Following the announcement and upcoming introduction of the GDPR regulations Internet sites worldwide will need to be updated. The owners will need to implement all requirements in order to safeguard the privacy of their visitors and customers as outlined in the law. Our article showcases all required changes in detail.
Imminent Effects of the GPDR Regulations
The upcoming GDPR regulations effects that are related to consumer privacy protection require major website changes for all Internet companies that process sensitive information. They have been approved by the European Union and in comparison with previous laws they will affect all companies, even those outside the union, that process private data. The website owners will need to implement new elements and carefully redesign their sites in all cases where data is processed. In comparison with previous laws which were directives and were non-mandatory and non-binding in their original form, the GDPR policies are EU-wide regulations that are going to be enforced in their entire contents. According to experts these are some of the biggest changes in this area for the last decade. The list of required changes is very extensive and the website administrators will need to implement all items in due time.
GDPR 101: From Where To Start
Webmasters should begin by becoming aware of the required changes and implement all components of the GDPR policy. The key concern that the law regulates is the provision of accountability for the users data. The requirement for this comes out of the fact that the majority of web services process the data in countries outside the Union where privacy protection is not ensured the same way as it is inside the EU. One of the most important amends are connected to this issue — now every company that processes data of an EU citizen will need to adhere to the strict policies no matter the server location.
|Its important to note that the regulations is applied to the following definition of private data:|
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.
The web site owners will need to clearly showcase answers to the following questions to all visitors:
- Why the site requires the personal data?
- Your Email address
- How is the data obtained?
- How is the data being kept?
- How the Internet services are going to secure it?
- Is it shared with any third parties and under what conditions?
In addition to these changes the website owners will need to reorganize and implement a new technological mechanism for all data processing activities when EU citizen information is concerned. Note: The regulations also affect government institutions.
GDPR Regulations and Its Basic Provisions
An important principle that sets the ground for the data processing activities is the proof of adherence. The organizations (and their sites) need to clearly show that they have the legal ground to process sensitive data. At the moment practically all Internet services are build on the foundations of consent by default — they set out the condition that upon use of the relevant services the visitors give their consent automatically. The GDPR regulations outline five different legal grounds for the processing of sensitive user information:
- A legally binding contract with the individual visitors.
- Compliance with the legal obligations.
- Vital interests as defined by the various obligations.
- The performance of public tasks.
- Legitimate interests.
One of the most important advice to follow is to make aware all personnel of an Internet service aware of the upcoming changes. The people that are in some way related to data processing need to implement in full the GDPR regulations. When bigger services are concerned it would be important to perform a complete information audit. The experts note that this is needed in order to examine how the data is gathered and if it is stored under the right conditions as outlined in the provisions.
All procedures need to be amended in order to protect all user rights that are guaranteed by the GDPR changes. Procedures for the deletion of personal data upon request should be mandatory and available at any given moment.
In addition to changes regarding the storage and access controls to the privacy data itself the website administrators need to maintain a separate database of the users consent. This is related to the fact that the GDPR regulations enforce that the visitors and service users need to have an easy way of withdrawing their consent to personal data processing. As a consequence the site needs to be able to automate their options — to have the ability to serve all processed data in a machine-readable standard format and remove all traces of private data upon request.
An important part of the new sites is the implementation of a system that verifies the visitors age and the mechanism of obtaining parental or guardian consent. The new laws enforce immediate notification in case of personal data risks coming from breaches. The GDPR regulations include makes it mandatory for the data holders to notify all affected users in case of a possible violation. In relation to this all affected companies, sites and Internet services need to define a Data Protection Officer who is the person that delegates the implementation and coordination of the GDPR regulations and take full responsibility for the compliance and correct operations of the private data.
GDPR Effects — Enhanced Users Private Data Rights
We remind our readers that the policy provisions for several different types of user rights that need to be guaranteed by the GDPR compliant sites. The Right to be informed is the first and foremost article in the list. Thiss is related to the fact that the website owners and Internet services need to inform the visitors and customers that they are about to obtain and process user information that may be sensitive. As a result the notices must be displayed in a prominent way and written in a very clear, intelligible and accessible way. The regulations upholds that the notice must be written in a way that makes it understandable even by children or underage people as they are under protection as well.
