After almost 2 years of vacatio legis, on May 25th, 2018, a new global data protection regulation entered into force: the General Data Protection Regulation, or simply the GDPR, a regulation passed by the European Union (EU) that governs how the personal data of individuals located in the EU must be obtained, processed, and secured by companies and websites.

With its 99 articles and 173 explanatory and motivational recitals, the GDPR is revolutionizing the way personal data is processed, introducing new obligations and duties for businesses while simultaneously extending the rights of users over how their data is handled.

In essence, it is looking to implement a new transparent, lawful, fair, and effective system that truly gives users the right to administer their own information. It also relies on a carrot-and-stick approach: the fines and sanctions of the GDPR can rise up to 20 million Euros or 4 percent of annual global turnover for non-compliant businesses. Quite something, right?

Even though the text and its numerous clauses have already been applicable for almost 6 months, a report by TrustArc, a global data privacy management company, states that 26% of businesses (located in the US, UK and EU) will still not be fully compliant by the end of this year, and this number is expected to increase by the end of 2019. So if your business is just getting started on the GDPR compliance process, don’t worry: many businesses are still in the same position!

Who does the GDPR apply to?

The GDPR applies to individuals located in the European Union (EU) by granting them new and extended rights and liberties, while simultaneously placing new rules and restrictions on any entity that processes the personal data of these subjects.

Note that we say “individuals located in the European Union (EU)” because the GDPR does not refer to any specific legal status of residency or citizenship.

Whether these data-processing entities are located in the Union or not truly does not matter, since the GDPR has extraterritorial applicability: it makes no difference whether the data processing is carried out inside or outside the territory of the EU.

Therefore, if you have EU-located customers visiting your website, completing transactions and leaving any personal information on your servers, you need to make some internal and external adjustments.

How do I implement these regulations on my website?

Summarizing all of the articles of the GDPR into a “how to become fully regulation compliant” guide can be quite a task, since the scope of application of some of the articles varies depending on the size of the company and the role it plays in the data management process.

Nevertheless, the GDPR and data processing can be easily understood if we take a closer look at the six simple (but very extensively described and explained) principles the GDPR is based on: lawfulness, fairness and transparency; data minimization; storage limitation; accuracy; and integrity and confidentiality. Names, emails, physical addresses, IP addresses and many other personal details are on the list; any collecting, importing or processing of this information must be carried out in accordance with these principles, otherwise you could be in trouble.

There are 6 conditions under which data processing is considered lawful; nonetheless, the most important one on the list is consent, a condition whose requirements were specially strengthened in the drafting of the GDPR.

No more legalese or ambiguous, confusing questions: consent must be asked for in clear and plain language, in an intelligible and concise way, and it must be given voluntarily, clearly and on an informed basis.

Recital 32 of the GDPR states that “Silence, pre-ticked boxes or inactivity should therefore not constitute consent.” So, pre-ticked boxes are a big no-no.

When creating the typical “Do you agree to…?” or “Would you like to…?” questions, you must inform the user of the type of information you are collecting and the purposes for collecting it, while also providing a simple, easy-to-use system that allows the user to give his or her consent and to withdraw it should he or she decide to. This covers the fairness and transparency also required by the GDPR.

It’s always good to remember that different types of processing and purposes require separate and individual consents.

Most websites state this type of information, obligations and rights in their Privacy Policies; having this agreement in place is one of the first steps toward becoming GDPR-compliant.
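As an added illustration (not code from the article or from any plugin it mentions), the following small consent ledger encodes the consent rules described above: a “yes” only counts when it came from an affirmative action rather than a pre-ticked box, each purpose gets its own separate consent, and consent can be withdrawn as easily as it was given. The purpose names and checkbox texts are constructed sample values.

```javascript
// Purposes and the plain-language text shown next to each checkbox
// (constructed sample values, not taken from the article).
const PURPOSES = {
  order_processing: "Use my address to ship the products I buy.",
  newsletter: "Email me about new products (about twice a month).",
  analytics: "Measure how I use the site so we can improve it.",
};

class ConsentLedger {
  constructor() {
    this.records = []; // append-only: every grant and withdrawal is kept
  }

  // `choices` maps purpose -> boolean as submitted by the form;
  // `defaults` is what each box showed before the user touched it.
  record(userId, choices, defaults, when = new Date()) {
    for (const [purpose, given] of Object.entries(choices)) {
      if (!(purpose in PURPOSES)) {
        throw new Error(`unknown purpose: ${purpose}`);
      }
      // A box that was already ticked when the form loaded is a
      // pre-ticked box: its "yes" is not an affirmative action.
      if (given && defaults[purpose] === true) {
        throw new Error(`pre-ticked box for '${purpose}' is not consent`);
      }
      // Store the exact wording the user saw, so consent can be evidenced.
      this.records.push({ userId, purpose, given: Boolean(given),
        text: PURPOSES[purpose], when: when.toISOString() });
    }
  }

  // Withdrawal is just another record; nothing is deleted from the ledger.
  withdraw(userId, purpose, when = new Date()) {
    if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
    this.records.push({ userId, purpose, given: false,
      text: PURPOSES[purpose], when: when.toISOString() });
  }

  // Latest decision for this user and purpose; no record means no consent.
  hasConsent(userId, purpose) {
    const last = [...this.records].reverse()
      .find((r) => r.userId === userId && r.purpose === purpose);
    return last ? last.given : false;
  }
}
```

Because the ledger is append-only and keeps the wording shown, it doubles as the evidence of consent the controller may need to produce later.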

Data minimization can be simply understood as “don’t use what you don’t need”: only collect the information you will actually need to perform your business activities, store only what is actually necessary, and keep it updated (accuracy). Any remaining information that eventually becomes unnecessary or no longer usable should be deleted or anonymized; this is the storage limitation principle.

As a webstore, you might not need to store every physical address the user has ever had a product shipped to; you might only need the last one, and you must grant the user the right to update, modify or delete it as he or she pleases.

And last but not least, keep that information safe (integrity and confidentiality): you must use the most appropriate technical and organizational security measures on your website to protect personal data against unauthorized processing and against accidental loss, destruction and/or damage.

Is it actually necessary to go through all of this?

Yes, it is, but let’s not lose our heads.

It is actually simpler than it might sound. The GDPR’s goal is to have conscious and transparent businesses that respect the privacy and rights of their users, creating lawful, transparent and fair practices between these two actors.

Understanding this essence will let you advance in the GDPR compliance process. Should users be made aware of this or that situation? Are users able to add or modify their own personal information? Do I really need to use this information? Is my website safe from data breaches that might compromise my business and my users?

These are not complicated questions, and in most cases the answers tell you whether or not you are complying with this new regulation.

Additionally, by now there are several tools that make this adaptation process even easier. From legal documentation kits to WordPress plugins, many resources (free and paid) are now available online that can easily be adjusted to the activities of your business and facilitate this process.

And finally, remember that this article is for informational purposes only and cannot be considered legal advice. It is highly recommended to seek legal help if you want to ensure that you are fully compliant with GDPR practices.

We can recommend the GDPR plugin, which covers a wide variety of the necessary tasks, and the Delete Me plugin, which specifically allows users to delete their data from a particular website.

We strongly recommend that you get legal advice concerning the GDPR: many of the statements in the new regulation are quite ambiguous, and if you want to interpret them in the way most favorable to you, it is necessary to discuss them with a professional lawyer.