GDPR: What is it and why should you care?

June 8, 2018

What is GDPR?

During the past few weeks lots of us have been bombarded with privacy policy notification emails from various companies. This is because of GDPR, a new data privacy regulation being implemented by the European Union. It builds on and expands on the prior regulation from 1995.

The General Data Protection Regulation (GDPR) was agreed on after more than three years of negotiations between the EU’s institutions. It went into effect on May 25, 2018.

Why GDPR May Matter to You

If your site has any visitors who are European Union citizens and it collects personally identifiable information about those visitors, you should think about addressing GDPR. In short, any organization or business processing the data of EU citizens needs to comply.

What Counts as Personal Data?

Any information relating to an identified or identifiable person (a.k.a. ‘data subjects’) is considered personal data. That includes not only names, addresses, and similar personal information, but also users’ IP addresses.

Privacy Should be Built In

Oftentimes sites will have long terms and conditions and complicated privacy policies. That won’t fly anymore with GDPR. Privacy has to be built into the design, with privacy assumed as the default. Sites can still have legalese, but what the user initially sees needs to be short and straightforward.

The Right to be Forgotten

Site visitors (“data subjects”) may request what information an organization has on them, and that organization needs to provide it within thirty days. The data subjects may also request modification or deletion of their data, which also needs to be complied with within thirty days. They can also request a copy of their data in a common, machine-readable format (for example CSV); again, the thirty-day guideline applies here.

Data subjects have the right to withdraw their consent at any time. This can affect how your site collects and stores cookies, among other things.

Security Breach Reporting

GDPR requires that data controllers (the person within your company/organization who is responsible for ensuring GDPR compliance) report any security incident where personal data has been lost, stolen or otherwise accessed by unauthorized third parties to their Data Protection Agency (i.e. the agency within their EU country) within 72 hours of becoming aware of it. If the company is not based in Europe and has no offices there, this may not come into play, but larger firms will certainly need to consider this.

Steep Penalties for Non-Compliance

The maximum fine that organizations can be hit with for the most serious infringements of the regulation is 4% of their global annual turnover or €20M, whichever is greater, and protection agencies will be able to impose smaller fines too. There is a tiered system of fines with a lower level of penalties of up to 2% of global turnover (or €10M). There have been some interviews with GDPR enforcement agency representatives indicating that they prefer the carrot to the stick, and would only use penalties after companies have shown a refusal to shape up.

Some Easy Steps Towards Compliance

  • If you use Google Analytics, enable anonymization. This is done within your local Analytics embed code. If you use the Drupal Google Analytics module, you can configure it in the module settings.
  • Check out the GDPR module for Drupal. It provides a handy toolset for achieving GDPR compliance.
  • Add a cookie consent widget to inform users of the use of cookies. This should include information on specifically what cookies are being collected, what they are being used for, and which ones are first vs third party. If the cookies collect personal information, the user should have a way to opt out.
  • Review and update your privacy policy, with an eye towards making it easy to read, without a lot of legalese.
  • Review what personal information your site may collect about your site’s visitors, and map out a plan for finding information on a specific user. You will need to be able to respond to requests for personal data within thirty days, so it makes sense to be prepared for this eventuality.
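Since IP addresses count as personal data, the same anonymization that the Google Analytics setting above applies client-side is worth applying to anything your own server stores, such as access logs. The following is an added example, not code from the original post or from any Drupal module; it follows the scheme Google documents for Analytics (zero the last octet of an IPv4 address, the last 80 bits of an IPv6 address) and the log line it rewrites is constructed for the demo.

```python
import ipaddress

# Number of low bits to zero so the address no longer identifies a single host.
IPV4_DROP_BITS = 8    # last octet       -> keeps a /24
IPV6_DROP_BITS = 80   # last 80 bits     -> keeps a /48


def anonymize_ip(addr: str) -> str:
    """Return addr with its host-identifying low bits set to zero.

    Raises ValueError for strings that are not valid IPv4/IPv6 addresses.
    """
    ip = ipaddress.ip_address(addr)
    drop = IPV4_DROP_BITS if ip.version == 4 else IPV6_DROP_BITS
    masked = int(ip) & ~((1 << drop) - 1)
    return str(ipaddress.ip_address(masked))


def anonymize_log_line(line: str) -> str:
    """Rewrite the client address at the start of a combined-format log line.

    Lines whose first field is not a valid IP address are returned unchanged,
    so a malformed line is never silently dropped from the log.
    """
    parts = line.split(" ", 1)
    try:
        anonymized = anonymize_ip(parts[0])
    except ValueError:
        return line
    return anonymized if len(parts) == 1 else f"{anonymized} {parts[1]}"


# Constructed sample log lines (documentation-range addresses, not real visitors).
SAMPLE_LOG = [
    '203.0.113.57 - - [08/Jun/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [08/Jun/2018:10:00:01 +0000] "GET /about HTTP/1.1" 200 1024',
    'not-an-address - - [08/Jun/2018:10:00:02 +0000] "GET /x HTTP/1.1" 400 0',
]


def anonymize_log(lines):
    """Anonymize every line of a log before it is written to long-term storage."""
    return [anonymize_log_line(line) for line in lines]


if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```

Run this over logs before they are archived; the original addresses should never be kept alongside the anonymized copy.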