There are four letters that have been on the minds of web developers recently.
GDPR stands for General Data Protection Regulation, which are new regulations set to debut on May 25, 2018, that will limit what personal information websitesstore about users from countries within the European Union.
Photo by Kevin
There has been a lot of coverage about the new regulations in media outlets around the world. The New York Times ran a detailed piece in January about how “Tech giants brace for Europe’s new data privacy rules.” Included in the article is this high-level summary:
Among their provisions, the rules enshrine the so-called right to be forgotten into European law so people can ask companies to remove certain online data about them. The rules also require anyone under 16 to obtain parental consent before using popular digital services. If companies do not comply, they could face fines totaling 4 percent of their annual revenue.
Now you may be wondering why companies would be so worried about these new regulations. Let me repeat that last sentence from The New York Times again:
If companies do not comply, they could face fines totaling 4 percent of their annual revenue.
That type of threat is a good way to get people’s attention.
It’s unclear to what extent the law will be enforced, especially in the United States, but there has been quite a bit of buzz about this, especially in tech circles. This is really good, since the principles of GDPR are also important from an ethical perspective, providing users with control over their own personal data.
Here at Duo, we pride ourselves on looking out for our clients and potential challenges their websites may face. That’s why we’ve already been working with clients to make sure they are prepared for when GDPR compliance begins to be enforced.
We already leverage our expertise of Drupal and web development to provide technical guidance to our clients with accessibility compliance, PCI compliance, and establishing audit trails, so we’re well-equipped for navigating the technical waters of GDPR as well.
No matter what effect GDPR will have on your organization, the privacy issues at the center of the regulations are important to consider. GDPR demonstrates this from a regulatory perspective, but major technology firms have been moving toward allowing users more control over their data for a while now. Google (https://privacy.google.com/) and Facebook (https://www.facebook.com/help/325807937506242/) are two high-profile examples of technology firms that have been improving their privacy controls over the past few years. I think this trend of giving the user more control will only continue in the months and years ahead.
Based on the GDPR, here are nine privacy topics to consider, particularly for information technology and marketing teams:
- Right to be forgotten
There has to be a way for a user to remove personally identifying information about him/herself. Typically, this is handled through account deletion. This includes notifying third-party services when the user wants personal data removed. This is the responsibility of the site as opposed to the services.
- Process restriction
In Drupal, this would essentially be a flag to make sure that no one can see user information on both the front- and back-end (i.e., content editors on the site wouldn’t be able to see the user’s information on the backend).
- Data portability
The user has to be able to export his/her data (e.g., an Excel download).
- Edit profile
Users have to be able to edit their personal information.
- Consent checkboxes
These have to be very clear opt-ins as opposed to opt-outs.
- View all data
Similarly to data portability, the user has to be able to see all of the information stored.
- Age checks
The site has to check for the user’s age. If the user is under age, parental consent is required.
- Data encryption
Personal data should be encrypted: in transit, in backups, and at rest.
Don’t collect more data than is necessary, log all access to personal data (e.g., if someone views the user’s data on the backend), and no anonymous API access to data.
There are a number of Drupal modules in progress right now to make Drupal core as compliant as possible, but none of them guarantee GDPR compliance. Each organization’s situation will be at least somewhat unique when it comes to GDPR compliance. These modules show the Drupal community’s interest in ensuring that the platform takes GDPR seriously and provides tools for organizations to become compliant.
Making sure your website is GDPR compliant will take some time. That’s why there’s so much talk about it now and why those letters are so prevalent in the minds of developers. But remember, the goal of GDPR is giving users more control over their personal data. And at the end of the day, giving users that type of control is a good thing.
Please note that none of the content above constitutes legal advice. That being said, we want you to be aware of this and to be able to share it with the rest of your team and legal counsel.