The Internet as we know it is about to come to an end. The same goes for off-line marketing practices, digital and non-digital data storage practices and life in general. GDPR is a biggie. It sets out the data ownership rights of people within the European Union’s borders and the data management obligations of data controllers and data processors who collect, store, process or otherwise handle data that belongs to EU Data Subjects, and GDPR has global reach.
Welcome to the brave new internet governed by the General Data Protection Regulation.
GDPR says that EU Data Subjects (i.e. people in the EU when their data is collected) own the data that is personal to them. With that ownership right in mind, GDPR means that people who collect (i.e. control or process) personal data about EU Data Subjects must protect that data, must use that data responsibly, must only use it for the purposes agreed by the EU Data Subject and must give the EU Data Subject access to their own data so they can check its accuracy, make a copy of it, amend it or delete it.
Put more simply: Treat people’s data like you would family secrets.
There is a lot of well-meaning but poor advice flying around and it is freaking people out, especially people in the US. There is no need to panic just yet. It will take a couple of test cases to pass through the courts before a proper interpretation of the GDPR rules is established.
This guide to GDPR explains why 100% GDPR compliance is not yet possible for the majority of website owners and businesses that store data in digital format. The guide is written with website ownership and internet marketing in mind.
GDPR: What is it?
In a nutshell, GDPR affects all websites, but there is no need to worry about full compliance the moment 25th May 2018 arrives unless you control or process sensitive data or large volumes of personal data.
Work toward GDPR compliance as best you can. Any GDPR compliance officer who contacts you will do so initially with a view to assisting your efforts to become GDPR compliant. Small businesses and ordinary website owners are not likely to attract the attention of GDPR regulators unless a complaint is raised by a member of the general public.
The GDPR regulation sets out:
- 1. An EU Data Subject’s ownership rights over his/her data, and
- 2. The responsibilities and obligations of any Data Collector, Data Processor and/or Data Controller to care for and to respect both
  - 2.1 Any Personally Identifiable Information (PII) data collected, processed or stored about an EU Data Subject, and
  - 2.2 The EU Data Subject’s ownership rights to his/her PII data.
- 3. The meaning of EU Data Subject, Data Controller and Data Processor.
Those ownership rights in 2.2 include:
- The right to view and export PII data
- The right to transport data to other Data Controllers
- The right to request amendment and deletion of PII data
- The right to control use of PII data
- The right to self-manage PII data
- The right to withdraw consent
Those obligations in 2.1 include:
- Specifying the basis for PII data collection
- Notifying the EU Data Subject of any change in basis
- Seeking permission from the EU Data Subject to change usage basis
- Notifying the EU Data Subject of any data breach
- Notifying the EU Data Subject of any 3rd party data sharing
- Seeking permission from the EU Data Subject before any data is shared with 3rd parties
- Ensuring all 3rd parties with access to an EU Data Subject’s PII data are GDPR compliant
Website and business owners are worried GDPR — the General Data Protection Regulation — will ruin their business or prevent them doing business with EU Data Subjects.
There is not much point running around like a headless chicken just yet. Full GDPR compliance is impossible for most website owners, and when GDPR comes into force on 25th May 2018 it will not immediately be enforced in full against regular-sized website owners or small businesses.
“If you think you are GDPR compliant then you need to think again.”
Halfway through last year, when I first spoke in forums about GDPR and said how far-reaching this new privacy regulation is, I was laughed at and shouted at by people who confidently said “Won’t affect me. I’m already GDPR compliant. GDPR is no different to any other data protection act.”
And when I said “Non EU businesses will begin geoblocking EU citizens.” I was shouted down and called an idiot.
Well, here we are. Already there are new ‘GDPR’ services built to help website owners and businesses block EU traffic, many sites refuse to serve content to EU Data Subjects, and everybody is freaking out about their unpreparedness.
Regardless of what you might have been told by friends and consultants, GDPR affects non-EU businesses and non-EU website owners as much as it affects the practices of people within the European Union who collect or process data about EU Data Subjects or who otherwise track EU Data Subjects.
If you are lucky enough to use WordPress you have less reason to worry about GDPR than your non WordPress using friends. This will become clear as you read the rest of this post.
Yeah, but what exactly is GDPR?
GDPR is the EU’s new General Data Protection Regulation. This regulation goes into force on 25th May 2018. GDPR has worldwide reach and concerns the handling of data collected about people within the European Union.
In regular speak, GDPR defines
- The ownership rights a person within the European Union (EU Data Subject) has to any of his/her Personally Identifiable Information, and
- The obligations to EU Data Subjects that any data collector, data controller or data processor has with respect to an EU Data Subject and that EU Data Subject’s Personally Identifiable Information.
The key terms used within GDPR conversations are
- The Data Subject. This is the individual within the EU whose data has been collected.
- The Data Collector. This is the person/company that collects the data.
- The Data Processor. This is the person/company that analyses the data.
- The Data Controller. This is any person or company that has control of any collected data.
- Personally Identifiable Information (PII). This is any data obtained from or about an individual Data Subject that either identifies an EU Data Subject or can be used to identify an EU Data Subject. For example: email address, IP address, geographic location (address), name, race, gender and date of birth, or any data which by itself might not identify the EU Data Subject but which can be combined with other data to enable identification and tracking of an EU Data Subject.
The definition of EU Data Subject is broad in the context of GDPR. In this context, EU Data Subject means both any person who is a natural resident of the EU and any person who just so happens to be travelling through the EU at the time their PII data is collected. An EU Data Subject can be anyone within the borders of the EU.
Data Controllers and Data Processors must abide by GDPR when data is collected about an EU Data Subject or from an EU Data Subject.
So, Margot, who lives in France and was born in France, is perpetually protected by GDPR because she is an EU citizen. John from the US, who is on holiday in France when his data is collected, is classed as an EU Data Subject and is protected by GDPR with regard to any PII data collected while John is (or was) in France, an EU member nation. Margot is always covered by GDPR. John is only covered for the data collected during his time in an EU state (or any location that has ratified GDPR into its legal code).
Any Data Collector who obtains Personally Identifiable Information about an EU Data Subject is deemed to be the Data Controller of that collected data.
The Data Controller:
- Must advise the EU Data Subject that data is being collected about him/her, what data is being collected, the purpose of that data collection (i.e. any of the 6 bases defined within GDPR), any change of basis for collection (i.e. usage change), any data breach, and any data shared with 3rd parties (i.e. with Data Processors or subsidiary companies).
- Must collect only data necessary for the purposes specified to the EU Data Subject.
- Must only keep data for as long as necessary for the purposes specified to the EU Data Subject.
- Must provide a means for the Data Subject to view their data, amend their data, remove their data, transport their data and be totally forgotten by the Data Collector and by any 3rd parties their data may have been passed to.
- Must ensure any 3rd party processor(s) of the data are also GDPR compliant.
- Must advise a Data Subject of any breach of their data within 72 hours of the discovery of any such breach.
- Must respond to data access requests within 1 month of receipt of the request from the EU Data Subject. This applies to amendment, export and deletion requests also.
- Must send EU Data Subjects a consent reminder every 2 years.
- Must send an occasional reminder to the EU Data Subject that the Data Controller holds PII data about the EU Data Subject. Every 6 months should suffice.
- Must display the privacy policy (or a link to it) wherever data is being collected.
- Must include in email (and marketing communications) details of how recipients can manage their data, opt out of future communications and view the Data Controller’s privacy policy.
If a Data Controller (being also the Data Collector) obtains data on an EU Data Subject then the Data Controller must maintain control and oversight of that data. This means that when that data is shared with 3rd parties, that Data Collector
- Must know how that data is to be (or is being) used.
- Must be informed of any breach of data known to that 3rd party.
- Must inform the 3rd party when a Data Subject has requested data amendment or data removal, and must confirm any such alterations are processed.
- Must ensure any other parties with whom data has been shared also observe GDPR.
- Must ensure the data is used only as permitted by the Data Subject when initial permission was granted for that data’s collection.
The 6 bases for processing data are:
- Consent: the Data Subject has given clear consent
- Contract: processing is necessary for a contract
- Legal obligation: processing is necessary to comply with the law
- Vital interests: processing is necessary to protect someone’s life
- Public task: processing is necessary for a task in the public interest
- Legitimate interests: processing is necessary for your legitimate interests
Data Processors are bound by the above obligations and responsibilities too.
Data Controllers must maintain oversight of any Personally Identifiable Information (i.e. data) they store, have access to or have shared with others.
Both the Data Controller and the Data Processor are liable to be fined if either (or any party) is in breach of GDPR.
So what does all this mean?
GDPR affects website owners, site admins, data storage service providers, web server admins, web server owners, content delivery networks and any other person or entity that collects, stores, controls or processes PII data.
When someone visits a website a huge array of data is logged. Most website admins and business owners are oblivious to the data collected.
Example points at which data is collected when a website is visited include:
- When the web server detects a request for a resource (e.g. page or image) the server logs the request. This data includes the request made, the time of request, the device used, the software used, and the IP address of the visitor.
- Stats/Analytics programs collect data such as visitor time and visitor location. Some scripts collect IP addresses too though WordPress Stats and Google Analytics claim not to collect IP addresses under typical circumstances.
- Email lists contain personally identifiable information such as email addresses and subscriber names.
- Comment forms and forums collect user data. Sometimes this is limited to name, email address and website, and the comment(s). All of this is regarded as personally identifiable information or data that belongs to the Data Subject.
- Web server data backups contain data.
- Off-site website backups contain data.
- Website scrapes in archive.org (for example) or scrapes performed by bots are data that might belong to a Data Subject.
- Web server error logs contain data about Data Subjects and resources accessed when errors occurred.
- Social networks such as Facebook and Twitter track visitors through social sharing buttons.
- Ad networks collect data on site visitors then reuse this data to show targeted ads to Data Subjects as they browse the web.
- Websites place one or more cookies into a visitor’s web browser. These can be abused for profiling and tracking purposes.
- HELP!!!! THE INTERNET IS SCREWED!!!!
GDPR stipulates that neither consent to data collection nor permission to set cookies may be made a condition of access to a digital resource. We cannot say “We add cookies to your web browser and collect stats about your visit. You cannot browse this site until you give us permission to do both.” Nope, we are not allowed to say that. We are supposed to say “Do you consent to our data collection and cookie policies?” and then only set cookies and collect data when consent is given.
Website admins must alert any visitor who is an EU Data Subject about any data collection or visitor tracking that might take place while they are on their websites and must ask permission before any data is collected and before any tracking is done. If you understood this correctly you will be thinking ‘OMG! How can the Internet work now?’
Think you can just block EU Data Subjects?
Think again. There is no reliable way to block EU traffic. People use VPNs and Tor browsers to hide their true location. That the EU Data Subject tricked you is not a defence against GDPR.
GDPR is retroactive. All the obligations of GDPR apply to data already collected prior to GDPR going into force.
Plus, when someone requests a data amendment or requests data removal, that change must be reflected in data backups as well as in data passed to 3rd party processors. The original Data Controller must take reasonable steps to ensure 3rd party handlers comply with data amendment requests.
GDPR affects anyone who collects, holds or stores data about EU Data Subjects. Whether the Data Controller is in the EU or not is irrelevant. The only question is whether the Data Subject is classed as an EU Data Subject at the time their data was or is collected.
There is some good news. There is a limitation to GDPR. Data collected for domestic (home) purposes is exempt from GDPR. We can take a friend’s phone number to call them to arrange a dinner date and not be worried about that number falling into the wrong hands if the phone is stolen. But be careful with CCTV cameras. Data collected by CCTV might bring the Data Controller into GDPR’s territory.
What are the fines for non-compliance?
The terminology used in the regulation’s text has led to widespread confusion about the fines that can be awarded for non-compliance. The gist is that:
- Any company found guilty of non-compliance will be fined up to 2% (tier 1 infringements) or 4% (tier 2 infringements) of its global turnover (not profit but turnover).
- Any non-company found guilty of non-compliance will be fined up to €10,000,000 (tier 1) or €20,000,000 (tier 2).
- If 2% or 4% (tier 1 or tier 2, respectively) of a company’s global turnover comes to less than €10 million (tier 1) or €20 million (tier 2), then the maximum fine is €10 million or €20 million respectively, i.e. whichever figure is higher applies.
The relevant paragraphs of the regulation read:
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects’ rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Regulators are supposed to assist non-compliant parties to attain GDPR compliance before fines are issued. The current intention is that fines are to be used only as a last resort.
How do you get to be GDPR compliant?
1) Review the ways you capture and use data regarded as Personally Identifiable Information.
2) Update your privacy policy to ensure it is GDPR compliant and takes into account the ways you capture and use data. Ensure it includes the who, what, where, how and why about any data collected.
3) Show a privacy banner on your website. Link to your privacy policy in this banner. The banner can be dismissible.
4) Contact all your subscribers and business contacts to tell them about your updated privacy policy. In the contact message include information that tells people how to view and manage their PII data that you control.
5) Configure software that tracks visitors to observe Do Not Track requests and to allow user opt-outs. This includes Google Analytics.
6) Update your MailChimp forms to add GDPR form fields. There is no absolute need to ask people to reconfirm their agreement to receive blog post updates by email.
7) If you intend to use email addresses, contact information or personal data for marketing purposes then you do need to get agreement from Data Subjects first, unless consent has already been explicitly granted and that consent is documented.
8) Provide a way for people to view, amend, delete or export any personal PII data you, your website, partners and storage units/services might store about them. WordPress 4.9.6 provides a tool to allow registered users to manage their data stored in the WordPress website.
9) Document data collection and data management processes.
10) Ensure 3rd parties who handle data on your behalf are GDPR compliant.
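The cookie rule in the “HELP” section above and steps 3 and 5 of this list come down to one gate on the client: set no non-essential cookie and load no tracker until the visitor has opted in, and treat a Do Not Track signal as a standing refusal. The following is an added example written for this post, not code from the post, from WordPress or from any analytics vendor; the storage key `gdpr-consent`, the `loadTracker` callback and the fake storage object are assumed names.

```javascript
// Added example: a fail-closed consent gate for a site's own tracking scripts.
// Assumed names: CONSENT_KEY, CONSENT_VERSION, loadTracker. Nothing here is
// taken from the post or from any vendor's SDK.

const CONSENT_KEY = "gdpr-consent";       // assumed localStorage key
const CONSENT_VERSION = "2018-05-25";     // bump when the privacy policy changes

// Browsers expose Do Not Track under different names and values.
// Returns true when the visitor has sent DNT; we treat that as "no".
function doNotTrackEnabled(nav = {}, win = {}) {
  let raw = nav.doNotTrack;
  if (raw === undefined) raw = win.doNotTrack;
  if (raw === undefined) raw = nav.msDoNotTrack;
  return raw === "1" || raw === "yes" || raw === 1;
}

// Parse the persisted consent record defensively. Corrupt, truncated or
// hand-edited storage must fail closed (no consent), never open.
function parseConsent(json) {
  if (typeof json !== "string") return null;
  try {
    const obj = JSON.parse(json);
    if (!obj || typeof obj !== "object") return null;
    if (typeof obj.analytics !== "boolean") return null;
    if (typeof obj.version !== "string") return null;
    return { analytics: obj.analytics, version: obj.version };
  } catch (_) {
    return null;
  }
}

// Decide whether any non-essential cookie or tracker may run.
// `stored` is the parsed record from an earlier visit, or null.
function trackingAllowed({ stored, dnt }) {
  if (dnt) return false;                                 // DNT beats a stale "yes"
  if (!stored) return false;                             // no record = no consent
  if (stored.version !== CONSENT_VERSION) return false;  // policy changed: re-ask
  return stored.analytics === true;
}

// Record written when the visitor answers the banner; keeps the timestamp so
// the site can show when consent was given and by which policy version.
function consentRecord(analytics) {
  return JSON.stringify({
    analytics: analytics === true,
    version: CONSENT_VERSION,
    at: new Date().toISOString(),
  });
}

// Page wiring. `storage` is localStorage in a browser (a fake in tests);
// `loadTracker` is the site's own function that injects the analytics tag and
// is deliberately the only place a tracker can be started.
function initConsentGate(loadTracker, nav, win, storage) {
  const stored = parseConsent(storage.getItem(CONSENT_KEY));
  const allowed = trackingAllowed({ stored, dnt: doNotTrackEnabled(nav, win) });
  if (allowed) loadTracker();
  return allowed;
}

// Banner handler: persist the answer, then re-evaluate the gate once.
function answerBanner(analytics, loadTracker, nav, win, storage) {
  storage.setItem(CONSENT_KEY, consentRecord(analytics));
  return initConsentGate(loadTracker, nav, win, storage);
}
```

In a real page `initConsentGate` runs once at load with `navigator`, `window` and `localStorage`, and the banner's accept/decline buttons call `answerBanner`; the tracker is never loaded on the default, unanswered path.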
Business-to-business (B2B) communications are partly exempt.
Personal communications between friends and family are also excepted.
My opinion
In my opinion GDPR is too well written and the implications of GDPR were not fully realised by lawmakers when it was finalised in 2016. That’s right, we had 2 years to prepare for GDPR. I expect the regulation will be adjusted as the realities of GDPR show themselves.
Unless you are a major company already in the EU’s cross-hairs, try not to worry about full GDPR compliance. Do what you can to be as compliant as possible. Work toward full compliance as the structure and functioning of the Internet adapt to GDPR.
The main concerns for bloggers and small business website owners are email lists, data analytics and any shopping carts they might have.
Until the purposes for which people added themselves to your email lists change, you will be okay to continue emailing those subscribers for those stated purposes, provided you can prove communication consent was granted, when it was granted and the route through which it was granted.
Email addresses collected by shopping carts must not be used to email old and existing customers about exciting new offers if the email address owners did not explicitly agree to be contacted for this purpose. Only use data for the purposes that EU Data Subjects agreed to when they provided it.
Though Google and other Data Controllers are trying to push their obligations onto publishers, responsible Data Controllers have taken steps to make their products and services GDPR compliant. Google Analytics and AdSense are technically GDPR compliant, but website owners need to advise visitors about their use.
Web hosts will need to make their server environments GDPR compliant. I am not aware of any web host that has taken steps to become GDPR compliant. Such steps would take into account error log purges, stats log purges and the amendment of data stored in database and file backups.
WordPress will be somewhat GDPR compliant before 25th May 2018. WordPress 4.9.6 introduces a new Privacy Page generator with content guidance notes and it introduces user data management tools. Details can be found here https://wptavern.com/wordpress-4-9-6-beta-1-adds-tools-for-gdpr-compliance.
Highlights of these new GDPR features in WP 4.9.6 are:
- New user content management panel. Anyone who comments on a post or otherwise interacts with the site while logged in will be able to see, edit, delete and export their personal data.
- New Privacy Page generator. This will publish a privacy page tailored to the site’s functionality. Plugin and theme developers will be able to add notices to the page that apply to their software.
There is the matter of GDPR interpretation
I can see two ways to interpret GDPR:
1) If GDPR regards the Data Controller as being also, by default, the Data Collector, then GDPR affects any entity that collects PII data; but
2) If GDPR does not regard the Data Controller as being (by default) the same entity as the Data Collector, then the Data Collector is off the hook with regards to EU PII data unless the Data Collector actually also controls and/or processes the data collected.
The difference is subtle but important.
The former (1) means website owners are also responsible for data collected by a web server and by any software integrated with the website, whether the website owner controls that software or not, i.e. if you were party to the data collection then you are responsible for that data.
The latter (2) means the conduit via which data is collected is only considered responsible for the data when the owner of the conduit also controls or processes the collected data.
Whichever of those interpretations is correct will determine whether or not website owners are responsible for data collected by web servers, trackers, analytics software and similar agents of data collection even where they have no control over those elements. We need to wait for the first few judgments to come out of the courts before we can safely apply one or the other interpretation.
For now I think we can only proceed under the assumption that interpretation 1 is correct and that the conduit of data collection is not considered to be the Data Controller.