GDPR Basics for the Web
The content below is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with legal and other professional counsel to determine exactly how the GDPR may or may not apply to you.
If you do any business in the EU, you should talk to legal counsel about your liability and how to address it.
What is GDPR?
The General Data Protection Regulation (GDPR) is the framework for Europe’s data protection laws and goes into effect on May 25, 2018. GDPR replaces a data protection directive from 1995. The GDPR was agreed upon in May 2016, and businesses have had two years to become compliant.
These data regulations define the rights of European data subjects when it comes to transparency and control of their personal data.
The maximum sanction for non-compliance with the GDPR is 20,000,000 Euros or up to 4% of your annual worldwide turnover (based on figures from the preceding financial year), whichever is the greater.
What is personal data?
The official definition of personal data is:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Basically, any data that can lead back to a person is considered personal data. Some examples of personal data you might collect are IP addresses, email addresses, names, usernames, etc.
Processor vs. Controller
GDPR identifies two separate entities when dealing with data. There are controllers and processors.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
For example, a company that has a marketing website with a contact form that collects personal data and stores it in a company system would be the data controller and processor for that data.
If, however, the personal data was kept in a third-party system, such as a CRM, the company is a data controller, and the CRM is the data processor.
There are legal obligations for data controllers and processors. Be aware of when you are either, and how each affects your business processes.
What is lawful basis?
There are six lawful bases under which you can process a user’s personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
For ecommerce sites, the personal data you collect when purchases happen is processed lawfully under “contract”, since it is the information you need to complete your side of the transaction with the user.
For many basic marketing sites without ecommerce functionality, the data processing is still lawful under "contract" even though the user hasn’t made a purchase. An example of this could be that a user filled out a contact form, submitted personal data, and is expecting a response from you. You need the personal data to be able to complete your side of the contract.
However, users do need to “consent” or opt in if you plan on sending additional marketing materials, adding them to an email marketing list, etc. It must be explicit what the user is opting in for.
What does GDPR change?
Below are only a few of the changes that are happening due to GDPR. Head to the ICO’s GDPR Guide to learn more.
We touched on consent a bit earlier under lawful basis for personal data collection. GDPR states that passive acceptance of consent to be tracked (for example “by using this site you agree to cookies…”) is no longer good enough. If consent is your lawful basis, users must actively and explicitly opt in before any personally identifiable data is collected.
Right to Erasure
Just as a user has the right to opt in before personal data is collected, a user can ask what data you hold about them and ask for it to be erased.
This means your team must have documentation in place of what personal data is being stored where, how to access it, and how to properly dispose of it.
EU citizens’ data must be stored in the EU, unless the data transfer process and storage are in compliance with GDPR restrictions.
Data Breach Policy
If there is a data breach involving personal data, certain authorities (the ICO and others) must be notified within 72 hours of your becoming aware of the breach. If there is a high risk that the breach will adversely impact individuals, you must also notify those individuals.
This means there needs to be documentation, data breach detection, reporting processes, etc. in place.
Data Protection Officer
Another key regulation from GDPR is that a Data Protection Officer needs to be appointed for your business if you are a public authority, have “regular and systematic monitoring of data subjects on a large scale”, or your “core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.”
While your business may not meet the above criteria, it might be wise to designate someone to fulfill this role in order to handle any data processing requests, manage Data Processing Agreements, ensure compliance, etc.
The DPO is responsible for the following:
…monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
The DPO also must report directly to the highest management level.
How does GDPR affect my U.S.-based business?
It all depends.
If you do business in Europe, you are likely collecting personally identifying data and are therefore responsible for being compliant with GDPR. If you don’t do business in Europe, you still may be controlling and processing EU data subjects’ personal data.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
According to the ICO, an EU data subject’s rights follow that data subject, as well as any person within the EU and perhaps, in the case of transactions involving EU-related business, any EU expatriate living abroad. Non-EU based entities may have to consider whether or not their business interests would be affected if they are found to be in violation of EU law.
Because of GDPR, these are some of the actions you may need to take:
- Add opt-in for analytics tracking
- Document all personal data
- Ask users to opt-in to email marketing
- Appoint a DPO (Data Protection Officer)
- Sign DPAs (Data Processing Agreement)
- Pay fines if non-compliant
How does GDPR affect my analytics?
Again, this all depends on the analytics tools you’re using, how they’re configured, and from where users are being tracked.
Google Analytics, without customized data collection, should not track personal data and is easily GDPR compliant. All of the standard Google Analytics tracking is anonymized.
Double check that you aren’t sending any personal data through these custom features:
- User ID override
- All custom dimensions
- Campaign dimensions: Source, Medium, Keyword, Campaign, Content. Be sure not to include PII in the custom campaign parameters utm_source, utm_medium, utm_term, utm_campaign, and utm_content.
- Site search dimensions: Site Search Term and Site Search Category
- Event dimensions: Event Category, Event Action, Event Label
Learn more at Analytics Help.
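One way to make the check above routine, as an added example that is not from the original article: scan the utm_* parameters and any other dimension values for email addresses and IP addresses before the hit is sent, and redact what matches. The regexes and the sample URL are constructed for illustration.

```javascript
// Added example, not from the original article: check the values bound for
// Google Analytics dimensions for personal data before they are sent. The
// patterns are constructed heuristics for two identifier types the article
// names (email addresses and IP addresses), not a complete PII test.
const PII_PATTERNS = {
  email: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/,
  ipv4: /\b(?:\d{1,3}\.){3}\d{1,3}\b/,
};
// The campaign parameters the article lists; they populate Source, Medium,
// Keyword, Campaign and Content in reports.
const UTM_KEYS = ['utm_source', 'utm_medium', 'utm_term', 'utm_campaign', 'utm_content'];

// Pull the utm_* parameters out of a landing-page URL.
function utmFields(url) {
  const params = new URL(url).searchParams;
  const fields = {};
  for (const key of UTM_KEYS) {
    if (params.has(key)) fields[key] = params.get(key);
  }
  return fields;
}

// One {field, kind} entry per dimension whose value looks like PII. Works for any
// name->value map: custom dimensions, event labels, site search terms, User ID.
function findPii(fields) {
  const hits = [];
  for (const [field, value] of Object.entries(fields)) {
    if (value === null || value === undefined) continue;
    for (const [kind, pattern] of Object.entries(PII_PATTERNS)) {
      if (pattern.test(String(value))) hits.push({ field, kind });
    }
  }
  return hits;
}

// Replace flagged values with a fixed token so the dimension still counts in
// reports while the personal data itself never leaves the browser.
function redactPii(fields) {
  const flagged = new Set(findPii(fields).map((h) => h.field));
  const clean = {};
  for (const [field, value] of Object.entries(fields)) {
    clean[field] = flagged.has(field) ? '[redacted]' : value;
  }
  return clean;
}

// Constructed sample: a newsletter link whose utm_content merge field leaked the
// recipient's address. redactPii(utmFields(SAMPLE_URL)).utm_content is '[redacted]'.
const SAMPLE_URL = 'https://www.example.com/landing?utm_source=newsletter&utm_medium=email&utm_content=jane.doe@example.com';
```

Run the same check over custom dimension and event label values in your tag configuration before they reach the analytics call.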
Your DPO will need to accept the Data Processing Agreement within the Google Analytics Account, and provide contact information.
There are additional settings which can be configured to ensure compliance, such as Data Retention. Within Google Analytics, you can choose how long Analytics retains user-level and event-level data associated with cookies.
FullStory can collect personal data in two different ways:
- Actively through an API or integration
- Passively by recording personal data typed into fields
It is possible to set up FullStory so that it doesn’t collect any personal data, including telling FullStory to not store IP addresses and to exclude certain elements.
When it comes to asking for consent and letting users opt-in, FullStory has created the FS.consent API for you to add to a page. Once added, the sensitive information won’t be recorded unless a user opts-in.
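The opt-in flow this describes, as an added example that is not code from the article or from FullStory: recording stays off until the user makes an explicit, purpose-specific choice, and the stored decision is restored on later visits. It assumes the boolean form of the FS.consent API named above; the recorder and storage stand-ins are constructed so the module runs outside a browser.

```javascript
// Added example, not from the article or from FullStory: a consent gate that
// enables recording of sensitive fields only after an explicit, purpose-specific
// choice. `recorder` stands in for the FullStory client and is assumed to expose the
// boolean FS.consent(true|false); `store` stands in for localStorage.
const CONSENT_KEY = 'recording-consent-v1';
function createConsentGate(recorder, store) {
  // Anything but an explicit stored decision counts as no consent.
  function current() {
    const raw = store.getItem(CONSENT_KEY);
    if (!raw) return { granted: false, source: 'none' };
    try {
      const parsed = JSON.parse(raw);
      return parsed.source === 'explicit' ? parsed : { granted: false, source: 'invalid' };
    } catch (e) {
      return { granted: false, source: 'invalid' };
    }
  }
  function persist(decision) {
    store.setItem(CONSENT_KEY, JSON.stringify(decision));
    recorder.consent(decision.granted === true);
    return decision;
  }
  return {
    // On page load: default to no recording; restore only an explicit prior grant.
    init() {
      const decision = current();
      recorder.consent(decision.granted === true);
      return decision;
    },
    // Called from the user's own action (an "Allow session recording" button);
    // the purpose is stored with the grant so it is clear what was opted into.
    grant(purpose) {
      if (!purpose) throw new Error('a consent grant must name its purpose');
      return persist({ granted: true, source: 'explicit', purpose, at: new Date().toISOString() });
    },
    withdraw() {
      return persist({ granted: false, source: 'explicit', at: new Date().toISOString() });
    },
  };
}
// Constructed stand-ins so the gate runs without a browser or FullStory.
function memoryStore() {
  const map = new Map();
  return { getItem: (k) => (map.has(k) ? map.get(k) : null), setItem: (k, v) => map.set(k, String(v)) };
}
function fakeRecorder() {
  const calls = [];
  return { consent: (v) => calls.push(v), calls };
}
```

In a page, pass `window.FS` and `window.localStorage` in place of the stand-ins and wire `grant` to the opt-in control only, never to a "continue browsing" banner.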
Your DPO will need to accept the Data Processing Agreement for FullStory, or send your version to email@example.com.
Additionally, FullStory has gone to great lengths to provide users with the ability to opt-out and companies the option to delete users’ sessions.
You can read more about FullStory and GDPR compliance on the FullStory site.
What’s my takeaway for GDPR?
Talk to legal counsel about any liabilities and/or responsibilities you may have when it comes to EU data subjects’ rights. There are a lot of small details, and it encompasses far more than your mere web presence.
If there is any chance you are collecting the personal data of EU data subjects, a good start would be to document all such data, including where and how it gets into your (or your data processor’s) systems, what it is used for, and who it is shared with, if anyone. This kind of personal information inventory may help legal counsel determine what compliance steps you need to take, and also help you plan the carrying out of those steps.
If you need your site updated to comply with GDPR, let us know. We can help configure your analytics, add opt-in functionality, document where data is stored, and more.