How General Data Protection Regulation (GDPR) Will Reshape the Way Businesses Use User Data

How General Data Protection Regulation (GDPR) Will Reshape the Way Businesses Use User Data

Author: Ajinder Singh | Categories: Personalization, Web Content Management, Website Design & User Experience, Website Security, Websites

It has been less than a few months that the European Parliament and the Council of the European Union has implemented the General Data Protection Regulation (GDPR). This necessarily translates into an era of increased data protection and privacy for all citizens in the EU and European Economic Area (EEA).

This means that organizations that collect data from citizens of EU countries will now have to comply with a new set of rules around protecting customer data. GDPR is a new standard for consumer rights pertaining to their data, and organizations who collect customer data have to put systems and processes in place to comply.

Why and How GDPR Has Come into Existence

The European Parliament (which include all 28 EU member states) adopted the GDPR on April 2016 and set the implementation deadline by end of May 25 2018. Thereby, GDPR will replace an outdated data protection regime, which was set up back in 1995.

The primary reason to implement GDPR is the never-ending public concern over privacy. This is because the previous regulation known as - Data Protection Directive had become archaic, with technology taking gigantic strides over the past decade, and with the way data is processed and shared.

Let us try to delve deep into the key elements of GDPR and how it opens a world of good, for increased data privacy.

Types of Data that GDPR protects

Some of the key types of data which are protected under GDPR include:

  • Identity information - such as user name, user address, and any personal ID numbers

  • Web data such as user location, web IP address and cookie data

  • User Health and Genetic information

  • Biometric information

  • Racial or ethnic information

  • Political opinions

Now, let’s deep dive on what makes a website GDPR compliant.

How to Make Your Website GDPR compliant

Make Sure Your website is encrypted

Websites on which personal data is collected must be encrypted. It applies to cases where there are Forms, Newsletter subscriptions, etc.

Note : Encrypted pages can be recognized by their URL, which starts with HTTPS.

When a user navigates to an encrypted website, it means that all the communication between the user and the website is encrypted henceforth. Therefore, if there is someone intercepting the user’s internet connection, trying to get user personal details such as credit card number or essential bank information - the interceptor can only see the encoded content.

Revise Your Privacy Policy

All services and plug-ins that you use on the website, which make data accessible to a third party should be listed within the Privacy Policy.

Privacy policy must contain significantly more information about user rights have as per the GDPR guidelines.

Privacy Policy should clearly mention:

  • What information website collects
    • Types of information the website collects from users, as and when the user uses the site services

    • How user activity was stored and used by the website

    • How user location information (such as IP address, sensor data from devices, information about things near your devices such as Wi-Fi access points, cell tower) was stored and used by the website
  • Why the website collects data
    • To provide better service to the user

    • To develop new services

    • To provide personalized services

    • To communicate with users
  • User Privacy Controls
    • How users can control his/her personal discretion while sharing information

    • What are the ways to review and update information

    • How to export and delete personal user information

    • How the data is shared with other organizations
  • Sharing of information
    • When the website shares user information (only after user consent)

    • Who gains access to the user data - i.e. - all 3rd party plug-in or external processing firms who are allowed to get access to user information, by the website

    • How the information is shared for legal purposes
  • Storing the user information secured
    • Ways and mechanisms with the help of which security is built into the system to protect user information. ( ex: data encryption)

Review All Forms on Your Website

If the website has Forms, such as – a Contact Us form, or Sign Up for a Newsletter, or any other forms - organizations have to revise all such forms on websites. Henceforth, organizations are only allowed to collect personal data that they actually need for setting up an account or provide any products/services/information.

For example – to get a newsletter subscription, an e-mail address of the user is needed, and not necessarily the first and last name of the user. Therefore, all the non-required fields should either be marked as non-mandatory fields, or should be completely removed. If the website wants to collect more data, it must be clearly pointed out to the user, along with mandatorily informing the user why the data is needed. Moreover, users should be given clarity on what legal grounds is the additional data needed, and what the organization will do with that data.

Note : Before submitting any form, users should read to the privacy policy and have to provide a confirmation that he/she has read the policy.

Inform Users about Cookies

Cookies are small files that store data locally on any device, and almost all websites use them. These are used to recognize the user and make it easier for them to surf the website.

On the website, organizations should obtain the consent from website users on the page which is first visited by the user with a ‘Cookie Warning’ method. The text on the cookie warning should state what the data is about, what it is used for, and with whom it might be shared.

For example, the cookie warning can read, “To make our website and services optimal, we use cookies. To continue using the website, you must agree the use of cookies. More information on cookies can be found on our privacy policy page."

The privacy policy should also include a section on cookies which should clearly specify the use of cookies. In addition, also provide a note to users in the privacy policy on how users can prevent the use of cookies.

Check Social Media Plugins and Embedded Videos

If the website has YouTube videos configured on its pages, users can mechanically transfer information from the website guests to YouTube - notwithstanding whether or not the user clicks on the video or not.

Therefore, in order to protect user data and making it GDPR compliant, take care of the following:

Social Media Plugins

Upon visiting any website, users should be given the option to decide freely whether their data should be transmitted to the social networks, via plug-ins.


If websites embed YouTube videos on pages, users should have the ability to use the ‘advanced privacy mode’. Usera can find it after choosing Share, Embed, and Show More.

Check Your Analytics Tool

Most websites use analytics services like Google Analytics to analyze page views, and pull up details of actions that users have performed. For this purpose, IP addresses of the visitors are collected. These IP address must be anonymized, else no personal reference will be possible. Web administrators should enable ‘anonymizeIP’ so that the IP addresses can be anonymized, i.e. - the last octet of the IP address will be removed (for ex: the IP address becomes - where the last portion/octet is replaced with a ‘0’). This will happen before storage and processing begins.

Note : Without IP anonymization, IP addresses are stored on Google's servers in a non-anonymized form.