Disclaimer: This is not legal advice. GDPR, data and law are super complicated. You should consult a lawyer.

What is it?

The General Data Protection Regulation (GDPR) is an EU regulation governing data protection and privacy for all individuals in the EU. It aims to give individuals control over their data, covers the export of personal data outside the EU, and aims to simplify the rules for international businesses.

GDPR focuses on Personally Identifiable Information (PII): information that allows a user to be identified, directly or indirectly. That obviously includes email addresses, names, dates of birth etc., but one item you might not expect is that it includes IP addresses. Most web servers, applications, web statistics packages etc. use IP addresses to track users. So data to consider includes:

  • IP addresses stored in application logs
  • IP addresses collected by Google Analytics
  • email addresses of my mailing list subscribers
  • email addresses of users registered for an app / service
  • user names
  • postal addresses


Do I need to worry about it?

Fines for GDPR breaches can be up to 4% of global turnover or 20 million euros, whichever is greater.

I bet that got your attention, didn't it?

If you have users based in the EU, or hold the data of anybody who lives in the EU, you need to consider the GDPR requirements. Both the controller and the processor of the data need to adhere to GDPR standards, so you also need to consider what your third-party providers and your clients do with it.


What should I do?

Review your processes and providers. What data do you hold, and why?

Redesign or refine your processes. Don't gather what you don't need.

Review your privacy statement. It should be easily understood and outline what data you keep and why.  Users need to give explicit consent to this. 

You need a legally valid reason to keep data and can't use it for a different reason than stated in your consent forms and privacy statement.

The regulations stipulate that in the case of a data protection breach the affected users should be notified "without undue delay" and the authorities within 72 hours, so make sure you have procedures in place. If something happened on a Friday night, would you be able to comply?

Users can ask what personal data companies are keeping about them and how it is used. It should be provided quickly and without charge, and in some circumstances users can ask for their personal data to be erased. What procedures do you need to comply with that? It depends on what data you are keeping and where.

Google Analytics' default settings record users' IP addresses. You can increase the privacy of Google Analytics tracking by adding the following line of code:

ga('set', 'anonymizeIp', true);


It anonymises the collected IPs so that they no longer allow you to identify users. Keep in mind that adding this setting reduces the geographic accuracy of your analytics data. How much does that really matter to you? Do you pore over your analytics and interrogate where users are? Consider deactivating GA on static pages. Is it really that useful? You can schedule data deletion in the GA admin panel so that the historic data is removed.

Your web application and web server logs will contain IP addresses. That should be covered in your privacy statement. Ideally you would delete these after a useful period or filter IP addresses out of them altogether. For example, Rails lets you mask request parameters in its log:

# config/initializers/filter_parameter_logging.rb
# The value of any request parameter whose name matches one of these symbols
# is replaced with [FILTERED] in the Rails log.
Rails.application.config.filter_parameters += %i(
  password text
  user_name user_id
  token payload
)
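Rails' parameter filter masks form fields, not the client address in the request line, so here is an added example (not code from the original post) that applies the same truncation Google Analytics' anonymizeIp uses (last octet of IPv4, last 80 bits of IPv6 set to zero) to existing web server and Rails logs before they are kept or shared. It handles nginx/Apache combined lines and Rails "Started ... for <ip> at ..." lines; the log lines are constructed samples.

```ruby
require 'ipaddr'

# Truncate an address the way GA's anonymizeIp does: IPv4 keeps its first
# three octets, IPv6 its first 48 bits. Returns nil for a non-address.
def anonymize_ip(value)
  addr = IPAddr.new(value)
  addr.ipv4? ? addr.mask(24).to_s : addr.mask(48).to_s
rescue IPAddr::InvalidAddressError
  nil
end

# Two line shapes, both anchored at the start of the line:
#  - Rails request line:  Started GET "/signup" for 203.0.113.42 at ...
#  - nginx/Apache combined log: the client address is the first field.
PATTERNS = [
  /\A(?<prefix>Started \S+ "[^"]*" for )(?<ip>\S+)(?= at )/,
  /\A(?<prefix>)(?<ip>\S+)(?= \S+ \S+ \[)/
].freeze

# Replace the client address in one log line; lines that carry no
# address (or whose first field is not one) are returned unchanged.
def anonymize_log_line(line)
  PATTERNS.each do |re|
    m = re.match(line) or next
    masked = anonymize_ip(m[:ip]) or return line
    return "#{m[:prefix]}#{masked}#{m.post_match}"
  end
  line
end

def anonymize_log(text)
  text.each_line.map { |l| anonymize_log_line(l) }.join
end

# Constructed sample: one nginx line, one Rails request line and one Rails
# line that carries no address at all.
SAMPLE_LOG = <<~LOG
  203.0.113.42 - - [01/May/2018:10:15:32 +0000] "GET /signup HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  Started POST "/login" for 2001:db8:abcd:1234::1 at 2018-05-01 10:15:33 +0000
  Processing by SessionsController#create as HTML
LOG

puts anonymize_log(SAMPLE_LOG) if $PROGRAM_NAME == __FILE__
```

Run it over a log file with `anonymize_log(File.read(path))`; masking at ingest (or before copying logs to dev/stage) is what makes the retention promise in your privacy statement true.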

GDPR requires explicit consent. It's not enough just to have a privacy policy; users must click to agree to it. A checkbox to agree before logging in, for example, ensures they are giving consent. Stating "By using this website you consent" does not. Pre-ticked boxes are not allowed on consent or signup forms.

If you use a third-party checkout, e.g. PayPal or Stripe, you should check they are compliant.

If you have a mailing list opt-in form on your site (who doesn't?) you will need to ensure the EU people on it have explicitly given consent. Broadly, the procedure is to prepare a clear privacy statement, segment your EU users, prepare a consent form and send it out to the segment. Going forward, ensure your opt-ins include explicit consent, so probably include double opt-in with appropriate wording and privacy statements. Mailchimp have some excellent documentation on this.

Users have the right to be forgotten, i.e. to have their data deleted. They can also ask for a copy of their data in a portable format. You should have a plan and procedure for all of these scenarios.

Large companies and organisations that engage in large scale monitoring and collection of personal data must appoint a data protection officer.

eCommerce 

eCommerce by its nature involves a lot of data gathering and capture. WooCommerce has put together a knowledge base on the subject. It's quite involved, but it is definitely possible to read through it and ensure you are compliant. Remember, most of the actions you need to take are about procedures, privacy consent and policies. WooCommerce summarises the requirements as:

  • Tell the user who you are, why you collect the data, for how long, and who receives it.
  • Get a clear consent [when required] before collecting any data.
  • Let users access their data, and take it with them.
  • Let users delete their data.
  • Let users know if data breaches occur.

Depending on your platform, there will be some specific software updates worth getting, and some platforms have specific plugins to help with GDPR, e.g. the WooCommerce Delete Me plugin.

Summary 

GDPR is coming. It is a thoughtful bit of legislation that simplifies the rules for international business and protects individuals' data. The authorities have the power to impose significant fines. The measures needed to prepare for GDPR are achievable and worth doing anyway. If you aren't sure about anything, you should consult a specialist. If you need help implementing a measure, get in touch.

Further Reading

The EU has a website / infographic that is well worth going through.

A good intro

There are lots of good primers on YouTube. OpenText seems to be across the main points, so this video is worth a watch.


MailChimp are heavily impacted by these changes, so their KB article on GDPR is well written and helpful. 

Ruby on Rails Resources

As usual, the Rails community is all over any challenge. They have released a gem (Rails module) to help manage GDPR in your Rails app.
rails management gem https://github.com/prey/gdpr_rails
If you are worried about sharing data on dev / local / stage environments (and you probably should be) then this gem can help with that: it anonymises your user data.


Email list, opt-ins and Mailchimp

For a lot of sites, a big part of the GDPR will be your mailing list activities. Mailchimp are taking this seriously and have an in-depth report along with articles on consent forms and other tools.

Enterprise

For larger organisations with more complex user data issues, this infographic is a start, then read through this white paper, and then you should consider hiring a lawyer or specialist data professional. Some services are popping up to help with this specific issue.