The new single data protection act will make major changes to all of Europe's privacy laws and will replace the outdated Data Protection Directive from 1995.
GDPR compliance isn't just for European companies. GDPR applies to businesses of all sizes, regardless of whether you have 1 or 10,000 employees, and regardless of where you or your company is based. If you offer products and services to customers located in Europe, then GDPR will apply to you.
GDPR Doesn't apply to me
A simple operation of storing an IP address on your web server logs constitutes processing of personal data of a user, for which you need to obtain permission. Some additional ways in which even a standard WordPress site might collect user data include (but not limited to):
- User registrations
- Contact form entries
- Analytics and traffic log solutions
- Any other logging tools and plugins
- Security tools and plugins
All of these will need to be reviewed for compliance.
How much will it cost?
The biggest change to the law is the increase in the amount of money regulators can fine companies who do not comply - up to 4% of their global turnover or 20 million Euros, whichever is greater.
This threat is certainly big enough to frighten companies into changing their data dealings.
What types of privacy data does the GDPR protect?
Basic identity information such as name, address, telephone and ID numbers
- Web data such as IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
What Do I have to Do?
There are still no established guidelines of what a website would need to do to comply with these rules, including from the likes of Google and Facebook. With only a few months left to comply with the new rules, here is what I have been able to determine.
Disclaimer: I'm not a lawyer and I'm not providing you legal advice. Contact your legal counsel for help interpreting and implementing the GDPR. This article is provided for entertainment purposes only and amounts to nothing but my interpretation of the GDPR.
If you are not familiar with GDPR here are a few key points to consider. The full text can be viewed on the Information Commisioners website
Informed, Explicit Concent
Gaining valid consent is one of the crucial changes that GDPR is making to the collection and processing of personal data. A website must ask for a visitors express consent before storing any information about the user, including IP address. Implied Consent is no longer enough and messages such as "by using this site, you accept cookies" will not comply with the new regulations. Consent must be given via an affirmative action, such as clicking an opt-in box or setting preferences. Under GDPR if there's no valid consent option it does not count as consent.
Freely given consent
You are forbidden to withhold products, services or access to a site or page if a user does not give consent, except in such cases where such information is strictly necessary. For example, if a user does not consent to provide name, address and payment information then it is acceptable to prevent them placing an order. It is however forbidden to require users to accept tracking cookies in order to view a site or to provide an email address to download a free document.
Under the GDPR, consent requires a clear affirmative action and must be demonstrated by the controller
You cannot just ask a user to accept cookies anymore as there are various different types of cookie. You must ask separate consent for analytics cookies, session cookies, shopping cart cookies and so on.
This also applies to any personal data you ask for, you must be specific about what it is used for and you MUST not use it for any purpose outwith that. For example, an email address on a contact form cannot be subscribed to a mailing list, and when a user subscribes to a mailing list you cannot then subscribe them to further marketing unless you obtain separate consent.
Consent must be made by an affirmative action. Pre-ticked boxes or any other method of default consent are not allowed, so at least those pesky "Click here to not receive marketing emails" and "Tick this box to opt-out of data harvesting" checkboxes will be a thing of the past. Hopefully.
Withdrawl of Consent
It must be as easy to withdraw consent as it is to give it. Even after you have gained consent to process an individual's personal data it must be easy for them to change their preference. If you ask for consent via an opt-in-box, for example, and opt-out must be equally visible.
- Consent needs to be informed.
- Consent is an act: it needs to be given by a statement or by a clear act.
- Consent needs to be freely given.
- Consent needs to be specific, per purpose.
- Consent needs to be an unambiguous indication.
- Consent needs to be distinguishable from other matters.
- The request for consent needs to be in clear and plain language, intelligible and easily accessible
Consent must be sought before storing any cookies, so current implied, or "opt-out" consent it will be increasingly hard to prove as lawful consent under the strengthened requirements of GDPR. This means that the majority of sites who currently show banners with messages which do not ask for permission, merely ask the user to leave if they do not accept will fall foul of the new law.
Messages like this will not be compliant, so website owners will have to update their plugin settings and policies to be compliant.
The GDPR specifically state that you must be able to prove that you have received Consent from an individual.
"Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."[GDPR Article 7, Paragraph (1)]
This means that when a user has consented to providing personal data, a record must be kept of this, which can be audited on request within 30 days.
The ICO also states we need to:
Keep records to evidence consent - who consented, when, how, and what they were told.
You should have procedures to list all the rights individuals have, including how to delete personal data or provide data electronically and in a commonly used format. These procedures should be planned and updated to show how requests are handled, within the new time scales, and provide any additional information.
Do Not Track
For many years now browsers have had a facility where they can send a Do Not Track header which should, in theory, prevent tracking cookies and disable any tracking or analytics. To be clear, Do Not Track means do not track me in any way shape or form. Another key point of GDPR is that this is now enforceable. If a user sends a Do Not Track header, and you track them, you are in breach of GDPR.
How do I comply
That is the million dollar question for which there is no clear-cut answer. As a general rule:
- Analyse every inch of your website and identify all the areas where personal data can be recorded. This includes server logs, Analytics, Adsense, comment forms, signups, registration pages.
- Websites need to be cookie and logging free from the very beginning. Storage of cookies and logging of data can only occur AFTER you have obtained valid consent.
- If a user consents to submit an email address for the purposes of leaving a comment, you CANNOT add that email address to a mailing list.
Before you think that somehow Google will look after the GDPR side of things for you - think again. Google is certainly taking steps to be GDPR complaint but remember that using Google doesn't erase your own GDPR responsibilities.
If you use Google Analytics, you use the analytical cookies to process personal data of your website visitors. To anonymize the IP address for all hits sent from a single tracker, add the following to your tracking code to set the anonymizeIp field to true on the tracker, this would make sure you are not collecting any identifiable IPs.
ga('set', 'anonymizeIp', true);
I've yet to obtain a clear definitive response to my queries that this is all that is required for analytics to be compliant.
Google Adsense is a potential minefield. As
of writing update on 22 May 2018, Google's information is limited, their "workaround" does not work as intended and I've yet to receive a reply to my queries.
Google state that you can opt-out of personalised, or interest tracking, adverts across your account in the settings. This, according to my understanding, should show basic adverts based on the content of the page, like Adsense used to do. In practice this does not work, targetted adverts are still served and adverts still set multiple cookies. Both of these are in violation of GDPR so for the time being, I have blocked adverts, require consent and then shown. Hopefully closer to the deadline Google will fix these issues.
I have found no practical solution here except to disable logging entirely. Server logging is unconditional, meaning it cannot be turned off for some and on for others.
From what I can tell you are allowed to collect and store personal data as part of web servers logs for the purposes of detecting and preventing fraud and unauthorized access and maintaining the security of your systems.
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.Recital 49 (excerpt)
If you don't have a legitimate need to store these logs you should disable logging on your web server.
- Guide to the General Data Protection Regulation
- Preparing for the GDPR
- General Data Protection Regulation
- The GDPR cookie consent and customer centric privacy
- Google Analytic and GDPR - Is it compliant?
- GDPR compliance tools in WordPress
- GDPR - Guide to Compliance
GDPR is a complex regulation and it is imperative that your organization develop the right roadmap towards becoming compliant.
While the focus of this post is Google Analytics, these steps also apply towards other digital analytics and marketing vendors. Each organization is different and there are certainly more than you'll need to do for compliance, so we'd love to hear about your challenges.
Please share your tips, concerns, and questions in our comments section below to continue the conversation about how to progress towards GDPR compliance.