
GDPR and You - What to Do Quickly on Your Drupal Site

Published on 06 May 2018

The GDPR and Drupal
The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. This new law gives users the means to better manage their personal data online and requires greater transparency about how data is collected and used. It is time to update your website to comply with the GDPR. In this post, we explain how to bring your website into compliance with the regulation.

What does the GDPR provide?

This is not the place to debate the appropriateness and purpose of the regulation. The much-discussed GDPR seeks to give individuals a first measure of control over the personal data we unwittingly scatter while browsing online. With the aim of harmonizing and unifying legislation within the European Union, the GDPR covers all residents of the European Union.

Personal data is defined as "any information relating to an identified or identifiable natural person, who can be identified directly or indirectly, in particular by reference to an identification number or to one or more elements specific to them" (Article 2 of the GDPR). Therefore, any collection of personal data must be based on one of the following legal grounds provided for by the GDPR:

  • The vital interests of the person;
  • The public interest;
  • Contractual necessity;
  • Compliance with legal obligations;
  • The unambiguous consent of the user;
  • The legitimate interest of the data controller.

Any one of the above-mentioned legal bases is sufficient to make the processing of "personal" data lawful. For example, in the most common case of websites collecting data for marketing purposes, the legal grounds used to justify data processing will be:

  • The user’s unambiguous consent: for instance, a clear banner must be put in place with “Accept” and “Refuse” buttons, allowing the user to freely choose whether their data is collected. Internally, the company must keep a record of consents.
  • The legitimate interest of the data controller: if data processing for commercial purposes is considered a legitimate interest, it is important not to forget to implement security measures to reduce privacy risks for users. Visitors should be clearly informed, especially about:
    • The purpose of the collection: for what reasons are data collected? For what purpose?
    • The data collected and its processing: what type of data is processed and does it benefit from GDPR protection?
    • The data retention period: how long is the data kept in my records? After how long am I committed to destroying the data?

Generally speaking, internet users must be able to control how their data is used and how this shapes their experience of the site. They should be able to opt out of data collection easily, and clear explanations should be available to help them understand how opting out affects their user experience.

Thus, the application of the GDPR introduces new rights for internet users, such as:

  • Better protection of user privacy through the requirement for express consent;
  • The recognition of the right to be forgotten, allowing individuals to have their personal data deleted in cases of privacy breaches;
  • Easier data portability, enabling users to move from one service to another without restriction;
  • The ability to initiate class action lawsuits to halt the unlawful processing of data.

Who is affected by this law?

The GDPR covers all entities handling European personal data, including:

  • The personal data controller, defined as “Any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4 of the GDPR);
  • The personal data processor, defined as “Any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (Article 4 of the GDPR).

In short, if you have tools (such as a website or an application) that allow you to collect personal data, you must implement measures to comply with the GDPR.

Penalties for non-compliance with the regulation

In case of non-compliance with the GDPR, severe penalties are provided for. The risks range from being barred from collecting data to fines between 2% and 4% of your annual turnover. Needless to say, bringing your website into compliance will cost you less.

But don’t panic! The regulation provides for a transition period to allow organizations to achieve compliance. What’s important now is to start the compliance process.

Measures to implement on your Drupal site

We would like to emphasize that compliance with the GDPR is not limited to a “technical” update of your site. It also involves an internal reorganization of your overall data processing procedures (implementing a data register, designating a responsible person, etc.).

Actions to take:

1. Adapt your cookie banner by clearly offering the options to accept or refuse data collection;

2. Adapt forms during data collection by highlighting options to accept or refuse data collection or any other related decisions regarding data collection and processing;

3. Audit each cookie generated by the Drupal code to document and verify their compliance;

4. Audit and document third-party applications to verify their compliance;

5. Create a user-friendly data deletion request form for personal data;

6. Update your legal notices by adding a “Company Privacy Policy” clause stating information about data privacy and the rights related to provided personal data;

7. For those behind schedule, install a valid SSL certificate so that sensitive data is exchanged securely.
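For step 3 (auditing the cookies your site sets), a small inventory script helps produce the documentation the regulation asks for: which cookies exist, whether they are session or persistent, how long they are retained, and whether they carry the Secure and HttpOnly flags. The following is an added example, not code from the original post or from Drupal itself; the Set-Cookie headers it inspects are constructed samples (the SSESS... session cookie name and the _ga analytics cookie are placeholders), and the audit date is fixed so the output is reproducible.

```python
"""Inventory Set-Cookie headers for a GDPR cookie audit (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample headers, shaped like what a Drupal site might return.
# Names and values are placeholders, not real session or analytics data.
SAMPLE_HEADERS = [
    "SSESSdeadbeef=Placeholder123; path=/; HttpOnly; Secure; Max-Age=2000000",
    "_ga=GA1.2.000000000.0000000000; expires=Thu, 01 Jan 2026 00:00:00 GMT; "
    "path=/; domain=.example.org",
    "has_js=1; path=/",
]

# Fixed reference date so retention figures in the audit are deterministic.
AUDIT_DATE = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def retention_days(cookie: dict, now: datetime) -> Optional[int]:
    """Days the cookie persists; None means a session cookie (dropped on browser close)."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"]) // 86400
    if "expires" in attrs:
        return max((parsedate_to_datetime(attrs["expires"]) - now).days, 0)
    return None


def audit(headers, now: datetime = AUDIT_DATE) -> list:
    """Return one inventory row per cookie, with the points to document or fix."""
    rows = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure")        # sent over plain HTTP too
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")      # readable by page scripts
        days = retention_days(cookie, now)
        if days is not None:
            issues.append(f"persistent, {days} days, needs consent/retention entry")
        rows.append({"name": cookie["name"], "domain": attrs.get("domain", "(host)"),
                     "retention_days": days, "issues": issues})
    return rows
```

Run `audit(SAMPLE_HEADERS)` and paste the rows into your data register; in practice you would feed it the real headers captured from your site and from each third-party script.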

We are available to analyze your Drupal site, its users, their data, data collection, and placed cookies. This audit will help you plan interventions—which, most of the time, you can carry out independently—and map the personal data being handled. This step is important because it allows for transparent communication with users about data processing conditions, as required by the new regulation.

To go even further: http://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX:32016R0679

If you want to write a thesis on the GDPR :) ... Please contact Myriam!
