The End is Nigh, or is it?
The Internet as we know it is about to come to an end. The same goes for off-line marketing practices, digital and non-digital data storage practices and life in general. GDPR is a biggie. It sets out data ownership rights and obligations with regard to EU Data Subjects, and it has global reach.
In a nutshell, GDPR affects all websites but there is no point worrying yet.
The GDPR regulation sets out:
1. An EU Data Subject’s ownership rights over his/her/its data, and
2. The responsibilities and obligations of any Data Collector, Data Processor and/or Data Controller to care for and to respect both
   2.1 Any Personally Identifiable Information (PII) data collected, processed or stored about an EU Data Subject, and
   2.2 The EU Data Subject’s ownership rights to his/her/its PII data.
3. The definitions of EU Data Subject, Data Controller and Data Processor.
Those ownership rights in 2.2 include:
- The right to view and export PII data
- The right to transport data to other Data Controllers
- The right to request amendment and deletion of PII data
- The right to control use of PII data
- The right to self manage PII data
Those obligations in 2.1 include:
- Specifying the basis for PII data collection
- Notifying the EU Data Subject of any change in basis
- Seeking permission from the EU Data Subject to change usage basis
- Notifying the EU Data Subject of any data breach
- Notifying the EU Data Subject of any 3rd party data sharing
- Seeking permission from the EU Data Subject before any data is shared with 3rd parties
- Ensuring all 3rd parties with access to an EU Data Subject’s PII data observe GDPR
Website and business owners are worried GDPR — the General Data Protection Regulation — will ruin their business or prevent them doing business with EU Data Subjects.
There is not much point running around like a headless chicken just yet, because full GDPR compliance is impossible for most website owners, and when GDPR comes into force on the 25th May 2018 it will not immediately be enforced fully against regular-sized website owners or businesses.
If you think you are GDPR compliant then you need to think again.
Halfway through last year, when I first spoke in forums about GDPR and said how far-reaching this new privacy regulation is, I was laughed at and shouted at by people who confidently said “Won’t affect me. I’m already GDPR compliant. GDPR is no different to any other data protection act.”
And when I said “Non EU businesses will begin geoblocking EU citizens.” I was shouted down and called an idiot.
Well, here we are. Already there are new ‘GDPR’ services built to help website owners and businesses block EU traffic and everybody is panicking about their unpreparedness.
Regardless of what you might have been told by friends and consultants, GDPR affects non-EU businesses and non-EU website owners as much as it impacts the practices of EU residents who collect or process data about EU Data Subjects or who otherwise track EU Data Subjects.
I was reluctant to post publicly on JournalXtra about GDPR because there is a lot we cannot yet do to make websites 100% GDPR compliant and there is little to worry about yet. But, as people are panicking about GDPR compliance as much as they would were it a big flaming asteroid about to hit Earth, and as I am getting lots of questions about GDPR, I thought I would put out a little information to explain what GDPR is, why it is impossible to be 100% compliant, how GDPR affects website owners and why there is no need to panic just yet.
If you are lucky enough to use WordPress you have less reason to worry about GDPR than your non WordPress using friends. This will become clear as you read the rest of this post.
What is GDPR?
GDPR is the EU’s new General Data Protection Regulation. This regulation goes into force near the end of this month on 25th May 2018. GDPR has worldwide reach.
In regular speak, GDPR defines
- The ownership rights an EU citizen (EU Data Subject) has to any of his/her Personally Identifiable Information, and
- The obligations to EU data subjects that any data collector, data controller or data processor has with respect to an EU citizen (EU Data Subject) and his/her Personally Identifiable Information.
Note that I used EU Data Subject and EU Citizen interchangeably above. This is done deliberately to accustom you to the meaning of EU Data Subject, which is explained next.
The key terms used within the GDPR conversation are
- The Data Subject. This is the EU citizen whose data has been collected.
- The Data Collector. This is the person/company that collects the data.
- The Data Processor. This is the person/company that analyses the data.
- The Data Controller. This is any person or company that has control of any collected data. Usually this is the Data Collector and/or the Data Processor.
- Personally Identifiable Information (PII). This is any data obtained from or about an individual Data Subject that either identifies an EU Data Subject or that can be used to identify an EU Data Subject. For example: email address, IP address, geographic location (address), name, race, gender and date of birth or any data which by itself might not identify the EU Data Subject but which can be combined with other data to enable identification and tracking of an EU Data Subject.
The definition of EU Data Subject is broad in the context of GDPR. In this context, EU Data Subject means both any person who is a natural resident of the EU and any person who just so happens to be travelling through the EU at the time their PII data is collected. Data Controllers and Data Processors must abide by GDPR when data is collected about an EU Data Subject or from an EU Data Subject.
So Margot, who lives in France and was born in France, is perpetually protected by GDPR because she is a natural EU citizen. John from the US, who is on holiday in France when his data is collected, is classed as an EU Data Subject and is protected by GDPR with regard to any PII data collected while he is or was in France, an EU member nation. Margot is always covered by GDPR. John is only covered for the data collected during his time in an EU state (or in any location that has ratified GDPR into its legal code).
Any Data Collector who obtains Personally Identifiable Information about an EU Data Subject is deemed to be the Data Controller of that collected data.
The Data Controller:
- Is responsible for advising the Data Subject that data is being collected about him/her, what data is being collected, the purpose of that collection (i.e. which of the 6 lawful bases defined within GDPR applies), any change of basis for collection (i.e. usage change), any data breach, and any data shared with 3rd parties (i.e. Data Processors or subsidiary companies).
- Must provide a means for the Data Subject to view, amend, remove and transport their data, and a means to be totally forgotten by the Data Collector and by any 3rd parties their data may have been passed to.
- Must ensure any 3rd party processor(s) of the data are also GDPR compliant.
- Must advise a Data Subject of any breach of their data within 72 hours of the discovery of that breach.
If a Data Collector obtains data on an EU Data Subject then that Data Collector (being also the Data Controller) must maintain control of that data. This means that when the data is shared with 3rd parties the Data Collector:
- Must know how that data is to be (or is being) used.
- Must be informed of any breach of data known to that 3rd party.
- Must inform the 3rd party when a Data Subject has requested data amendment or data removal, and must confirm any such alterations are processed.
- Must ensure any other parties with whom data has been shared also observe GDPR.
- Must ensure the data is used only as permitted by the Data Subject when initial permission was granted for that data’s collection.
Data Processors are considered to be Data Controllers too and, as such, are bound by the above obligations and responsibilities.
The Data Collector and Data Processor — collectively the Data Controllers — must maintain oversight of any Personally Identifiable Information (i.e. data) they store, have access to or have shared with others.
Both Collector and Processor are liable to be fined if either (or any party) is in breach of GDPR.
So what does all this mean?
GDPR affects website owners, site admins, data storage service providers, web server admins, web server owners, content delivery networks and any other person or entity that collects, stores, controls or processes PII data.
When someone visits a website a huge array of data is logged. Most website admins and business owners are totally unaware of the data collected.
Example points at which data is collected when a website is visited are:
- When the web server detects a request for a resource (e.g. page or image) the server logs the request. This data includes the request made, the time of request, the device used, the software used, and the IP address of the visitor.
- Stats/Analytics programs collect data such as visitor time and visitor location. Some scripts collect IP addresses too though WordPress Stats and Google Analytics claim not to collect IP addresses under typical circumstances.
- Email lists contain personally identifiable information such as email addresses and subscriber names.
- Comment forms and forums collect user data. Sometimes this is limited to name, email address and website, and the comment(s). All of this is regarded as personally identifiable information or data that belongs to the Data Subject.
- Web server data backups contain data.
- Off-site website backups contain data.
- Website scrapes in archive.org (for example) or scrapes performed by bots are data that might belong to a Data Subject.
- Web server error logs contain data about Data Subjects and resources accessed when errors occurred.
- Social networks such as Facebook and Twitter track visitors through social sharing buttons.
- Ad networks collect data on site visitors then reuse this data to show targeted ads to Data Subjects as they browse the web.
- Websites place one or more cookies into a visitor’s web browser. These can be abused for profiling and tracking purposes.
- HELP!!!! THE INTERNET IS SCREWED!!!!
GDPR stipulates that access to a digital resource must not be made conditional on consent to data collection or on permission to set cookies. We cannot say “We add cookies to your web browser and collect stats about your visit. You cannot browse this site until you give us permission to do both.” Nope, we are not allowed to say that.
Website admins must alert any visitor who is an EU Data Subject about any data collection or visitor tracking that might take place while they are on their websites and must ask permission before any data is collected and before any tracking is done. If you understood this correctly you will be thinking ‘Good grief, how will the Internet work now? We are screwed!’
Think you can just block EU Data Subjects?
Think again. There is no reliable way to block EU traffic. People use VPNs and the Tor Browser to hide their true location. That an EU Data Subject hid their location from you is not a defence under GDPR.
And, GDPR is retroactive. All the obligations of GDPR apply to data already collected prior to GDPR going into force.
Plus, when someone requests a data amendment or data removal, that change must be reflected in data backups as well as in data passed to 3rd party processors. The original Data Controller must take reasonable steps to ensure 3rd party handlers comply with data amendment requests.
GDPR affects anyone who collects, holds or stores data about EU Data Subjects. Whether the Data Controller is in the EU or not is irrelevant. The only question is whether the Data Subject is classed as an EU Data Subject at the time their data was or is collected.
There is a limitation to GDPR. Data collected for domestic (home) purposes is exempt from GDPR. For example, you can obtain a friend’s phone number so you can call to arrange a dinner date and not be worried about that number falling into the wrong hands if your phone is stolen. However, be careful with CCTV cameras, because the data collected might bring you into GDPR’s territory.
In my opinion GDPR is too well written and the implications of GDPR were not fully realised by its authors when it was written. I expect the regulation will be adjusted as the realities of GDPR show themselves.
What are the fines for non compliance?
The terminology used in the regulation’s text has led to widespread confusion about the fines that can be awarded for non compliance. The gist is that:
- Any company found guilty of non compliance will be fined up to 2% (tier 1 companies) or 4% (tier 2 companies) of their global turnover (not profit but turnover)
- Any non-company found guilty of non compliance will be fined up to €10,000,000 (tier 1) or €20,000,000 (tier 2).
- If 2% or 4% (tier 1 or tier 2, respectively) of a company’s global turnover is under €10 million (tier 1) or under €20 million (tier 2), then the maximum fine is set at €10 million or €20 million respectively.
The regulation’s own wording on fines reads:
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects’ rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Regulators are supposed to assist non compliant parties to attain GDPR compliance before fines are issued. The current intention is that fines must be used as a last resort.
This is lay advice, not legal advice. Keep that in mind.
Unless you are a major company already in the EU’s crosshairs, do not worry too much about GDPR compliance just yet with regard to your website’s regular functioning.
The main concerns for bloggers and small business website owners are email lists, data analytics and any shopping carts they might have.
Provided the purpose for which people added themselves to your email lists remains the same, you are OK to continue to email those subscribers for those previously stated purposes.
Email addresses collected by a shopping cart must not be used to email old and existing customers about exciting new offers if the email address owners did not knowingly agree to be contacted for this purpose. Only use data for the purposes that EU Data Subjects agreed to when they provided it.
Though Google is trying to push its obligations onto publishers (there is commentary about this in various technical forums) it has taken steps to make Google Analytics, AdSense and its other services GDPR compliant. Other service providers are working on their GDPR compliance.
Web hosts will need to make their server environments GDPR compliant. I am not aware of any web host that has taken steps to become properly GDPR compliant. Such steps would take into account error log purges, stats log purges and backup data amendment.
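As an added illustration of the log purge step (example code written for this post, not code from WordPress, from any web host, or from the original article), the script below takes constructed combined-format access log lines like those the server writes at the request stage described earlier, anonymises each client IP so the line no longer identifies a visitor, and drops lines older than an assumed 30-day retention window:

```python
"""Minimise PII in web server access logs: anonymise client IPs and purge
entries past a retention period. Added example; sample lines are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache/nginx combined-format lines (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.45 - - [20/May/2018:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:abcd:1234::5 - - [22/May/2018:08:01:07 +0000] "GET /blog/ HTTP/1.1" 200 2048 "-" "curl/7.58"
198.51.100.7 - - [01/Jan/2018:00:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # timestamp format used inside the brackets


def anonymise_ip(ip_str: str) -> str:
    """Zero the host part of the address: IPv4 keeps its /24, IPv6 its /48.
    A value that is not an IP address is replaced rather than passed through."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return "0.0.0.0"
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def scrub_log(text: str, now: datetime, retain_days: int = 30):
    """Return (kept_lines, purged_count). Lines older than the retention window
    are dropped; surviving lines get their client IP anonymised."""
    cutoff = now - timedelta(days=retain_days)
    kept, purged = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            purged += 1  # unparseable line: drop rather than keep unknown PII
            continue
        if datetime.strptime(m.group("ts"), TS_FMT) < cutoff:
            purged += 1
            continue
        kept.append(f'{anonymise_ip(m.group("ip"))} {m.group("ident")} '
                    f'[{m.group("ts")}] {m.group("rest")}')
    return kept, purged


def run_sample():
    """Process the constructed sample as of 25 May 2018 (the GDPR start date)."""
    return scrub_log(SAMPLE_LOG, datetime(2018, 5, 25, tzinfo=timezone.utc))
```

Error logs, stats logs and any log copies held in backups would need the same treatment for the purge to mean anything.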
WordPress will be somewhat GDPR compliant before 25th May 2018. WordPress 4.9.6 is due around 17th May 2018. This release introduces new Privacy / GDPR compliance features. Details can be found at https://wptavern.com/wordpress-4-9-6-beta-1-adds-tools-for-gdpr-compliance.
Highlights of these new privacy features of WP 4.9.6 are:
- New user content management panel. Anyone who comments on a post or otherwise interacts with the site while logged in will be able to see, edit, delete and export their personal data.
- New Privacy Page generator. This will publish a privacy page tailored to the site’s functionality. Plugin and theme developers will be able to add notices to the page that apply to their software.
Both features will arrive in beta form due to the time constraint imposed by the approaching enactment of GDPR on the 25th May 2018.