12 Things to Know About the GDPR and Data Security
Personal data — it’s a buzz phrase that’s flooding the news and forcing us to think about our online identity and how it’s being used by other websites and companies.
Online businesses and website owners often act as stewards of sensitive personal data they’ve collected. With the recent implementation of the GDPR — sweeping regulations governing data security and privacy in the EU — you might be worried about how you’re storing and protecting other people’s information, and whether that data is safe and secure.
The new personal data laws from the EU are putting the onus on you to ensure you’re being compliant, but we’re here to give you a few pointers. The General Data Protection Regulation focuses on giving citizens more control over their data on the web.
In addition to empowering users to decide what happens with their information, the GDPR also includes new rules on how organizations should handle that data. All of this may require some action on your part — even if you’re not based in the EU. Here’s what you need to know, and what you can do to stay on top of it.
What You Need to Know about the GDPR
1. The GDPR is here.
That’s right: The GDPR went into effect on May 25, 2018. That means that if you haven’t already updated your website to comply, you need to start doing some catch-up. The rest of this article will give you some tips and resources about what that entails. Don’t panic! After reading this article, we recommend heading over to the official GDPR website to get up to speed.
2. The GDPR applies to the “personal data” of people in the EU.
There may be many reasons that a website collects user data: to facilitate a purchase, distribute a mailing list, target advertising, or determine the most popular kind of content. Whatever the purpose, if that data pertains to an individual visiting the site from an EU member state, the GDPR applies.
Website visitors don’t even need to be EU citizens: if someone from, say, Ghana or Brazil is visiting the EU when they use your site, your site still has to protect their rights under the GDPR.
Although the regulation is based in Europe, it is actually more far-reaching than it seems at first glance. If your business has any connection to Europe, whether through customers or partners (even just one!), you should be aware of what the law requires.
3. The definition of personal data is expanded in the GDPR.
When we think of personal data, things like name, address, and phone number might come to mind. The GDPR’s definition goes much further. Beyond the details that would normally be considered personally identifiable information, it covers anything that identifies a person by reference to one or more factors “specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person,” which pulls in things like IP addresses, cookie identifiers, and location data.
Given these broad parameters, it’s safe to assume that anything that identifies a person, directly or in combination with other data you hold, falls under the definition of personal data. If you’re not sure that it counts, it probably does. The GDPR’s own definition of personal data is “any information relating to an identified or identifiable natural person.” So, there you have it.
4. Any entity that controls and processes this data must comply.
The actual GDPR text refers to controllers and processors of personal data. Not sure which one you are? Read on.
A data controller is an entity (a business, organization, or individual) that decides what data is collected, why, and how it is used. A data processor handles that data on the controller’s behalf and under its instructions: a hosting provider storing your database or an email service sending your newsletter, for example. Both roles carry obligations, and a controller that uses a processor must have a written contract with it covering how the data is protected. So if your organization handles any sort of data of people in the EU, or partners with one that does, it’s time to get on board.
5. The new laws require informed consent (or another lawful basis) to collect data.
Consent is the lawful basis most websites rely on, and it only counts if it is informed. Your privacy notice must state what data is collected, why it’s being collected, how long it will be stored, how it will be used, and who will have access to it. All of this needs to be stated clearly on the website in a noticeable place.
GDPR compliance requires active consent — not passive methods, like a pre-checked box. The GDPR will have little tolerance for dark UX practices that trick people into agreeing to or signing up for things or poor blog design that hides pertinent information.
These notices are required even if the most basic type of data is being collected. USA Today has taken an interesting approach to GDPR compliance by hosting two separate instances of their website — one for EU users and another for all others. The EU-oriented site doesn’t collect any information other than a user’s IP address so it can direct them to the correct site — but USA Today still has to notify users that the company is collecting that information.
6. There are stricter requirements for data security under the GDPR.
Compared to the previous EU legislation on personal data privacy (the 1995 Data Protection Directive, which member states had implemented by 1998), the GDPR spells out more prescriptive security responsibilities for data controllers and processors.
If you’re dealing with people’s personal data, you need to put in place technical and organizational measures appropriate to the risk; the regulation does not demand perfection, but it does expect you to have assessed the risk and acted on it. There could be multiple solutions, depending on the data being collected, the technologies available, and your budget. The measures the GDPR itself names (Article 32) are pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services; the ability to restore availability of and access to personal data promptly after an incident; and a process for regularly testing and evaluating how effective those measures are.
These are just some of the strategies that organizations can use to demonstrate they’re complying with the GDPR. You may have already taken them into consideration, or you may have to add some components to your security plan.
With these new standards, you might be concerned about the cost to your business to comply. Security doesn’t have to be expensive, however. Several providers, DreamHost included, offer SSL/TLS certificates for free to encrypt web traffic to customers’ sites. Keep in mind that TLS protects data only while it is in transit between the visitor and your server; the personal data sitting in your database, backups, and log files needs its own protection, such as encryption at rest, access controls, and a retention policy that deletes what you no longer need.
7. Data breaches must be reported to people whose data was compromised.
Another new aspect of privacy laws as mandated by the GDPR is the requirement to notify users when a data breach has occurred and may have affected their personal information. The GDPR defines a personal data breach as an event that leads to “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This protects well beyond the risk of fraud or identity theft (which would result from access to financial records) to include unauthorized access to anything defined as personally identifiable information.
If a personal data breach occurs that “is likely to result in a high risk to the rights and freedoms of individuals,” data controllers have the obligation to notify the affected people without undue delay. There are a few exceptions, such as when the compromised data was encrypted so that it is unintelligible to whoever obtained it (which only holds if the key was not exposed in the same incident), or when the controller has taken measures after the breach so that the high risk is no longer likely to materialize. The particulars of this rule may be open to interpretation and discussion, but when in doubt, the GDPR takes a strong, comprehensive stance on protecting user data.
Separately from notifying individuals, the data controller must report the breach to the competent supervisory authority (for an organization with its main office in the EU, the authority of that member state) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Processors have their own duty to tell the controller about a breach without undue delay, so meeting the 72-hour clock depends on having that channel set up in advance.
Hosting your organization’s website on a secure and well-maintained server reduces the risk of personal data breaches. DreamHost’s plans all include Let’s Encrypt SSL/TLS certificates, which encrypt data traveling between visitors and a DreamHost site. That covers data in transit; breaches of stored data are more often the result of weak passwords, unpatched software, and over-permissive access, so those need attention too.
8. Data controllers must give users access to their data when requested.
The meaning of this aspect of the GDPR is straightforward: if a user asks to see the data that you’ve collected on them, you have to hand it over, free of charge and normally within one month of the request (extendable by a further two months for complex or numerous requests, provided you tell the person why). The path to achieving this might be a little more winding, however, depending on your current circumstances.
To grant these requests, you’ll need a system for customers to submit requests and staff that can fulfill them. Technology that allows for personal data export will also be necessary. In Article 15, the GDPR outlines several other related rights to information, such as who has access to the data and how long it will be stored.
9. Users in the EU have “the right to be forgotten.”
Another provision related to data access is what the GDPR calls “the right to be forgotten.” In Article 17, data subjects are given the right to have their data deleted from a controller’s systems. The grounds include withdrawing the consent the processing relied on, the data no longer being needed for the purpose it was collected for, objecting to the processing, and the data having been processed unlawfully.
The article does, however, give guidance on when an organization can deny such a request. If the processing of the data is necessary for “exercising the right of freedom of expression and information,” for meeting a legal obligation, for establishing, exercising, or defending legal claims, or for serving the public interest in certain ways (public health, archiving, research), an organization need not comply. Either way, you should respond within the same one-month window that applies to access requests, and if you have passed the data on to other recipients, you must tell them about the erasure, too.
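To make the access and erasure duties in sections 8 and 9 (and the active-consent rule in section 5) concrete, here is an added Python example; it is not DreamHost’s code and not part of the regulation. It models a tiny user store, records consent only for an affirmative opt-in, builds an Article 15 export that carries purposes, recipients, retention periods and the response deadline, and performs an Article 17 erasure that is refused while a legal hold applies. The record layout, the retention periods, the recipients and the legal_hold flag are assumptions for illustration, not legal advice.

```python
"""Data-subject request handling: consent, access export, erasure.

Added example, not DreamHost's or the regulation's code. The record layout,
retention periods, recipients and legal_hold flag are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Article 12(3): answer access and erasure requests within one month.
RESPONSE_DEADLINE = timedelta(days=30)

# Assumed per-purpose retention periods and recipients (illustrative only).
RETENTION = {"orders": "6 years (accounting records)",
             "newsletter": "until consent is withdrawn"}
RECIPIENTS = {"orders": ["payment processor"],
              "newsletter": ["email delivery provider"]}


@dataclass
class Consent:
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class Subject:
    subject_id: str
    email: str
    orders: list[dict] = field(default_factory=list)
    consents: list[Consent] = field(default_factory=list)
    legal_hold: bool = False  # e.g. records needed for a tax audit or a legal claim


def record_consent(subject: Subject, purpose: str, opted_in: bool, now: datetime) -> None:
    """Store consent only for an affirmative act. A pre-checked box the user
    never touched must reach this function as opted_in=False and is rejected."""
    if not opted_in:
        raise ValueError("consent requires an affirmative opt-in")
    subject.consents.append(Consent(purpose=purpose, given_at=now))


def withdraw_consent(subject: Subject, purpose: str, now: datetime) -> None:
    """Withdrawal must be as easy as giving consent; here it is a timestamp."""
    for c in subject.consents:
        if c.purpose == purpose and c.withdrawn_at is None:
            c.withdrawn_at = now


def access_export(subject: Subject, requested_at: datetime) -> dict:
    """Article 15 response: the data plus purposes, recipients, retention and
    the date by which the controller must answer."""
    return {
        "subject_id": subject.subject_id,
        "email": subject.email,
        "orders": list(subject.orders),
        "consents": [
            {"purpose": c.purpose,
             "given_at": c.given_at.isoformat(),
             "withdrawn_at": c.withdrawn_at.isoformat() if c.withdrawn_at else None}
            for c in subject.consents
        ],
        "recipients": RECIPIENTS,
        "retention": RETENTION,
        "respond_by": (requested_at + RESPONSE_DEADLINE).date().isoformat(),
    }


def erase(store: dict[str, Subject], subject_id: str) -> dict:
    """Article 17: delete the record unless a listed exception applies. The only
    exception modelled here is a legal obligation to retain (Art. 17(3)(b))."""
    subject = store.get(subject_id)
    if subject is None:
        return {"erased": False, "reason": "no record held"}
    if subject.legal_hold:
        return {"erased": False, "reason": "retained to comply with a legal obligation"}
    purposes = {c.purpose for c in subject.consents}
    if subject.orders:
        purposes.add("orders")
    del store[subject_id]
    return {"erased": True, "purposes_covered": sorted(purposes)}


def demo() -> dict:
    """Walk one constructed subject through consent, export and two erasure attempts."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ana = Subject("u1", "ana@example.test", orders=[{"id": 1001, "total": "9.99 EUR"}])
    store = {"u1": ana}
    record_consent(ana, "newsletter", opted_in=True, now=now)
    try:
        record_consent(ana, "ads", opted_in=False, now=now)  # pre-checked box: rejected
        rejected = False
    except ValueError:
        rejected = True
    export = access_export(ana, now)
    withdraw_consent(ana, "newsletter", now + timedelta(days=3))
    ana.legal_hold = True
    first = erase(store, "u1")   # refused while the hold is in place
    ana.legal_hold = False
    second = erase(store, "u1")  # succeeds once the hold is lifted
    return {"rejected_prechecked": rejected, "respond_by": export["respond_by"],
            "first": first, "second": second, "remaining": sorted(store)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the file prints the walk-through: the pre-checked “ads” consent is refused, the export says a reply is due by 2018-06-24, the first erasure is declined because of the hold, and the second removes the record. In a real system the same checks would sit behind an authenticated request form, and the export and erasure would also have to reach backups and any processors that hold copies.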
10. Brexit doesn’t exclude the UK from the GDPR.
The GDPR applied to companies in the UK throughout the country’s departure from the EU, and the UK’s Data Protection Act 2018 mirrored the GDPR all the way down to the same May 25 start date. After Brexit took effect, the UK kept the regulation in domestic law as the “UK GDPR” alongside the Data Protection Act 2018, so the substance of the rules did not change. If you’re GDPR-compliant, you should be covered under the UK law as well, although transfers of personal data between the UK and the EU are now treated as transfers between separate jurisdictions.
11. Violating the terms of the GDPR comes with a hefty price.
Don’t try to get away with avoiding or ignoring the GDPR; it will cost you. The highest penalties for non-compliance include fines of up to €20 million (more than $23 million) or 4 percent of worldwide annual turnover for the preceding financial year, whichever is larger. This level of punishment would be reserved for the worst offenders, but it’s not worth finding out how minor misdeeds will be handled.
Aside from taking your money, the EU data protection authorities could also take away some data collection privileges from your company — or even ban you from collecting data altogether. Just do the right thing!
12. The emphasis of the new rules is lawful use and fair business.
The GDPR is intended to unify the data regulations of all EU member states. With the new laws, the rules are clearer and the playing field is more level in how EU businesses handle the collection and use of personal data. At the same time, it puts a strain on businesses in other countries to be compliant.
However, the push for security and transparency could be good for business in the long run, and it all has to do with customer perception. In recent years, there has been an increase in data security breaches, as well as added publicity surrounding the collection and use of people’s data.
In this age of data exchange, the GDPR is also meant to increase citizen trust in businesses by providing them with greater protections. The regulations are widely considered a win for individual privacy rights. But while it might be painful to have to update privacy notices — and possibly change data usage policies in your company — the GDPR has the potential to give customers greater confidence in commerce. The philosophy, in a nutshell, is that what’s good for the customer is good for business.