As a website owner, what does this regulation change mean for you? Let’s have a look at some of the big questions that are being asked at the moment.
The EU’s General Data Protection Regulation (GDPR) is a new regulation that will come into effect on 25 May 2018.
Its main aim is to protect the data and privacy of all individuals within the European Economic Area, and extends the scope of the current EU data protection law to all companies that process personal data related to people located within the EU.
As we understand it, they don’t need to be subscribers or customers, or to be EU residents. What matters is that a person located within the European Economic Area (the EU plus Iceland, Liechtenstein and Norway) accesses your site (Article 3, which sets out the Regulation’s territorial scope).
So if you have a website with visitors from the EU/EEA, this means the GDPR affects you, and you need to take action as a result of this.
According to the 261-page document, the GDPR defines “personal data” and “processing” as:
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (Article 4)
So, if you collect or hold in any way information like names, IP addresses, or email addresses, you are affected by this.
There are a lot of differences, because the way we store, share and process data has changed a lot in the last decade or so, and the regulation aims to deal with that. Plus, the new regulation doesn’t just apply to EU companies: it also affects any company that holds information on web users located in the EU/EEA (i.e. you).
Some of the main points of the GDPR are:
- People must give consent to you having their information. You must make it very clear what they are agreeing to, and it must be as easy to withdraw consent as it was to give it.
- People should have access to the data you hold on them, on request. This data should be provided in a format that allows them to transmit it to another controller if they want to.
- Data subjects can request that you delete their data under certain conditions. (You can’t erase data that the law in your country requires you to keep, for example.)
- You should only collect the data you really need (data minimisation), and should limit access to personal data to those people who need it to do their job.
- Certain organisations must appoint a Data Protection Officer (DPO) to monitor internal compliance with the Regulation. The test is what you do with data, not your turnover: public authorities, organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and those processing special categories of data on a large scale (Article 37). A typical small business website probably doesn’t need one.
- You need to document the data you collect and maintain records of what you do with it. Supervisory authorities have the right to ask to see those records. Recital 13 notes that the Regulation “includes a derogation for organisations with fewer than 250 employees with regard to record-keeping”; the derogation itself is in Article 30(5), and it does not apply if the processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data.
- Companies must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Article 33), and must notify the affected individuals “without undue delay” when the breach is likely to result in a high risk to them (Article 34). Finding your supervisory authority could be a challenge: if you’re in the EU, it’s the supervisory authority of your country. If you’re not, it’s a little unclear. IAPP suggests that Ireland could be a good choice for English-language speakers.
- You can be fined quite heavily for non-compliance. However, you can only be fined by a supervisory authority within the EU. Since best practice is yet to be established, a good-faith attempt to meet the regulations is likely to stand you in good stead. Supervisory authorities can also issue a warning or reprimand rather than a fine (Article 58), and if you take action as a result of a warning, harsh penalties seem unlikely, especially for blogs and other small businesses.
If you have a website, chances are some of your visitors are from the EU/EEA. If you collect any kind of data on your site visitors (through plugins or email signups) the law affects you.
In the strictest interpretation of the rules, nobody in the EEA would be able to access any website without explicitly clicking a button to give consent to opening the page. This is unfeasible and probably not the intention of the regulation.
We’re looking into simple technical changes that can be made for Performance Foundry clients, and will be in touch with suggestions.
Google also sent out one of these emails, which caused quite a lot of confusion and dismay in the Performance Foundry community, because while the email included an “action required” rider, it was very difficult to work out exactly what action to take.
Among the many issues touched on in the email was an announcement that Google Analytics was introducing granular controls, to be able to choose how long user data is retained in Google Analytics. The idea is that after the period of time you choose, the data is deleted automatically.
You can choose from the following options:
See Google’s help documentation for more information.
Google has set the default to 26 months, so if you do nothing, then data that is slightly over two years old will be deleted on a rolling basis each month. If you’d like to keep the data for longer than this, you’ll need to log in to Google Analytics and change the settings. This default setting was not made clear in the email, so it’s something to be aware of.
Another part of the email mentioned that before May 25, Google will also introduce a new user deletion tool. This is great, because if an individual user asks you to delete all data you have on them, you’ll be able to do a lot of that right in Google Analytics.
If you use Google’s advertising products, it seems that you have a couple of options:
According to Google’s help documentation:
For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.
You must obtain end users’ legally valid consent to:
- the collection, sharing, and use of personal data for personalization of ads or other services.
When seeking consent you must:
- retain records of consent given by end users; and
- provide end users with clear instructions for revocation of consent.
You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.
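The duties in that policy (consent before ads are personalised, a retained record of that consent, and a clear way to revoke it) map onto one concrete technical change a site can make: don’t load the ad or analytics tag until consent for its purposes exists, and keep a log of what was agreed and when. The JavaScript below is an added example written for this post, not Google’s code and not anything from the original article. The function and purpose names, the policy version label and the in-memory store are all assumptions for illustration; a real site would persist the records in a first-party cookie or localStorage and inject the actual `<script>` element inside the `loader` callback.

```javascript
// Added example (not from the original post or from Google): a minimal
// consent gate for third-party tags. It keeps an append-only record of
// every consent decision (what was agreed, to which policy version, when),
// loads a tag only after consent for all of its purposes exists, and
// supports revocation. All names and the version label are assumptions.

const CONSENT_POLICY_VERSION = "2018-05"; // assumed label of the text shown to the user

// Purposes a user can consent to; a tag declares which purposes it needs.
const PURPOSES = Object.freeze({
  ANALYTICS: "analytics",
  AD_PERSONALIZATION: "ad_personalization",
});

// Empty consent store. `records` is append-only so the history of consent
// and revocation is retained as evidence rather than overwritten.
function createStore() {
  return { records: [] };
}

// Record an explicit opt-in. Only purposes the user actively chose are
// granted; anything not listed is treated as refused (no pre-ticked boxes).
function recordConsent(store, grantedPurposes, now = Date.now()) {
  const allowed = new Set(Object.values(PURPOSES));
  for (const p of grantedPurposes) {
    if (!allowed.has(p)) throw new Error(`unknown purpose: ${p}`);
  }
  store.records.push({
    action: "grant",
    purposes: [...grantedPurposes],
    policyVersion: CONSENT_POLICY_VERSION,
    at: now,
  });
  return store;
}

// Withdraw consent for the given purposes (everything if none are given).
function revokeConsent(store, purposes = Object.values(PURPOSES), now = Date.now()) {
  store.records.push({
    action: "revoke",
    purposes: [...purposes],
    policyVersion: CONSENT_POLICY_VERSION,
    at: now,
  });
  return store;
}

// Current state is derived by replaying the log: the latest record for a
// purpose wins, and grants made under an older policy text do not carry over.
function currentConsent(store) {
  const state = new Set();
  for (const r of store.records) {
    if (r.policyVersion !== CONSENT_POLICY_VERSION) continue;
    for (const p of r.purposes) {
      if (r.action === "grant") state.add(p);
      else state.delete(p);
    }
  }
  return state;
}

function hasConsent(store, purpose) {
  return currentConsent(store).has(purpose);
}

// Gate a tag behind consent. `loader` is whatever injects the script; it is
// called only when consent exists for every purpose the tag needs.
function loadTagIfConsented(store, neededPurposes, loader) {
  const ok = neededPurposes.every((p) => hasConsent(store, p));
  if (ok) loader();
  return ok;
}

// Copy of the records, e.g. to answer a subject access request or to show
// a supervisory authority what was agreed and when.
function exportRecords(store) {
  return store.records.map((r) => ({ ...r, purposes: [...r.purposes] }));
}

// Demo with constructed decisions (not real user data).
if (typeof require !== "undefined" && require.main === module) {
  const store = createStore();
  const loaded = [];
  const loadAds = () => loaded.push("ads-tag");

  loadTagIfConsented(store, [PURPOSES.AD_PERSONALIZATION], loadAds); // no consent yet
  recordConsent(store, [PURPOSES.ANALYTICS], 1000);                 // analytics only
  loadTagIfConsented(store, [PURPOSES.AD_PERSONALIZATION], loadAds); // still blocked
  recordConsent(store, [PURPOSES.AD_PERSONALIZATION], 2000);
  loadTagIfConsented(store, [PURPOSES.AD_PERSONALIZATION], loadAds); // now loads
  revokeConsent(store, [PURPOSES.AD_PERSONALIZATION], 3000);
  console.log("loaded:", loaded, "records kept:", exportRecords(store).length);
}
```

The behaviours worth noting: the loader never runs without consent, consent for one purpose does not imply another, and revocation is applied by replaying the log rather than by deleting records, so the evidence of what was agreed survives the withdrawal (Article 7(1) requires a controller to be able to demonstrate that consent was given).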
So yes, it’s difficult and complicated. Action is definitely required, but our feeling is that if you take action now to show that you’re trying to comply, that will go a long way.