Ready or not, GDPR is here to change the way we view privacy. And, unless you want to pay multimillion euro fines, you’ve got to take it seriously!
Of course, there is a silver lining and not everything is that bad. The new regulation has introduced very good privacy protection practices that will bring a lot of value to your users. So, whenever you feel intimidated, just remember that GDPR legislates common sense!
In this article, we deconstruct GDPR from the point of view of the impact it will have on the development of your website/web app. We did our best to extract the practical steps for making your website GDPR compliant.
The idea behind the regulation is to give control over personal data (any information relating to an identifiable person, such as a name, email, ID number etc.) back to its owners. To achieve this, organizations have to adapt to the new standard of information protection.
Does this concern you?
Yes, if your website is targeted at an EU audience and you collect and process data of EU citizens, regardless of where your company is based. This includes websites that offer goods and services (even free ones) to EU residents, whether exclusively or among other audiences.
Since Mark Zuckerberg announced that Facebook would provide the same level of protection worldwide (we wonder what made him change his mind?!), it can become a good practice for protecting data of all users around the globe. After all, what would your non-EU users think if you didn’t treat their information as nicely as that of your European audience?
There is, however, a huge difference between wanting to be GDPR compliant and having to be. This difference can come at a cost of €20,000,000 or 4% of global annual turnover (whichever is greater). This is the maximum fine, which usually follows initial warnings, restrictions, and smaller fines.
But the reason you are reading this right now is probably that you are looking for ways to get it right. However, due to the complexity of the new regulation, there is no one-size-fits-all website GDPR compliance solution, nor a GDPR checklist for websites that will cover all your needs. All the checklists we’ve seen so far are far too general to actually be used as checklists.
So what we will do instead is help you figure out the main principles of this legislation, so that it will be easier for you to develop your own checklist. That is what this article is all about.
How Relationships with Your Vendor Change
Under the GDPR, you are not only a website/web app owner, you are also a Data Controller because you collect and process the personal data of EU users. And it is not just a new name to call yourself, but also a new set of responsibilities. These include collecting, storing and processing personal information in accordance with the GDPR standards (Art. 24).
If you work with a web development agency to develop your website or app, then your vendor can become your Data Processor. This is the role of an organization that collects and processes data for you. Only vendors that work with live personal data can be considered Processors.
In this case, your partner is also liable for complying with the GDPR (Art. 28). You share the responsibility and your web developers can also be fined for noncompliance!
This is why Controllers and Processors are required to sign a Data Processing Agreement (DPA), the contract that specifies, among others, the following key elements:
The types of information being processed
How it is going to be processed
The purpose of the processing
What measures are taken to ensure the security of processing.
The bottom line is that you and your web development partner can no longer work together without this agreement. And your vendor cannot perform any actions with the data that you haven’t already agreed to in writing.
How to Make Your Website GDPR Compliant
1. Make Sure to Receive Proper Consent from Users
Generally speaking, you can collect and process personal information only with the permission of your users. That is, unless you’ve already signed a contract with them, or are in some special category of organizations that are legally obliged to process personal data of individuals, or act in their vital interests, or are in one of the other situations outlined in Art. 23.
For the rest of us, we have to get proper consent (Art. 12), and the ICO helps to decode what consent can be considered proper or genuine under the GDPR. In a nutshell, to give you genuine consent, a user has to be well informed, have a free choice and be in control.
Let’s deconstruct the GDPR website requirements for obtaining user consent to know how your online forms should look.
1. Transparent and informative
According to ICO, you have to provide the following information when asking for consent:
information about your organization
who else is going to be involved in the processing
what you need the data for
how you are going to use it
users’ rights to revoke consent
However, this is not a complete list! In the GDPR document itself, you can find additional details that you have to provide to users before asking them for personal information (Art. 13), such as:
how you can be reached
how your Data Protection Officer can be reached (check whether you are required to have one)
how long you are going to keep and process the data
all of the users’ rights: to access, correct, delete, restrict from processing etc. (see the complete list in Chapter 3)
if you use any type of automated decision-making and profiling, and, if so, what logic is involved
2. Positive opt-in
This means that you have to refrain from using pre-checked boxes. Instead, give your users the opportunity to agree only on those options that they want.
You cannot ask for consent ‘in bulk’. Users have to give permission for each distinct processing action you want to perform (such as scheduling a demo and sending a newsletter).
At the time of writing this article there aren’t many GDPR compliant website examples with such online forms. It seems no one has come to a unified understanding of how online forms should look in order to comply – at least not yet.
