GDPR Compliance for Websites

GDPR stands for General Data Protection Regulation, legislation introduced by the European Union (EU) that will be enforced from May 25, 2018. The good news is that the new law is not very technical, and you don’t need expensive lawyers to adopt it.

The GDPR was created to strengthen the rights of EU citizens when it comes to the collection and use of their personal data.

The GDPR applies to:

  • Any business or organization that offers goods or services, paid or free, to a citizen, resident, or simply a visitor to the EU.
  • Any monitoring of the behavior of a citizen, resident, or simply a visitor to the EU.

The regulations apply to data controllers (those who collect the data) and data processors. Failure to comply could cost you up to €20 million or 4 percent of annual revenue.

Collection, use, and storage of personal data

GDPR lays out rules for the collection, use, and storage of personal data. The regulation covers three areas:

  • Individual rights.
  • Lawful basis for processing, or privacy by design.
  • Accountability and governance.

In short, you must abide by the individual rights, ensure that you are properly securing personal data, and be able to document how you are doing so. Personal data is defined as “any information relating to an identified or identifiable natural person”. It includes things such as a name, photo or biometric data, email address, personal bank or medical details, or a computer IP address.

Complying with 8 Individual Rights

At the heart of GDPR are eight specific rights that individuals are granted regarding their personal data:

  1. Right to be informed

    You must update the “Site Privacy Policy” and be transparent about how the personal data is handled.

  2. Right of access

    There must be an easy process for the user to receive all the information that you hold about them, in a simple format such as CSV or XLS.

  3. Right to rectification

    Users must be able to edit the information you hold about them, including data that you have collected from other sources such as third-party login APIs.

  4. Right to erasure

    There must be a process to erase all the data of a user if it is requested by him/her.

  5. Right to restrict processing

    Users must be able to allow you to keep their data while blocking its processing; that means back-office staff or others will not be able to see their data.

  6. Right to portability

    You must be able to provide users’ data in an easy-to-use format such as CSV or XLS, for their own purposes.

  7. Right to object

    Data owners can object to the processing of their data for any marketing purpose, such as email marketing and remarketing.

  8. Rights related to automatic decision making, including profiling

    This rule applies when automatic decision making is implemented, including profiling of user information. This requires explicit consent from the user.

Security by design

To comply with GDPR, you have to implement technical and organisational measures by default that show you have considered and integrated data protection into your processing activities. The regulation gives examples, such as designing databases to use pseudonymisation. Such measures are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing, in order to meet the requirements of GDPR and protect the rights of data owners. It’s also important to incorporate access control so that only people who truly need to see data can access it.

Under GDPR, you must demonstrate that you’re implementing data protection by design and by default. This could change everything from how you design databases to who gets access to data.

GDPR also sets up reporting guidelines regarding potential data breaches. If a breach poses a risk to individuals, it must be reported to the DPA within 72 hours. In the UK, that means the Information Commissioner’s Office (ICO). Affected individuals must also be notified.

  1. Look for possible privacy infringements to remedy before an incident occurs.
  2. Protection and privacy compliance should be default for business IT systems and processes.
  3. Privacy should be embedded at every level of an organisation’s functionality.
  4. All compliance practices should stand up to independent verification processes.
  5. The implemented privacy protection should offer end-to-end security.
  6. There must be full functionality of data protection, with no compromise to either business or security.
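Pseudonymisation with a separate, access-controlled identity table, as an added example that is not from the original page or from AdamEve&Apple: the event table holds only an HMAC-derived pseudonym (the data-minimisation point made above), and the same layout serves the right of access and the right to erasure from the list of eight rights. The class, its method names, the key and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac


class PseudonymisedStore:
    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key                   # lives with the identity table, not the event table
        self._identities: dict[str, dict] = {}   # pseudonym -> name/email/IP (need-to-know access)
        self._events: list[dict] = []            # pseudonym + minimal usage data (wider access)

    def pseudonym(self, email: str) -> str:
        # Keyed hash: without the key a pseudonym cannot be reversed or recomputed from an
        # email address, so the event table on its own identifies nobody.
        digest = hmac.new(self._key, email.strip().lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:32]

    def register(self, email: str, name: str, ip: str) -> str:
        pid = self.pseudonym(email)
        self._identities[pid] = {"email": email, "name": name, "last_ip": ip}
        return pid

    def record_event(self, pid: str, page: str) -> None:
        # Data minimisation: the event table carries no name, email or IP address.
        self._events.append({"pid": pid, "page": page})

    def staff_view(self) -> list[dict]:
        # Default back-office view: behaviour keyed by pseudonym only, no identities.
        return list(self._events)

    def export(self, email: str) -> dict:
        # Right of access / right to portability: everything held about one person.
        pid = self.pseudonym(email)
        return {"identity": self._identities.get(pid),
                "events": [e for e in self._events if e["pid"] == pid]}

    def erase(self, email: str) -> bool:
        # Right to erasure: drop the identity row and that person's events. Keeping the
        # events would only be safe if the HMAC key were rotated too; otherwise a later
        # registration with the same email would re-link them.
        pid = self.pseudonym(email)
        existed = self._identities.pop(pid, None) is not None
        self._events = [e for e in self._events if e["pid"] != pid]
        return existed


if __name__ == "__main__":
    store = PseudonymisedStore(b"example-key-keep-it-in-a-secrets-manager")  # constructed key
    pid = store.register("alice@example.com", "Alice", "203.0.113.7")        # constructed sample
    store.record_event(pid, "/pricing")
    print(store.staff_view(), store.export("alice@example.com"), store.erase("alice@example.com"))
```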

Documenting compliance

GDPR requires that you be able to provide evidence that you comply and the law contains explicit provisions about documenting your processing activities. That means writing down your procedures for handling personal data. You must maintain records on several things such as processing purposes, data sharing and retention.

You’ll also need to document the data security methods you employ and your plans for handling a data breach. Ensure that your data processing has a lawful basis, and record what that is. Data controllers and processors both have documentation obligations, and they must keep the records in writing.

You also may be required to make the records available to the ICO on request.

GDPR compliance checklist

All of this can feel a little complicated, but the following checklist will help you power through the requirements:

  1. Identify and document your lawful basis for your processing activity.
  2. Determine what personal information you have, where it came from, and who you share it with.
  3. Review and update your site’s privacy policy to ensure it provides detailed information on your data collection, use, and privacy practices.
  4. Implement a plan for how you will delete personal data, enable updating, or provide it in a commonly used format upon request.
  5. Ensure that you obtain and record consent for every collection and use of personal data. For example, you can no longer use pre-ticked boxes to opt in or default to acceptance of policies.
  6. Plan for and document how you will detect, respond to, and report a personal data breach.
  7. Familiarise yourself with data protection by design practices and work out how to implement these principles for your site.
  8. Consider designating an official data protection officer (DPO). Some organisations are required to designate a DPO, but for others, it’s optional though recommended.

GDPR has consent specifications for sites that serve children, but if you’re complying with the Children’s Online Privacy Protection rule (COPPA), then you have this covered.

How AdamEve&Apple can help you to be compliant with GDPR

At AdamEve&Apple we are always concerned about security and data protection. Following is the support we can provide to help you become GDPR compliant.

  1. Thorough and full audit of your online presence (website / third-party plugins).
  2. Data sheet listing all the data you gather from your consumers, which can be included in your Terms & Conditions.
  3. A consent banner / popover on the homepage about data collection and sessions.
  4. Privacy Policy page with customised information for your website.
  5. Implementing “Security by Design” so that only the people who must see the data have access to it.
  6. Writing down the procedures for handling personal data, and documentation to provide evidence that you comply with the GDPR regulation.