
The new EU General Data Protection Regulation (GDPR) replaces the previous Data Protection Directive 95/46/EC, and is designed to "harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy". The legislation comes into force on 25 May 2018 and those falling foul of it risk heavy fines.

Will it affect your website?

If you handle personal data on your website (e.g. through a contact form) you are a "data controller" and you will be subject to GDPR. The legislation will apply to businesses within the EU, as well as any entity globally that does business inside the EU. So yes, it will still apply to the United Kingdom when we leave the EU (if we're ever allowed to!).

So as data controller, what does GDPR mean for you?

Consent

Clear consent needs to be established before processing user data, and data should only be used for the purposes that consent has been given. So for example, it's no longer acceptable (if it ever was) to automatically subscribe someone to your mailing list if they submit details via a contact form.

For minors, it is essential to get verifiable consent from a parent or guardian before their data can be used, and users must be able to withdraw their consent at any time.

Transparency

Transparency is a key principle of GDPR, so if you are handling personal data you must explain how and why you collect that information, what you intend to do with it and how long you will keep it. You must also uphold the following rights for the people whose data you hold:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Note that GDPR stipulates users have the right to request erasure of their data from your systems. That means everything, including all backups!

Data Protection Officer

If you process personal data on a significant scale you must appoint a Data Protection Officer (DPO) responsible for monitoring GDPR compliance. This could be an existing employee with a suitable skillset, or an outsourced position.

Pseudonymisation

GDPR also makes reference to something called pseudonymisation. As well as being a great score in Scrabble, "pseudonymisation" is a process that transforms data so that it can no longer be attributed to an individual without the use of additional information. An example of this might be storing a unique ID for someone rather than their name in a database table. A second table of names and corresponding IDs would then be used to join the two tables together and recreate the full record on the fly.

This is probably the most ambiguous part of the GDPR because it depends on how you interpret pseudonymisation. An example is encryption, whereby data is encrypted and a separate key is required to decrypt it. If your website uses HTTPS/SSL you could say that you're on your way to GDPR compliance, since data is encrypted in transit. But the data in the database itself is likely stored unencrypted, so if the database were compromised the personal data would still be exposed. I'm not sure there's a content management system out there that has cracked this.
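To make the two-table idea above concrete, here is an added example (not code from the original article or from any particular CMS) of a minimal pseudonymised store. The working data is keyed by a random token, and the token-to-identity mapping lives in a separate table that acts as the "additional information". Removing the mapping row is one way to honour an erasure request: the working record survives, but it can no longer be tied to a person. The class and method names are my own choices, and the sample record is constructed for the demo.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class PseudonymisedStore:
    """Two tables: identities (token -> direct identifiers) and records (token -> working data).

    The identities table is the "additional information" GDPR talks about; in a real
    deployment it would live in a separate, more tightly access-controlled database.
    """
    identities: dict = field(default_factory=dict)
    records: dict = field(default_factory=dict)

    def add(self, name: str, email: str, payload: dict) -> str:
        # A random token, not a hash of the name or email: a hash could be
        # reversed by anyone who can guess the input, which defeats the purpose.
        token = secrets.token_hex(16)
        self.identities[token] = {"name": name, "email": email}
        # The working record holds no direct identifiers at all.
        self.records[token] = dict(payload)
        return token

    def resolve(self, token: str):
        """Join the two tables on the fly; returns None once the mapping is gone."""
        identity = self.identities.get(token)
        if identity is None:
            return None
        return {**identity, **self.records[token]}

    def token_for_email(self, email: str):
        """Look up a person's token, e.g. to answer an access request."""
        for token, identity in self.identities.items():
            if identity["email"] == email:
                return token
        return None

    def erase_identity(self, token: str) -> bool:
        """Honour an erasure request by dropping only the mapping row.

        The working record stays (statistics etc. still work), but nothing in
        this store can attribute it to the person any more.
        """
        return self.identities.pop(token, None) is not None


def demo():
    """Constructed sample run: add one enquiry, resolve it, erase the identity, resolve again."""
    store = PseudonymisedStore()
    token = store.add("Alice Example", "alice@example.invalid",
                      {"enquiry": "pricing", "pages_viewed": 3})
    before = store.resolve(token)                      # full record via the join
    found = store.token_for_email("alice@example.invalid") == token
    erased = store.erase_identity(token)
    after = store.resolve(token)                       # None: mapping is gone
    return before, found, erased, after, store.records[token]


if __name__ == "__main__":
    print(demo())
```

One design point worth noting: if the identities table is itself encrypted with a key that can be destroyed, an erasure request can be met by destroying that key, which also covers copies of the mapping sitting in backups, the problem raised under "Transparency" above.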

Breaches

The GDPR requires you to have suitable processes defined and in place in case of a data breach. Depending on the severity of the breach, you also have a legal obligation to report any breach within 72 hours.

So what should you do to make your website GDPR compliant?

Everything outlined above should be considered. Revisit your Privacy Policy and Terms & Conditions to make sure you are being clear about how and why you collect personal information, what you intend to do with it and how long you will keep it. You should also be clear about any third-party data sharing and/or storage and link to their policies.

If you handle a significant level of user data then you should designate a DPO.

Going forwards, just make sure you always get consent and are clear with users about handling their data. Above all, it's about always treating your users' data with care and respect.

Feel free to read the full GDPR at https://gdpr-info.eu/.
