The General Data Protection Regulation (GDPR)
How to Make Your Website GDPR Compliant (Part 1 of 2)
In May, the EU General Data Protection Regulation (GDPR) comes into effect. It introduces new regulations for almost all website operators. Only websites that are solely for family or personal purposes are excluded from the new rules.
The GDPR sets precise standards regarding what is to be considered personal data and what form of consent users must give before their data may be used (for marketing purposes).
What is the General Data Protection Regulation (GDPR)?
The GDPR is a European law with the aim of establishing a uniform legal framework for the processing of personal data by private companies and public authorities within the EU. The GDPR applies whenever personal data is processed. Personal data is all information relating to an identified or identifiable person. An identifiable person is a person “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
According to the GDPR, personal data is involved even if the data processor itself cannot identify the data subject but a third party can. Thus, pseudonymized data such as IP addresses and cookies are also considered personal data. In practice, this wide definition means that in case of any doubt you should always assume you are dealing with personal data within the meaning of the GDPR, as almost any piece of information could be interpreted as personal data.
The regulation comes into force on 25 May 2018. From then on, your business faces a potential fine of £20M or 4% of your annual turnover in the event of a breach of duty.
With the deadline approaching, uncertainty is spreading among many website operators. So what must be taken into account in order to avoid fines? The following article gives you an overview of the most important GDPR measures for your website.
- Newsletter Consent According to GDPR
- Alternatives for Social Plugins in the context of the GDPR
- Cookie Pop Up – yes or no?
- GDPR compliant use of Google Analytics
- GDPR compliant integration of Google Fonts
Webhosting – Subcontracting Data Processing
As a website operator, you are not permitted to store personal data on web space provided by a third party without an existing legal basis. Rather than asking every single visitor for consent, a subcontractor (data processing) agreement according to Article 28 GDPR is the most efficient solution.
Such a subcontract stipulates that the data processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. Above all, however, the service provider is obliged to protect the data accordingly. To guarantee this, the website operator is granted control rights. One exception is so-called housing: if you only rent servers in a data center without any data processing by a third party, you do not need a data processing contract. The leading web hosting providers mostly offer templates for such subcontracts on their websites. You should make sure that these templates meet the requirements of the GDPR.
If your website is hosted outside the EU, for example in the USA, you should make sure that your web hosting provider has submitted to the so-called Privacy Shield. Under this agreement between the EU and the USA, the hosting provider commits to complying with European data protection standards.
A big part of the GDPR is communicating to your users how and why you are collecting and using their data, in particular every process in which their personal data is handled. Article 13 GDPR considerably extends the obligation to inform compared to the former German Telemedia Act:
GDPR Compliant Contact Forms