — Data Subjects have a right to a reasonable expectation that a website allowed to access their data has built-in privacy measures and was developed with a consideration of a user’s privacy.
- Data Protection Officers — Data Subjects have the right to contact an appointed Data Protection Officer. This person must be knowledgeable about GDPR requirements and regulations and must assist the organization in complying with users' rights and requests.
From a business point of view, all Controllers and Processors have to comply with these rights. We are also all people and users of the internet. It is important to consider your own internet behaviors and how you would like to be treated on the internet because, when push comes to shove, we all want our data protected.
When they understand GDPR’s roles and users’ rights, many people ask the same question: “So what?”
Rules as dramatic as these don't mean much unless governing bodies have the ability to levy heavy penalties. A lack of compliance can lead to fines upwards of €20 million or 4% of a company's global annual revenue. That can be a lot of money, and recent news has already picked up on the application of these penalties:
- British Telecommunications was fined £77,000 by ICO in the UK after it sent nearly 5 million nuisance emails to customers without consent
- Yahoo! was fined £250,000 in the UK after systematic failures put customers' data at risk
- OPTICAL CENTER was fined €250,000 by CNIL for failure to secure data that led to a breach exposing personally identifiable information and personal credit information, including health data
The European Union is serious about advancing GDPR regulations and has clearly sent the message to the world that they will apply fines to those who do not treat an individual’s data with the respect and security that it deserves. The fines are the teeth that GDPR needs to actually be taken seriously by businesses.
But we are not here to scare you. We’d like everyone to understand that complying is not nearly as complicated as these rules make it seem. In its simplest terms, GDPR compliance means only tracking users with their explicit consent, and limiting the tracked information to behaviors necessary for business operations.
So what does GDPR Compliance look like in the United States? We will cover that in Part 2: What does GDPR mean for US-based websites?
Want to discuss how to make your site GDPR-compliant? Feel free to drop us a line.
Our GDPR series:
- Part 1: What is GDPR? A “relatively” simple explanation (this article)
- Part 2: What does GDPR mean for US-based websites?