GDPR: what to do to be compliant and avoid penalties

The GDPR (General Data Protection Regulation) is Regulation (EU) 2016/679 on the protection of personal data.

In Italy it superseded the previous Legislative Decree 196/2003, the “Personal Data Protection Code”, which was amended in 2018 to align with it.

The main differences from the previous legislation are the more precise information that must be given on how personal data will be processed, and the requirement for explicit consent to that processing.

But that’s not all: the GDPR also regulates the transfer of data outside the European Union, obliges the controller to notify users of breaches, and introduces the right to be forgotten, i.e. the right to have all of one's personal data deleted.

But why should SOS WP care about the GDPR and legal issues?

Because even if you only have a small blog, you have to comply with the law, otherwise you risk fines that can be very high. The GDPR now affects practically everyone, so start informing yourself on the subject by watching this interview with Attorney Alberto Leoncini and reading this guide.

If you want more peace of mind and want to be sure your site respects the rules, check out our GDPR adjustment and compliance service, highly rated by our customers (see the Trustpilot reviews here).

Before we begin, let’s clarify some terms you need to know to get into the subject.

Frequently asked questions about the GDPR for website owners
What are the personal data regulated by the GDPR?
Personal data is any information that allows a person to be identified, directly or indirectly.
This includes names, email addresses and IP addresses, but also biometric data, encrypted information and pseudonymised data (a pseudonym that can be linked back to a person still counts as personal data).

Who is the data controller?
The data controller is the person or organisation that determines how the collected data are used and for what purposes.

Who is the data processor?
The data processor is the person or organisation that processes the data on behalf of the controller, to achieve the purposes the controller has set.

Example:

If you use a newsletter service such as Mailchimp, the personal data collected are the names and email addresses of the users.

You are the data controller, and you collect this data for the purpose of sending promotional offers to users.

The data processor is Mailchimp, which physically stores the data on its servers.

Whether you send the newsletter to sell products or simply to send your blog updates for free makes no difference: in both cases you are required to comply with the GDPR.

What to do to be in compliance with the GDPR
First of all we recommend that you seek legal advice and consult an expert to make sure your website complies with the GDPR as soon as possible.
If you want to research the subject yourself, consult only official sources, such as the information page of the Privacy Guarantor (the Garante, Italy's data protection authority).

In this article we only give you some pointers to get an idea of how to adapt your site to the GDPR, but we still suggest that you contact the experts to apply all the rules correctly.

Let’s see what needs to be done to comply with the GDPR.

To adapt your website to the GDPR, you will first need to collect the user's explicit consent for the purposes you declare.

This means that you explain why you need their data, and the user explicitly agrees that you use them for those purposes.

Pre-selected check boxes are not allowed! The user must tick the box themselves to give consent.

Here is an example of a non-compliant contact form. Even though the consent box is present, it is already ticked when the page opens, and therefore it does not comply with the GDPR.

Contact form with activated box
You will also need to inform the user about all the details of how their data will be processed, and for this you have to write a privacy policy.

The information must be very clear, so do not use ambiguous terms or overly complicated language.

Include within it:

what kind of data is collected,
what data is stored,
who the controller and the processor are,
how long the data will be stored.
Furthermore, withdrawing consent must be as simple as giving it, for example by clicking on a simple link such as “Unsubscribe” or “Delete all my data”.

Once the consents have been collected, you will need to record them in a dedicated personal data register (the GDPR requires you to be able to prove that consent was given, Article 7, and to keep a record of your processing activities, Article 30), where you will note:

who gave consent,
when it was given,
which conditions the user explicitly accepted (and which version of the policy),
who has access to the data,
any transfer of data to a non-EU country,
how the data is deleted,
what security measures are adopted to protect the data.
The register can be kept on paper or electronically, but the electronic form is certainly more convenient for keeping it up to date.

GDPR and Cookies
The GDPR does not only concern the data that the user provides by filling out a form or subscribing to the newsletter.

There are other technologies that can collect personal data even without the user being fully aware of it: cookies.

Cookies can be used, for example, to recognise a user who has already visited your site, and therefore show them a different advertisement from the one shown to a new visitor.

They can also track this user on Facebook, through its pixel, and show them personalised ads.

They are also needed simply to make Google Analytics work, which collects data such as the IP address.

In short, practically all websites now use cookies, so the GDPR must be respected for this technology too.

This is why European websites that set non-essential cookies (analytics, advertising and similar; cookies strictly necessary for the site to work are exempt) are obliged to display a banner with Accept and Reject buttons as soon as the page loads, before any such cookie is set.

The banner you see below is correctly configured according to the GDPR:

GDPR cookie banner
If a user refuses cookies, the website must still allow them to browse.

Also, users must be able to withdraw consent at any time, and the site owner must keep a record proving the consent status of each user.
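The three rules just stated (nothing non-essential is set before a choice, Reject leaves the site usable, and a withdrawal deletes what was set) are easy to get wrong in a banner that only hides itself. The following is an added example written for this guide, not code from SOS WP or from any cookie plugin. It is written against an in-memory cookie jar so it can run outside a browser; in the page itself the jar would wrap `document.cookie`. The cookie name `sos_consent`, the categories and the vendor script URLs are assumptions; `_ga`, `_gid` and `_fbp` are the cookie names Google Analytics and the Facebook pixel are known to set.

```javascript
// Added example, not code from the SOS WP article: the decision logic behind a
// compliant cookie banner. Cookie name, categories and vendor URLs are assumptions.
"use strict";

const CONSENT_COOKIE = "sos_consent";
const POLICY_VERSION = "2024-01"; // bump when the cookie policy changes: old consent no longer counts

// Which scripts belong to which category, and which cookies they leave behind.
// "necessary" loads unconditionally (exemption for strictly necessary cookies);
// everything else waits for consent.
const CATEGORIES = {
  necessary: { scripts: [], cookies: ["PHPSESSID", "wordpress_logged_in"] },
  analytics: { scripts: ["https://www.googletagmanager.com/gtag/js"], cookies: ["_ga", "_gid"] },
  marketing: { scripts: ["https://connect.facebook.net/en_US/fbevents.js"], cookies: ["_fbp"] },
};
const OPTIONAL = ["analytics", "marketing"];

// Parse the stored decision. Anything missing, malformed or from an older
// policy version means "no decision yet", which is treated as everything rejected.
function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return null;
  try {
    const d = JSON.parse(decodeURIComponent(raw));
    if (!d || typeof d !== "object" || d.version !== POLICY_VERSION || typeof d.choices !== "object") return null;
    return d;
  } catch {
    return null;
  }
}

// The banner stays until a decision for the current policy version exists.
function bannerNeeded(jar) { return readConsent(jar) === null; }

// Scripts the page may load right now. Before any choice: only "necessary".
function scriptsToLoad(jar) {
  const d = readConsent(jar);
  const out = [...CATEGORIES.necessary.scripts];
  for (const cat of OPTIONAL) {
    if (d && d.choices[cat] === true) out.push(...CATEGORIES[cat].scripts);
  }
  return out;
}

// Accept, Reject or a granular choice. Reject is recorded too, so the banner
// does not reappear on every page, and the timestamp proves when the choice was made.
// Calling this again with fewer categories is how withdrawal works: the cookies
// of every category now refused are deleted.
function recordDecision(jar, choices, now = new Date()) {
  const d = {
    version: POLICY_VERSION,
    at: now.toISOString(),
    choices: { analytics: choices.analytics === true, marketing: choices.marketing === true },
  };
  jar.set(CONSENT_COOKIE, encodeURIComponent(JSON.stringify(d)),
          { maxAge: 180 * 24 * 3600, sameSite: "Lax", secure: true, path: "/" });
  for (const cat of OPTIONAL) {
    if (!d.choices[cat]) for (const name of CATEGORIES[cat].cookies) jar.delete(name);
  }
  return d;
}

// Minimal jar with the operations a browser-side helper performs on document.cookie.
class CookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name).value : undefined; }
  set(name, value, attrs = {}) { this.store.set(name, { value, attrs }); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}
```

The important property is that `scriptsToLoad` is the only path through which the analytics and marketing tags enter the page, so a visitor who ignores or rejects the banner never gets them, and a stale consent (older policy version) is treated exactly like no consent.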

Read more information on the cookie legislation in this guide.

GDPR: what to do to guarantee the right to be forgotten
The GDPR codifies, in Article 17, the right to erasure, better known as the right to be forgotten: a person can obtain the deletion of their personal data, including data published online.

If a user makes this request, the data controller is required to delete the data and, where they have been passed on or made public, to ask anyone else processing them, including third parties, to delete them too.

This right can only be limited in very particular cases, for example to guarantee the right of defence in legal proceedings.

GDPR: what to do in case of personal data breach (data breach)
The data controller is obliged to report a data breach to the supervisory authority within 72 hours of becoming aware of it.

This means that if your site has been the victim of a cyber attack that resulted in a breach of user data, you will need to report it to the competent authority (in Italy, the Garante).

If the breach is likely to result in a high risk to people's rights and freedoms (for example, loss of login credentials or payment data), the users concerned must also be informed without undue delay.

For more information, consult Articles 32-34 of the GDPR.

In this regard, it is very important that your hosting provider promptly informs you, the customer, when a breach occurs.

If a breach occurs on its servers, the hosting provider, acting as your processor, is obliged to notify you without undue delay.

The 72 hours a site owner has to notify the authority (and, where required, the users) run from the moment they become aware of the breach, i.e. from the moment this communication is received.

Did you not comply with the GDPR? Very hefty penalties
If your activities do not comply with the new legislation, you risk very high penalties: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.

If you want more information and clarification on the penalties, read Article 83 of the GDPR, “General conditions for imposing administrative fines”.

This is why it is essential to be sure that your site complies with the rules.

Ask our experts for help to bring your site into compliance and avoid penalties!
What to do to check if your site complies with the GDPR
This is a very delicate subject and the checks to be done may vary depending on the site and the type of users.

We repeat the invitation to consult a legal and data protection expert, especially if you run a site with a large amount of traffic.

An excellent source of information is the Guide to the application of the European Regulation on the protection of personal data issued by the Privacy Guarantor.

One way to approach these checks is to create a document, a list that defines the types of users who visit your site and what data you collect from each group, directly or indirectly (third parties, Google Analytics, plugins, etc.).

Once you have clearly defined the user groups, move on to the checks, organised hierarchically:

Hosting service and administrators:
Check with your hosting service and your administrators how they handle data.
Backups:
Where and how are your site backups stored, and who can access them?
Plugins:
This step can take some time. You will need to understand what data the plugins you use collect.
There are many services that collect or can collect data, for example: contact forms, user profiles, e-commerce, e-mail marketing, link services, spam filters, security, automated backup tools, various statistics and monitoring tools, login tools, etc.
Services outside the European Union:
If you use services outside the European Union, you will need to check that the data transfer complies with the GDPR.
Data retention period:
How long do you keep user data? Is that period justifiable?
Security:
Do you offer sufficient protection for your users’ data? What kind of users visit your site?
Marketing:
Do you use automated marketing tools? Do you do A/B testing?
After doing these checks, ask yourself whether you can easily justify why you collect and manage the various data at each of these steps.

The European guidelines on the GDPR can be very useful to you.

You will need the user's consent to process the data, you will have to record it, and it must be obtained separately for each purpose (events, newsletters, etc.).

As mentioned before, you will also need to allow users towithdraw consent.

If you find personal data that you shouldn’t have access to, delete it.

Disable plugins and services that do not comply with the regulation; look for alternatives if possible.

Create documentation and procedures for data storage and for when users ask you to modify or delete their data.

Inform your users clearly about how you process their personal data and obtain their consent.

Too much information? Here is a summary
In summary, the GDPR says that if a site collects, stores or uses any data of a person in the EU, you will have to respect the following points:

Inform users: who you are, how you collect the data, for how long and where the data ends up.
Obtain consent: get the user's consent to data processing.
Allow access to data: users must be able to access their data, check it and, if they want, have it deleted (right to be forgotten).
Data breaches: inform users if their data is breached.
To clarify your ideas even further, the Privacy Guarantor has also released a short guide explaining how to apply the GDPR; it will be of great help.

We also recommend looking at this infographic created by the European Commission; if you still have doubts about what to do, it will clear them up.

Conclusion

In this guide we talked about the new privacy law: EU Regulation 2016/679, the General Data Protection Regulation (GDPR).

We also highlighted the main changes, provided plenty of material for further reading, and gave you a starting point for making sure your site complies with the new rules.

The interview with the lawyer Alberto Leoncini allowed us to focus on the most important points and clear up further doubts.

If you reflect for a moment on how much of your personal life now ends up on the web, consciously or not, you will realize that such regulations are inevitable.

How many cyber attacks have been reported too late, causing enormous damage to unsuspecting citizens?
How many times has personal data been used illegally to clone identities, run scams or carry out invasive marketing?
