GDPR information and updates planned in our products

Apr 25, 2018

The European Union GDPR will take effect in a month. Below you will find more details, frequently asked questions and information about planned updates in our products to help our customers comply with the new GDPR regulations.

What is GDPR?

GDPR stands for General Data Protection Regulation, a new regulation that will replace the current Data Protection Directive from 1995. The primary objective of the GDPR is to harmonize the data protection regulation for all EU citizens. It will take effect in a month, on 25 May 2018.

Why is a new regulation like GDPR being adopted?

Currently each of the 28 EU Member States operates its own interpretation of the Data Protection Directive, resulting in quite diverse laws and interpretations, methodologies and, hence, practices in data protection. By aligning all of them, GDPR aims to improve citizens' control over their data, in terms of how their personal data is acquired, stored, protected, and processed. Through GDPR, citizens will have the right to access, challenge, and change personal data.

What is meant by "personal data"?

"Personal data" means any information relating to an identified or identifiable living individual. Separate pieces of data which, when assembled together, may lead to the identification of a particular person also constitute personal data. Examples of personal data include:

- first and last names
- home address
- an email address, such as your-name@gmail.com or your-name@company.com
- ID card number
- location data (e.g., mobile phone location data feature)
- IP address
- data stored by a hospital or doctor, which could be a symbol that uniquely identifies a person, and others

Examples of data that are not considered personal data include:
- company registration number
- an email address, such as info@company.com
- anonymous data

Who does the regulation cover?

GDPR is primarily targeted at:
- any organization collecting or controlling personal data from EU citizens
- any organization processing data on behalf of another organization (for example, providers of "cloud" services and others)

If your organization is registered outside the EU but collects and processes data of EU citizens, its activity still falls under the regulation. Although Britain, for example, is leaving the EU, the British government has confirmed that the GDPR will be applied with full force to all organizations based on British territory.

What do you need to tell the persons whose data is processed?

The administrator has the obligation to notify the persons whose data is processed of:

- the purpose for which the data is collected or processed
- the exact type of personal data that will be collected
- the possibility to withdraw consent to data processing, the right to request a correction, update, or limitation of processing, and the right to request the deletion of the data
- whether the data will be used for automated processing / profiling
- entitlement to judicial or administrative redress if the rights of the data subject have been violated

How to certify the users' consent for processing their data?

The person must express his or her consent actively and explicitly. This consent should be given in the form of a written statement of will declared by the person. In the digital world, this consent may be given by a completed electronic form, sent by e-mail or signed with an electronic signature. The Regulation does not specify the precise methods that data administrators should use to prove that consent has been obtained from the data subject; it gives administrators freedom in the means and methodologies they use. It is important, however, for the administrator to be able to prove that he has received valid and explicit consent, about which the person was informed in advance and had the opportunity to agree or refuse.

What happens if an organization fails to comply with GDPR?

Any violation of GDPR's rules will be penalized with extremely heavy fines - from 20 million to 4% of global turnover.

Updates planned to help customers using our products to comply with the GDPR (which will be available on request or added as default functionality, depending on the product)

1. GDPR Consent

We are adding to the admin panel, on the Configuration Options page, the possibility to activate a GDPR consent and edit its text. Depending on the type of website and business, you'll be able to describe there what kind of information you collect from the users (like first and last name, phone number, emails and others), how you process it (for example, if you plan to share it with other websites or services) or any other information you prefer.

We'll also have a service that detects whether the user is located within the EU (based on his IP address), so that the GDPR consent is shown only then (and not, for example, to users from the USA). However, since getting the user's location from his IP address isn't always reliable, if the website targets mostly EU customers, we advise keeping the GDPR consent active for all users.

2. Buttons for the users to delete their accounts and information associated with them (to comply with the famous "Right to Be Forgotten" rule)

For those products that don't have it by default, we are adding a Delete My Account button either on the Profile Edit page or in another clearly visible position (like the top right corner of the admin panel), allowing the user to click on it anytime and delete his account and the personal data associated with it.

3. User data encryption

This update makes it possible to encrypt all personal data in the user tables in the MySQL databases and keep it encrypted (it is decrypted again only when the information has to be shown later in some fields on the site). We use two-way encryption with the PHP openssl_encrypt and openssl_decrypt functions, with private keys generated specifically for each site.
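A sketch of this kind of field-level encryption, added here as an example and not taken from the vendor's products. The page names only openssl_encrypt and openssl_decrypt, so the AES-256-GCM cipher, the function names, the storage layout (base64 of IV, tag and ciphertext) and the sample values are assumptions.

```php
<?php
// Added example (not the vendor's code). Assumptions: AES-256-GCM and a
// 32-byte per-site key that is loaded from outside the database.
const FIELD_CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;

// $context binds the ciphertext to its table/column/row so that a value
// copied into another row fails authentication on decrypt.
function encrypt_field(string $plaintext, string $key, string $context): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    $iv = random_bytes(openssl_cipher_iv_length(FIELD_CIPHER)); // fresh per value
    $tag = '';
    $ct = openssl_encrypt($plaintext, FIELD_CIPHER, $key, OPENSSL_RAW_DATA,
                          $iv, $tag, $context, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // fits a TEXT/VARCHAR column
}

function decrypt_field(string $stored, string $key, string $context): string
{
    $raw = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length(FIELD_CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = (string) substr($raw, $ivLen + TAG_LEN);
    $pt = openssl_decrypt($ct, FIELD_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $context);
    if ($pt === false) {
        throw new RuntimeException('authentication failed'); // wrong key, row or tampering
    }
    return $pt;
}

// Constructed sample values: a random key and a made-up user row.
$siteKey = random_bytes(32);
$stored  = encrypt_field('jane.doe@example.com', $siteKey, 'users.email:42');
echo decrypt_field($stored, $siteKey, 'users.email:42'), PHP_EOL;
try {
    decrypt_field($stored, $siteKey, 'users.email:43'); // value moved to another row
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because every value gets a random IV, equal plaintexts produce different ciphertexts, so encrypted columns cannot be matched with SQL `=` or `LIKE`. The encryption only protects a leaked database if the site key is stored somewhere the database dump does not include.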

We are also ready to work on custom updates according to your requirements and specific business needs, so please don't hesitate to contact us for details or further questions.

2003-2024 © NetArt Media. The Art of Website Creation