GDPR - what do you need to know

Article by Simon Steed


GDPR goes live on 25th May 2018. If you have a website, maintain customers’ details and don’t know what GDPR is, you really should read this article.
Disclaimer: The information in this post is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new EU Law coming into force that will almost certainly have a large impact upon your business, especially if you, like most businesses, store or collect personal information such as names, email addresses or phone numbers. Its aim is to give EU citizens more control over their personal data and to ensure that organisations change their approach to data privacy.
It’s all about consent - you now have to prove that a user (or customer) gave permission to use their data and they must be absolutely certain they know what they are signing up for!

But don’t we have the EU Cookie and Data Protection Laws?

The GDPR provides much stronger rules than existing laws and is much more restrictive than the “EU cookie law.” These old laws are now being replaced by GDPR; many organisations simply ignored them, and they were badly thought out in the first place.

Why now?

It’s all come about because of the various data breaches, especially the more recent ones - Yahoo had the details of all 3 billion of its users stolen, including hashed passwords! Think about it, that is a serious amount of data to lose and all of it can be traced back to individuals.
The onus is now upon businesses to ensure that their own data is secured and protected, and to ensure that any suppliers they use also have processes in place to restrict the availability of any data to authorised people only. This includes website hosts, database providers, CRM providers and more.
As an example, users must confirm that they are happy for their data to be collected and stored. There must be a clear privacy policy showing what data is going to be stored and how it is going to be used, and the user must be given a right to withdraw consent to the use of their personal data (consequently deleting the data) at any time, if required.
It is essential to encrypt and protect your customers’ data. Failure to do so could be in contravention of the new regulations. And that could be very expensive.

That’s OK, I’ll just relocate my hosting / data to the US :)

Actually no, this is not an option. The GDPR law applies to data collected about EU citizens from anywhere in the world. As a result, any website with any EU visitors or customers must comply with GDPR, which means that virtually all websites and businesses must comply.

Should GDPR be taken seriously?

Absolutely! Businesses have until May 2018 to comply with the regulations set by the GDPR. The penalty for non-compliance can be 4% of annual global turnover, up to a maximum of €20 million (per instance!).

Give me more detail, what should be protected?

There are two main aspects of the GDPR: “personal data” and “processing of personal data.” Here’s how it relates to running a CMS-powered website (such as Umbraco or WordPress):
  • personal data pertains to “any information relating to an identified or identifiable natural person” – like name, email, address or even an IP address,
  • whereas processing of personal data refers to “any operation or set of operations which is performed on personal data”. Therefore, a simple operation such as storing an IP address in your web server logs constitutes processing of a user’s personal data if that IP address could be tied back to a specific user.
Effectively, it’s all about this: if a hacker gets hold of my data, what can they do with it? Obviously security is a priority here as well, and having a layered security process to stop breaches occurring in the first place is a good start. Regular penetration tests, security audits, scans etc. are essential, and it is even worth looking at implementing Intrusion Detection Systems (IDS) to spot and block attacks as they are happening.
This is where it gets quite difficult to start to comply. There are really two aspects to this to take into consideration and we shall use the following scope to break each area down individually so you can see how it may affect you and your business:
Scope: We have a business website selling consultancy services and a few products. We have a few pages, we sell services and we have a contact form which stores data in our website then forwards a copy to an email address or third party service. We also have a newsletter signup form plus Google Analytics tracking and, more recently, have introduced personalisation so we can target specific personas. In addition to this, we have also integrated our CRM system to track clicks and update the contact details for a client.

I am a business that has a website or CRM system

You will need to ensure the following:
  1. The contact form data is stored in such a way on the website that it cannot easily be tied back to a specific user. One easy way to achieve this in our example is not to store those details upon the website or the database at all and fire them straight to your email inbox. However, content management systems such as Umbraco utilising Contour or Umbraco Forms will not easily be able to achieve this - the data is stored by default in the website’s database and could be at risk should the site be compromised.
  2. If the data is submitted to a third party service (such as Salesforce), you need to have an agreement in place with them regarding their GDPR policies and procedures and build these into your own policies and procedures.
  3. Newsletter signup, one of the biggies now. You cannot automatically tick any boxes to force a user to be on your mailing list. You must give them the option to opt out at source and tell them what you will use the data for. You also cannot sign them up for a launch promotion then decide a few months later to reuse that launch list for a more general mailer - they must explicitly request to receive that information.
  4. For tracking purposes, you must give the user the option to not track them upon the site for analytics purposes. Potentially this will mean you lose valuable visitor stats!
  5. Personalisation is another big one now, especially as businesses want to target their website content based upon personas and drive relevant content to their users. Basically you must tell the user that you intend to track them against personas and give them the option to opt out completely.
  6. CRM integration - Again, you need to know that the provider you are dealing with has a GDPR policy in place and get an agreement in place regarding your data stored within their platform. You also need to be transparent with your end users and tell them you are collating this data to add to their CRM profile; if they don’t want you to do this, they need to be able to say so. Remember, by default you cannot opt everyone in!

I’m a hosting, development or data services company providing a platform for my clients to use (i.e. website host, CRM provider etc.)

You will need to ensure the following:
  1. Access to servers is restricted to authorised staff only and you have a way to audit and restrict access as required.
  2. Any data stored should ideally be encrypted so that, should the server be compromised, the attacker cannot identify any users from the data stored upon it.
  3. Log files should not identify users based upon email addresses, IP addresses etc.
  4. If the data is submitted to a third party service (such as Salesforce), you need to have an agreement in place with them regarding their GDPR policies and procedures and build these into your own policies and procedures.
  5. Should a client wish for a user’s data to be removed, you must ensure this is done - however, any backups upon the server need to be handled very carefully, particularly where a database may need to be restored to a point before the user requested removal from the system.
  6. Any development databases should not contain any personally identifiable information - you should no longer restore a backup of a live database for development purposes unless you munge the data before using it.
  7. Any third party code or services you use should also be checked for compliance. Ideally you should have an agreement in place with the third party developers in order to use their code and cover GDPR compliance.
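
Items 3 and 6 above (log files that do not identify users, and munging live data before it is used for development) can both be handled with keyed pseudonymisation. The sketch below is an added example, not code from the original article; the key, token format, field names and sample log lines are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import re

# Assumption: a real deployment loads this key from a secrets store and keeps
# it away from the logs; it is hard-coded only so the example runs offline.
SECRET_KEY = b"example-key-rotate-me"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample access-log lines (documentation IP range, example.com).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/May/2018:10:00:01 +0000] "POST /contact HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/May/2018:10:00:09 +0000] "GET /news?email=jane@example.com HTTP/1.1" 200 88',
]


def pseudonym(value, kind, key=SECRET_KEY):
    """Deterministic keyed token: equal inputs map to equal tokens, so visits
    can still be correlated, but tokens cannot be recomputed without the key."""
    mac = hmac.new(key, f"{kind}:{value.lower()}".encode(), hashlib.sha256)
    return f"{kind}_{mac.hexdigest()[:16]}"


def scrub_ip(match):
    text = match.group(0)
    try:
        ipaddress.IPv4Address(text)  # reject look-alikes such as 999.1.2.3
    except ValueError:
        return text
    return pseudonym(text, "ip")


def scrub_line(line):
    """Replace email addresses and IPv4 addresses in one log line."""
    line = EMAIL_RE.sub(lambda m: pseudonym(m.group(0), "email"), line)
    return IPV4_RE.sub(scrub_ip, line)


def munge_record(record, pii_fields=("name", "email", "phone")):
    """Copy a database row for development use with PII columns tokenised."""
    out = dict(record)
    for field in pii_fields:
        if out.get(field):
            out[field] = pseudonym(str(out[field]), field)
    return out


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry))
    print(munge_record({"id": 42, "name": "Jane Doe", "email": "jane@example.com"}))
```

Anyone holding both the key and a candidate value can recompute the token, so the key must not be stored alongside the scrubbed logs or copied into the development environment.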

Wow, I’m screwed - what do I do now?

It’s easy to think this: how can I run my business without some of the key information my website or third party systems provide when I now have to tell my clients they can decline to give me this information? It’s a tough call but necessary in today’s digital age. For too long, a minority of companies have abused the data; this new act will hopefully go a long way towards stopping this.
What do you do now? Here are a few tips:
  • You need to speak to your development and hosting providers to see how they are dealing with this. Unfortunately this is going to cost you consultation time and, of course, money.
  • Many of today’s websites will need modification to ensure they comply and are protected, so it’s highly possible an audit will need to be performed, with some gap analysis as to what is good and what is bad, followed by a roadmap to implement changes.
  • Passwords and user accounts will need to be strengthened in order to protect access to critical systems.
  • Restrictions to admin areas via the use of firewalls will need to be improved.
  • Websites should be running SSL Certificates to protect data in transit.
  • You may need to upgrade your CMS
  • Processes will need to be developed and maintained.
  • All your staff will need training and buy in with regards to the new policies.
  • You will need to run regular audits to ensure you are compliant and document these.
  • You should create a data map showing all the points of data flow through your business, including third party suppliers. After all, you cannot ensure you are compliant unless you know where your data is, can you?
  • New opt-in forms will need to be developed and implemented, this will involve technical development work as well to include/exclude specific cookies and tracking beacons.

Summary

Here at Simon Antony Limited, being website hosts as well as website developers, we are dealing with more of this each week and are actively developing solutions to help businesses comply. It may only come into effect on 25th May 2018, however you need to act now, especially where you have any development work that needs to be implemented - this needs to be developed, tested and rolled out way before the 25th May deadline.
Get in touch with Simon today to find out how we can help. 0161 300 8150 or [email protected]