A website is like the cover of a book. The first thing a customer searches for is a company homepage and, like a book, if it is eye-catching, it warrants further investigation. For this reason, many companies invest heavily in website development, seeking to make their site clean, easily navigable, and, above all, able to capture and retain the attention of potential customers.
However, in the process of developing a stellar website, security can sometimes be overlooked, particularly when it comes to complying with new privacy, consent, and transparency standards.
What is the GDPR?
On April 14, 2016, the EU Parliament approved the General Data Protection Regulation (GDPR) standards. The law officially went into effect on May 25, 2018. The GDPR replaced the outdated and less comprehensive 1995 Data Protection Directive 95/46/EC. The new standards represent a significant shift in how data collection is approached. Under the GDPR, companies must clearly stipulate how customer information is used and respond in a timely manner to customer requests about data collection. Overall, the GDPR centralizes the existing, fragmented privacy legislation in order to standardize privacy laws across EU borders.
The GDPR enforces three key rules when it comes to privacy:
- Companies must obtain permission from visitors/customers to use their private information.
- People possess the right to terminate access to their information.
- People have the right to opt-out of making personal information public.
Compliance and Noncompliance
GDPR compliance affects all EU countries but not in the typical sense. Instead of applying to companies located in EU countries, the GDPR applies based on the physical location of the EU individuals whose information is being collected. Consequently, any EU citizen falls under GDPR protection. EU citizens include those located in an EU member state, the United Kingdom, or a European Economic Area country (e.g., Iceland). Non-compliance can lead to hefty fines. Depending on the severity of the infraction, companies may face fines of up to 20,000,000 euros or four percent of company profits from the prior year, whichever is higher.
The Seven GDPR Principles
In addition to the three broad rules noted above, article five of the GDPR outlines seven principles designed to improve the modern technology environment when it comes to privacy and transparency.
- Consent – First and foremost, the GDPR seeks to maintain “lawfulness, fairness, and transparency.” This means that prior to collecting or processing personal data, companies must obtain customer consent. Moreover, the information collected must be relevant to a company’s purpose. For example, if a user is subscribing to a newsletter, the only personal information needed would be an email.
- Right-to-Access – Giving control of personal data back to the public means knowing who has the data and how it is being used. Principle two focuses on “purpose limitation” or using data for only necessary services. Companies hold the responsibility for knowing when, how, and why data is used and must be able to provide an electronic copy of this information upon request at any time.
- Right-to-Erasure – Data minimization means keeping information for only as long as it is necessary. Under GDPR regulations, consumers possess the right to request the deletion of their information at any time.
- Data Portability – Individuals possess the right to have their data transferred from one company to another upon request, even if the other company is a direct competitor.
- Breach Notification – If a breach occurs, GDPR compliant companies have 72 hours to notify affected individuals and the Supervisory Authority.
- Integrating Privacy – In addition to data minimization precautions, the GDPR goes beyond data collection and requires companies to proactively build systems with privacy in mind. For example, a system could immediately delete information once it has been used for the required purpose.
- Data Protection Officers – For companies that process a large amount of data, the GDPR requires them to hire an independent data protection officer. The officer’s job centers solely on assessing regulatory compliance.
GDPR Website Checklist
In an effort to improve transparency, the GDPR mandates that companies implement certain changes to their websites. Below are five steps toward achieving GDPR website compliance.
Step 3: Implement encryption methods. Since storing some data is inevitable, GDPR experts recommend encrypting transactions and stored data.
Step 4: Make sure analytic software is compliant. Most companies now use analytic programs (e.g., Google Analytics) to better understand website metrics, but since those analytics typically involve personal information, the consumer's consent must be obtained first.
Step 5: List accurate contact information. With the right to request information at any time, consumers must be able to quickly and easily contact companies. This means listing at least a phone number on a website. Email or information request forms are also beneficial.
GDPR and the Privacy Shield
The economic ties between EU countries and the US remain integral to the global economy. To make sure the new privacy regulations didn’t inhibit that relationship, the EU and US created the Privacy Shield agreement. Part of the GDPR’s safeguards is a clause that allows data transfers only to countries with adequate data protection laws. Since the US is so large and the number of companies so numerous, it’s not surprising that the US does not qualify as a “safe” country for data transfers by GDPR standards. To work around this issue, the Privacy Shield creates a program whereby participating companies are deemed to have adequate protection, which in turn facilitates the transfer of information. The increased commercial oversight means that individual companies must meet the GDPR standards, rather than the country as a whole.
Key Points of the Privacy Shield
- The Department of Commerce, FTC, and EU Data Protection Authorities (DPAs) meet annually to review the effectiveness of the shield agreement
- The shield is independently enforced by the Department of Commerce and EU DPAs
- EU individuals may choose alternative dispute resolution with no added cost
- The Department of Commerce will intervene in cases if necessary
- Companies will participate in arbitration hearings, if necessary
- Contractual privacy safeguards and transfer procedures are required
- The Privacy Shield establishes a channel for EU individuals to file complaints with regard to US signals intelligence activities if such activity is believed to violate privacy laws
GDPR Compliance Steps
Before implementing the website GDPR requirements, there are a few introductory steps every company should take.
- Access and analyze your data sources. In order to know what personal information your company has, you have to evaluate all data. This includes data at rest, data in transit, and data warehouses. Assumptions will not pass GDPR standards. The guidelines stipulate that companies must know where data is and be able to prove it if necessary.
- Identify what information resides in those data sources. Organizing information location is vital to GDPR compliance because it expedites the consumer request process. Personal data must be categorized and cataloged by type. For example, if an EU individual requests what personal information is kept on file, a company will have to list every piece of stored data from email to phone numbers to social security numbers.
- Choose the type of protection for data sets. After taking inventory and categorizing personal data, companies can use encryption, pseudonymization, or anonymization to protect the data. The type of data and how it is used will help determine which kind of protection to use. Another option, and arguably the best when possible, is to delete personal information once it is no longer needed.
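As an added illustration of the three options in the last item (and of the access and erasure requests described earlier), not code from the original post or from RSI Security: the Python below pseudonymizes direct identifiers with a keyed HMAC, anonymizes a record by generalization, and serves an access and an erasure request against the pseudonymized set. The field names and sample records are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (not real customer data).
RECORDS = [
    {"email": "jane@example.com", "phone": "+33123456789", "postcode": "75008", "age": 34, "plan": "newsletter"},
    {"email": "Jane@Example.com", "phone": "+33123456789", "postcode": "75008", "age": 34, "plan": "webinar"},
    {"email": "omar@example.org", "phone": "+4930123456", "postcode": "10115", "age": 52, "plan": "newsletter"},
]
DIRECT_IDENTIFIERS = ("email", "phone")


def token_for(key: bytes, value: str) -> str:
    """Keyed HMAC-SHA256 pseudonym. The same input yields the same token, so records
    stay linkable; without the key (kept separately from the data) the token cannot be
    traced back to the person. Input is normalised so case differences do not split
    one subject into two."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with tokens; all other fields are kept as-is."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = token_for(key, record[field])
    return out


def anonymize(record: dict) -> dict:
    """Drop direct identifiers and generalise quasi-identifiers (postcode, age).
    Unlike pseudonymization no key can undo this, so the result can no longer be
    tied to one person but still supports aggregate analytics."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["postcode"] = record["postcode"][:2] + "xxx"
    decade = record["age"] // 10 * 10
    out["age"] = f"{decade}-{decade + 9}"
    return out


def find_subject(records: list, key: bytes, email: str) -> list:
    """Right-to-access: locate a subject's records by recomputing their token with the key."""
    token = token_for(key, email)
    return [r for r in records if hmac.compare_digest(r["email"], token)]


def erase_subject(records: list, key: bytes, email: str) -> tuple:
    """Right-to-erasure: remove every record of the subject; returns (kept, deleted_count)."""
    token = token_for(key, email)
    kept = [r for r in records if not hmac.compare_digest(r["email"], token)]
    return kept, len(records) - len(kept)


KEY = secrets.token_bytes(32)  # in practice held in a KMS/HSM, apart from the data store
PSEUDO = [pseudonymize(r, KEY) for r in RECORDS]
```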
GDPR impact on the United States
In the past, information given by an individual to a company was generally deemed company property once relinquished by the consumer. However, the GDPR flips this assumption and holds that data ownership resides with the individual, not the collector. Much of the current US cybersecurity legislation, like NIST’s framework, centers on breaches and notifications. Again, this contrasts with the focus of the GDPR and presents a challenge for US companies. A Reuters report found that while larger US companies are making a real effort to follow GDPR regulations, smaller companies are at significant risk of falling behind the standards.
Yet, regardless of company size, the penalties can be steep. In early 2019, Google faced a 50 million euro fine from the French Data Protection Authority (CNIL) on the grounds of a lack of transparency. While the fine was hefty, Google has the money to pay such fines and still remain in operation; smaller companies would likely not survive such stringent fines. Becoming GDPR compliant also helps with California Consumer Privacy Act (CCPA) compliance, which mirrors many of the GDPR’s points. Thus, it is worth taking the time to research GDPR standards and begin the compliance process as soon as possible.
GDPR Compliance Tools
Starting the GDPR compliance process seems daunting, particularly when it comes to cataloging every piece of personal information. It’s important to remember that this process shouldn’t be primarily manual; rather, it’s recommended to utilize the many available tools online to help parse and organize the data. The types of tools and programs vary from free to subscription-based to pay-as-you-go. Below are five tools to help your company start the GDPR compliance process.
- Microsoft offers a free GDPR assessment. After answering the 20-question assessment, companies receive a readiness report that scores them on a 100-point scale. By addressing governance, risk mitigation, deletion and notification, and policy management, the assessment provides insight into system and operational weaknesses.
- Knowing where data goes and who accesses it is a fundamental tenet of the GDPR. The Egnyte tool gives companies control over content. It has the capability to locate, sort, and encrypt personal information as well as provide real-time alerts when files are accessed without proper authorization.
- Snow GDPR gives companies the ability to monitor and note who accesses personal information. Snow focuses on asset visibility or the ability to track application usage on devices and in the cloud. In addition to tracking device location and the number of users, Snow accounts for what personal information is accessed on what devices.
- SAS for Personal Data Protection allows companies to manage data from a single platform. Since the GDPR requires companies to categorize all personal data, having one platform to manage those categories saves time.
- Nymity helps fulfill the GDPR evidence requirements. Nymity’s GDPR toolkit identifies the 39 articles in the GDPR that require evidence and then uses an accountability handbook, compliance framework, and readiness assessment questionnaire to help companies achieve compliance.
To many companies, particularly those in the US, the GDPR may seem like another hassle that complicates business operations. However, people care about their personal information, and just as a CEO would likely be upset if his/her personal information was disclosed or used without consent, ordinary people feel the same way. The more transparent and privacy-focused a company becomes, the more consumers will feel comfortable trusting those companies. To receive help becoming GDPR compliant or adjusting your website to GDPR specifications, schedule a consultation with RSI Security today.