The GDPR is now in effect. Learn about your rights as a user, and your responsibilities as a website owner, as of 25 May 2018.
Much of what the new regulations require of businesses is very straightforward. On the user end, however, many of the regulations seem complex and difficult to understand, despite the fact that one of them requires consent language to be clear and unambiguous. But here at TechBoomers, we believe that everyone – especially the casual technology user – should be able to understand what’s going on and how things work. So this article will break down everything you need to know about the new GDPR rules.
In this article, we’ll explain:
- What is the GDPR?
- What is considered “personal data” under the GDPR?
- What does the GDPR mean for users?
- User checklist of what to do
- What does the GDPR mean for your organization’s website?
- Site owner checklist of what to do
- Terms you may not understand: explained
- More helpful resources for understanding the GDPR
61% of infosec pros believe that the GDPR will genuinely protect consumers’ privacy, so read on to learn everything you need to know about what the GDPR means for you.
What is the GDPR?
The GDPR is a set of regulations enforceable as of 25 May 2018 that requires any business operating within the EU digital economy to better protect user privacy in the online world. Companies must make users aware of how and why they collect their data, and proactively protect it from possible breaches.
These regulations have been in effect in EU countries since 2015, and have been followed by many EU businesses. Prior to the 14 April 2018 approval, however, they were seen as suggestions and were not legally binding. The new regulations force any entity operating within the EU, which includes essentially any website in the world that a person residing in the EU can access, to follow them or face fines of €20 million or up to 4% of their annual global turnover.
Sanctions and fines will, of course, depend on the severity of the breach of these regulations. A significant breach in which all users’ names, addresses, and credit card numbers have been obtained is obviously more substantial than failure to appoint a qualified Data Protection Officer. Regardless, all new regulations laid out in the GDPR should be taken seriously, and certainly will make businesses more aware and cautious about how they protect their users’ privacy.
What is considered “personal data” under the GDPR?
Personal data, as defined by the GDPR, includes any information that can uniquely identify a user. This includes names, addresses, photos, IP addresses, genetic or biometric data, and much more. The GDPR expanded the list of what counts as personal data, so that any uniquely identifying attribute of a user is protected.
What does the GDPR mean for users?
If you’re a user of any website, the GDPR is here to protect you – it is all about your new rights! The EU wants you to be fully aware of them so you can protect your privacy and use websites with full knowledge of what they are doing with your information. This is a brief summary of the new rights you have under the GDPR.
A right to: know how your data is collected and processed
A right to: know exactly what the website is doing with your data
You know the how, but what exactly do they do with your information? Is it given to third parties? Is it sold? Is it used for internal purposes only? You need to be aware of this to determine whether this website is one you want to use or not.
A right to: opt-out immediately if you don’t like it
The website must explain to you immediately – before you actually use it – if they are tracking you in any way. If you don’t like what they are doing, you can decline to let the website use cookies to track you. The website then has the option of not using the cookies and allowing you to use the site, or of preventing you from accessing it further if you do not agree with their policies.
A right to: understand with clear, general language, what is going on
If the way this organization explains what they are doing with your data is too confusing, or if at any time you don’t understand it, then the company likely needs to update their policy. Contact someone in customer service and ask them to explain the parts you don’t understand. Then suggest they update their policy to use the simpler terms they explained to you so that all users have a better grasp of what they are doing with user data.
A right to: know when your data has been hacked/there has been a breach
The GDPR’s most serious sanctions are reserved for companies who leave themselves open to a breach of user data, and especially those that fail to act on it. If your information is compromised in any way, the entity must notify you within 72 hours. They must explain what was compromised, how it was compromised, and what they intend to do to prevent that from happening in the future. This new regulation makes a lot of sense, given how frequently serious data breaches have occurred over the past 15 years.
A right to: be forgotten
If at any time in the future you want your data to be removed or erased, you have a right to this now. Even if you provided consent to data collection in the past, you are able to contact an organization and request that your information be permanently erased. If you do, they are not allowed to keep your data, even if you already agreed to them doing so in the past.
User checklist of what to do
Now that you are aware of your rights as a user, there are a few things you should be doing to make sure the online services you use comply with these new standards.
1. Think about what you are currently in agreement to
2. Think about the types of services you use and pinpoint the biggest potential risks
Think about the sites and apps you use every day, and identify the services where a breach of data privacy would hurt you the most: places you put in your credit card information, social security number, home address, or telephone number. Make sure you read these updated privacy policies, and understand both what the organization is doing with this information, and what they would do in the case of a data breach.
