GDPR: What is it and why should you care?
What is GDPR?
Why GDPR May Matter to You
If your site has any visitors who are European Union citizens and your site collects personally identifiable information about said visitor, you should think about addressing GDPR. In short, any organization or business processing the data of EU citizens needs to comply.
What Counts as Personal Data?
Any information relating to an identified or identifiable person (a.k.a. ‘data subjects’) is considered personal data. That includes the obvious items such as names, addresses, and other personal details, but also users' IP addresses.
Privacy Should be Built In
Oftentimes sites will have long terms and conditions and complicated privacy policies. That won't fly anymore with GDPR. Privacy has to be built into the design, with privacy as the default assumption rather than an afterthought. Sites can still have legalese, but what the user initially sees needs to be short and straightforward.
The Right to be Forgotten
Site visitors ("data subjects") may request what information an organization has on them, and that organization needs to provide this within thirty days. The data subjects may also request modification or deletion of their data, which also needs to be complied with within thirty days. They can also request a copy of their data in a common, machine-readable format (for example CSV); again, the thirty-day guideline applies here.
Data subjects have the right to withdraw their consent at any time. This can affect how your site collects and stores cookies, among other things.
Security Breach Reporting
GDPR requires that data controllers (the person within your company/organization who is responsible for ensuring GDPR compliance) report any security incident in which personal data has been lost, stolen or otherwise accessed by unauthorized third parties to their Data Protection Agency (i.e. the agency within their EU country) within 72 hours of becoming aware of it. If the company is not based in Europe and has no offices there, this may not come into play, but larger firms will certainly need to consider this.
Steep Penalties for Non-Compliance
The maximum fine that organizations can be hit with for the most serious infringements of the regulation is 4% of their global annual turnover or €20M, whichever is greater, and data protection agencies will be able to impose smaller fines too. There is a tiered system of fines, with a lower level of penalties of up to 2% of global turnover (or €10M). There have been some interviews with GDPR enforcement agency representatives indicating that they prefer the carrot to the stick, and would only use penalties after companies have shown a refusal to shape up.
Some Easy Steps Towards Compliance
- If you use Google Analytics, enable anonymization. This is done within your local Analytics embed code. If you use the Drupal Google Analytics module, you can configure it in the module settings.
- Check out the GDPR module for Drupal. It provides a handy toolset for achieving GDPR compliance.
- Review what personal information your site may collect about your site's visitors, and map out a plan for finding information on a specific user. You will need to be able to respond to requests for personal data within thirty days, so it makes sense to be prepared for this eventuality.
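The first step above, enabling anonymization in the Google Analytics embed code, is a one-line change, but it helps to know what that line actually does to a visitor's address before deciding whether it is enough for your site. The block below is an added example, not code from the original post or from Google: the `ga('set', 'anonymizeIp', true)` call is the real analytics.js setting, while the `anonymizeIp` function and the constructed sample addresses are assumptions that model the documented effect of the setting (IPv4: last octet zeroed; IPv6: last 80 bits zeroed) so you can check it locally.

```javascript
// Added example (not from the original post or from Google). It models what
// Google Analytics' IP anonymization does to a visitor address so a site owner
// can see what "anonymized" means for IPv4 and IPv6 visitors.
//
// In the analytics.js embed code the setting itself is one line, placed after
// ga('create', ...) and before ga('send', 'pageview'):
//   ga('set', 'anonymizeIp', true);
// (with gtag.js the equivalent is: gtag('config', 'UA-XXXXXXXX-X', { anonymize_ip: true }))

// IPv4: the last octet is set to zero (documented GA behaviour).
function anonymizeIPv4(ip) {
  const parts = ip.split('.');
  const octetOk = p => /^\d{1,3}$/.test(p) && Number(p) <= 255;
  if (parts.length !== 4 || !parts.every(octetOk)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  parts[3] = '0';
  return parts.join('.');
}

// IPv6: the last 80 bits are set to zero, keeping the first 48 (documented GA behaviour).
function anonymizeIPv6(ip) {
  // Expand "::" and short groups to eight 4-hex-digit groups.
  const hasGap = ip.includes('::');
  const [head, tail = ''] = ip.split('::');
  const headGroups = head ? head.split(':') : [];
  const tailGroups = tail ? tail.split(':') : [];
  const count = headGroups.length + tailGroups.length;
  if (count > 8 || (!hasGap && count !== 8)) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  const fill = new Array(8 - count).fill('0');
  const groups = [...headGroups, ...fill, ...tailGroups].map(g => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error(`not an IPv6 address: ${ip}`);
    return g.padStart(4, '0').toLowerCase();
  });
  // 80 bits = five 16-bit groups: keep groups 0..2, zero groups 3..7.
  for (let i = 3; i < 8; i++) groups[i] = '0000';
  return groups.join(':');
}

// Dispatch on address family; throws on anything that is not a valid address.
function anonymizeIp(ip) {
  return ip.includes(':') ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Constructed sample addresses (documentation ranges, not real visitors).
const SAMPLE_VISITORS = ['203.0.113.42', '2001:db8:85a3::8a2e:370:7334'];
for (const ip of SAMPLE_VISITORS) {
  console.log(`${ip} -> ${anonymizeIp(ip)}`);
}
```

Note that even a truncated address is still personal data in combination with other fields (timestamps, user IDs, page paths), so anonymization reduces the identifiability of analytics data but does not remove the need for the rest of the steps above.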