In May 2016, the final text of the European Union's General Data Protection Regulation (GDPR) was published. It becomes enforceable in all EU member states on 25 May 2018.
This regulation aims to address the new ways of exploiting personal data through the internet and cloud technology. It also aims to give businesses a clearer legal environment in which to operate throughout the EU.
The GDPR introduces new accountability obligations, stronger rights and restrictions on international data flows. It gives people more say over what companies can do with their data.
The data protected by this regulation is all information about an identified or identifiable person: for example their name, address or e-mail address, but also cookies, photos or IP addresses. If the data can be used to find out who the person is, it is personal data and therefore protected by the GDPR.
Whoever wants to store such data needs demonstrable permission from the person concerned to collect it. That person must be able to view, correct, delete and transfer the stored data.
Controllers and processors
Not only the 'controller' must abide by the GDPR, but also the 'processor'. The processor does the actual data processing and could, for example, be an IT firm. The controller is the organisation that collects the data. Controllers and processors based outside the EU must still follow the GDPR if they keep track of data belonging to EU citizens.
It is the controller's responsibility to ensure that its processor follows the regulation, and it is the processor's responsibility to maintain records of its processing activities. Controllers must ensure that personal data is processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, the data has to be deleted.
Controllers need to keep a record of how, and when, a person gave his/her consent. Additionally, they need to give individuals the possibility to withdraw their consent whenever they want.
Individuals can ask to access their personal data at "reasonable intervals" to view, correct, delete or transfer it. The controller needs to respond within one month.
The controller should implement measures that meet the principles of data protection by design and data protection by default, and it is the processor's responsibility to implement these measures. What happens in case of a data breach that puts the rights and freedoms of individuals at risk? The controller must notify a data protection authority within 72 hours of becoming aware of the breach, and must also notify the persons whose data has been leaked.
The regulation requires controllers and processors to be transparent about how they collect data, what they do with it, and how they process it. They need to be clear, using plain language, in explaining this to people.
What a website owner needs to know
Any cookie or other identifier uniquely attributed to a device, and therefore capable of identifying an individual or singling them out, is personal data and falls under the GDPR, even if a third-party plugin is what plants the identifier.
This means that many web analytics cookies, advertising and targeting cookies, and quite a few functional services such as survey and chat tools store personal data.
A few actionable steps:
- Get rid of cookie boxes: a notice like “By using this site, you accept cookies” does not qualify as consent for storing visitors' data.
- Your visitors must be able to accept or decline tracking: consent has to be a manual action, and visitors must be able to opt out at ANY time.
- Don't collect data just because you can: you need to be able to justify and describe every purpose for which you use the personal data you collect.
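The three steps above, together with the earlier requirement that a controller records how and when consent was given and lets people withdraw it, can be turned into a small opt-in gate in front of any third-party script. The following is an added example written for this article, not code from the article itself or from any named product. It assumes a fixed list of documented purposes, a consent record stored as JSON under a hypothetical key, and an injected storage adapter so the same logic runs in a browser (backed by localStorage) or in Node.

```javascript
// Opt-in consent gate for third-party scripts (added example, not from the article).
// Assumptions, all constructed for illustration: purposes come from a documented
// list, the consent record is a small JSON object under a hypothetical storage
// key, and a storage adapter is injected so the logic also runs outside a browser.

const CONSENT_KEY = "consent_record_v1"; // hypothetical storage key

// Every purpose must be documented by the site owner; anything else is refused.
const PURPOSES = Object.freeze(["analytics", "advertising"]);

// Only explicit user actions count; a passive "by browsing you accept" does not.
const VALID_ACTIONS = new Set(["explicit_click", "explicit_form"]);

function createConsentManager(storage, now = () => new Date().toISOString()) {
  function load() {
    const raw = storage.get(CONSENT_KEY);
    return raw ? JSON.parse(raw) : { version: 1, decisions: {} };
  }
  function save(record) {
    storage.set(CONSENT_KEY, JSON.stringify(record));
  }

  // Absence of a decision is never treated as consent.
  function hasConsent(purpose) {
    const d = load().decisions[purpose];
    return Boolean(d && d.granted === true);
  }

  // Record a decision together with how and when it was given, so the
  // controller can later demonstrate the basis for processing.
  function record(purpose, granted, action) {
    if (!PURPOSES.includes(purpose)) {
      throw new Error("undocumented purpose: " + purpose);
    }
    if (!VALID_ACTIONS.has(action)) {
      throw new Error("consent requires an explicit user action, got: " + action);
    }
    const rec = load();
    rec.decisions[purpose] = { granted: granted === true, action, at: now() };
    save(rec);
    return rec.decisions[purpose];
  }

  // Withdrawal is itself a recorded decision; the caller supplies the cleanup
  // that removes identifiers already set for that purpose (e.g. cookies).
  function withdraw(purpose, cleanup, action = "explicit_click") {
    const d = record(purpose, false, action);
    if (typeof cleanup === "function") cleanup();
    return d;
  }

  // Gate: run the loader (e.g. injecting an analytics script) only with consent.
  function runIfConsented(purpose, loader) {
    if (!hasConsent(purpose)) return false;
    loader();
    return true;
  }

  return { hasConsent, record, withdraw, runIfConsented, exportRecord: load };
}

// In-memory adapter so the example runs in Node; a browser would use
// { get: (k) => localStorage.getItem(k), set: (k, v) => localStorage.setItem(k, v) }.
function memoryStorage() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => m.set(k, v),
  };
}

// Browser wiring (not executed here; button and loader names are hypothetical):
// const consent = createConsentManager(localStorageAdapter);
// acceptBtn.onclick = () => {
//   consent.record("analytics", true, "explicit_click");
//   consent.runIfConsented("analytics", loadAnalyticsScript);
// };
// withdrawBtn.onclick = () => consent.withdraw("analytics", () => {
//   // placeholder cookie name; expire whatever identifier the tool set
//   document.cookie = "analytics_cookie_name=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/";
// });
```

The design choice worth noting is that `hasConsent` returns false for any purpose that has no recorded decision, so a freshly arriving visitor is never tracked, and that `record` refuses both undocumented purposes and non-explicit actions, which is exactly the behaviour the first two steps above ask for. The stored `action` and `at` fields are what the controller can later show to demonstrate how and when consent was obtained or withdrawn.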