Another important consideration is that from the point of view of the site administrators. There are two basic types of data: directly supplied to the users and secondary data subjects gathered information. The difference between the two is made on the basis of the data processing itself. The webmasters can determine the relevant category by looking up the information gathering mechanisms. Here is a breakdown of these two categories and specific examples and how they fit in:
Type Of Data
Data obtained directly from Organizations
Data obtained indirectly from Organizations
Identity and contact details of the controller, the Controller’s representative and the responsible Data Protection Officer.
Purpose and lawful basis of the data processing operations.
Legitimate interests of the service or the third party responsible for the data activities.
Personal data categories.
Recipients or categories of the obtained/processed data.
Details of transfers to other parties and mechanisms of protection.
Retention Period and criteria.
Storage of user consent.
Mechanism of consent withdrawal and its storage.
Mechanisms of complaints and storage/processing of such events.
Source of personal data and relevant meta data.
Provision of personal data procession status — this field checks if the processes are part of an obligation and holds the possible consequences of failing to provide the required service.
Automated mechanisms for decision making.
The right of access is the second individual right that needs to be protected by the sites. The website owners are required to uphold the individual’s will and grant them access to their processed user data free of charge in a machine-readable form. The GDPR regulations specify that the site administrators can charge a “reasonable fee” reasonable fee when the request is found to be excessive or repetitive.
The right to rectification gives the individual users the ability to change or remove personal data supplied to the Internet services. Site owners will need to pay special attention to this fact if they are working with a third-party data processing company or facility. The site owners are responsible for informing every agent of the made amendments.
A related article is the right to be forgotten which is under protection as well. It enables the individual users to request the deletion (and subsequent removal) of their personal data when there is no compelling reason for its continued processing. However this is not an absolute right. The individuals can do this under the following conditions:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the user has withdrawn their consent.
- When the user objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed.
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
The Internet visitors are ensured with right to restrict processing of their private information. The GDPR regulations contains an article that prescribes the ability of the users to restrict or block processing of data. In this case (after the user consent has been given) the site owners are still permitted to store the data, but they may not process it further.
The right to data portability is one of the most important aspects that are introduced with the GDPR regulations. This means that the users now receive the right to obtain and reuse their private data for their own purposes across different Internet services. They should be allowed to move, copy or transfer the bulk of data from one environment from one environment to another in a safe and secure way. The site webmasters are required to enable this technological feature and implement it on their sites. When the users request the data they will need to obtain it in a machine-readable form — open formats like CSV are given as the most prominent example. The responses should be within one month. Extensions can be made if the request is deemed too complex or the site administrators cannot cope with the number of received requests.
The users also receive the right to object to processing of their personal data. This is important to web masters as this includes all forms of direct marketing that utilize profiling actions. To comply with this prescription the administrators can setup mechanisms that stop such actions automatically upon the confirmation of a received objection.
GDPR Regulations Compliance Mechanisms
The website administrators will need to reorganize their newsletter subscription options and contact preferences in order to align them with the policy changes. As a result of the changes the default position is not consent by default. The forms will need to be readjusted. Designers note that these changes may not be perceived instantly by the users as the standard practice to this date was consent by default. Users previously needed to actively opt-out of sponsored messages and newsletters, the GDPR regulations will make them opt-in optionally.
In addition the terms and conditions related to the privacy data processing will need to be set out in a separate form. A good way of organizing such data would be to use a template layout that sets out individual opt-in fields:
- Opt-In to the Terms of Service (TOS) conditions.
- Contact & Newsletter opt-in check.
When it comes to marketing messages and newsletters the individual users may also be presented with the opportunity of changing the frequency of received messages. The administrators can also consider having two options listed in any unsubscription options: the reason for opt-out and a separate confirmation procedure.
- A GDPR compliance message.
- The type of data and contents that is collected and stored by the Internet service in detail. Examples include IP addresses, geolocation, access information, browser, cookies, visit duration, user interaction, demographic data and etc.
- The webmasters will need to specif y who has access to the personal data.
- Details of the Data Protection Officer and their contact details.
- The policy also needs to outline how the organization will hold and process the personal information in a secure manner.
One of the most important changes are related to E-commerce sites where the new rules will implement major usability and data procession changes. Almost all of them use a payment gateway which is the service that actually processes the financial transactions. The site owners will need to modify the relevant processes and remove all traces of personal information and align it according the regulations.