# GDPR – the story so far and 5 fast website fixes
If data protection doesn’t float your personal or professional boat, May 25th, 2018 probably passed unnoticed.
But if you’re concerned with compliance, you’ll probably remember it as the date when GDPR (General Data Protection Regulation) aligned and updated data rules across Europe for the digital age.
A year on, if you’re not sure how this legislation has changed the way we do business, want to know how it’s been enforced and would like five compliance fixes for your website, pop the kettle on and peruse this blog.
## GDPR – the story so far
We won’t rehearse the intricacies of GDPR here — but if you need a refresher on its purpose and provisions, revisit this awesome archive blog.
What’s more relevant at this point is reviewing the ways it’s changed the business landscape, considering some stats on enforcement and working out which areas of compliance are proving problematic. Here are some broad developments:
- A February 2019 EDPB (European Data Protection Board) report revealed that the relevant agencies across Europe have issued a total of 56 million Euros in fines from over 200,000 GDPR cases reported since its introduction, with around 52% of cases closed so far.
- 95,000 of these were complaints, while 65,000 were triggered by data breach reports by data controllers. 56 million is not to be sniffed at, but it’s worth bearing in mind that a whopping 55 million Euros of this grand total is accounted for by French compliance watchdog CNIL’s Google fine for the web giant’s lack of transparency and lack of valid consent relating to using data for personalising ads.
## GDPR enforcement themes
A deeper dig into GDPR enforcement reveals a few emerging themes and, although taking a full legislative temperature check is tricky after only 12 months, there’s enough evidence to suggest that this rule is no paper tiger – it’s got teeth and regulators aren’t afraid to clamp down on companies with poor practice.
Law firm DLA Piper’s data breach survey report reveals that GDPR’s mandatory requirement to report breaches to regulators within 72 hours resulted in 59,000 such notifications across Europe in the 8 months from the introduction of the legislation to the end of January 2019. 10,600 of these were made by Britain, making it the third-biggest contributor after The Netherlands and Germany – and suggesting that the maximum fine of up to 20 million Euros or 4% of annual turnover is making people sit up and take notice of their responsibilities.
So far, the surge in reported data protection breaches is the most notable trend, but other significant ones include transparency, consent and Data Subject Access Requests (DSARs):
- In September 2018, internet browser Brave launched a GDPR complaint with regulators in Ireland and the UK asking for an investigation across the EU into the behavioural advertising industry – specifically the alleged lack of transparency operators like Google and other ad tech firms provide to web users when collecting their data in order to build profiles and subsequently serve them with ads.
- Privacy International filed two GDPR complaints with authorities in the UK, France and Ireland against two credit reference agencies, two data brokers and three ad tech firms, alleging that they didn’t have a valid legal basis for processing data and had not provided the requisite level of transparency.
- The expected rise in DSARs has also manifested itself. Taking the medical industry alone as a prime example, December 2018 BMA stats revealed that patient data requests to GPs increased by a third since the legislation’s introduction.
Two potential attendant offshoots from these trends are noteworthy:
- Legal commentators are already warning that an increase in the general public’s and solicitors’ awareness of the legislation could result in an increase in class action-style lawsuits.
- HR departments should ensure that their data protection and retention systems are robust enough to cope with the significant admin burden associated with responding to a DSAR.
The 50 million Euros CNIL/Google fine eclipses all others, but the German data protection authority levied an 80,000 Euro fine in January 2019 for publishing sensitive health data on the internet and the same regulator had previously fined a company 20,000 Euros for failing to encrypt employee passwords.
Other cases across Europe are still under investigation and, while it’s likely that the vast majority of these won’t result in the imposition of financial penalties, regulators haven’t been slow to embrace the opportunity to exercise the full extent of their powers when deemed necessary.
## General GDPR compliance
General steps to GDPR compliance remain the same as ever and include:
- Checking your data protection policies and procedures are GDPR-compliant and ensuring all members of staff are aware of their responsibilities and receive appropriate training.
- Ensuring contractual relationships with customers and suppliers comply with GDPR, especially if they involve transfer of electronic data outside the EU.
- Knowing when it’s necessary to conduct a data protection impact assessment so that your regime aligns with the spirit of GDPR’s privacy by design.
- Making sure all staff know what to do to prevent data protection breaches and the appropriate action to take when a breach is identified.
## 5 fast website fixes for GDPR
Meanwhile, if you want to feel confident that your website’s compliant with GDPR, follow these five steps:
1. Write a clear privacy notice
It’s probably best to specify that you don’t sell data, don’t share it unless legally compelled to do so and only request personal info in order to provide a service.
If you’re still unsure, reading this ICO guidance on privacy is a good start – and please remember to write your notice in Plain English so that it’s accessible and jargon-free.
2. Ask for cookie consent
GDPR rules requiring cookie consent are clear, and you should probably use a mechanism like a pop-up to request users’ permission for their use.
Word the question so that users must make a proactive choice between clear options before they can move on to the rest of your site; pre-ticked boxes are not permissible.
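The rule above (no default, no pre-ticked box, non-essential cookies only after an explicit "yes") is easy to get wrong in the glue code behind a banner. The following is an added example, not code from the original post or any plugin it mentions: a small consent gate whose state is "undecided" until the visitor actively chooses, which treats anything malformed or from an older consent version as "undecided" rather than as consent, and which only releases analytics scripts on a recorded accept. The storage key, the version number and the in-memory store standing in for `window.localStorage` are all constructed for the example.

```javascript
// Added example (not from the original post): consent state for a cookie banner.
const CONSENT_KEY = "cookie_consent"; // assumed storage key
const CONSENT_VERSION = 2;            // bump when the purposes change, forcing a fresh choice

// Read the persisted record. Missing, malformed or out-of-date values all mean
// "no decision yet"; there is no code path that defaults to "accepted".
function readConsent(store) {
  const raw = store.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const parsed = JSON.parse(raw);
    if (parsed.version !== CONSENT_VERSION) return null;
    if (typeof parsed.analytics !== "boolean") return null;
    return { analytics: parsed.analytics, decidedAt: parsed.decidedAt };
  } catch {
    return null;
  }
}

// Persist a proactive choice together with when it was made.
function recordChoice(store, analytics, now = Date.now()) {
  const record = { version: CONSENT_VERSION, analytics: Boolean(analytics), decidedAt: now };
  store.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Gate for non-essential scripts: only an explicit, current "yes" counts.
function shouldLoadAnalytics(store) {
  const c = readConsent(store);
  return c !== null && c.analytics === true;
}

// The banner is shown whenever there is no valid decision on record.
function bannerNeeded(store) {
  return readConsent(store) === null;
}

// What the two banner buttons call. Both buttons must be equally prominent and
// neither preselected; anything other than the two explicit options is rejected.
function handleBannerClick(store, choice) {
  if (choice !== "accept" && choice !== "reject") throw new Error("unknown choice: " + choice);
  return recordChoice(store, choice === "accept");
}

// Constructed stand-in for window.localStorage so the logic runs outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

In a real page the DOM wiring would pass the clicked button's value to `handleBannerClick` and call `shouldLoadAnalytics` before injecting any tag-manager or analytics script; the point of keeping the decision logic separate is that it can be unit-tested for the "no default consent" property.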
3. Make sure plugins are GDPR compliant
You’ll have to be sure that any plugins you use can export and delete user data and that they don’t disseminate it to other databases without the user’s clear consent. If you’re not confident that your plugins are GDPR compliant, you may have to find alternatives.
There are several GDPR WordPress plugins on the market at present which can help secure your site, and you can also source similar products for other platforms online.
4. Strictly limit data collected from form submissions
You should design forms so that they only collect data that’s absolutely necessary for legitimate processing purposes and store it for no longer than necessary. Although plugins can store forms in your database, new GDPR-proof versions include a ‘do not store form’ option.
5. Audit and clear your mailing list
If you’ve got an existing mailing list, obtaining user emails through a double opt-in method will ensure that you’ve got the right level of consent – this process isn’t required under GDPR, but will make sure your consent process is more robust than required, which is no bad thing in the current climate.
Don’t purchase email lists from third parties, because you’ve no way of knowing for sure whether user details were obtained legitimately and finally, if you’ve signed up subscribers in a way that doesn’t observe GDPR, this data is a liability and you should start a late spring clean without delay.
Despite the doomsayers’ warnings, GDPR hasn’t resulted in a slew of cases where companies have been fined severely and/or shut down for good.
However, there are enough concluded and upcoming prosecutions to prove that regulators across Europe are using all of the powers GDPR provides to punish non-compliant companies of all sizes and scopes.
Provided that you’ve taken the steps suggested above, your approach to data protection won’t pique the interest of the authorities and business operations will continue unimpeded.
However, if you’ve buried your head in the sand and ignored GDPR compliance, be sure that regulators will bite your behind before too long.
Call 01484 44 33 22 for any help with website compliance