On 25 May, the European General Data Protection Regulation comes into force.
If you are a web developer/designer or an entrepreneur whose business involves collecting data from individuals in the European Union, you must be already aware of the GDPR and its main provisions. If not, please read our post that explains the GDPR to web designers and developers.
In this article, I want to go further than just describing the GDPR requirements. I believe that this European regulation hallmarks the dawn of a new era of comprehensive data protection. I want to explore the meaning of these changes for all of us, paying particular attention to small businesses and web developers.
I invited web development and business templates experts to speak about post-GDPR markets and the pitfalls the new policy may have.
Please feel free to participate in the discussion! We will be glad to read your comments and respond to them!
But before we delve into making long-term prognoses, let’s get clear about the basic tenets of GDPR.
What are the main principles of the new General Data Protection Regulation?
In a nutshell:
- Companies will have to be very explicit about what data they collect, how it’s done, and for what purposes you are using this information.
- Private customer data should be processed in all transparency and stored no longer than it’s necessary for the specific legitimate purposes.
- Users will have to give separate and informed consents for collecting different types of their private data.
- Consent should be asked for through positive opt-ins and be easy to withdraw. Every user will have the right to be forgotten and have their private data removed.
- Data-collection for children under 16 can be made only after obtaining consent from a holder of parental authority.
- In case of a data breach, companies will have to notify data protection authorities within 72 hours and inform customers about the breach “without undue delay”.
Read the full “Principles” chapter of the GDPR.
Who will have to comply?
- The EU GDPR applies to any company that is based inside or outside of the EU and collects, stores, or transmits data belonging to EU residents (any information related to an identifiable person, including IP address).
- The regulation does not apply to situations when data processing is done for personal and household use, only for commercial purposes.
- Companies with less than 250 employees will have to comply but with some exceptions (like not having to maintain a record of processing activities, having to appoint data protection officer, etc)
What are European Customers Entitled to Under GDPR?
- They have the right to be informed, meaning that they will know what types of data they are sharing when entering a website or filling out a form. This information should be free and easily accessible.
- They will be able to access freely any data that a particular resource collects about us. This information will be given after a login or within one month upon request (2-3 months in some cases). If a website refuses to satisfy the request, they will need to give good enough reasons and indicate the authority to whom the user can complain. No admin fees can be charged for making such requests.
- If they want to make changes in the data that are being collected by a particular entity, they will be able to do it across all its platforms.
- Users now have the right to be forgotten, so that all sensitive data about them would be deleted (with a possible exception for the information that can serve the good of all humanity).
- They can continue using a resource without giving the permission to process personal information. The resource will be collecting the bare minimum of data but no profiling will be allowed.
- Users will have their personal data transferred from one resource to another upon request.
- Users should find leaving any platform and deactivating their personal accounts much easier than it was to register and share their data. They will have the right to object the use of their personal data for marketing purposes.
- If users are making some major decisions or initiating actions based on their interaction with a website, they will have the right to talk to a real person at some point if they need to.
What consequences will the GDPR have for web developers and web designers?
GDPR affects all aspects of web development, especially if you weren’t already practicing privacy by design and privacy by default. From the design to implementation- now web developers have to consider how they are handling user data, how they get and record consent, and what kind of controls they give back to users so they can change their minds and control their own data.
If you have logged-in users, the issues are more obvious. But even if you have web app or web site visitors and pop cookies in their browsers, or serve up content from a third party site like YouTube, you still have to think about it.
I think it will affect decision making around web development tools and SaaS services. People will look for “GDPR-enabled” services and software. And they will be wondering how they can wrest control from third party services or get commitments and assurances.
Decision makers will be asking now – is this service or CMS already GDPR compliant? Is TYPO3 GDPR compliant? Is WordPress GDPR compliant? They need to know it “just works” out of the box.
It’s been a short timeline and open source communities are moving fast. Companies maintaining their own content management software in-house will have a hard time keeping up.
For that reason, I think GDPR shows the power of open source.
1. That open source CMSs are already releasing GDPR compliance tools.
2. That you can have complete control over user data and reduce exposure in third-party services by using open source.
TYPO3 CMS just announced a GDPR specific release, led by contributors in the community.
And they have a TYPO3 GDPR extension to take care of anything the release doesn’t cover. See:
Likewise, the WordPress community only started talking about making WordPress GDPR compliant recently:.
And they just released a GDPR release – Which is a pretty great turnaround!.
I think open source CMSs are coming off looking good for web development now with GDPR on the horizon.
As web designers and developers working in the new GDPR landscape, it will be important for us to learn the available tools for assisting in GDPR compliance and reassuring clients. This means the advice and common practices that people have been giving out for years are now going to be misleading and downright dangerous.
We are already seeing GDPR compliant forms and checkboxes but expect to see more tools to make it easier to geo-detect users and prevent cookies from being fired until consent is given.
So far, some of the solutions are thin on the ground, but in the coming weeks and months, it’s going to up to web developers to be vigilant as tools are developed to make these tasks easier.
While the GDPR regulations are black and white, their interpretation and use in various systems still seems to be open to interpretation as many are still sharing conflicting opinions and advice.
Digital Marketer, Mazepress
Source: What Web and Business Experts Say About Implications of GDPR Regulation