It has been less than a few months since the European Parliament and the Council of the European Union implemented the General Data Protection Regulation (GDPR). This translates into an era of increased data protection and privacy for all citizens in the EU and the European Economic Area (EEA).
This means that organizations that collect data from citizens of EU countries will now have to comply with a new set of rules around protecting customer data. GDPR is a new standard for consumer rights pertaining to their data, and organizations who collect customer data have to put systems and processes in place to comply.
The European Parliament (which includes all 28 EU member states) adopted the GDPR in April 2016 and set the implementation deadline for May 25, 2018. GDPR thereby replaces an outdated data protection regime, which was set up back in 1995.
The primary reason for implementing GDPR is the never-ending public concern over privacy. The previous regulation, known as the Data Protection Directive, had become archaic, with technology taking gigantic strides over the past decade and with the changes in the way data is processed and shared.
Let us delve into the key elements of GDPR and how it does a world of good for data privacy.
Some of the key types of data which are protected under GDPR include:
Now, let’s take a deep dive into what makes a website GDPR compliant.
Websites on which personal data is collected must be encrypted. This applies wherever there are forms, newsletter subscriptions, etc.
Note: Encrypted pages can be recognized by their URL, which starts with HTTPS.
When a user navigates to an encrypted website, all communication between the user and the website is encrypted. Therefore, if someone intercepts the user’s internet connection to try to get personal details such as a credit card number or essential bank information, the interceptor can only see the encrypted content.
If the website has forms, such as a Contact Us form, a Sign Up for a Newsletter form, or any other form, organizations have to revise all of them. Organizations are only allowed to collect the personal data that they actually need for setting up an account or providing products, services or information.
For example, a newsletter subscription needs the user's e-mail address, but not necessarily the user's first and last name. Therefore, all non-required fields should either be marked as non-mandatory or be removed completely. If the website wants to collect more data, this must be clearly pointed out to the user, and the user must be told why the data is needed. Moreover, users should be told clearly on what legal grounds the additional data is needed and what the organization will do with it.
Cookies are small files that store data locally on any device, and almost all websites use them. These are used to recognize the user and make it easier for them to surf the website.
Organizations should obtain consent from website users on the first page a user visits, by means of a ‘Cookie Warning’. The text of the cookie warning should state what the data is about, what it is used for, and with whom it might be shared.
If the website has YouTube videos embedded on its pages, information about the website's visitors can be transferred to YouTube automatically, whether or not the user clicks on the video.
Therefore, in order to protect user data and make the website GDPR compliant, take care of the following:
Social Media Plugins
Upon visiting any website, users should be given the option to decide freely whether their data should be transmitted to the social networks, via plug-ins.
If websites embed YouTube videos on pages, users should have the ability to use the ‘advanced privacy mode’. Users can find it after choosing Share, Embed, and Show More.
Most websites use analytics services like Google Analytics to analyze page views and pull up details of the actions that users have performed. For this purpose, the IP addresses of visitors are collected. These IP addresses must be anonymized so that no personal reference is possible. Web administrators should enable ‘anonymizeIP’ so that the IP addresses are anonymized, i.e. the last octet of the IP address is removed (for ex: the IP address becomes 220.127.116.11 - where the last portion/octet is replaced with a ‘0’). This happens before storage and processing begin.
Note: Without IP anonymization, IP addresses are stored on Google's servers in a non-anonymized form.
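The same last-octet anonymization can be applied to a site's own access logs before they are stored. The following is an added example, not code from the original article or from Google; it goes beyond the IPv4 case in the text by also handling IPv6 and IPv4-mapped addresses, and the function names, the 48-bit IPv6 prefix and the log lines are assumptions constructed for illustration.

```python
import ipaddress

# Bits kept per IP version. IPv4 keeps 24 bits, i.e. the last octet is zeroed
# as described above. Keeping 48 bits for IPv6 is an assumption of this example.
KEEP_BITS = {4: 24, 6: 48}


def anonymize_ip(value: str) -> str:
    """Return the address with its host part zeroed; ValueError if not an IP."""
    addr = ipaddress.ip_address(value)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries an IPv4 address,
    # so it is unwrapped and treated as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    bits = KEEP_BITS[addr.version]
    network = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(network.network_address)


def scrub_line(line: str) -> str:
    """Anonymize the client field (first token) of a Common Log Format line."""
    client, sep, rest = line.partition(" ")
    try:
        client = anonymize_ip(client)
    except ValueError:
        # Fail closed: a field that cannot be anonymized is never stored as-is.
        client = "-"
    return client + sep + rest


# Constructed sample log lines (documentation address ranges, not real visitors).
SAMPLE_LOG = [
    '203.0.113.77 - - [25/May/2018:10:00:00 +0000] "GET /newsletter HTTP/1.1" 200 512',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:10:00:01 +0000] "POST /contact HTTP/1.1" 302 0',
    '::ffff:198.51.100.23 - - [25/May/2018:10:00:02 +0000] "GET / HTTP/1.1" 200 1024',
    'not-an-ip - - [25/May/2018:10:00:03 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry))
```

Run the scrubber in the logging pipeline itself, so that the full address is never written to disk in the first place.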