The General Data Protection Regulation (GDPR) is a new EU regulation aimed at strengthening data protection for EU citizens.
The GDPR extends the powers of the Data Protection Act of 1998 to provide better ownership and control over personal data. It also brings much heavier fines for non-compliance.
The GDPR focuses on: business accountability and obligations; stronger rights for EU citizens; regulatory restrictions on all businesses (in or out of the EU) handling EU citizens' data; the introduction of data breach notification within European law; and a legal requirement to provide evidence of compliance for the collection, management and protection of personal data.
The GDPR will come into effect on May 25th 2018 and will remain with us despite Brexit.
Apart from the legal requirement for businesses to follow The GDPR, you could face a massive 20,000,000 Euro fine or 4% of your annual turnover (whichever figure is higher), for non-compliance, so it’s definitely in your best interest to comply.
The GDPR requires websites to be upfront and clear about what data they are collecting from visitors to their sites, how that data is going to be used, how long the data is going to be kept, and who it is being shared with.
You must give the user an option to reject cookies that are not essential (a cookie is non-essential if the site would still function with it removed). These non-essential cookies must also not be loaded until the user actively gives consent.
An example of a non-essential cookie could be Google Analytics, whose purpose is to collect site tracking information and which is not particularly useful for the user. The main way of deciding whether a cookie is non-essential is to ask: would the site still function without it being there?
An example of an informative cookie banner asking for consent could be as follows:
For more information on cookies, ico.org.uk has published recently updated guidelines on cookies and compliance for your website. You can view them here.
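One way to enforce the rule above that non-essential cookies are not loaded until the user actively consents, as an added example that is not part of the original article. The script list, category names, URLs and the stored consent format (a JSON string such as `{"analytics":true}`) are assumptions made for illustration.

```javascript
// Added example: ids, categories and URLs below are constructed placeholders.
// Each script is tagged with the consent category it depends on.
const SCRIPTS = [
  { id: "session", category: "essential", src: "/js/session.js" },
  { id: "analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Parse the stored consent value. Anything missing or malformed means
// "no consent", so a corrupted value can never switch tracking on.
function parseConsent(raw) {
  const granted = new Set(["essential"]); // the site cannot work without these
  if (typeof raw !== "string") return granted;
  try {
    for (const [category, value] of Object.entries(JSON.parse(raw))) {
      if (value === true) granted.add(category); // only an explicit true counts
    }
  } catch (_) {
    // unreadable consent value: fall back to essential only
  }
  return granted;
}

// Decide which scripts may be loaded for a given stored consent value.
function scriptsToLoad(raw) {
  const granted = parseConsent(raw);
  return SCRIPTS.filter((s) => granted.has(s.category));
}

// Inject only the permitted scripts. `doc` is the browser's `document`;
// it is passed in so the same logic can be exercised outside a browser.
// Returns the ids injected by this call.
function applyConsent(raw, doc) {
  const loaded = [];
  for (const s of scriptsToLoad(raw)) {
    if (doc.getElementById("consent-" + s.id)) continue; // already injected
    const el = doc.createElement("script");
    el.id = "consent-" + s.id;
    el.src = s.src;
    doc.head.appendChild(el);
    loaded.push(s.id);
  }
  return loaded;
}
```

Call `applyConsent` once on page load with the stored value and again when the visitor accepts in the banner; the analytics tag is never placed in the page markup itself, so it cannot load before that choice.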
Provable consent has to be explicitly given by a user to the data processor or controller before data about the user can be processed. This means that there can be no automatic opt-ins on the submission of forms and the like. Additionally, only data that has consent can be collected and processed.
Moreover, if you hold any data about users that originated before The GDPR was brought into effect, such as email addresses used for email marketing campaigns in the past, the user has to be re-contacted and has to re-submit consent for the continued use of the data.
With these changes the development of forms has been heavily impacted and old forms will most likely need to change to be GDPR compliant.
For activities such as email marketing, the simplest way to get explicit, recordable consent from a user, which provides the necessary evidence of compliance, is by adding a checkbox to your form.
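A sketch of the checkbox approach described above, as an added example that is not part of the original article: one function flags form templates whose checkboxes arrive pre-ticked (an automatic opt-in), and another turns a submission into a consent record that can be kept as evidence. The field names, the consent wording and the record layout are assumptions, and the checkbox is assumed to have no `value` attribute, so browsers submit it as `on`.

```javascript
// Added example: wording, field names and record layout are assumptions.
const CONSENT_WORDING = "Yes, send me marketing emails.";

// Constructed sample template with an automatic opt-in (the box is pre-ticked).
const SAMPLE_BAD_FORM =
  '<form><input type="email" name="email">' +
  '<input type="checkbox" name="marketing_consent" checked></form>';

// Lint a form template: return the names of checkboxes that arrive pre-ticked.
function preTickedCheckboxes(html) {
  const found = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const isCheckbox = /\btype\s*=\s*["']?checkbox\b/i.test(tag);
    const isChecked = /\schecked(\s|=|\/|>)/i.test(tag);
    const name = (tag.match(/\bname\s*=\s*["']?([\w-]+)/i) || [])[1] || "(unnamed)";
    if (isCheckbox && isChecked) found.push(name);
  }
  return found;
}

// Build the evidence record for a submitted form, or return null when the
// visitor did not tick the box. An unticked HTML checkbox is simply absent
// from the submitted fields, so absence must never be read as consent.
function recordConsent(fields, meta) {
  if (fields.marketing_consent !== "on") return null;
  if (typeof fields.email !== "string" || !fields.email.includes("@")) return null;
  return {
    subject: fields.email.trim().toLowerCase(),
    purpose: "email_marketing",
    wording: CONSENT_WORDING,          // the exact text the visitor agreed to
    givenAt: meta.now.toISOString(),   // when consent was given
    source: meta.formId,               // which form collected it
  };
}
```

Storing the wording and the form identifier alongside the timestamp lets you show later what each user agreed to and where.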
The GDPR makes it mandatory for any data breaches to be reported by the data controller to the relevant supervisory authority such as the ICO (Information Commissioner's Office) within 72 hours of the breach.
Additionally, if the breach is serious enough then the individuals affected by the data breach also need to be informed within the same time limit.
Under The GDPR users have the right to withdraw consent for the collection and processing of their data at any time, and it has to be just as easy for the user to opt-out of consent as it was to opt-in!
Furthermore, users also have the right to request total removal of all of their data. This means that any data about the user has to be completely removed from your systems, including any references and backups.
Appointing a Data Protection Officer or DPO within your organisation could help to solve your GDPR woes. This is a mandatory requirement for organisations responsible for managing large quantities of personal data, such as Public or Health authorities.
A DPO is designated by the data controller to be responsible for monitoring the internal compliance of legislation within an organisation.
For smaller organisations the DPO could be a suitably trained in-house employee. Despite the cost, this significantly reduces the risk of non-compliance, and the possibility of potentially disastrous non-compliance GDPR impacts.
Do I Need an SSL Certificate to Be GDPR Compliant?
The short answer is yes, most websites need an SSL certificate to be GDPR compliant, but it depends on what information your website collects.
The GDPR may seem overwhelming at first; threatening huge fines for non-compliance and specifying volumes of rules to be followed. But, with the right approach you can take action to ensure that your site gets recorded permission from users to collect and process data, avoiding costly mistakes, such as nasty automatic opt-ins.
Ensure consent, compliance and evidence. Review internal data security policies, train staff and develop guidance and practice to ensure that people, processes and technologies are ready to meet the new legal challenges presented by The GDPR.