Make sure you also stay wary of possible phishing scams using the GDPR as a guise for obtaining your information. If you receive an email from a website or app you use, they won’t be asking for more information; they will be asking for your permission to keep the information on you that they already have! So don’t click any suspicious links in emails, or provide any additional information to anyone. Watch out for scams like this appearing to be from Airbnb while trying to steal your credit card information.
What does the GDPR mean for your organization’s website?
If you don’t have a proactive privacy protection plan in place, your organization could be headed for trouble; you’re opening yourself up to future fines and sanctions if you don’t comply with the GDPR. The old relaxed viewpoint of “guidelines” is gone; with the GDPR, you now have regulations that legally bind you to protect your users’ data and make sure they are informed of what you do with it.
One of the most important changes is that geographical borders are no longer relevant to data protection. If your website, app, or service is available to anyone within the EU, you are responsible for adhering to these regulations. The other key point is that you are most likely to receive a fine if you are responsible for a breach of data and you a) could have easily prevented it, or b) are not transparent about it and do nothing to respond to it and help your users.
If you’re unsure about what exactly it is you need to start doing, read the checklist below. In most cases, you’ll likely find you are already at least partially adhering to these regulations – you just need to spruce up your policies or put plans in place to be a little more proactive.
Site owner checklist of what to do
You are now aware of your responsibilities. They may seem like a lot; are you ready for this shift? Where do you start? Is what you’ve done so far to comply really complying? Even the U.K. plans to comply in entirety with the GDPR, despite Brexit; so you should, too. This checklist will help you make sure you’ve done what you need to do to protect your users.
1. Identify the channels you use to collect data
This is quite obviously step 1. Make a list of all the ways in which you obtain any form of information from your users. These might include:
- Newsletter subscriptions
- User profiles
- User accounts
- Images sent in to your service
- Tracking locations
- Tracking where users come from/go to on your site
…and many other things. You need to know every avenue through which data is coming into your website so you can figure out what needs to be done at each step to ensure you are compliant with the GDPR.
2. Update every channel of data retrieval so that consent is clear and obvious
Once you know where the data is coming from, you need to make sure each step has clear and obvious consent when the user agrees to have you collect their data or information. All language needs to be clear – no legalese, no confusion – just simple, clear language that any average person can understand. If they have to sit and mull over 2-3 sentences that explain why you are collecting their data, you aren’t doing this right.
3. Re-contact anyone if consent wasn’t explicit and clear in the past
If you noticed through this check-up that your consent was not very clear in the past, you need to reach out to any person who has agreed to your service, or whose data you control in any way. This is technically only true of users who reside in the EU, but it is good practice to make sure you take all your users’ privacy seriously. Make sure they consent to your control of their data now. If they decline or don’t respond, it is your responsibility to permanently delete that information.
4. Get rid of info you collected that did not comply, or information you simply don’t need
Identify any forms of data you collected without asking for consent, as well as information you have but simply don’t need anymore. For example, if your service used to require phone numbers for verification, but no longer does, permanently remove any of that information.
If you don’t need the data for any reason currently, or you obtained it without consent, ask yourself: why are you still keeping it? It’s safer to get rid of it and protect your users than be fined for harboring information you don’t even need.
5. Appoint a Data Protection Officer (DPO)
A Data Protection Officer is a person who would be responsible for all levels of the data coming into your website. This person would deal with any issues related to user privacy, and make decisions based on policies regarding privacy.
Though this would be a good practice for any entity, some companies simply don’t have the resources to employ a person solely for this reason. In many cases, this is because your site does not obtain data in large enough quantities for this to be a necessity. You are only required to have a Data Protection Officer if your entity:
- Is a public authority
- Engages in large-scale systematic monitoring
- Engages in large-scale processing of sensitive personal data
If your organization doesn’t do any of these three things, then you probably don’t need a DPO. You do, however, need at least one person who is versed in the GDPR, what it means, and what you are responsible for.
6. Make all employees aware of the GDPR, and what their responsibilities are
Especially in the case of customer-facing employees, you want to make sure your employees know what they need to do to assist users through any issues related to data or privacy protection. This would be the responsibility of the DPO (if you have one). Make sure that, at every level, your employees know what they need to do to handle any issue that may arise in the future.
