Disclaimer
GDPR is the European General Data Protection Regulation. Compliance with the GDPR will depend on the specific facts of an organisation's business, operations and use of data.
In this blog I will try to set out discussion points that may be useful in developing an organisation's GDPR compliance effort from the website/application owner's and developer's perspective, including how to deal with accessibility, user data management and their relationship with the GDPR.
What I discuss here is not intended to be legal advice, guidance or recommendations. An organisation should consult its own legal counsel about what obligations it may or may not need to meet. It is all based on the presentation on the subject that I deliver to my clients in Europe.
Historical Overview
Before 25th May 2018, in the UK, we had:
- Data Protection Act 1998 (DPA)
- Privacy and Electronic Communications Regulations 2003 (PECR): additional restrictions on direct marketing by electronic means (phone, fax, email, text, video messaging), rules on cookies, etc. PECR remains in force alongside the GDPR and still governs marketing emails and cookies.
- Regulation of Investigatory Powers Act 2000 (RIPA): covers 'interception' of communications (e.g. monitoring employee emails or internet usage)
Since 25th May 2018 the EU General Data Protection Regulation (GDPR) has applied. It requires all organisations that hold data relating to EU data subjects to manage the data they hold on their customers, employees, contacts and any other relevant persons more effectively, whether on digital media or in traditional paper format.
GDPR and IT governance apply to all verticals, all sectors and organisations of all sizes.
There is currently no formal certification for GDPR (Article 42 provides for certification mechanisms, but none is yet in place). ISO 27001 is an information security standard and does not cover all of the GDPR's requirements. BS 10012:2017 is a British Standard for a personal information management system aligned with the GDPR, but certification against it is not easily available in most EU member states.
Natural person = a living individual
Natural persons have rights associated with (Article 1):
- The protection of their personal data
- Their protection with regard to the processing of personal data
- The free movement of personal data within the EU, which the Regulation does not restrict on data protection grounds
Articles 1 to 3 set out the subject matter and the material and territorial scope: the Regulation covers personal data processed wholly or partly by automated means, and personal data processed by other means that forms part of a filing system or is intended to.
The Regulation applies to controllers and processors established in the EU, irrespective of where the processing itself takes place. It also applies to controllers and processors outside the EU, anywhere in the world, that offer goods or services to people in the EU or monitor their behaviour. Note that the test is being in the EU, not EU citizenship.
GDPR Importance
The GDPR is broadly similar to the DPA (Data Protection Act 1998) but extends obligations and potential liability directly to data processors as well as data controllers. Its protections apply to any organisation, anywhere in the world, that processes the personal data of EU data subjects. Below are two important reasons why it matters for organisations to comply.
- Significant impact on organisations that capture and manage user data, with potentially very large penalties for violations: up to 20 million euro or 4% of worldwide annual turnover, whichever is higher
- Impacts the storage, processing, access, transfer, and disclosure of an individual’s data records
GDPR also covers security, legal, compliance, risk, data management issues and much more…
GDPR – the value proposition
There are challenges in complying with GDPR, but organisations will need to fully develop their approach to avoid reputational damage and fines.
GDPR will force changes in the way we manage user data and is possibly a once-in-a-generation opportunity to transform the way organisations manage data. It has many benefits that support digital transformation outcomes and creates IT opportunities for developers:
- Newer web tools and web standards are required in the CMS and email marketing systems we use today
- It affects every web application and email processor, and their owners and administrators, and therefore brings extra revenue for those who fix the problems or find good solutions
Organisational Data Governance
- Need: to understand what all the in-scope data is used for, why and by whom
- Why: so you understand how you’re aligning to the principles
- Is all of the captured data really necessary? Limit the amount of data collected to reduce the potential for a breach and for non-compliance with GDPR. Do not ask for unnecessary data.
- Conduct a personal data audit: delete inaccurate and out-of-date data, and ask questions about what is collected and why
- Disclose all usage of the data: create an in-house data policy, adhere to it, and be able to demonstrate this to the authorities when required
What counts as personal data?
