GDPR: New Rules for Processing Personal Data for EU Residents
This regulation directly affects all 28 EU countries and replaces the framework Directive 95/46/EC on the protection of personal data of October 24, 1995. An important and subtle aspect of the GDPR is the extraterritorial reach of the new European rules for processing personal data, so companies whose services are aimed at the European or international market should pay close attention to them.
The new rules give EU residents tools for full control over their personal data. Since May 2018 the liability for violating the rules on processing personal data has become tougher: under the GDPR, fines can reach 20 million euros or 4% of the company’s annual global income. In this article we analyze the new rules for processing personal data in the EU and formulate recommendations for companies on how to respond to the GDPR.
GDPR Zone of Action
The GDPR has an extraterritorial effect and is applied to all companies that process personal data of residents and EU citizens regardless of the location of such a company.
Of course, branches and representative offices of organizations on the territory of the EU will have to meet new requirements.
The other (unobvious) category of subjects will be considered in the following example:
The organization is based outside EU territory. It sells products and services online to users, including users from the EU. Services are offered in local languages and local currencies on the national top-level domains of EU countries (e.g. .de, .nl or .co.uk). At the same time, this organization has no operations or subcontractors on EU territory.
Should such an organization comply with the GDPR?
Yes. Services and goods are clearly being offered to EU residents, because:
- services/goods are adapted to the local languages of EU residents;
- services/goods are paid in local EU currencies;
- services/goods are provided on national top-level domains of EU countries.
This means that organizations that sell online across different countries and process the personal data of Europeans (for example, railways, airlines, hotels, hostels and others) are subject to the GDPR and must comply with the new European rules for processing personal data.
It is important to note that, in addition to the processing of personal data, the GDPR uses the concept of monitoring the behavior of data subjects, which brings another category of subjects under the GDPR. The GDPR applies to organizations established outside the EU if they (as a controller or processor) monitor the behavior of EU residents (to the extent that such behavior takes place in the EU). Monitoring can include:
- tracking the EU resident on the Internet;
- use of data processing methods for the profiling of individuals, their behavior or their relation to something (for example, to analyze or predict personal preferences).
The European legislator also shares the concepts of a data controller and a data processor. The controller, acting as the captain of the vessel, bears greater legal responsibility than the processor that acts as a seaman on the ship. In fact, controllers decide what happens to personal data and are responsible for processing, and processors are some kind of “executors”.
For example, the cloud system that your employees use to perform tasks and projects, and which also stores the personal data of your clients, is a data processor, and you, correspondingly, are the controller.
What is meant by personal data in the GDPR?
Personal data is any information relating to an identified or identifiable individual (data subject), by which that individual can be determined directly or indirectly. Among other things, such information includes a name, location, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual (Section 1, Item 4). The definition is so broad that even IP addresses can be personal data.
It is important to note that there are certain types of personal data that belong to the category of special or confidential personal data. This information discloses racial or ethnic origin, political views, religious or philosophical beliefs and union membership. In addition, this group includes genetic, biometric data used for identification of an individual, data on health status, information related to sexual life or sexual orientation (Article 9).
6 principles of GDPR data processing
The general approach of Europeans to the processing of personal data is formulated in the form of six basic principles:
- Legality, justice, and transparency. Personal data must be processed legally, fairly and transparently. Any information on the purposes, methods and volumes of personal data processing should be stated as accessibly and simply as possible.
- Limitation of purpose. The data should be collected and used exclusively for the purposes stated by the company (online service).
- Minimization of data. You cannot collect personal data in a larger volume than is necessary for processing purposes.
- Accuracy. Personal data that is inaccurate must be deleted or corrected (at the request of the user).
- Restriction of storage. Personal data must be stored in a form that allows identification of data subjects for no longer than is necessary for the purposes of processing.
- Integrity and confidentiality. When processing user data, companies must ensure the protection of personal data from unauthorized or illegal processing, destruction, and damage.
Notification of violations of the GDPR
Companies are required to notify regulatory authorities (and in some cases data subjects) of any violations related to personal data within 72 hours after the detection of such a violation.
For example, the recent news about the hacker attack on Uber is a vivid example of a violation of this rule. Uber told the press only a year later that hackers had gained access to the personal data of 57 million users and drivers. If the GDPR had been in force, it would have been impossible to avoid a high fine of 4% of annual turnover.
The list of national authorities in the field of personal data for all EU countries is given here. There is also a pan-European regulator – Working Party 29, or the Article 29 Working Group. However, after the GDPR enters into force, the Article 29 Working Group will be replaced by a new body – the European Data Protection Board (EDPB).
The rights of the data subject (individual)
The GDPR significantly expands the rights of EU citizens and residents to control their personal data. European users have the right to request confirmation that their data is being processed, the place and purpose of processing, the categories of personal data being processed, the third parties to which personal data is disclosed, and the period for which the data will be processed; they may also ask where the organization obtained their personal data and require its correction. Moreover, the user has the right to demand that processing of his or her data be stopped.
The GDPR also provides for the right to erasure, right to be forgotten, which enables Europeans to delete their personal data upon request in order to avoid their distribution or transfer to third parties.
This is not a new right; it is also in the current Directive. The Court of Justice of the European Union (CJEU) in its decision in the Google Spain case in 2014 explained that data subjects have the right to delete information about them from search results if it does not represent a public interest. However, right to be forgotten extends not only to search engines. Any company that processes data must delete someone’s personal data upon request if it does not contradict the interests of the public or other fundamental rights of Europeans.
For example, if you are a news service, before you delete the data, check and make sure that such removal does not affect freedom of speech and the right to access information guaranteed to Europeans by Article 11 of the European Union Human Rights Charter.
The right to data portability
The right to data portability is an innovation in the EU data processing rules introduced by the GDPR. This right obligates companies to provide a free electronic copy of the personal data to another company at the request of the subject of personal data itself.
For example, a startup called “Sunny” wants to enter the market with a social-media sharing site, but the market already has its own giants with a large market share. The right to data portability makes it easier for potential customers to transfer their data from one online service to another (without re-entering the same data on different sites).
Another example: a data subject uses the e-book reader service “E-book”. At some point the user decides to switch to the “Read online” service. In this case, the right to data portability allows the user to obtain his or her personal data (for example, reading preferences and so on) from “E-book” and transfer it to the other service.
Consent for Processing
The GDPR sets high requirements for the form in which consent to data processing is obtained. A person’s consent to the processing of his or her personal data must be expressed as a statement or as a clear affirmative action by the user. Consent to the processing of personal data is invalid if the user had no real choice or could not withdraw consent without detriment. If the user has agreed to the processing of his or her personal data, the controller must be able to demonstrate this.
It is not recommended to use the default fields about the consent with the already ticked box or other methods of obtaining consent by default. Consent can also not be expressed in the form of silence or inaction of the user. Information on the procedure for revoking consent for the processing of personal data must be placed in such a way that the user can easily find it.
Special protection of children
Children’s personal data deserve special protection because they are less aware of the risks, consequences, guarantees and their rights regarding the processing of personal data. The consent for the processing of the child’s data must be authorized by the parents (or legal representatives of the child). The age threshold for parental authorization is set separately by the EU Member States (13 to 16 years).
Appointment of the person responsible for protecting personal data
This requirement applies to companies that carry out regular and systematic large-scale observation or monitoring of individuals (mentioned above), or that carry out large-scale processing of special categories of personal data, for example medical records or information on criminal convictions.
In any case, any organization can voluntarily appoint a data protection officer to manage the processing of user data and monitor compliance with the requirements of the GDPR. In this case, the company should publish information about such an employee, as well as send it to the national regulator for the protection of personal data of the relevant EU country.
What to do?
Although the new requirements for processing personal data are serious, they have positive sides for non-European players: it is easier to adhere to a single set of rules for data protection and processing than to take into account the national particularities of each individual EU country, as was the case before the GDPR. Moreover, the reform is aimed at stimulating economic growth by reducing costs and bureaucracy for companies operating in the EU. Complying with one set of rules instead of 28 (the number of EU member states) will help small and growing companies enter new markets. Under the law, in a number of cases obligations vary depending on the size of the business, the nature of the data being processed and other factors.
Mechanisms for responding to inquiries from European regulators and from data subjects (users) under the GDPR (for example, requests for correction, deletion, termination of processing, or transfer to another company under the right to data portability) should also be thought through in advance.
The GDPR is the important legislative document that significantly increases the level of protection of personal data in the EU and beyond. It requires very careful study and observation. The reform provides clarity and consistency of the rules that should be applied in the field of data protection. It also restores the confidence of the user-consumer which allows businesses to make the most of the opportunities in the single European digital market. Personal data is surely the “currency” of the modern economy. The collection, analysis, and movement of personal data around the world have acquired enormous economic importance.
How to make your application compliant with the GDPR?
1. Think about whether you really need all the data that you collect
The first step is to check what data you collect. Do you really need it? The best way to a future of meaningful data use is to manage the minimal necessary set.
2. Encrypt all personal data
Encryption is often cited as a key factor of GDPR compliance, but in fact it is not mandatory, although you should not ignore this option.
Data leaks are inevitable but according to experts the best way to reduce the damage from data theft is end-to-end encryption. In this method, the data can only be decrypted on the client’s device using keys to which only he or she has access. If you cannot use encryption because of cost or performance, you can use alternative methods, such as pseudonymization.
3. Make HTTPS an important part of your application
The feedback form often contains personal information, for example, e-mail addresses, telephones or even home addresses. You open the door to the hackers when you store and send this information as plain text. Use encryption and tell customers how and what time you will store their data.
The next step is to implement HTTPS, a protocol that encrypts data between the client and the server. The client, in this case, receives the server’s SSL/TLS certificate, whose key is used to set up the secure connection. It is therefore important to get a certificate from a reliable provider and install it correctly. Also make sure that your configuration is not susceptible to known protocol vulnerabilities.
4. Bring your consent forms to order
Since May 2018 you will have to forget about the pre-ticked check marks. The new law requires “free, specific, informed and unambiguous user consent.” This means that your consent forms must be empty or set to “no” by default.
5. Ask for consent piece by piece
If you want to contact clients for marketing purposes, you will need to ask for consent for the processing of each type of data separately. For example, if you want to send promotional materials via email, phone and mail, you will need to make three separate items in the form of consent.
If you only need email, you can only have the consent for marketing. But if you use personalization, segmentation, or targeting, you will need to obtain consent for the marketing mailing and consent for the collection of additional demographic or behavioral data.
6. Be specific about a third party
If you transfer personal data of your customers to third parties, you will need to indicate all the participants in your consent form.
At the same time, many users do not want to give access to their data to third parties. The best way to deal with this issue is to use your web analytics platform. Google Analytics does not come into conflict with the GDPR because it cannot track specific users.
9. Allow users to easily withdraw their consent
Users should be able to unsubscribe and withdraw their consent at any time. For example, in your newsletter, there must be a function “unsubscribe”.
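As an added illustration of items 4, 5 and 9 together (example code, not from the article): a consent record in which every purpose defaults to “no”, each marketing channel and profiling is a separate purpose, withdrawal is as easy as granting, and a timestamped history lets the controller demonstrate the consent it relies on. Purpose names and form-field values are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Granular purposes: one per channel / processing type (items 4 and 5).
# These names are constructed for the example.
PURPOSES = ("marketing_email", "marketing_phone", "marketing_post", "profiling")


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool
    at: datetime
    source: str  # where the choice was made, e.g. "signup_form" (constructed label)


@dataclass
class ConsentRecord:
    user_id: str
    # Every purpose starts as False: no pre-ticked boxes, silence is not consent.
    state: Dict[str, bool] = field(default_factory=lambda: {p: False for p in PURPOSES})
    history: List[ConsentEvent] = field(default_factory=list)

    def _set(self, purpose: str, granted: bool, source: str) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.state[purpose] = granted
        self.history.append(ConsentEvent(purpose, granted, datetime.now(timezone.utc), source))

    def grant(self, purpose: str, source: str) -> None:
        self._set(purpose, True, source)

    def withdraw(self, purpose: str, source: str) -> None:
        # Withdrawal goes through the same path as granting: just as easy (item 9).
        self._set(purpose, False, source)

    def allows(self, purpose: str) -> bool:
        return self.state.get(purpose, False)

    def evidence(self, purpose: str) -> Optional[ConsentEvent]:
        """Latest event for a purpose: what the controller shows to demonstrate consent."""
        events = [e for e in self.history if e.purpose == purpose]
        return events[-1] if events else None


def from_form(user_id: str, submitted: Dict[str, str], source: str) -> ConsentRecord:
    """Build a record from submitted form fields. Only an explicitly ticked box
    (browsers send "on" for a checked checkbox) counts; a missing field or any
    other value is treated as no consent, so a default can never grant anything."""
    rec = ConsentRecord(user_id)
    for purpose in PURPOSES:
        if submitted.get(purpose) == "on":
            rec.grant(purpose, source)
    return rec


def can_send_personalised_email(rec: ConsentRecord) -> bool:
    # Item 5: personalised mailing needs consent for the mailing AND for profiling.
    return rec.allows("marketing_email") and rec.allows("profiling")
```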
But even the link “unsubscribe” can work for you, as in this example:
Since May 2018 you should stop using cookies for advertising, analytics or project operation or you should find the legal basis for their use. These can be legal obligations, legal interests that do not violate personal rights, contract execution requirements or user consent.
11. Avoid security questions that contain personal information
When registering with a web application you can often see such questions:
This is prohibited by the new law. Since May 2018 security questions may not concern the client’s family, preferences, home and so on. It is best to use two-factor authentication, or to allow users to create their own verification questions while warning them about the danger of disclosing personal information.
12. Inform users about the records with their IP addresses
Check if your system is using IP addresses or location information during the authentication process. If your records contain such data, you must warn users about the ways and time of storing this data. Encrypt your entries and do not store sensitive data such as passwords in them.
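The pseudonymisation mentioned under item 2 applied to the records from item 12, as an added example that is not part of the article: IP addresses in an authentication log are replaced by a keyed hash, so repeated attempts from one source can still be counted, while the key (kept apart from the log) is needed to link a pseudonym back to an address; sensitive fields such as passwords are dropped before anything is written. The log lines, field names and key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, Iterable, List

# Constructed log lines for the example; not real traffic or real users.
RAW_LOG = [
    "2018-05-25T10:01:02Z login user=alice ip=203.0.113.17 password=hunter2 status=ok",
    "2018-05-25T10:01:09Z login user=bob ip=203.0.113.17 status=fail",
    "2018-05-25T10:02:44Z login user=carol ip=2001:db8::1 status=ok",
]

# Fields that must never reach a log at all (item 12).
DROP_FIELDS = {"password", "token", "secret"}


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed hash of an IP address. The same address always yields the same
    pseudonym, so failures per source can still be counted, but without the
    key the pseudonym cannot be reversed, and unlike a plain SHA-256 of the
    address it cannot be brute-forced over the whole IPv4 space."""
    addr = ipaddress.ip_address(ip)  # validates the value; raises ValueError otherwise
    digest = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def sanitise_line(line: str, key: bytes) -> Dict[str, str]:
    """Parse one 'ts event k=v k=v ...' line into a record safe to store."""
    ts, event, *fields = line.split()
    record = {"ts": ts, "event": event}
    for item in fields:
        k, _, v = item.partition("=")
        if k in DROP_FIELDS:
            continue  # never stored, not even pseudonymised
        if k == "ip":
            v = pseudonymise_ip(v, key)
        # 'user' stays: the auth log needs it, but it is still personal data and
        # falls under the storage-limitation principle (retention period).
        record[k] = v
    return record


def sanitise_log(lines: Iterable[str], key: bytes) -> List[Dict[str, str]]:
    return [sanitise_line(line, key) for line in lines]
```

Rotating or destroying the key turns the stored pseudonyms into values that can no longer be linked to an address, which is the usual way to end the retention of such records.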
13. Ensure that all personal data is deleted after payment
If you use forms of payment you will probably collect personal information of your users. In many cases, these data remain in your system which is illegal according to the GDPR. You should redo your processes so that these data are deleted within a certain period of time.
14. Allow users to decline the tracking of business analytics system
Commercial sites often track user behavior to improve recommendations. Such activity now requires clear and explicit consent. If the user refuses tracking, you must respect that choice.
15. Delete user data when unsubscribing
Users should be able to delete their accounts and personal data. Your task is to clearly show them that all data will be deleted.
Solutions for WordPress
The General Data Protection Regulation (GDPR) governs data protection law across all 28 EU nations and imposes firm new rules on controlling and processing personally identifiable information (PII). From 25 May 2018, every website collecting data from EU citizens must meet the GDPR requirements. Complying with the general GDPR rules and industry best practices becomes much easier by activating one of the plugins below:
1. GDPR Compliance & Cookie Consent WordPress Plugin is an all-in-one solution for your website.
- Meets all GDPR requirements, such as:
  - Data Access – dedicated form for users to access currently stored personal data;
  - Right to be Forgotten – dedicated form for users to request deletion of stored data;
  - Browse user requests for data access/deletion and set custom email notifications;
  - Cookie Consents – create a dedicated box for cookie consent and block all cookies until consent is given;
  - Automatically add consent boxes to various forms on your website;
  - Data Breach – send global email notifications about a data breach;
  - Pseudonymisation – pseudonymise some of the user data stored in the database.
- Predefined integrations for the most popular WordPress plugins like WooCommerce, Contact Form 7, Gravity Forms, Mailchimp, Events Manager, BuddyPress, Formidable Forms and more
- Check currently activated plugins for GDPR compliance
- Easy integration for custom plugins
- Manage everything easily via your WordPress admin panel
- 5* customer support
- Online documentation
2. WP GDPR Compliance currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments, making it easy to add a consent checkbox and keep a consent log. Support for additional plugins will follow soon.
WP GDPR Compliance helps you as a site owner take care of:
- Keeping a consent log for supported plugins.
- Adding checkboxes to supported plugins for explicit visitor consent.
- ‘Right to access’ through encrypted audit logs.
- ‘Right to be forgotten’ by anonymizing user data.
- Data Access – dedicated form to request personal data stored on a website;
- Right to be Forgotten – request to delete all stored data (confirmed by email link);
- Manage and automate user requests for data access/deletion and set custom email notifications;
- GDPR consent checkboxes – easily add consent boxes to various forms on your website, such as WordPress Comments and customized contact forms;
And integration with the most popular WordPress plugins:
- WooCommerce orders & checkout fields;
- Contact Form 7 GDPR consent checkboxes;
- Gravity Forms GDPR consent checkbox and entry fields;
- BuddyPress GDPR consent checkboxes;
24/7 Live Support
Any of these plugins will only help you walk through the GDPR norms technically. If you have the slightest concern about GDPR compliance in full detail (which most of you probably will), we always recommend contacting a lawyer, even if only temporarily. This is one of those areas we strongly urge you not to tackle on your own. A lawyer can provide legal advice tailored to your situation. If you get this wrong, it could result in heavy fines.
StylemixThemes must follow the rules of the GDPR, because:
- serves customers from the countries of the European Union;
- offers its services to EU citizens in the English language.
To use our themes and plugins and receive support, you have to register one or more Envato purchase codes on our site. These purchase codes are stored together with support expiration dates and your user data. This is required for us to provide you with downloads, product support and other customer services. We manage all this data according to Envato policies and rules, as well as GDPR requirements.
How did StylemixThemes prepare for the establishment of the new regulations?
We store information that we collect through cookies, log files, and/or clear gifs to record your preferences. We may also automatically collect information about your use of features of our Services, about the functionality of our Services, frequency of visits, and other information related to your interactions with the Services. We may track your use across different websites and services. In the European Economic Area (“EEA”), the information referenced above in this paragraph may be considered the personal information under applicable data protection laws.
If you register on our website, we store your chosen username and your email address and any additional personal information added by you to your user profile. You can see, edit or delete your personal information at any time (except changing your username). Website administrators can also see and edit this information.
We may use your information and data to:
- Enhance or improve User experience, our Site or our Service.
- Send e-mails about our Site or respond to inquiries.
- Send e-mails and updates about StylemixThemes, including our e-mail marketing newsletter (in case we have clear consent for it). You may opt out of these emails at any time.
- Perform any other function that we believe in good faith is necessary to protect the security or proper functioning of our Site or Service.
The payment data of the client is encrypted by the payment service which has a PCI DSS security certificate.
Thus, StylemixThemes adheres to the principles of transparency, accuracy, confidentiality and the other norms of the GDPR and stands by the new regulations, which establish clear rules for interaction between users and companies when personal data is provided. This is a serious step in protecting personal information on the Internet and a crucial tool in the fight against the manipulation and misuse of personal information.
As you probably already realized, GDPR is a really big deal! This will affect almost every WordPress site on the Internet. With the approach of the deadline, we urge all to take time, conduct a study and ensure that your site meets all requirements. You could be looking at some pretty stunning fines if you do not!