Last Updated on March 16, 2021
The new General Regulation for the Protection of Personal Data entered into force throughout the EU on 25 May 2018.
But what is GDPR?
The General Data Protection Regulation is a half-revolution in how personal data collected on the web is processed.
After the scandals involving Facebook's use and abuse of its users' data, the new regulation looks like it can improve things by putting the user, and the importance of their data, at the centre of the discussion.
For the GDPR it is fundamental that users' personal data:
- are processed lawfully, fairly and transparently;
- are protected and kept to a minimum.
To ensure that these points are respected, the GDPR establishes guidelines to be followed, on pain of heavy financial penalties.
If you are not yet compliant and do not know what you need to do to meet the new regulation, do not panic.
In this article we look at an action plan that yields a workable solution in the short term and can be refined in the medium to long term.
But first, a brief guide to the technical terms you will need to know if you manage large amounts of sensitive data on the web.
- Privacy by Design principle: the measures that protect the user's privacy must be identified while the service is still being designed. Privacy by Design is about preventing, not correcting.
- Privacy by Default principle: the user data you collect must be proportionate to the purpose for which you requested it, and protected by default.
- Data Protection Officer: the DPO is a person, inside or outside the company, who organizes and manages the protection of personal data.
- Accountability: the Data Controller and the Data Processor are made responsible for the data. Whoever manages data takes a proactive role in protecting it and in ensuring that it is used correctly and transparently.
- Data processing: to quote a precise definition from Wikipedia: “Indicates any operation or complex of operations […] concerning the collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, deletion and destruction of data”
- Data Breach: any violation of user data. The GDPR regulates the procedure to follow in these cases, which we will look at later in the article.
Now let's see what you need to do to follow the GDPR guidelines and start thinking proactively about the processing of sensitive user data. These are the steps to put into practice:
1. Raise awareness and inform your organization's team about the upcoming changes, so that together you can determine the potential effects of applying the new Regulation.
2. Examine what type of data is being processed and develop an up-to-date data map.
3. Create an inventory of your information and evaluate what can and should change under the new Regulation. Analyze concretely which steps clearly identify the source of the data and how long it is retained. Meanwhile, experiment with more image-based ways of presenting the information (for example, infographics).
4. Think carefully about how to coordinate the role of the person responsible for personal data protection within the company.
5. Define the procedures for handling data subjects' rights, and establish how to implement the right to be forgotten.
6. Use monitoring ("sentinel") software to handle the new requirement to notify breaches of personal data.
7. Examine the consequences of the right to data portability and carefully plan the steps involved, to avoid problems in the company databases.
8. Develop the new policies on obtaining consent and informing users. Check with your data providers. Where minors' data is involved, remember that parental consent is required in addition to the consent of the under-16-year-old.
9. Test privacy starting from the design of each business process (Privacy by Design) and draw up the Privacy Impact Assessment (PIA) on the protection of personal data.
10. Examine the steps for handling data subjects' requests and determine how they can be managed through platforms that are easy to use even for people who are not very familiar with IT.
Yes, but in practice, how do you adapt your site (taking WordPress as the example)?
On your website, you must pay special attention to these points:
- Which plugins are installed and used
- Whether user comments are managed
- Whether users can register
- Contact or information-request forms
- Analysis of the generated traffic
- Any email marketing tools
It will be essential to:
- Review and extend the way any sensitive data is managed and stored
- Develop and/or adopt a new cookie banner; the consent it collects must of course comply with the new Regulation
For special cases, it is highly recommended to seek the advice of specialized law firms.
Cookie consent banner
If your site sets one or more cookies in the user's browser that make identification possible, there are two options: remove them or bring them into line with the new GDPR rules.
Unlike under the current legislation, to comply properly with the GDPR the cookie consent banner must ensure that consent is:
- Informed and given in advance: the user must receive all the information before accessing the site and must be able to choose which types of cookies to accept;
- Explicit: acceptance must be an affirmative, positive action by the user;
- Recorded: a record of the consent received must be kept;
- Editable: visitors must be able to change their consent choice, including refusing certain cookies, while keeping the same ability to browse the site.
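The four properties above map directly onto code. The following is an added example, not from the original article and not Cookiebot's code, of a consent-state manager that enforces them: nothing optional is set before the visitor answers (informed and in advance), only an explicit boolean acceptance counts (explicit), every decision is saved with a timestamp and policy version (recorded), and consent can be changed or withdrawn at any time, with the cookies from newly refused categories listed for removal (editable). The function names, the `cookie_consent` storage key and the category names are assumptions; the storage is injected so the same logic runs in Node.js for testing and in a browser when backed by localStorage or a first-party cookie.

```javascript
// Added example (not from the page, not Cookiebot): a consent-state manager that
// enforces the four properties above. Function and storage names are assumptions.
// The backing store is injected so the same logic runs in Node (for testing) or in
// a browser (pass an object that reads/writes localStorage or a first-party cookie).

const CONSENT_VERSION = 2;        // bump whenever the cookie policy text changes
const NECESSARY = 'necessary';    // strictly necessary cookies are whitelisted

function createConsentManager({ categories, store, now = () => Date.now() }) {
  if (!categories.includes(NECESSARY)) {
    throw new Error('categories must include "' + NECESSARY + '"');
  }
  const optional = categories.filter((c) => c !== NECESSARY);

  // In advance: no record means "not yet asked", never an implied yes.
  // A record taken under an older policy version is stale and is ignored.
  function getRecord() {
    const raw = store.get('cookie_consent');
    if (raw === null) return null;
    const rec = JSON.parse(raw);
    return rec.version === CONSENT_VERSION ? rec : null;
  }

  // Recorded: persist the decision with timestamp and policy version, so the
  // site can later show what was agreed and when. Only an explicit boolean
  // true counts as acceptance; anything else is treated as a refusal.
  function save(choices) {
    const rec = { version: CONSENT_VERSION, timestamp: new Date(now()).toISOString(), choices: {} };
    for (const c of optional) rec.choices[c] = choices[c] === true;
    store.set('cookie_consent', JSON.stringify(rec));
    return rec;
  }

  function isAllowed(category) {
    if (category === NECESSARY) return true;
    const rec = getRecord();
    return rec !== null && rec.choices[category] === true;
  }

  // Editable: the visitor can change or withdraw consent at any time.
  function update(choices) {
    const current = getRecord();
    return save({ ...(current ? current.choices : {}), ...choices });
  }
  function revokeAll() { return save({}); }

  // Every code path that sets a cookie goes through this gate.
  function setCookieIfAllowed(category, setter) {
    if (!isAllowed(category)) return false;
    setter();
    return true;
  }

  // After a change of mind, cookies already present from now-refused categories
  // must be expired. Given a name -> category map, return the names to remove.
  function cookiesToPurge(cookieCategories) {
    return Object.entries(cookieCategories)
      .filter(([, category]) => !isAllowed(category))
      .map(([name]) => name);
  }

  return {
    getRecord,
    needsBanner: () => getRecord() === null,
    isAllowed,
    update,
    revokeAll,
    setCookieIfAllowed,
    cookiesToPurge,
  };
}

// In-memory store with the get/set shape the manager expects (constructed for the example).
function memoryStore() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => { m.set(k, v); } };
}

// Walk through a visit: nothing optional is set before the choice, then an
// explicit partial acceptance, then a withdrawal that lists what must be expired.
function walkthrough() {
  const mgr = createConsentManager({ categories: ['necessary', 'analytics', 'marketing'], store: memoryStore() });
  const cookies = { session_id: 'necessary', stats_id: 'analytics', ads_id: 'marketing' }; // constructed
  const beforeChoice = mgr.setCookieIfAllowed('analytics', () => {}); // false: banner not yet answered
  mgr.update({ analytics: true });                                     // marketing stays refused
  const afterChoice = mgr.cookiesToPurge(cookies);                     // ['ads_id']
  mgr.revokeAll();
  const afterRevoke = mgr.cookiesToPurge(cookies);                     // ['stats_id', 'ads_id']
  return { beforeChoice, afterChoice, afterRevoke };
}
```

In a browser the `setter` passed to `setCookieIfAllowed` would be the call that actually writes the cookie or loads the analytics tag, and the names returned by `cookiesToPurge` would be expired by setting them with a past date. Bumping `CONSENT_VERSION` when the policy text changes forces the banner to reappear, because a consent given for a different policy is not the consent being asked for now.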
A plugin that provides all of this is Cookiebot (also listed by Google as a reliable solution: https://www.cookiechoices.org/). It offers:
- Cookie information and automatic scanning
- Cookie Control API
- Cookie repository
- Bulk consent across multiple domains
- Automatic detection and support of every language
- Real-time geo-targeting
- Whitelist of strictly necessary cookies
- Cross-browser support
- Respect for the browser's "Do Not Track" setting
- A stand-alone platform that can be used with any website
With this plugin you will already have met some of the GDPR requirements, namely:
- Allowing visitors to revoke their cookie consent
- Allowing visitors to refuse some cookies while still being able to visit the site
- Complete records of all the consents given
- Detailed information on the type of data collected and the purpose of each cookie
But that is not enough; the adaptation work must continue. Let's see how.
Breaches must be notified
If the site suffers an attack and/or a data breach, the Guarantor (the data protection authority) and the users must be notified within 72 hours.
This is possible by choosing a professional hosting service that offers SSL certificates, malware monitoring for the site and a backup service.
It will be essential to state the host's security rules in the Privacy Notice.
Data collection, processing and storage
It is essential to respect the following points:
- Data portability, i.e. the ability to transfer user data from one system to another (possibly by downloading it). This can be managed with the WPGDPR plugin for WordPress: https://wp-gdpr.eu/
- Right to be forgotten, i.e. the ability for users to have their data erased. Users can delete their own account with the free Delete Me plugin: https://wordpress.org/plugins/delete-me/ (applicable on platforms that include user registration)
- Right of access, i.e. being able to access their own data. It is essential to inform users of the reasons for which data are collected; you need a precise idea of what data you want to collect, process and store.
Do the WordPress plugins you use comply with the GDPR?
It will be essential to ensure that the plugins that save user data comply with the GDPR.
Some tips:
- Process data only if strictly necessary;
- Prefer plugins that do not save data in the database;
- If user data is stored, use a database external to WordPress, preferably encrypted.
Email marketing platforms
It is essential that such services give users the ability to modify their data and, if they wish, delete their previously registered profile.
Unlike in the past, separate checkboxes for the different types of processing must now be present. It must also be possible to show that consent was given and to attribute it easily to the user in question.
To adapt a site built with WordPress to the new GDPR rules you need to:
- Review the Privacy Statement;
- Obtain the user's consent before storing their data;
- Check the different ways data is collected;
- Provide the various options for managing user data: inserting, modifying, deleting or downloading it;
- Keep only strictly necessary data;
- Use only plugins that comply with the new GDPR regulations.