In this article, we’ll explain a little about what the GDPR is and give you some tips for being actively compliant with this new regulation in case you collect, store and share EU citizens’ information.
The EU General Data Protection Regulation, hereinafter GDPR, changed the rules for a lot of people on the internet, and we are no strangers to this. Many companies and online businesses have been forced to change their structures, products, and activities related to the collection of data, which covers almost every commercial or marketing activity on the internet.
On the GDPR.eu site, we can read the following:
“The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
GDPR.eu is provided to you as a helpful resource to quickly find all 99 Articles and 173 Recitals of the Regulation, as well as helpful guides and checklists that walk you through how the Regulation may apply to you. Here you can find the official PDF of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version.”
As we can read, the GDPR is an active way to practice privacy and security of personal data by modifying the organization’s methods of collecting, storing, and sharing information, with an emphasis on compliance.
The GDPR defines many legal terms to refer to the data-related activities of companies. The most important ones are the following:
Personal data: Personal data is any information that relates to an individual who can be directly or indirectly identified. Examples include name and email address, location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political standings. Pseudonymous data can be considered personal data as well if it’s relatively easy to identify someone from it.
Data processing: Any action performed on data, whether automated or manual. This includes collecting, recording, organizing, structuring, storing, using, erasing, or, basically, anything you do with the data.
Data subject: The person whose data is processed; these are your customers or site visitors.
Data controller: The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.
Data processor: A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud servers or email service providers like Google.
Data protection principles:
If you process data, you have to do it according to seven principles:
- Lawfulness, fairness, and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
People’s privacy rights
You are a data controller and/or a data processor. But as a person who uses the Internet, you’re also a data subject. The GDPR recognizes a litany of new privacy rights for data subjects, which aim to give individuals more control over the data they loan to organizations. As an organization, it’s important to understand these rights to ensure you are GDPR compliant.
Below is a rundown of data subjects’ privacy rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling.
How it can affect you:
The GDPR applies when you process EU citizens’ information, even if your company is not located in the EU.
The fines for violating the GDPR are pretty high and depend on the amount of money your organization generates annually, maxing out at €20 million and with a minimum of €10 million.
It’s very easy to violate the terms imposed by this regulation, especially if you use third-party software on your sites without knowing how it handles information. For example, if you install a simple plugin that displays something visual, and that asset is not stored locally but requested from another website, that website can collect the IP addresses of all your visitors, as we will see in the next section. It’s that simple to be non-compliant, so awareness of this is paramount for small and medium-sized companies.
How this affects us at Themekraft
We have a plugin called TK Google Fonts whose function is to display Google Fonts on your website. To do this we created an Ajax request to Google to load the asset into the page, so it is loaded directly from the Google server that stores the font families and other assets.
When the Ajax request is made, Google is able to acquire the IP address from which the request is made, that is, the IP address of every one of your visitors. Giving that information about the user to Google, in this case the IP address, violates the GDPR.
With the premium version of the plugin, this is no longer the case. With the new GDPR Compliant functionality, the website downloads the assets and loads them locally instead of from Google, so Google cannot acquire the IP address, or any other information, of your visitors. The assets are stored in your backend and served from there, so no request to Google is made.
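As an added example (our own illustration here, not code from the TK Google Fonts plugin), a small Python audit that lists every third-party host a page’s HTML would make a visitor’s browser contact, including fonts pulled in through a CSS `@import`, so a site owner can confirm that the remote Google request described above no longer happens once assets are served locally. The HTML and site URL you pass in are whatever you want to check.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser request a resource while rendering.
REQUEST_ATTRS = {"link": "href", "script": "src", "img": "src",
                 "iframe": "src", "source": "src"}
# Inline CSS also triggers requests via @import and url(...), the usual way
# a remote font stylesheet is pulled in.
CSS_URL_RE = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s]+)""")


class _ResourceCollector(HTMLParser):
    """Collect every URL the browser would fetch when rendering this HTML."""

    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = REQUEST_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(attrs[attr])
        self._in_style = self._in_style or tag == "style"

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(CSS_URL_RE.findall(data))


def third_party_resources(html, site_url):
    """Map each third-party host the page would contact to the URLs requested from it."""
    site_host = urlsplit(site_url).hostname
    collector = _ResourceCollector()
    collector.feed(html)
    found = {}
    for raw in collector.urls:
        if raw.startswith("data:"):  # inline data, no network request
            continue
        absolute = urljoin(site_url, raw)  # resolves relative and //host/ URLs
        host = urlsplit(absolute).hostname
        if host and host != site_host:
            found.setdefault(host, []).append(absolute)
    return found
```

An empty result means every asset on the page is served from your own host; any host listed is one that receives your visitors’ IP addresses.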
You can download the TK Google Fonts plugin from here.
All the documentation about it is here.
How can we help you with BuddyForms?
Within BuddyForms there is a GDPR Compliance feature you can add to your forms to get a GDPR compliant form in an instant, as you can see in this video.
With this function you can have a safe and compliant newsletter subscription form, or any other kind of data collection form you need.
As mentioned in the video, all the information entered into those forms is stored locally and no third party is involved.
You can download the BuddyForms plugin here.
And you can check all the documentation available for it here.
We can give you some tips so you are GDPR compliant and ready in case any of your clients, customers, or subscribers request their information or exercise their right to be forgotten.
- First of all, allow people to “positively opt in” to sharing their information and to you storing it. People have to take explicit action to allow you to collect and use their data. Keep evidence of when someone opted in to you collecting the data, such as an email or some other record.
- Write a fair processing policy that is easy to read and understand, and keep it in an easily accessible place on your site, or even better, send it as soon as you receive a new email address. In this policy you should state which data you are collecting, how you are collecting it, how you are storing it, how you are using it, why you are collecting it, and with whom you’ll share it.
- Have a process for providing the information you hold on a person. According to this new regulation, you have to provide the information within one month and free of charge.
- Have a process in place to erase all the information you hold on a person if they demand it. Remember they now have the “Right to Be Forgotten”. This process should be straightforward and should be carried out by someone with technical knowledge and access to the information. Don’t assign this task to someone who is not prepared to do it, because the consequences can be fatal for a small or medium-sized company. Basically, make it easy to opt out.
- Organize the data as soon as you collect it, so you know which information you hold on whom and where. This way you’ll never forget, misplace or erase data by mistake.
- Store the data in a secure location. If you have a lot of information, and especially if it is sensitive, you should have a secure location, either in the cloud or in a physical place such as your own server or an external hard drive, and you should have a protocol in place for accessing, erasing or copying the information.
- Record the safety measures you have in place and create a document, written or recorded on video, so every employee of your company is aware of the importance of keeping this information secure and organized.
- Don’t store unnecessary data. Not all data is useful for you or your goals, so only store the data you may use. For this, you should have a clear vision of your objectives and how to accomplish them.
- Finally, make your team aware of the new GDPR laws. If you have a lot of information, especially if it’s sensitive, appoint a Data Protection Officer (DPO) to take care of all the tasks described above. This way you can be sure these measures are carried out by someone who is technically prepared to do it. The DPO should read the entire 88-page document and consult with an attorney.
Thanks for taking the time to read our perspective on this important and interesting subject. If you have doubts about this subject or any of our products or services, reach out to us at [email protected]. We are more than happy to answer all your questions.