Why and How to Adapt Your Website to the GDPR Regulations by May 2018 if You Do Not Want to Receive a Fine!

Talking about privacy, everything is about to change, and if you do not want to get a fine you will have to adapt your site or eCommerce to the legislation that takes effect on May 25, 2018. But let’s find out what it is and how to get it right.

The GDPR, the European Privacy Regulation, comes into force. Most Italian companies are still unprepared for the changes imposed by the Regulation, or believe that it does not concern them. The GDPR affects everyone who collects and uses contact lists for professional purposes and beyond: basically, any personal data can be used by your company only if it is acquired and managed according to the principles of the new European regulation. The GDPR entered into force on 25 May 2016 but will not be applicable until 25 May 2018. Until that date, in Italy, the legislation on personal data protection set out by Legislative Decree 196/2003 still applies.

The purpose of this law is twofold: on the one hand, it protects European citizens who give their consent to the processing of personal data; on the other, it regulates privacy more uniformly across the various European countries. Anyone who owns a site or eCommerce will have to roll up their sleeves to comply with the new web security legislation. But let’s go into the details of the new regulation and see what the obligations are and what to do.

With this new legislation, the consent given by users of your website must be informed and explicit. This means that all visitors to your website must confirm that they want to give their consent to the processing of their personal data and, at the same time, all websites must show a clear Privacy Policy indicating exactly which data will be collected and stored, from whom and for how long. As the “owner of the website”, you must give your visitors the opportunity to deny or change consent to the processing of personal data at any time (data subjects must be able to delete their data whenever they want).
This new law on users’ personal data affects all websites located in the European Union and, in any case, any website that expects interactions from users in EU countries. (In practice, it affects all the websites in the world!)

What are the obligations for site owners or eCommerce?

First you need an analysis of how your site collects and manages personal data. Even if your site contains only a contact form, you should consider where you keep that data and how you use it. This also means that companies and public bodies must identify a Data Protection Officer, a role specifically established in the company hierarchy to handle the many critical information, management and reporting duties. The minimum analysis you can start with covers these aspects:
  • which areas of your site collect data, and where they are stored (on your site? In an external system? Which one?)
  • the use you make of them (newsletter? Contractual requirements? Advertising profiling?)
  • how long you keep them
  • what consent have you obtained
  • data security and risks in the event of theft
If your site is simple, the analysis will be very fast; for a more structured site or for an eCommerce it will be slower. On the technical front, you have to make sure that all the components of your site are compliant with the GDPR. For a simple site or a blog, the biggest problem can be the plugins that install profiling cookies. Cookies must be blocked until the user consents to their use.
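The rule “cookies must be blocked until the user consents” is easy to state and easy to get wrong, because the default must be deny. The following is an added example, not code from the article, showing the server-side half of that gate: the visitor’s choices are read from an assumed `gdpr_consent` cookie, and only strictly necessary cookies are emitted until a non-essential category has been explicitly accepted. The cookie names, the category catalogue and the consent-cookie format are all assumptions for illustration.

```python
"""Server-side cookie gating: set only the cookies the visitor consented to.

Added example (not from the original article). The cookie catalogue, the
category names and the 'gdpr_consent' cookie format are assumptions.
"""
from http.cookies import SimpleCookie

# Assumed catalogue: every cookie the site may set, mapped to a consent category.
COOKIE_CATEGORY = {
    "session_id": "necessary",    # strictly necessary: allowed without consent
    "csrf_token": "necessary",
    "_ga": "analytics",           # analytics / profiling cookie
    "ad_segment": "advertising",  # advertising profiling cookie
}

NON_ESSENTIAL = ("analytics", "advertising")

# Assumed encoding of the consent cookie: consented categories joined by '|',
# e.g. "gdpr_consent=analytics|advertising". '|' is a legal cookie character.
CONSENT_COOKIE = "gdpr_consent"


def parse_consent(cookie_header: str) -> dict:
    """Return {category: bool}. Anything missing or malformed means NO consent:
    a visitor who has not answered the banner gets only necessary cookies."""
    consent = {cat: False for cat in NON_ESSENTIAL}
    consent["necessary"] = True
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:  # malformed Cookie header: fail closed
        return consent
    if CONSENT_COOKIE not in jar:
        return consent
    chosen = set(jar[CONSENT_COOKIE].value.split("|"))
    for cat in NON_ESSENTIAL:
        consent[cat] = cat in chosen  # only an explicit, known category counts
    return consent


def allowed_cookies(consent: dict, wanted: dict) -> dict:
    """Filter the cookies a page wants to set down to the consented ones.
    Cookies not in the catalogue are dropped (fail closed), so a new plugin
    cannot slip a profiling cookie past the banner by default."""
    kept = {}
    for name, value in wanted.items():
        category = COOKIE_CATEGORY.get(name)
        if category is not None and consent.get(category, False):
            kept[name] = value
    return kept


def set_cookie_headers(consent: dict, wanted: dict) -> list:
    """Build the Set-Cookie header values for the allowed cookies."""
    return [f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
            for name, value in allowed_cookies(consent, wanted).items()]


if __name__ == "__main__":
    page_cookies = {"session_id": "s1", "_ga": "GA1.2.1", "ad_segment": "x"}
    print(set_cookie_headers(parse_consent(""), page_cookies))
    print(set_cookie_headers(parse_consent("gdpr_consent=analytics"), page_cookies))
```

The same catalogue should drive the client side: the banner script that loads third-party tags must consult the stored choice before injecting them, otherwise the browser will still receive profiling cookies directly from the third party.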

How to adapt your site or eCommerce?

Here is a checklist of things to do:
  • monitor the services on the site that store users’ personal data
  • compare the information stored against what the new regulation permits
  • trace and preserve the consent offered by users who visit the site
To get in line with the new legislation we must carry out a careful analysis to understand what impact there can be in terms of data processing, and understand the infrastructure and functionality of the site. The things that, in your website, you absolutely have to review are:
  • the way sensitive data is managed and stored;
  • cookies and the banner for consent on cookies. The consent must comply with the requirements of the new privacy policy;
  • the Privacy Policy must be updated to the new European regulation.
To solve the problem of the Privacy Policy and be in compliance with the new European regulation, the support of a consultant is perhaps the best alternative especially if you have a specific case to be regulated.

GDPR and Website: right to delete personal data

Among the principles underlying data processing activities there is accountability: websites must be able to prove that they have a legal basis for processing sensitive data. All procedures must be modified in order to protect the user’s rights, starting from the request for cancellation of personal data, which can be made at any time. To facilitate the procedure for requesting the deletion of personal data, a separate database should be created for users’ consent.

GDPR and Website: registration of Logs

GDPR compliance for new sites also requires the implementation of a visitor data verification system, with the possibility of immediate notification in case of a risk of violation of personal data. A data-logging platform (log recorder) able to collect data and track the activities of the system administrator and the webmaster, combined with software (or, in the case of a CMS, plug-ins / modules) for access control and data protection, can be the solution to this requirement.
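What a “log recorder” for administrator and webmaster activity needs, in practice, is an append-only record that a compromised or careless admin cannot quietly rewrite, plus at least one rule that raises the “risk of violation” notification the paragraph mentions. The following is an added example, not code from the article or from any named product: a hash-chained audit log in which each entry commits to the previous one, a `verify()` walk that detects any edited or removed entry, and a simple rule that flags an account exporting personal data an unusual number of times. The event fields, the action names and the threshold are assumptions.

```python
"""Tamper-evident audit log for admin/webmaster actions with a simple alert rule.

Added example (not from the original article). Event fields, action names
and the export threshold are assumptions chosen for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def _digest(entry_without_hash: dict) -> str:
    """Canonical SHA-256 over the entry's fields (sorted keys, fixed encoding)."""
    payload = json.dumps(entry_without_hash, sort_keys=True).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only log; each entry stores the hash of the previous entry."""

    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, target: str, ts=None) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,      # who acted (admin / webmaster account)
            "action": action,    # e.g. login, edit_user, export_personal_data
            "target": target,    # what was touched; never store the data itself
            "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """True only if every entry's hash matches its contents and the chain
        is unbroken; editing, reordering or deleting an entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def export_alerts(log: AuditLog, max_exports: int = 3) -> list:
    """Risk rule (assumed): an actor exporting personal data more than
    max_exports times is reported so the notification can be sent."""
    counts = {}
    for e in log.entries:
        if e["action"] == "export_personal_data":
            counts[e["actor"]] = counts.get(e["actor"], 0) + 1
    return sorted(actor for actor, n in counts.items() if n > max_exports)


if __name__ == "__main__":
    log = AuditLog()
    log.record("admin", "login", "control-panel")
    for i in range(4):  # constructed sample activity
        log.record("webmaster", "export_personal_data", f"user-{i}")
    print("chain intact:", log.verify())
    print("alerts:", export_alerts(log))
```

In a real deployment the entries would be written to storage the admin accounts cannot modify (a separate log host or a write-once bucket) and the last hash would be periodically copied somewhere independent, so that `verify()` has an anchor the attacker does not control.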

GDPR and Website: right to be informed

The GDPR also requires respect for different types of user rights, first of all the right to be informed. Website owners must inform visitors and customers about the sensitive data that is about to be obtained from them. Notices in this regard must be displayed clearly and be easily understandable, even for children or minors. Site administrators must also distinguish two categories: data obtained directly from users, and secondary data derived from that information.

GDPR and Website: the rights of the person concerned

Other fundamental rights of the user are the right of access, the right of rectification, the right to be forgotten, the right to limit the processing of private information, the right to data portability and the right to object to the processing of personal data. To ensure GDPR compliance, administrators can provide configuration mechanisms that give effect to these rights through automatically scheduled actions.

GDPR and Website: the newsletter

Newsletter subscription options and contact preferences must also be reorganized in order to align with the new provisions, which no longer allow consent to be assumed by default. The forms will have to be readjusted: sponsored messages and newsletters move from opt-out (as it was before) to explicit opt-in. The same applies to “Terms of Service – Conditions” and also to the Privacy Policy.

GDPR and Website: the management of personal data

Once the consent and acceptance of the privacy policy and the conditions of use have been provided, the user must have the possibility to manage and withdraw them in a simple and immediate manner. A recommended approach is to create a user profile page, where everyone can independently manage any consent on private data collection and any sending of communications and newsletters.
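The separate consent database mentioned earlier, the opt-in forms of the newsletter section, and the profile page described here all rest on the same backend object: a per-user, per-purpose consent record that treats an unticked box as no consent, keeps the history needed to prove what was agreed and when, and can be exported (portability) or erased on request. The following is an added example, not code from the article or from any CMS; the purposes, the form field names and the erasure receipt are assumptions.

```python
"""Per-user consent records: explicit opt-in, withdrawal, portability and erasure.

Added example (not from the original article). The purposes, the form field
names ('consent_<purpose>' = 'on') and the erasure receipt are assumptions.
"""
from datetime import datetime, timezone

PURPOSES = ("newsletter", "profiling", "third_party_sharing")


def _now_iso(ts=None) -> str:
    return (ts or datetime.now(timezone.utc)).isoformat()


class ConsentStore:
    """Consent history kept apart from the personal data it governs."""

    def __init__(self):
        self._consents = {}   # user_id -> purpose -> [ {ts, granted} ... ]
        self._profiles = {}   # user_id -> personal data (separate table)
        self._erasures = {}   # user_id -> timestamp of erasure (no personal data)

    def register(self, user_id: str, profile: dict) -> None:
        self._profiles[user_id] = dict(profile)
        self._consents.setdefault(user_id, {})

    def record_form(self, user_id: str, form: dict, ts=None) -> list:
        """Apply a submitted form. Only a box the user actually ticked
        ('consent_<purpose>' == 'on') grants consent: nothing is pre-flagged,
        and an absent or empty field is treated as no consent."""
        when = _now_iso(ts)
        granted = []
        for purpose in PURPOSES:
            if form.get(f"consent_{purpose}") == "on":
                self._consents.setdefault(user_id, {}).setdefault(purpose, [])
                self._consents[user_id][purpose].append({"ts": when, "granted": True})
                granted.append(purpose)
        return granted

    def withdraw(self, user_id: str, purpose: str, ts=None) -> None:
        """Withdrawal is appended, not overwritten, so the history survives."""
        self._consents.setdefault(user_id, {}).setdefault(purpose, [])
        self._consents[user_id][purpose].append({"ts": _now_iso(ts), "granted": False})

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """The latest event decides; no event at all means no consent."""
        events = self._consents.get(user_id, {}).get(purpose, [])
        return bool(events) and events[-1]["granted"]

    def export(self, user_id: str):
        """Right to portability: everything held about the user, as plain
        data ready to be serialised, or None if the user is unknown."""
        if user_id not in self._profiles:
            return None
        return {"profile": dict(self._profiles[user_id]),
                "consents": {p: list(ev) for p, ev in self._consents[user_id].items()}}

    def erase(self, user_id: str, ts=None) -> bool:
        """Right to erasure: drop the profile and the consent history, keeping
        only a dated receipt (assumed design choice) to prove the deletion."""
        if user_id not in self._profiles:
            return False
        del self._profiles[user_id]
        self._consents.pop(user_id, None)
        self._erasures[user_id] = _now_iso(ts)
        return True

    def erased_at(self, user_id: str):
        return self._erasures.get(user_id)


if __name__ == "__main__":
    store = ConsentStore()
    store.register("u1", {"email": "u1@example.test"})   # constructed sample
    print(store.record_form("u1", {"consent_newsletter": "on"}))
    store.withdraw("u1", "newsletter")
    print(store.export("u1"))
    print(store.erase("u1"), store.erased_at("u1"))
```

The profile page the paragraph recommends is then a thin view over `has_consent`, `withdraw` and `export`; because every grant and withdrawal is an appended event with a timestamp, the same store also serves as the evidence of lawful processing that the accountability principle asks for.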

In short, it is possible to list the main steps to ensure a GDPR-compliant website, with the specific actions that administrators should follow:

GDPR and Website: checklist

  • Verify all personal data collected
  • Update the privacy policy
  • Make cookie alerts effective
  • Create simple opt-in processes that are granular (depending on the treatment)
  • Review the data acquisition feature
  • Update the Privacy Policy for emails
  • Make it possible to manage / delete data immediately
  • Apply an encryption level to the data on the disk and for the information in the databases
  • Check that all modules are not “flagged” by default. The user must confirm the sending of the information
  • Enable a procedure to facilitate the deletion of data of a particular user
  • Enable a procedure that guarantees data portability
  • Register and monitor system logs for administrators and webmasters

Why comply?

This is a law, and it therefore provides for penalties. The new regulation provides for checks by the police and, in case of violation, it could cost you a lot (certainly more than it costs to put things in order).

By May 25, 2018, each Member State will also have to set up a dedicated body that will have the task of checking all websites for compliance with the new law. In case of violations, this body will indicate the corrective measures that the interested parties will have to adopt.

How to solve the problem!

What do you need? You need two professionals: a lawyer for the legislative part and a web agency for the technical part. Do not wait any longer: May is near and the sanctions are around the corner.