GDPR - frequently asked questions and updates in our products

By: Peter, NetArt Media
Wed, 25 April 2018
What is GDPR?

GDPR stands for General Data Protection Regulation, a new EU regulation that replaces the Data Protection Directive of 1995. Its primary objective is to harmonize data protection rules for everyone in the EU. It takes effect in a month, on 25 May 2018.

Why is a new regulation like the GDPR being adopted?

Currently each of the 28 EU Member States operates its own interpretation of the Data Protection Directive, resulting in diverse laws, methodologies and, hence, practices in data protection.
By aligning them, the GDPR aims to improve citizens' control over their personal data: how it is acquired, stored, protected and processed. Under the GDPR, individuals have the right to access, challenge and correct their personal data.

What is meant by "personal data"?

"Personal data" means any information relating to an identified or identifiable living individual. Separate pieces of data which, when assembled, can lead to the identification of a particular person also constitute personal data. Examples of personal data include:

- first and last name
- home address
- an email address such as your-name@gmail.com or your-name@company.com
- ID card number
- location data (e.g., from a mobile phone's location feature)
- IP address
- data held by a hospital or doctor, such as a patient identifier that uniquely identifies a person
- and others

Examples of data that are not considered personal data include:
- company registration number
- a generic email address such as info@company.com
- anonymous data, from which the individual can no longer be identified by anyone.
Note that pseudonymised data (for example a user ID or a hashed email that can still be linked back to a person with additional information) remains personal data; only genuinely anonymous data falls outside the regulation.

Are there any cases in which the rules don't apply?

The rules do not apply to data processed by a natural person for purely personal reasons or for household activities, provided there is no connection with any professional or commercial activity. When a person uses personal data for, for example, socio-cultural or financial activities, the regulation must be respected.

Who does the regulation cover?

The GDPR is primarily targeted at:
- any organization collecting or controlling personal data of people in the EU (a "controller")
- any organization processing data on behalf of another organization, for example providers of "cloud" services (a "processor")

If your organization is registered outside the EU but collects or processes the data of people in the EU, its activity still falls under the regulation; note that the test is whether the data subjects are in the EU, not whether they are EU citizens. Although Britain is leaving the EU, the British government has confirmed that the GDPR will apply in full to all organizations based on British territory.

What do you need to tell the persons whose data is processed?

The administrator (the "controller" in GDPR terminology) is obliged to inform the persons whose data is processed about:

- the purpose for which the data is collected or processed
- the exact types of personal data that will be collected
- the possibility to withdraw consent to data processing, the right to request correction, updating or restriction of processing, and the right to request deletion of the data
- whether the data will be used for automated decision-making / profiling
- the right to judicial or administrative redress if the rights of the data subject have been violated.

How to prove the users' consent for processing their data?

The person must give consent actively and explicitly, through a clear affirmative action. On paper this means a written statement of will; in the digital world consent can be given through a completed electronic form, by e-mail or by electronic signature. Silence, pre-ticked boxes or inactivity do not count as consent.
The Regulation does not prescribe the precise methods that data administrators should use to prove that the data subject has given consent; it leaves them free to choose their means and methodologies. What matters is that the administrator can prove that valid and explicit consent was received, that the person was informed in advance and that he or she had a real opportunity to agree or refuse. In practice this means recording, for each user, when consent was given, through which form and for which version of the consent text.

What happens if an organization fails to comply with GDPR?

Violations of the GDPR can be penalized with very heavy fines: up to 20 million euro or 4% of the company's worldwide annual turnover, whichever is higher.


What are the obligations of the administrators and processors of personal data?

The General Data Protection Regulation introduces a number of obligations for data administrators (controllers) and processors, some of which are entirely new and unknown in the legislation currently in force.

They are:
- processing the data in accordance with the data protection principles set out in the Regulation and being able to demonstrate this
- providing reliable protection of the collected user data
- designating a person in the organization responsible for data protection (a Data Protection Officer, where the Regulation requires one) and keeping a register of the data processing activities
- notifying the supervisory authority (within 72 hours of becoming aware of it) and, where the risk to them is high, the persons whose data is concerned, in case of a breach of personal data security, as well as documenting every breach: the facts relating to it, its consequences and the actions taken to deal with it
- performing a data protection impact assessment for processing that is likely to pose a high risk
- applying appropriate technical and organizational measures to ensure data security. The Regulation does not set strict rules, but it lists example measures: pseudonymization and encryption of personal data; ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services; timely restoration of availability and access to personal data after a physical or technical incident; regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures; and cooperation with the data protection supervisor on the obligations arising from the Regulation.


Updates planned to help customers using our products comply with the GDPR (available on request or added as default functionality, depending on the product)

1. GDPR Consent

We are adding to the admin panel and the Configuration Options page the possibility to activate a GDPR consent and edit its text. Depending on the type of website and business, you will be able to state there what information you collect from users (such as first and last name, phone number, email and others), how you process it (for example whether you share it with other websites or services), and any other information you prefer.

We will also have a service that detects whether the user is located in the EU (based on the IP address) and shows the GDPR consent only in that case (and not, for example, to users from the USA). Since locating a user from the IP address is not always reliable (VPNs, proxies and mobile carriers can place an EU visitor outside the EU), we advise keeping the GDPR consent active for all users if the website targets mostly EU customers.

2. Buttons for users to delete their accounts and the information associated with them (to comply with the well-known "Right to Be Forgotten" rule)

For products that do not have it by default, we are adding a Delete My Account button, either on the Profile Edit page or in another clearly visible position (such as the top right corner of the admin panel), allowing the user to delete his or her account and the personal data associated with it at any time. To actually honour the request, the deletion has to cover not only the row in the users table but also the related records in other tables that carry the user's personal data, and it should invalidate the user's active sessions.

3. User data encryption

This update encrypts all personal data in the user tables of the MySQL database and keeps it encrypted at rest; it is decrypted only when the information has to be shown in some field on the site.
We use two-way (symmetric) encryption with the PHP openssl_encrypt and openssl_decrypt functions, with a secret key generated separately for every site. The key is what protects the data, so it must be stored outside the database and the web root (for example in a configuration file or environment variable readable only by the application), and a fresh random IV must be used for every encrypted value so that identical inputs do not produce identical ciphertexts. Note also that encrypted columns cannot be searched or indexed directly.
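As an added example (this is not NetArt Media's code; the SITE_DATA_KEY variable name, the table and column names and the sample user are assumptions), the following PHP shows field-level encryption with openssl_encrypt in an authenticated mode, a random IV per value, tamper detection on decrypt, and a keyed hash ("blind index") so that a user can still be looked up by email without decrypting the whole table. It runs against a constructed in-memory SQLite table; the same statements apply to MySQL.

```php
<?php
declare(strict_types=1);

// Added illustration, not the product's own code. Assumed: the per-site key is
// 32 random bytes kept outside the database and web root, loaded here from an
// environment variable named SITE_DATA_KEY (the name is an assumption).
const FIELD_CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;

function loadSiteKey(): string
{
    $hex = getenv('SITE_DATA_KEY');
    if ($hex === false || !preg_match('/^[0-9a-fA-F]{64}$/', $hex)) {
        throw new RuntimeException('SITE_DATA_KEY must be 32 bytes, hex encoded');
    }
    return hex2bin($hex);
}

// Encrypt one field: fresh random IV per call, GCM tag for integrity.
// Stored form is base64(iv . tag . ciphertext).
function encryptField(string $plain, string $key): string
{
    $iv  = random_bytes(openssl_cipher_iv_length(FIELD_CIPHER));
    $tag = '';
    $ct  = openssl_encrypt($plain, FIELD_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Decrypt one field. The tag check makes a value that was edited in the
// database, or encrypted under another site's key, fail loudly.
function decryptField(string $stored, string $key): string
{
    $ivLen = openssl_cipher_iv_length(FIELD_CIPHER);
    $raw   = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new RuntimeException('malformed stored value');
    }
    $iv    = substr($raw, 0, $ivLen);
    $tag   = substr($raw, $ivLen, TAG_LEN);
    $ct    = substr($raw, $ivLen + TAG_LEN);
    $plain = openssl_decrypt($ct, FIELD_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plain;
}

// Encrypted columns cannot be queried with WHERE email = ?, so a keyed hash of
// the normalised value ("blind index") is stored beside the ciphertext.
function blindIndex(string $value, string $key): string
{
    return hash_hmac('sha256', strtolower(trim($value)), $key);
}

// Demo on an in-memory SQLite table with constructed data; MySQL would use the
// same statements with a TEXT/VARBINARY column for the stored ciphertext.
$key = getenv('SITE_DATA_KEY') !== false ? loadSiteKey() : random_bytes(32);
$db  = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email_idx TEXT, email_enc TEXT, name_enc TEXT)');

$ins = $db->prepare('INSERT INTO users (email_idx, email_enc, name_enc) VALUES (?, ?, ?)');
$ins->execute([
    blindIndex('Anna@Example.org', $key),
    encryptField('Anna@Example.org', $key),
    encryptField('Anna Example', $key),
]);

// Lookup by email through the blind index, then decrypt only the matching row.
$sel = $db->prepare('SELECT email_enc, name_enc FROM users WHERE email_idx = ?');
$sel->execute([blindIndex('anna@example.org', $key)]);
$row = $sel->fetch(PDO::FETCH_ASSOC);
echo decryptField($row['name_enc'], $key), ' <', decryptField($row['email_enc'], $key), ">\n";

// A ciphertext edited in the database is rejected instead of decrypting to garbage.
$tampered = $row['email_enc'];
$pos = strlen($tampered) - 5;
$tampered[$pos] = ($tampered[$pos] === 'A') ? 'B' : 'A';
try {
    decryptField($tampered, $key);
} catch (RuntimeException $e) {
    echo 'tampered value rejected: ', $e->getMessage(), "\n";
}
```

The blind index deliberately uses the normalised (trimmed, lower-cased) email so that lookups match regardless of how the address was typed, and it is keyed with the site secret so that the hash column alone does not let someone with a database dump confirm whether a given address is registered.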

We are also ready to work on custom updates according to your requirements and specific business needs, so please do not hesitate to contact us with details or further questions.


Category: SEO & Marketing