Practically any kind of data you collect from your users. This includes email addresses collected from newsletter sign-up forms, a name from a contact form, and even the identifiers (cookie IDs, IP addresses) that tools such as Google Analytics collect.
"Personal data" is defined in Article 4(1) of the GDPR as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
It also applies to site owners outside the EU that provide their content to people in the EU.
Ask for consent to meet GDPR standards
- Contain a clear statement of consent: use plain language that's easy to understand (no legalese)
- Require a positive opt-in: no pre-ticked boxes, silence or inaction
- Self-contained: separate from any other terms and conditions
- Reasons for data capture: explain why you want the data and what you will do with it
- Disclose the consumers of the data: name any third-party controllers that will rely on the consent
- Clarity in consent options: explain how the data subject can withdraw consent, and make withdrawing as easy as giving it
- Provide an alternative if no consent is given: avoid making consent a precondition of service
- Update the privacy statement: revise it to cover GDPR and also revise the cookie consent notice
- Right to be forgotten: provide a way to withdraw consent and to purge the collected personal data (the right to erasure, Article 17)
- Keep evidence: record who consented, when, how and what they were told, because the controller must be able to demonstrate that consent was given (Article 7(1))
Where to Start?
Where? Determine what data you hold and where it came from
What? Determine what information you hold about customers
Who? Review which third-party service providers you use
Who would be involved in the process
Data Controller: decides how personal data is collected, for what purpose and how it is used
Data Processor: maintains and processes the data on behalf of the Data Controller
Data Protection Officer: oversees the data protection strategy and GDPR compliance
A DPO is required if you are a public authority, if your core activities involve large-scale processing of special-category data (e.g. religious or political views, sexual orientation, health data) or data relating to criminal convictions, or if your core activities involve regular and systematic monitoring of data subjects on a large scale (Article 37).
Transparency
People everywhere, and now by law in the EU, have the right to know what information is being collected about them, how it is stored and what it will be used for.
Web Site or Application Manager To-Do-List (if not done yet?)
Unless you are a sizeable organisation with all the resources and funding to comply with GDPR in one go, you may want to do the work in two or three phases and be able to show that it is work in progress.
What about Emails and Newsletters?
GDPR requires provable consent for someone being on a mailing list. For new subscribers gaining consent is easier, but what about existing email marketing contacts? The original consent may not have been recorded, and consent you cannot demonstrate is consent you cannot rely on.
Areas of the site or application that requires a review
You are likely to require consent from your users in many areas. Below are a few examples, which include but are not limited to:
Add Explanations to Forms
Tell your visitors why you need to ask the questions on the form, and detail how the answers will be used and shared. Don't collect more data than is absolutely necessary, and link to your privacy policy for more information. Where consent is the lawful basis for the processing, you also need an unticked checkbox for the visitor to give explicit consent: it must not be pre-ticked, and leaving it unticked must not block functionality that does not depend on that consent.
The GDPR Cookie Consent
To stay compliant with new data protection rules such as the GDPR, the existing cookie module will need to be enhanced. The cookie notice must explain every cookie you set, what it is for and whether the user can switch it off, and non-essential cookies (analytics, advertising) must not be set until the user has opted in.
Continuous Risk Assessment
If in doubt then please do contact a Professional for Advice
GDPR is a drastic overhaul of EU privacy and data regulation, so naturally the entire process can appear a little daunting. Speak to a professional, see what steps need to be taken to make your site GDPR-ready, and simply get in touch today.
Please do contact me if you have a requirement for GDPR consultation or need more hands-on fixing of the elements within your organisation's website or web application, as well as advice on how to deal with existing user data. Naturally, bulk marketing emails or newsletters to a user base that includes EU citizens are of the utmost importance; advice on how you send them and how you capture data from EU citizens is relevant in the new GDPR era.