7. Put a data breach plan into place
As we mentioned above, one of the most serious issues related to these new regulations is what happens if your organization leaves itself vulnerable to a breach of data. If your users’ information is compromised in any way, your company is liable for that, and may face fines and other discipline. However, what you do proactively to prevent a breach, and how you respond to one if it does happen, will greatly affect the severity of the consequences against your company. Here’s a rundown of what you need to know:
- By law, a breach needs to be reported to your users within 72 hours
- The report must include the categories of information exposed, the number of users who were compromised, and the categories and numbers of personal data records concerned
- Transparency during this process is your best bet at not being fined, or reducing the fines coming at you
- You must explain the situation and communicate it clearly to all employees, especially those who will be responding to and assisting customers that have concerns about their data
- Create a social media response and make sure you have enough available employees to respond to social media outreach from users
- Publicly publish as much information as you can, as fast as you possibly can, explaining what happened with the breach
- Direct users across as many channels as possible (newsletter, emails, social media, website popups, etc.) to a blog post or micro-site that explains what happened.
- Provide your users with clear instructions for filing complaints, reporting suspicious behavior, or getting assistance from your organization
- Provide constant updates going forward until the situation is resolved
By creating a plan for each of these steps before there is a breach of data, you will be much more likely to handle the situation in a way that is satisfactory to not only the EU Commission, but your users as well. On the other hand, failing to prepare for a breach will not only certainly result in fines, but will probably encourage your users to ditch your service in favor of one that better protects their information.
Terms you may not understand: explained
Many of the terms thrown out to make sure you are compliant or understand your rights are surprisingly unclear. Here are some definitions that anyone can understand about what they really mean.
- Consent: A person must actually agree to you using their data, as well as understand what it is being used for. If they haven’t in the past, you need to either get their consent now or remove their data.
- Data breach notification: An explanation to your users that a breach has occurred with their data. You must tell them what was compromised, what it means for them, and what you are doing to ensure this does not happen again in the future.
- Data Erasure or “Right to be Forgotten”: A person has the right to have their data erased, to prevent further dissemination of it, and to prevent third parties from further processing the data. This includes situations where the data is no longer relevant to the service being provided, or the person later withdraws their consent.
- Data portability: A person can receive the data collected about them in a commonly-readable format, and can transmit that data to another party if they so choose.
- Data Protection Directive: The previous version of the GDPR that contained most of these regulations, but as suggestions only for businesses operating within the EU.
- Data Protection Officer (DPO): A person appointed to be in control of data collection, protection, and all other things concerning users’ data privacy. This is really only necessary for organizations that collect and use data on a larger scale, or that are a public/governing entity.
- Directive: A legislative act that is seen more as a goal for entities to aspire to achieve. This is opposed to a regulation, which is a binding legislative act that an entity must abide by.
- EU Digital Single Market: Digital economy activity taking place related to any businesses or person residing in the EU.
- “Extra-territorial applicability” or “Increased territorial scope”: The GDPR rules apply not just to businesses operating in the EU, but to any business possessing the data of citizens within the EU.
- Personal Data: Any information that uniquely identifies a user, either directly or indirectly. Common data items include name, location, and identification number.
- “Privacy by Design”: When you are designing your system, it needs to have privacy in mind from Stage 1 – not as an afterthought to what you have created.
- Pseudonymisation: Data is stored in such a way that it cannot be understood without the use of additional information (such as a decryption key).
- “Right to Access”: A person’s right to know whether or not their data is being processed, where it is being used, and for what purpose you are using it.
More helpful resources for understanding the GDPR
If you need any additional help, or want to learn more straight from the source, check out these other helpful articles and websites.
- The EU General Data Protection Regulation | eugdpr.org – get your information straight from the source
- Facebook and Google Hit With $8.8 billion in lawsuits on day one of GDPR | The Verge – find out what happens when your website doesn’t comply with the GDPR
- GDPR Article Summaries | eugdpr.org – a short summary of each article within the GDPR
- How the GDPR will Make Consumers King of Their Data | TechRepublic – a summary of how the GDPR put consumers first when it comes to data protection
- How GDPR is Affecting the Games You Love | Engadget – the gaming industry had to comply with these rules too – find out what that means for you
- GDPR: US News Sites Unavailable to EU Users Under New Rules | BBC News – find out which sites couldn’t comply in time
- GDPR FAQs | eugdpr.org – frequently asked questions (with answers) about the GDPR