The European General Data Protection Regulation
April 28, 2018
We started hearing more and more about the GDPR in 2017. The process actually started in 2012. The talks still haven't stopped in mid-2018 and will probably continue for two or three more years. Ah. What a statement?! Well... One European state, Austria, voted against the GDPR on Apr 8, 2016 because the new rules are actually less stringent than the directive of 1995.
The concept is very simple. People want to have the right to visit the websites without leaving a big trail behind unless they want to.
The GDPR is actually similar to many other Internet laws that exist around the world. You should treat your website visitors, customers, and potential prospects as you would like to be treated in the same or a similar situation. (Of course, this statement assumes you have some level of empathy.)
Like most laws, you don't have a choice, you have to comply. That being said, if you are not in Europe, you can ignore that entirely since it doesn't apply to you. However, if you want to get customers from Europe, you may want to have some level of compliance.
More or less, to be compliant you must disclose everything about the data that you collect.
One important aspect of that data is to give your visitors a way to have it removed, either through an automatic form or by contacting you in some way (email, contact form, etc.).
Of course, there are technical aspects to that, and they can make things quite difficult to follow up on. Things that you do not have full control over, such as AdWords collecting the IP address of your visitors, may be difficult to control. So before using third party systems like AdWords, make sure to think it through.
The other point, which can complicate things, is cookies. You may collect data such as a name, an address, a phone number. This is still a simple matter. With cookies, Internet servers are capable of tracking people visiting many different websites. This is how Google AdWords is capable of showing you ads from a specific business many times. That's how these ads follow you around. Personally, I don't have a problem with that, but apparently some people do.
Along with the list of possible data you might ask your customers to give you (name, address, etc.), you want to list all the cookies that get used. This should be a very detailed and complete list with at least a small explanation of how each cookie is used.
Of course, if you're not technical, you may have a problem with that. Finding the list of cookies is not hard, but how do you determine how each one gets used, really? I'm a website designer and programmer so I know. But for most website owners, this is most certainly totally impossible to do without hiring someone knowledgeable.
I've actually seen some websites that go as far as explaining how you can go about deleting these cookies in your browser.
Note that just deleting a cookie is not always a full solution to prevent being tracked; other tracking methods are not as reliable as cookies, but they often work too. However, whatever technology you use to track your visitors, it has to be disclosed and you must offer a way for your visitors to opt out of it.
Although most website owners can't do anything with an IP address, many people still view it as a way to identify who used your website. For that reason, this information has to be disclosed as well. How do you handle your logs? How long do you keep them for? Do you anonymize the data?
The first time I saw that, I was really surprised that you'd have to tell your users about the fact that you're going to ask them for a password. Then I learned that most people have limited brain power (even with a computer) and are quite likely to use the same password on all websites. In that respect, that password becomes quite important knowledge about your registered users! If you're not a bad guy, it probably won't matter. But if you think about it, and even though we have posts everywhere about not using the same password on all websites, people still do it. This is why it is important to remind them that we'll be using their password to authenticate them (more about passwords.)
The GDPR includes another term: Pseudonymization. This is, for example, when you save part of the IP address instead of the full IP address. So it's not fully anonymized, but it's unlikely that we could determine who accessed the website.
Note that one reason for not anonymizing the IP address of people accessing your website is in case you are attacked. You may be able to help find who attacked your website if you still have the logs. (Large companies send their logs to separate servers, allowing intruders to be tracked without giving the intruder a chance to erase the logs.)
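As an added example (not code from the original post), here is one way to pseudonymize the client address in web server logs as described above: the host part of each IP is zeroed so only a coarse network prefix is kept, which still lets you spot an attack coming from one network range without storing who exactly visited. The prefix lengths, the log format and the sample lines are assumptions made for this illustration.

```python
import ipaddress
import re

# Assumption: the client address is the first whitespace-delimited field of each
# log line, as in the common/combined log format used by Apache and nginx.
_LEADING_IP = re.compile(r"^(\S+)")


def pseudonymize_ip(ip_text: str, v4_keep_bits: int = 24, v6_keep_bits: int = 48) -> str:
    """Zero the host part of an address, keeping only the network prefix.

    IPv4 keeps the first 24 bits (drops the last octet); IPv6 keeps the first 48
    bits, which is a comparable "coarse network" granularity. Anything that is
    not a valid IP address is returned unchanged so malformed lines still get logged.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text
    keep = v4_keep_bits if addr.version == 4 else v6_keep_bits
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def pseudonymize_log_line(line: str) -> str:
    """Rewrite the leading client address of one log line, leaving the rest intact."""
    m = _LEADING_IP.match(line)
    if not m:
        return line
    return pseudonymize_ip(m.group(1)) + line[m.end():]


def pseudonymize_log(lines):
    """Apply the rewrite to a whole log (a list of lines)."""
    return [pseudonymize_log_line(line) for line in lines]


# Constructed sample lines in the combined log format; not real traffic.
SAMPLE_LOG = [
    '203.0.113.42 - - [28/Apr/2018:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '2001:db8:85a3::8a2e:370:7334 - - [28/Apr/2018:10:15:03 +0000] "POST /login HTTP/1.1" 302 0',
    'not-an-ip - - [28/Apr/2018:10:15:04 +0000] "GET /robots.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for out in pseudonymize_log(SAMPLE_LOG):
        print(out)
```

Running the pseudonymization before the log line is written to disk (for example in a logging pipeline) means the full address never reaches long-term storage in the first place.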
Demonstrate You Are In Compliance
Right of Access
Any data you record from your visitors should be accessible by your users. This is a very difficult one if your users don't register for an account. I'd say even completely impossible for all sorts of security reasons.
Particularly, I don't foresee any website ever showing users a set of logs corresponding to their IP address. Why? Because the IP address may be one that's shared (if your Internet provider gives you an IP using DHCP, then it is shared.)
One important point of the GDPR is the handling of breaches. The website owner (more specifically the data controller, but that's for larger companies who can afford having a specific employee just working on security) is expected to report any breach within 72 hours.
The report has to include what data may have been stolen, and it should be sent to all the users who were potentially affected by the breach.
Note that sanctions can be imposed when a breach happens. If you're just an individual outside of Europe, you probably can't be sanctioned. Also, those sanctions only apply if the users who were affected by the breach are Europeans living in Europe and generally using your website from there.
There are also differences between the concerned type of user. If a user creates an account representing a business, it will not work the same way as a consumer at home. Business rules are most often quite different.