As an agency whose primary focus is building digital experiences, it makes sense that the 2016 rulings to roll out the General Data Protection Regulation (GDPR) would be a subject on which we need to be well-educated. We know first-hand that one of the main benefits of having a website is the ability to process data, whether it’s for eCommerce, entertainment, or a slew of other reasons.
Business owners, including WebDevStudios, and customers conduct transactions online. The laws governing those transactions directly affect our business and those of our clients. This is why we thought it was imperative to put together this article to bring you up to speed on the latest information and resources to help you navigate how this law may apply to your organization.
If you’re interested, we perform site audits and can work with you on ensuring your website and data processing are GDPR compliant.
What is GDPR?
General Data Protection Regulation is a European personal data privacy law. GDPR was approved in 2016 but had a grace period for implementation until May 2018. It will affect any business based in the European Union (EU) as well as citizens of the EU.
It is going to be absolutely binding throughout the EU and will have extraterritorial effects beyond its borders. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data.
It should be noted that the GDPR replaces Directive 95/46/EC, which is the current privacy law that has been around since 1995. The reason we’re bringing this to your attention is because Directive 95/46/EC is commonly found on sites across the internet today.
Disclaimer: Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.
When does it come into effect?
The GDPR has been in effect since April 2016; however, enforcement was subject to a grace period until May 25, 2018. All organizations are expected to comply with GDPR after May 25, 2018.
Who does GDPR affect?
If you are familiar with the current Directive 95/46/EC, throw out everything you know about where it needs to be enforced. GDPR dramatically expands the scope of enforcement to include:
- All organizations established in the EU
- All organizations involved in processing personal data of EU citizens
The second provision established an extraterritorial principle, which means that:
GDPR will apply to any organization processing data of EU citizens, regardless of the location of the organization.
Whether or not your organization is in or has servers in the EU, GDPR could apply to you if your business website contains personal data.
Please be sure to analyze what data your organization collects and whether it could contain data on EU citizens. It is also highly recommended you seek legal counsel to understand the full ramifications of GDPR to your organization.
What is considered “personal data?”
GDPR loosely defines personal data as any information relating to an identified or identifiable individual—meaning, information that could be used on its own or in conjunction with other data to identify an individual.
Some data known to be identifiable (this is not a complete list!):
- IP address
- Name
- Physical address
- Phone number
- Social security numbers
It then goes a step further and includes any data that could potentially link back to a person, such as, but not limited to:
- Financial data
- Religious views
- Political views
- Behavioral data
What does it mean to “process data?”
While “processing data” is still an ambiguous concept within the stated regulations of GDPR, broadly, it can cover any electronic interaction with personal data. That could include:
- Collecting
- Recording
- Storing
- Organizing
- Adapting
- Altering
- Disseminating
- Retrieving
- Consulting
- Using
- Transmitting
- Publishing
In essence, if your organization is touching data of an EU citizen in any way, it will most likely fall under GDPR.
How is GDPR different from my existing cookie compliance?
GDPR expands rather than eliminates what already exists in Directive 95/46/EC. Here are a few of the key provisions worth noting:
- Expands scope: GDPR has expanded the scope of the law to include any data of any EU citizen anywhere in the world.
- Redefines what personal data is: Previously letting a user know they were being tracked via cookies was enough, but no longer. GDPR casts a much larger net to include any data that could possibly be linked back to the real identity of a person.
- Expands individual rights: EU citizens will have several important new rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability. You must ensure that you can accommodate these rights if you are processing the personal data of EU citizens.
- Creates stricter consent requirements: With Directive 95/46/EC, it was often enough to get implicit consent through displaying a banner telling the user that continued use of the site implies consent. This is not so under GDPR. Users must provide explicit consent for use of their personal data. Furthermore, each type of data used is required to be spelled out and consented to.
While we have outlined some of the major changes, GDPR has far-reaching effects. We highly recommend you seek legal counsel as to its specific impact on your organization.
What are the expanded rights of individuals?
GDPR introduces several new individual rights that are important. These new rights may require alteration to your organization’s service.
- Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
- Right to object: An individual may prohibit use of any particular data.
- Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
- Right of access: Individuals have the right to know what data about them is being processed and how.
- Right of portability: Individuals may request their personal data in a downloadable digital format that can be utilized by another organization.
But my business is not located in an EU country; why should I follow it?
As always, you should consult with legal counsel to determine the effect the GDPR will have on your organization. Per GDPR, if you are located in the EU or processing any data on an EU citizen, it is likely that GDPR will be applicable to your organization.
It is important to understand how GDPR affects your organization as the penalties for non-compliance are staggering:
Fines can be up to 20 million Euros or 4% of your annual revenue!
Enforcement is not consistent across the board either. Each EU member state is able to enforce compliance and levy fines as they see fit. Some countries, such as Germany, take privacy very seriously and are likely to be less forgiving in their tactics.
How do you prepare your site for GDPR?
In addition to seeking legal counsel, you should do a full audit of your site to determine where and what personal data is being processed.
Once you have identified all the areas where data is collected on your site, determine what data is absolutely necessary for proper operation of your organization. If the data collected is of no real use or value, simply removing the data and its processing points is an easy win for compliance. If the data is necessary, you will need to write it into the list of data collection and processing details presented to the user for consent.
Next, you will need to implement measures that allow the user to provide consent, view, delete, update, and download their personal data.
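As an added illustration of the consent and individual-rights steps above (our own sketch for this article, not code from the original post or from any WebDevStudios product), here is a small Python store that records explicit per-purpose consent, refuses to process data for a purpose the user has not opted in to, and answers access, rectification, objection, erasure and portability requests. The class and method names are assumptions.

```python
# Added illustration (not the post's code): names and structure are assumptions.
import json
import time

class PersonalDataStore:
    def __init__(self):
        self._data = {}     # subject_id -> {purpose: {field: value}}
        self._consent = {}  # subject_id -> {purpose: opt-in timestamp}
        self.audit = []     # (timestamp, subject_id, action), kept for accountability

    def _note(self, subject_id, action):
        self.audit.append((time.time(), subject_id, action))

    def give_consent(self, subject_id, purpose):
        """Explicit, per-purpose opt-in; nothing is assumed from a banner or continued use."""
        self._consent.setdefault(subject_id, {})[purpose] = time.time()
        self._note(subject_id, f"consent:{purpose}")

    def store(self, subject_id, purpose, field, value):
        """Refuse to process a field for a purpose the subject has not opted in to."""
        if purpose not in self._consent.get(subject_id, {}):
            raise PermissionError(f"no consent from {subject_id!r} for {purpose!r}")
        self._data.setdefault(subject_id, {}).setdefault(purpose, {})[field] = value
        self._note(subject_id, f"store:{purpose}:{field}")

    def access(self, subject_id):
        """Right of access: everything held on the subject, grouped by purpose."""
        return {p: dict(f) for p, f in self._data.get(subject_id, {}).items()}

    def rectify(self, subject_id, purpose, field, value):
        """Right to rectification: complete or correct data already held for a purpose."""
        self._data[subject_id][purpose][field] = value
        self._note(subject_id, f"rectify:{purpose}:{field}")

    def object(self, subject_id, purpose):
        """Right to object: withdraw consent for one purpose and drop the data held for it."""
        self._consent.get(subject_id, {}).pop(purpose, None)
        self._data.get(subject_id, {}).pop(purpose, None)
        self._note(subject_id, f"object:{purpose}")

    def erase(self, subject_id):
        """Right to be forgotten: remove all data and consent; only the audit note remains."""
        self._data.pop(subject_id, None)
        self._consent.pop(subject_id, None)
        self._note(subject_id, "erase")

    def export(self, subject_id):
        """Right of portability: a machine-readable copy the subject can take elsewhere."""
        consent = self._consent.get(subject_id, {})
        return json.dumps({"data": self.access(subject_id), "consent": consent}, sort_keys=True)
```

The audit list is what lets you show a regulator when consent was given, withdrawn or data erased, so it should survive the erasure itself.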
How can WebDevStudios assist my site in GDPR compliance?
Here at WebDevStudios, we are passionate about partnering with you to create a high-quality site that your stakeholders, customers, and government regulators will enjoy. We happily work with your legal requirements to ensure your website meets and exceeds expectations.
We are having internal discussions and planning sessions regarding how this might impact our customers. This has led us to work on internal solutions that we’ll be bringing to our clients based on their specific needs and requirements.
Site audits can be onerous. Let us take that headache off your hands. WebDevStudios is well-versed in site audits. We would be happy to partner with you to audit your site for personal data collection points and any other audit requirements you may have.
Get in touch with us today to schedule your site audit!
Additional Resources
Are you the type of person who loves getting into the dirty details? Here are some additional resources to dive deep into GDPR. Be sure to bring your diving gear and a flashlight. It gets murky in there!