Another important part of the new standard for consent is that your users should be able to revoke their consent as easily as they have given it. So, you need to make sure all your communications with users contain clearly visible ‘unsubscribe’ buttons, and you need to be able to prove that any particular individual has given you his/her consent. To do this, you need to document it.
In the words of ICO: “Keep records to evidence consent – who consented, when, how, and what they were told.”
The following table illustrates how you must keep a record of personal data to comply with the GDPR.
2. Incorporate Protection by Design Principles
Under the GDPR you are obliged to implement technical and organizational measures of data protection. The ICO implies that, by following the Privacy by Design approach to software development, you’ll cover most of the requirements for data protection. The rest of the GDPR website security requirements will depend on the types of data you are using and your processing activities.
Privacy by Design (PbD) consists of principles which will help you form a privacy-oriented mindset so you can think of all the possible ways you can ensure data protection for users.
In summary, PbD is about prevention, making privacy a default and taking a holistic approach to data protection.
Data minimization is one way to put PbD into practice. You can minimize your data and, therefore, risks by following these steps:
Reduce the amount of personal information that you collect and store by asking only for essential information. Do you really need your user’s telephone number and physical address? Maybe just a name and email will suffice? Ask yourself these kinds of questions to strip down your online forms to the bare minimum and increase your conversions as a bonus.
Reduce the period for which you keep the data. How long do you actually need to store the data? Keep it for no longer than is absolutely necessary.
Get rid of the data that has expired. Don’t keep the data just because you can – for example, simply because storage is cheap and you think you might use it someday. Delete the data as soon as you know you don’t need it.
Use the data only for the purposes you’ve stated to your users. It is easy to fall into thinking that, since you already have the data, you can do whatever you want with it. Why not send out promotions about new products to customers who once bought something from your business? Unless your users have specifically agreed to you sending them promotions, it’s a bad idea.
Limit the number of locations in which you store your data. Multiple back-ups and numerous spreadsheets spread across your organization create vulnerability spots.
Remember, the more data you store the more liability you bear!
3. Make Your Website Secure
Adhering to PbD principles, including data minimization, is not all you have to do to ensure 100% protection. You still need to make your website and any other software you use secure from the inside out, and the extent of these measures should be proportionate to the severity of the risks and breach consequences for your users (Art. 32).
Here is a list of technical and organizational measures you can take to ensure safety.
Pseudonymization is any process of substituting the most identifying data (e.g. family name, postal address, IDs, bank account etc.) with artificial identifiers. If one cannot identify who the data belongs to, it won’t be of much use to ill-intentioned individuals, unless fraudsters can find the missing information and reverse the pseudonymization. So, unfortunately, although this method is great and highly recommended by the GDPR, you cannot rely on it alone.
There are several ways to pseudonymize:
Figure out which will work best for you and implement it.
The Content Management System that you use to run your website is a target for hackers. Therefore, you need to take all the measures you can to make it secure. Make it static where possible or go for a 100% custom CMS to ensure maximum security.
Personal information can be stolen from your website even before it gets into your database, i.e. while it is in transit after a user submits his/her information (clicks ‘sign up’). This is called a man-in-the-middle attack. To avoid this, serve your website only over HTTPS (instead of HTTP), which encrypts the traffic between the user’s browser and your server so it cannot be read or altered on the way.
Physical access restrictions
If you use your own servers, you need to make sure that access to them is restricted.
Internal access restrictions
Only authorized staff members of Controller and Processor companies should have access to the data.
Data Protection Impact Assessment (DPIA)
A DPIA is a process to identify and minimize breach risks (Art. 35). Not everyone is obliged to carry one out, only those organizations whose data processing can result in a high risk for individuals. The ICO, however, considers a DPIA to be good practice for any organization that processes personal information.
Although we are only at the beginning of the GDPR journey and, it seems, no one is 100% sure how to apply it, by May 25th EU citizens will already have the new rights. So we’ve got to figure it out as soon as possible.
The key takeaway from the new legislation that should guide you in this journey is that personal data is no longer only an asset, it is also a liability. So, now you’ve got to be very conscious of what user information you ask for, what you are doing with it, and how you are protecting it.
At Greenice, we are serious about implementing the new rules in our own business, as well as in the businesses of our clients. We can help you, too! Let’s discuss your website compliance with GDPR today.
Co-Author: Vlad Nekrutenko, the associate of Attorney Association Juscutum. Vlad has participated in a number of projects helping companies to become GDPR compliant.