New regulations ("GDPR") that govern personal data and data privacy within the EU come into force on May 25th 2018. These can apply to organisations with EU visitors even if the business and website are not physically located within the EU. The regulations are complex and Supadu is not qualified to provide legal advice, however, we have put together some information that might be useful.
Overall, Supadu sees GDPR as an opportunity to build trust with your users and and improve brand presence. The flip side is that non-compliance can result in large fines - €20 million or 4% of worldwide revenue. Most of the new regulations relating to your website are already required under the general data protection regulation but there are some new requirements that relate to the data collection and storage that we have outlined below.
This impacts all EU and many non EU websites that collect personal data, and/or provide goods or services to EU citizens even if you haven’t got a physical presence in EU. Here's an infographic from Piwik pro that provides a great overview: View infographic
5 Steps to Consider
In order to help our customers check they comply we will be opening JIRA tickets to offer our customers the chance to have their site audited and to implement any necessary changes required to collecting/storing any personal data.
1. Audit
What personal data is being collected on your website? Are you using cookies that are affected by GDPR? This will take an hour or two to check most websites and we will work on a time and materials basis. A question often asked is what is “personal information”? Any personal data about an identifiable person who can be directly or indirectly be identified - in particular by reference to their device, IP addresses, cookie identifiers, and GPS locations.
2. Consent Request
Implement a Consent Request procedure for all existing data collected and for all new personal data to be collected.
All personal data requires a “consent request” that means that inactivity and pre-checked boxes are not consent. Practically you need to have a form that is easy to understand, concise, and specific.
- Explain what data are you collecting, why you want it, how long will you keep it
- Include the name of your organization and any third parties
- Age request - you are not permitted to collect data for any subject under 16 without parental consent
- Remind data subjects that they can withdraw consent at any time and have a clear process to do so
- Data kept under periodic review
- Right to be removed and forgotten - for example if a user has asked for their preferences to be deleted then you do not keep a reference to the individual user at all.
This is very important and we expect some of our customers will have to change they way they collect data to be compliant. Pre-ticked boxes, opt-out boxes or default settings do not constitute a valid consent request.
3. Privacy Policy
All websites should have an up to date privacy policy that details how you gather, use, disclose, and manage a user’s personal data. This can be simple and easy to date. For example
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
4. Cookies and GDPR
When cookies can identify an individual via their device, it is considered personal data whether or not on its own or in conjunction with other information. The majority of cookies are subject to GDPR for example cookies for analytics, advertising and functional services, such as survey and chat tools. Google Analytics in some circumstances may also be subject to GDPR.
5. Processes to consider
How will you as Data Controllers respond to a request to update and remove any personal information? A user has a right to reveal what information is held about them, what they have consented to, where it is being stored and to have this consent removed at any time. As part of your site audit we can confirm where personal data is being stored and how it can be managed.
Useful Resources
- https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies/
- https://piwik.pro/blog/infographic-process-data-under-gdpr/
- http://www.blastam.com/blog/5-actionable-steps-gdpr-compliance-google-analytics
CONTACT SUPADU FOR MORE DETAILS OR FOR HELP AUDITING & ENSURING COMPLIANCE