GDPR and Web Development

Thilanka Dilakshi
Published in Embla Tech
6 min read, Jun 20, 2021

What is GDPR?

The General Data Protection Regulation (GDPR) is perhaps the strictest privacy law in the world and was introduced by the European Union. Since it took effect on May 25, 2018, GDPR has directly and constantly affected web development.

Simply put, the purpose of GDPR is to ensure that the personal data of EU citizens is protected at all costs when it is collected and processed. Even though it was passed by the EU, it applies to every organization around the globe that collects or targets the personal data of EU citizens. Furthermore, very high fines are imposed as a penalty for violating GDPR: €20 million or 4% of the violating company’s global revenue, whichever is higher. Data subjects are also given the right to seek compensation for the damage.

What is Personal Data?

Personal data is defined as “any information relating to an identified or identifiable natural person”. In addition, sensitive personal data such as health data, sexual orientation, past criminal convictions, religious beliefs, etc. should be protected. This sensitive personal data needs more protection than generic personal data.

What else concerns web development?

GDPR also protects personal data such as genetic data, biometric data, location data, online identifiers, etc. This matters especially to web developers, since it covers data such as IP addresses, fingerprints, cookies, user account information and any other data that can be used to identify an individual on the web.

The data protection principles listed below are defined by GDPR and should be followed when accessing, collecting, processing and storing personal data.

Lawfulness, fairness and transparency

Subjects should be aware of the data collection and processing. This is typically communicated in the privacy policy of the website. It is important that the privacy policy is kept up to date.

Purpose limitation

Data should be used only for legitimate purposes that were specified to the subject prior to collection.

Data Minimization

No more data than is absolutely required for the specified purpose should be collected.

Accuracy

Collected data should be accurate and up to date.

Integrity and confidentiality

Measures such as data encryption and two-factor authentication should be used to ensure integrity and confidentiality.

Accountability

The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles. This means that the data controller should be able to show how the system complies with GDPR and which actions have been taken to protect personal data.

Consent of the data subject

GDPR specifically states how the data subject’s consent for data collection and storage should be obtained.

  1. Consent should be “freely given, specific, informed and unambiguous”.
  2. Requests for consent must be in clear language and specific to the matter at hand.
  3. Data subjects are allowed to withdraw previously given consent whenever they wish, and the data controller should respect that decision.
  4. For children under 13 years, data processing should only be done with the consent of a parent.
  5. And above all, evidence of the consent should be documented.

Data subject’s privacy rights

  1. Right to be informed — Consent of the data subject plays a huge role here
  2. Right of access — Data subjects are allowed to request their data in a commonly used data format whenever necessary
  3. Right to rectification — Data subjects should be given the opportunity to change incomplete or incorrect data
  4. Right to erasure — Data subjects can have their data completely removed. Also known as the “right to be forgotten”
  5. Right to restrict processing — Data subjects can restrict the controller from processing their data even though the controller is allowed to store it
  6. Right to data portability — Individuals are allowed to obtain and reuse their personal data for their own purposes
  7. Right to object — Data subjects can object to their data being used for purposes such as direct marketing, research and statistics
  8. Rights in relation to automated decision making and profiling — Automated decision making and profiling can be carried out only when it is necessary for entering into or performing a contract, authorized by domestic law applicable to the controller, or based on the individual’s explicit consent

How to ensure GDPR compliance when developing a website?

The following actions help ensure that your website does not violate GDPR.

Hosting environment

Server security is important to protect data. The server should be protected by a firewall, possible attacks should be monitored, and data access should be secured.

Secure data transmission

HTTPS connections are recommended to protect data in transit.

Collection and usage of data

The data collector should be well aware of how data is collected and where it is stored. If you are using a third-party hosting service, it is important that you understand how that party handles data.

Documentation

The privacy policy of the website must be descriptive, accurate and up to date. It should include how data will be collected, the rights of the data subjects, the data collector’s contact information, the measures taken to handle security breaches, etc. Consent from the data subject needs to be documented. Another important item to include is how long the data will be stored and how it will be deleted, either automatically or manually.

Cookies and session management

Consent from the website user should be obtained before capturing data through cookies and session management.

Data management

Data subjects should be provided with a way to access, change and remove the data collected about them.
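The consent, cookie and data management points above, worked through as a small server-side example. This is an added illustration, not code from the original post; the names (ConsentLedger, cookiesToSet, exportSubjectData, eraseSubject, POLICY_VERSION) and the in-memory stores are assumptions, and a real site would persist them in a database.

```javascript
// Added illustration, not code from the original post. Assumed names:
// ConsentLedger, cookiesToSet, exportSubjectData, eraseSubject, POLICY_VERSION.
const POLICY_VERSION = "2021-06";                      // which privacy policy text the consent refers to
const OPTIONAL_PURPOSES = ["analytics", "marketing"];   // purposes that need opt-in consent

// Evidence of consent, one entry per decision, so the controller can show who agreed to
// what, when, and under which policy version. The latest decision per purpose wins.
class ConsentLedger {
  constructor() { this.records = new Map(); } // userId -> [{purpose, given, at, policyVersion}]

  record(userId, purpose, given, now = Date.now()) {
    if (!OPTIONAL_PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
    const list = this.records.get(userId) || [];
    list.push({ purpose, given, at: new Date(now).toISOString(), policyVersion: POLICY_VERSION });
    this.records.set(userId, list);
  }

  // Withdrawal is just a later record with given=false, so it overrides an earlier grant.
  allows(userId, purpose) {
    const list = this.records.get(userId) || [];
    const last = [...list].reverse().find((r) => r.purpose === purpose);
    return Boolean(last && last.given);
  }
}

// Cookies the server may set: the session cookie is strictly necessary and needs no consent;
// every optional cookie is emitted only while the matching purpose is consented to.
function cookiesToSet(ledger, userId, sessionId) {
  const cookies = [`session=${sessionId}; Secure; HttpOnly; SameSite=Lax`];
  for (const purpose of OPTIONAL_PURPOSES) {
    if (ledger.allows(userId, purpose)) cookies.push(`${purpose}_opt_in=1; Secure; SameSite=Lax`);
  }
  return cookies;
}

// Right of access / portability: return the subject's data in a commonly used format (JSON).
function exportSubjectData(store, ledger, userId) {
  return JSON.stringify({ profile: store.get(userId) || null, consents: ledger.records.get(userId) || [] });
}

// Right to erasure: drop the profile and the consent history. Whether proof of withdrawal must be
// retained is a retention decision the post does not cover, so this example simply deletes it.
function eraseSubject(store, ledger, userId) {
  const hadProfile = store.delete(userId);
  const hadConsents = ledger.records.delete(userId);
  return hadProfile || hadConsents;
}
```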

Third party services

When using third-party services, make sure that they comply with GDPR. Data collectors should be well aware of how these services work and how they handle the collected data.

Handle data breaches

GDPR states that users and the relevant authorities must be informed of any form of breach within 72 hours. Data collectors should have a procedure in place for reporting breaches, and it should cover all the parties that need to be made aware of them.

Conclusion

Any organization that needs to access, store and process personal data of EU citizens should make sure that it follows GDPR to avoid legal action. Prioritizing transparency, the consent of data subjects and security is crucial to protecting collected data. Web developers have a major responsibility in complying with GDPR.
