EU's GDPR & what it means for Websites - Time to Act
In May 2018, the EU’s GDPR comes into force. Companies and organisations need to make sure they are in compliance or risk facing serious penalties. This also applies to websites.
Considering that a website is a company's/organisation’s window to the world, and often the place where personal data is first collected and stored, GDPR is fundamental to it. It is also the most obvious, immediate and direct place that authorities are likely to scrutinise first. We look at the GDPR and how a new website solution just might be what the doctor ordered.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.
Seemingly, it is all a daunting thought and process to become GDPR compliant, with many complexities involved. Indeed, the full GDPR is a very detailed document, full of legal and technical terminology.
But it is essential. Ultimately, GDPR will enhance privacy protection for all, and very likely it will enhance your company’s or organisation’s own internal processes and systems.
Be stringent and do your utmost from the beginning. As time goes by, things will become more obvious and easier to adopt. It is in the nature of innovative and fast-changing Internet technologies and their associated legalities that things tend to start off somewhat unclear, while we all continue to learn from each other, adapt, and move forward accordingly.
What does GDPR mean for your website and what’s the best solution?
Let’s jump straight to the possible solution for your website and save you all the more ‘boring’ technicalities to read a bit further down.
Firstly, a disclaimer on our part. We must be clear that all this is just a general overview of the situation, and of possible solutions for your website only. Indeed, GDPR is a lot more detailed, and any final solution needs evaluation, planning and execution, and of course must be relevant to your company/organisation.
Nevertheless, our Agency is made up of a team of professionals located in the EU, experts in design, development, content, SEO and online marketing communications. So we are well positioned to offer some early tips on GDPR solutions for your website, and ultimately provide the services.
In most cases, the solution can be rather simple – avoid storing any personal data on your website, and voilà, problem solved!
But of course, GDPR solutions for websites should be adaptable and scalable, very much depending on an organisation’s size and what its requirements are for data collection, storage and processing.
Thus, taking the possible GDPR solution for your website a few steps further:
- Enhance security; both of the website infrastructure/platform and the data within, and of the server that hosts the website on the internet
- Be transparent with why you are collecting the data; clear and concise using simple understandable language and always seek active user consent
- Provide an easy method for users to access, amend, delete or opt out of such data, and
- For each of the third party data processors you are using, check their own respective privacy policies and make sure that they are also GDPR compliant, otherwise consider alternatives.
Website analytics (monitoring traffic and user behaviour) must also comply with GDPR, as this tracks IPs and some level of personal data.
Right now this is a bit of a ‘grey area’ in terms of solution. Generally, Internet browsers allow a user to adjust their cookie settings accordingly and prevent being tracked. On the surface this should suffice, and so all you really need to do is clearly (and simply) inform users accordingly, directing them to their options and perhaps with some further guidance on how to control them. At the same time, obtain consent – websites using different types of cookies for different purposes will need to obtain consent for each purpose and list them all in the Privacy Policy.
Many major companies and organisations throughout the EU and worldwide have adopted this approach until now. An easy and efficient solution.
To be foolproof going forward, even after obtaining consent, website visitors should be provided with an easy and clear way to change their mind. It should be as easy to withdraw such consent as it is to give it. Thus, add an “opt out” feature to your traffic analytics tool. Again, problem solved!
So you see, it’s rather simple to make “a” website compliant with GDPR. The trick is to make your existing website as such, considering what it currently does, its current technology/platform, and the server security.
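The per-purpose consent and opt-out approach described above, as an added example (not code from the article or the agency): consent is recorded separately for each purpose listed in the Privacy Policy, nothing is assumed by default, the analytics tracker only starts once the ‘analytics’ purpose has been granted, and a single withdrawal stops it again. The storage object, the tracker and the purpose names are constructed stand-ins; in a browser the storage would wrap `document.cookie` or `localStorage`, and `tracker.stop()` would delete the analytics tool’s own cookies. The policy version check is an added safeguard so that consent given under an older version of the policy is not silently reused.

```javascript
// Added example: per-purpose cookie consent with withdrawal as simple as opt-in,
// gating an analytics tracker. Storage, tracker and purposes are constructed.

// Bump when the privacy policy or cookie purposes change: older consent lapses.
const POLICY_VERSION = 2;

// Purposes as listed in the privacy policy; each needs its own opt-in.
const PURPOSES = Object.freeze(['analytics', 'marketing']);

// In-memory stand-in for document.cookie / localStorage (constructed).
function memoryStorage() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, v); },
    remove: (k) => { m.delete(k); },
  };
}

function createConsentManager(storage, key = 'cookie_consent') {
  const listeners = [];

  // Unparsable records or records from an older policy version count as
  // "no consent given"; the default is always opt-out.
  function read() {
    const raw = storage.get(key);
    if (raw) {
      try {
        const rec = JSON.parse(raw);
        if (rec && rec.version === POLICY_VERSION && rec.purposes) return rec;
      } catch (e) { /* corrupt record: fall through */ }
    }
    return { version: POLICY_VERSION, purposes: {} };
  }

  function write(rec) {
    storage.set(key, JSON.stringify(rec));
    listeners.forEach((fn) => fn(rec));
  }

  function checkPurpose(purpose) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  }

  function hasConsent(purpose) {
    checkPurpose(purpose);
    return read().purposes[purpose] === true;
  }

  function grant(purpose) {
    checkPurpose(purpose);
    const rec = read();
    rec.purposes[purpose] = true;
    write(rec);
  }

  // Withdrawal is one call, the same as granting.
  function withdraw(purpose) {
    checkPurpose(purpose);
    const rec = read();
    rec.purposes[purpose] = false;
    write(rec);
  }

  // One action removes the whole record and notifies every gated component.
  function withdrawAll() {
    storage.remove(key);
    listeners.forEach((fn) => fn(read()));
  }

  function onChange(fn) { listeners.push(fn); }

  return { hasConsent, grant, withdraw, withdrawAll, onChange };
}

// Gate an analytics tracker on the 'analytics' purpose. tracker.stop() is
// expected to delete the cookies the tool set, so withdrawal takes effect at once.
function createAnalyticsGate(consent, tracker) {
  let running = false;
  function sync() {
    const allowed = consent.hasConsent('analytics');
    if (allowed && !running) { tracker.start(); running = true; }
    else if (!allowed && running) { tracker.stop(); running = false; }
  }
  consent.onChange(sync);
  sync(); // apply the stored decision on page load
  return { isRunning: () => running };
}

// Constructed tracker that only records calls, so the gating is observable.
function fakeTracker() {
  const calls = [];
  return { calls, start: () => calls.push('start'), stop: () => calls.push('stop') };
}

// Lifecycle: nothing runs before opt-in, analytics starts on grant, an
// unrelated purpose leaves it untouched, withdrawal stops it.
function demo() {
  const consent = createConsentManager(memoryStorage());
  const tracker = fakeTracker();
  const gate = createAnalyticsGate(consent, tracker);
  const beforeOptIn = gate.isRunning();
  consent.grant('analytics');
  const afterGrant = gate.isRunning();
  consent.grant('marketing');
  const afterOtherPurpose = gate.isRunning();
  consent.withdraw('analytics');
  const afterWithdraw = gate.isRunning();
  return { beforeOptIn, afterGrant, afterOtherPurpose, afterWithdraw, calls: tracker.calls.slice() };
}

// Consent recorded under an older policy version must not be honoured.
function staleConsentIsIgnored() {
  const storage = memoryStorage();
  storage.set('cookie_consent', JSON.stringify({ version: POLICY_VERSION - 1, purposes: { analytics: true } }));
  return createConsentManager(storage).hasConsent('analytics');
}
```

The point of routing every consent change through `onChange` is that the analytics loader never has to be told separately about withdrawals: the same code path that starts tracking on opt-in also tears it down, which is what makes withdrawal genuinely as easy as granting.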
It might very well be more complex to adjust all this, and in many cases not even possible. Indeed, perhaps now is a perfect opportunity to upgrade and make a new website.
Our tailor-made solution – why it makes a difference with GDPR
We’ve been providing bespoke solutions in website development for over 15 years. Now is the time for this product and service to shine.
Our agency can provide bespoke services, ideal for GDPR compliance. We do not use ready-made CMS (Content Management Systems), but rather hybrid solutions, with fully custom-built back offices as needed. This means two key advantages:
- We can build the website’s back office to be fully compliant with GDPR and not host any Personal Data at all, yet still allow you to manage certain dynamic pages and content for your website’s front end, i.e. the stuff that is already available to the public and OK to be so.
- Even if the back office is built to host some amount of personal data, because it is fully custom built with our own programming, it has far fewer vulnerabilities than some ready-made solutions that are all too often breached/hacked. Furthermore, we can encrypt content within the database, protecting the information even further.
Our solutions come hosted on a fully managed and secure private server. This is ideal for small to medium sized companies/organisations, offering them a stable hosting solution at an affordable price.
Larger companies/organisations with greater responsibilities in protecting sensitive data should of course consider their own private server entirely, fully managed by our services, and protected by extra security, such as more advanced firewalls, intrusion prevention and DDoS attack protection.
Overview – What is the GDPR
After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. It enters into force 20 days after its publication in the EU Official Journal and is directly applicable in all member states two years after this date. Enforcement date: 25 May 2018 - at which time those organisations in non-compliance will face heavy fines.
The EU GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organisations across the region approach data privacy.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data- and digital-driven world. Any business or organisation that provides services or products to customers located in the EU must take care and protect their personal data, and of course not misuse it – both data controllers (i.e. companies and organisations) and data processors (e.g. cloud-software vendors).
All public authorities and any organisation that processes personal data (the data controller) on a significant scale must appoint a Data Protection Officer (DPO) responsible for monitoring internal compliance with the GDPR within the organisation. Even if you are smaller in size, it is still worth appointing a DPO representative to keep track of and maintain GDPR aspects.
Penalties: breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater) for serious infringements.
So actually, GDPR is a positive thing, helping to strengthen data protection for EU citizens and residents both within the EU and globally.
Key findings from the official EU GDPR: Data Subject Rights
Breach Notification
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
Data Portability
GDPR introduces data portability - the right for a data subject to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine-readable format', and the right to transmit that data to another controller.
Privacy by Design
Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition. More specifically - 'The controller shall implement appropriate technical and organisational measures...in an effective way…in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting access to personal data to those who need it to carry out the processing.
Data Protection Officers
Currently, controllers are required to notify local DPAs of their data processing activities, which, for multinationals, can be a bureaucratic nightmare, with most Member States having different notification requirements. Under GDPR it will not be necessary to submit notifications / registrations of data processing activities to each local DPA, nor will it be a requirement to notify / obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal record-keeping requirements, as further explained below, and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or data relating to criminal convictions and offences. Importantly, the DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Contact details must be provided to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest.
More information can be found at the official GDPR website: https://www.eugdpr.org
For an initial free and no obligation discussion/audit of your website and subsequent professional advice on how a new website solution could make it compliant with GDPR, as well as benefit online presence, feel free to contact our Agency. We are based in the EU and happy to organise direct personal contact.
About Our Agency
We are a specialised web design, development, SEO and online-digital communications agency, with over 20 years of international experience. To date, we have completed projects across diverse business sectors and in over 12 countries, throughout the EU/Europe (Cyprus, Germany, France, Greece, the UK), the wider EMEA region, and Australasia.
Our solution focuses on bespoke website design, development, SEO & online marketing communications that helps brands enhance online presence, rankings, and results; locally, regionally, internationally.
As a team, we only ever work on ONE website-SEO project at any given time, ensuring maximum attention, creativity & professionalism.
Agency Contact Details
- Cyprus: +357 99 070 561
- Melbourne: +61 452 436 456
- Skype: Web-Conceptions.com
- E-mail: info 'at' web-conceptions.com
- Website: agency.web-conceptions.com