If you have used the Internet in the last 18 months, you have almost certainly heard about the European rules for the protection of personal data, known under the rather pretty name of GDPR (General Data Protection Regulation).
Since it became applicable on May 25, 2018, you have certainly received a lot of e-mails with the headline "We've updated our Privacy Policy", and many sites now offer you the option of accepting or rejecting the use of cookies, with different levels of consent.
In an all-digital landscape where personal information is traded for huge sums (algorithms go so far as to infer sexual orientation or political leanings in order to target advertising), this regulation aims to modernize and harmonize data protection law across the EU, while giving users more control over how their personal data is processed and protected.
But what do users really know about what's going on with their data? And how can they control what they are willing to distribute or not? This is where the GDPR comes in with the biggest legislative change for privacy in decades, and it goes in the direction of valuing and empowering individuals.
"To date, the largest fine announced for non-compliance has reached 205 million euros."
The regulation applies to any organisation, wherever it is based, that processes the personal data of people located in the EU, in particular by offering them goods or services or by tracking their behaviour. On the web it therefore concerns any site that serves or tracks European visitors, in short the vast majority of the web.
Non-compliance can be punished with a fine of up to 20 million euros or 4% of the company's worldwide annual turnover, whichever is higher. The largest fine announced so far is the one the UK regulator proposed against British Airways, to the tune of 205 million euros (183 million pounds), after an attack on its website and app exposed the personal and payment details of around 500,000 customers.
To make sure your site is up to date, here is the recipe to follow.
The 4 rules to follow for your website
The GDPR is not only about digital and automated information. It covers any form of information collection, whether manual, paper, photographic or video.
Given the Cherry Pulp agency's penchant for digital, I will focus on the implications that the rule has had on the creation of websites.
The regulation rests on 4 key principles:
1. The consent
Before collecting data on the basis of consent, that consent must be freely and explicitly given by the user, and the user must have received all the information needed to make that choice, such as the purposes of the processing and any transfer of the data to third parties. In the event of an audit, the company must be able to demonstrate that this permission was given, and when.
In practice: before any non-essential cookie is set, the visitor must be offered the choice of continuing with or without such cookies, ideally per category (statistics, advertising, and so on), and a pre-ticked box does not count as a choice. This is why cookie dialogs have become more intrusive recently.
Implied consent, such as "By continuing to browse this website, you accept our privacy policy", is no longer acceptable.
Finally, the user must be able to change or withdraw that choice at any time, and withdrawing consent must be as easy as giving it.
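The consent rules above are, in the end, a small piece of front-end logic: nothing optional loads until the visitor has made an affirmative choice, the choice is recorded in a form you can show an auditor (what was accepted, when, and under which version of the policy), and withdrawal is one call away. The block below is an added example of that gate, written for this article and not part of Cherry Pulp's own tooling. The cookie name "cp_consent", the categories "analytics" and "marketing", the policy version number and the script catalogue are all assumptions made up for the example; it also covers the "strictly necessary" case discussed later in the post (session or language cookies), which is always allowed without asking.

```javascript
// Added example: consent-gated loading of third-party scripts (not Cherry Pulp code).
// Assumptions: a cookie named "cp_consent" (hypothetical), two optional categories,
// and a "necessary" category (session, language choice, the consent record itself)
// that never needs consent.
const CONSENT_COOKIE = 'cp_consent';          // hypothetical cookie name
const POLICY_VERSION = 2;                     // bump when the privacy page changes: old consent no longer counts
const CATEGORIES = ['analytics', 'marketing']; // optional categories the visitor decides on

// Parse a document.cookie style string ("a=1; b=2") into {name: value}.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the stored decision. Returns null when it is absent, malformed, or was recorded
// under an older policy version: in every one of those cases the banner is shown again
// and nothing optional is loaded. Silence is never treated as consent.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.version !== POLICY_VERSION || typeof rec.choices !== 'object' || !rec.decidedAt) return null;
    return rec;
  } catch (e) {
    return null;
  }
}

// Build the record from an explicit click. Anything not ticked is a refusal;
// the timestamp and policy version are what you produce when asked to prove consent.
function makeConsent(choices, decidedAt) {
  const rec = { version: POLICY_VERSION, decidedAt, choices: {} };
  for (const c of CATEGORIES) rec.choices[c] = choices[c] === true;
  return rec;
}

// Cookie string to assign to document.cookie. Six-month lifetime so the question is asked again,
// Secure and SameSite=Lax so the record is not leaked or replayed cross-site.
function consentCookieValue(rec) {
  const sixMonths = 180 * 24 * 3600;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(rec))}; Max-Age=${sixMonths}; Path=/; SameSite=Lax; Secure`;
}

// Withdrawal: expire the cookie. Must be as easy as giving consent, so it is a single call.
function withdrawCookieValue() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}

// "necessary" is always allowed; everything else needs a recorded "true".
function isAllowed(rec, category) {
  if (category === 'necessary') return true;
  return rec !== null && rec.choices[category] === true;
}

// Which tags from the catalogue may be injected for this record. Run on every page load
// and again when the visitor changes their choice.
function scriptsToLoad(rec, catalog) {
  return catalog.filter(s => isAllowed(rec, s.category)).map(s => s.src);
}

// Browser glue: injects the allowed tags once. Not executed under Node.
function applyConsent(rec, catalog) {
  if (typeof document === 'undefined') return;
  for (const src of scriptsToLoad(rec, catalog)) {
    if (document.querySelector(`script[src="${src}"]`)) continue;
    const el = document.createElement('script');
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  }
}

// Constructed sample catalogue (URLs are placeholders, not real services).
const SAMPLE_CATALOG = [
  { src: 'https://stats.example/stats.js', category: 'analytics' },
  { src: 'https://ads.example/ads.js', category: 'marketing' },
  { src: '/static/app.js', category: 'necessary' },
];
```

On a real page the flow is: `rec = readConsent(document.cookie)`; if it is `null`, show the banner and load nothing but the necessary scripts; when the visitor clicks, `document.cookie = consentCookieValue(makeConsent(ticked, new Date().toISOString()))` followed by `applyConsent(...)`; the "change my choice" link in the footer calls `withdrawCookieValue()` and reopens the banner. The version check is what turns a privacy-policy update into a fresh question instead of silently inheriting an old yes.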
2. The transparency
The company must be clear about its intentions regarding the data processed. This information must be easily accessible and understandable.
In practice: a "privacy" page must describe what information is recorded, for what purpose and for how long. This page must be reachable from the very first screen, at the moment the visitor is asked to consent to the processing of their data.
When an external service is installed on the site, such as an advertising subcontractor or a statistics tracking system, this must be clearly specified.
3. Individuals' rights
A person may ask to see the information held about them. When a user makes an access request, the company has at most one month to satisfy it (extendable by two further months for complex cases, provided the person is told why). Similarly, the right to erasure, better known as the right to be forgotten, lets individuals request the complete deletion of the data held about them, again with one month to comply. It is up to companies to guarantee these rights by putting in place appropriate measures, tools and procedures.
In practice: the department responsible for processing the company's data must be able to export and delete the information of the persons concerned. Depending on the complexity of the platform and the frequency of requests, tools can be put in place.
4. Accountability
Any company processing personal data must keep it appropriately secure (pseudonymisation, penetration testing, data protection impact assessments, etc.) and, in the event of a breach, must notify the supervisory authority within 72 hours and, where the breach is likely to pose a high risk to them, the individuals concerned.
In practice: security is a factor that should never be neglected when creating a website. Since the GDPR, failing to put a solid system in place is punishable in its own right and can lead to fines if sensitive data is exposed.
Following these rules does not harm the success of the website.
For many websites, the storage of personal data is not part of the business model. In these cases, complying with the rule should not be a limitation on the user experience.
It should also be stressed that certain information can still be used without explicit consent. For example, a cookie may be stored to remember the visitor's language choice, as long as it is strictly necessary for the service the visitor asked for and cannot be linked to an identifiable user.
Since the launch of the regulation, statistics show that more than 90% of users agree to the use of their data without looking too closely, a bit like the famous Terms & Conditions that nobody reads. This is of course no reason to ignore the rule, but it does mean that in many cases your website will work exactly the same way it did before it was implemented.
Cherry Pulp accompanies you
Complying with this new European regulation may seem a difficult task. At Cherry Pulp we take privacy and legislation very seriously.
We are working on tools to enable our websites to comply with the new regulation, while continuously working on the security of servers containing personal data. Please do not hesitate to contact us if you have any questions about the GDPR, or if you wish to update your website.
If you have any questions or would like to bring your site up to date for the GDPR, contact us!
Contact us