Forewarned is forearmed.
The whole digital world is on the threshold of great changes.
On May 25, 2018, the major update to the EU data protection rules comes into force. Everyone who works with clients and asks them to share some sort of personal information in return for products, services, or actions should get ready for the new digital privacy terms and regulations.
The modern-day web community has become extremely vulnerable. Sometimes it seems that Google and Facebook know more about us, our preferences and our behavior than our family and friends do. Each time we install a new app on a smart device, we are asked for permission to access our location, gallery, contacts, and so on.
Whenever we register on a social media platform or sign up on a website, we are asked to enter our personal details. And what happens to this data after we click the register button and accept the privacy terms and conditions? By the way, how often do you actually read those endless documents?
You never know at what point your personal data may be stolen or sold. In order to put an end to this digital feudalism and keep users' private data protected, the EU is introducing stronger data protection rules.
What we are going to discuss in this post is the General Data Protection Regulation that will go into effect on May 25.
GDPR is a regulation enacted by the European Union, but it also affects many organizations outside the EU. It deals with personal data and the way it is managed online. If you are a web developer, designer, or simply build web templates, then make yourself comfortable and keep reading. The following information is for you.
What is GDPR
This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
The EU data protection and privacy overhaul comes in two major parts:
- GDPR is the modernized replacement of the Data Protection Directive adopted in 1995. All of the principles of the Directive are kept in the General Data Protection Regulation, with the addition of new requirements that reflect the realities of the modern digital era.
- The second part is the proposed ePrivacy Regulation, which is to replace the ePrivacy Directive of 2002, better known as the cookie law. Originally, it was planned to take effect on May 25, alongside GDPR. However, it is still in draft negotiations, and the document is expected to be finalized in late autumn or early winter 2018.
The delay of the ePrivacy rules may be a good thing for developers: once the GDPR changes are in place, adapting to the narrower scope of the ePrivacy rules should be comparatively easy when the time comes.
Although we are talking about EU regulations, you do not need to be located in the European Union for these rules to apply to the way you treat your customers' digital privacy.
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
This means that if you do business in Europe, or simply collect data on European users, then you must protect their personal data in full accordance with the revamped regulations. The regulations apply to all businesses regardless of their size, location, and financial turnover. If a business is not ready to accept the changes, then it should not work with EU clients.
Personal Data vs Personally Identifiable Information
The European term "personal data" is different from its US equivalent, "personally identifiable information". Here is why.
Under the European regulation, personal data means any data relating to an identified or identifiable natural person. This can be literally anything: a single piece of data, or a number of data points that, combined, create a record about a person. In the EU, personal data includes a sub-category, sensitive personal data (the "special categories" of personal data), which covers:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Health data.
- Sex life or sexual orientation, etc.
Sensitive personal data requires stronger protection than regular personal data, because a leak of sensitive data has far greater consequences for the person concerned.
GDPR provides an expanded meaning of the ”personal data” term, which includes:
- Genetic data
- Biometric data (such as facial recognition or fingerprint logins)
- Location data
- Pseudonymized data
- Online identifiers
Online identifiers include IP addresses, cookie identifiers, user account IDs, mobile device IDs, and other system-generated identifiers. These are especially important for web designers and developers, since a web application creates and handles them constantly.
The American "personally identifiable information" covers a more limited set of characteristics than the GDPR's personal data.
Unlike GDPR, the PII concept does not treat personal information as contextual: data that is harmless on its own but identifying in combination with other data may fall outside PII, which increases the risk of a data leak being underestimated.
Controller vs Processor
For anyone who holds personal data, GDPR defines two main roles: data controllers and data processors.
- A controller is a person or an organization that decides what data is collected and how it is used.
- A processor is a person or an entity that processes the data on behalf of the controller.
As a web designer or a web developer, you may hold either role, or both.
As a processor, you cannot engage another processor without the prior written authorization of the controller. The relationship between the data controller and the data processor is governed by a written contract, under which the processor:
- processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the processor is subject;
- ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligation to respond to requests for exercising the data subject’s rights;
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
How to Develop for GDPR
With all that being said, the logical question is: how should web designers and developers work with clients from May 25 onward?
GDPR will affect the way you work online. This includes both business planning and the running of your major business processes. To be more specific, it touches upon UX, marketing, project management terms, and the web development itself.
When you start working under GDPR, the first and fundamental document you need to take care of is the Privacy Impact Assessment (the GDPR's own term is Data Protection Impact Assessment), a written document that must be made accessible to everyone involved in the project. This is where you discuss, audit, and specify the privacy risks inherent in the data that you hold.
You should also have written documentation in which both the client and the web designer can find the rules, terms, and requirements for how each party must behave in the event of a privacy concern.
The PIA should make it clear:
- How and what kind of the personal data is processed and retained?
- Where and how is the data stored?
- For how long is the personal data stored?
- Is the data collection and processing specified, explicit, and legitimate?
- What is the basis of the consent for the data processing?
- If not based on consent, what is the legal basis for the data processing?
- Is the data minimized to what is explicitly required?
- Is the data accurate and kept up to date?
- How are users informed about the data processing?
- What controls do users have over data collection and retention?
- Is the data:
- anonymized or pseudonymized?
- backed up?
- What are the technical and security measures at the host location?
- Who has access to the data?
- What data protection training have those individuals received?
- What security measures do those individuals work with?
- What data breach notification and alert procedures are in place?
- What procedures are in place for government requests?
- How does the data subject exercise their:
- access rights?
- right to data portability?
- rights to erasure and the right to be forgotten?
- right to restrict and object?
- Are the obligations of all data processors, including subcontractors, covered by a contract?
- If the data is transferred outside the European Union, what are the protective measures and safeguards?
- What are the risks to the data subjects if the data is misused, accessed without authorization, or breached?
- What are the main sources of risk?
- What steps have been taken to mitigate those risks?
Working under GDPR is not only about code and design. It also requires that everyone involved in a project is aware of the legal background of their work and knows the applicable regional, national, and local privacy laws.
Ideally, companies should train their teams, and there should be documented proof that each web designer or web developer has completed the respective training.
How to Design
Design requirements are an integral part of the GDPR-oriented projects.
The two focal principles to keep in mind at this stage are anonymization (or, where the data must stay usable, pseudonymization) and minimization, on both the back end and the front end. Keep personal data separate from any other data set that could re-identify it; do not store them together in a single location.
According to GDPR, you need to specify data retention and deletion schedules. Still, you do not need to delete everything once you finish working on the project: you are allowed to keep purchase records for tax and income audits. When such data is no longer needed, make sure that it is removed from your archives and from third-party services such as cloud storage.
Additionally, protect personal data against attacks. It should not be accessible in plain view on either the back end or the front end, and it should be encrypted both in transit and at rest.
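The design principles above (pseudonymize, minimize per purpose, keep the re-identification key apart from the data, and delete on a documented schedule) as a worked example. This is an added illustration, not code from the original article. It assumes records are plain dicts, that each stored copy is tagged with the purpose it serves, that the pseudonymization key lives in a separate secrets store, and that the per-purpose retention periods are illustrative values, not legal advice.

```python
"""Added example: pseudonymization, minimization and scheduled deletion.

Assumptions (not specified by the article): records are dicts keyed by field
name, each stored copy is tagged with its purpose, the HMAC key is held in a
separate store from the pseudonymized data, and retention periods are
per-purpose day counts chosen for illustration only.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Data minimization: the fields each purpose actually needs, nothing more.
# Analytics never needs the e-mail address; billing does (invoices, tax audit).
PURPOSE_FIELDS = {
    "analytics": ("country", "plan"),
    "billing": ("email", "plan", "amount"),
}

# Documented retention schedule (illustrative values, not legal advice).
RETENTION_DAYS = {"analytics": 90, "billing": 7 * 365}


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized identifier.

    A bare SHA-256 of an e-mail address can be reversed by hashing a list of
    candidate addresses; the HMAC cannot, unless the attacker also holds
    `key`, which is why the key must live apart from the pseudonymized data.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def store_for_purpose(record: dict, purpose: str, key: bytes, now: datetime) -> dict:
    """Return the minimized, pseudonymized copy to be kept for `purpose`."""
    kept = {field: record[field] for field in PURPOSE_FIELDS[purpose] if field in record}
    kept["subject"] = pseudonym(key, record["email"])  # stable, unlinkable without the key
    kept["purpose"] = purpose
    kept["stored_at"] = now.isoformat()
    return kept


def purge_expired(stored: list, now: datetime) -> tuple:
    """Split stored copies into (keep, delete) according to the retention schedule."""
    keep, delete = [], []
    for item in stored:
        age_limit = timedelta(days=RETENTION_DAYS[item["purpose"]])
        stored_at = datetime.fromisoformat(item["stored_at"])
        (delete if now - stored_at >= age_limit else keep).append(item)
    return keep, delete


def demo() -> dict:
    """Run the flow on a constructed sample record (hypothetical data)."""
    key = secrets.token_bytes(32)  # in practice: a KMS or secrets store, never the same DB
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    user = {"email": "Alice@Example.com", "country": "DE", "plan": "pro",
            "amount": 49.0, "phone": "+49 30 123456"}  # constructed sample record
    analytics = store_for_purpose(user, "analytics", key, now - timedelta(days=120))
    billing = store_for_purpose(user, "billing", key, now - timedelta(days=1))
    keep, delete = purge_expired([analytics, billing], now)
    return {"analytics": analytics, "billing": billing, "keep": keep, "delete": delete}


if __name__ == "__main__":
    result = demo()
    print("analytics copy:", result["analytics"])  # no e-mail, no phone number
    print("to delete:", [r["purpose"] for r in result["delete"]])  # analytics copy is past 90 days
```

The analytics copy carries only a keyed pseudonym and the two fields that purpose needs, so a breach of the analytics store alone does not expose an address; the billing copy keeps the e-mail because the invoice genuinely needs it, and is retained for the longer audit period.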
How to Code?
To code in line with GDPR, make sure that everyone involved in your project uses a specific set of code libraries, tools, and frameworks, all of which are documented in a list of approved standards and methodologies for coding and testing. GDPR itself does not prescribe which tools and techniques you may use to write the code.
What matters is that you specify and agree on those tools in a written document. The list can be modified later; just make certain that everyone on the project is informed and that the changes are documented.
It goes without saying that the tools and third-party libraries you choose should be secure and come from reliable sources.
How to Run Privacy Tests
Working under GDPR means building privacy by design and privacy testing into your digital projects. The privacy tests should anticipate possible attacks, unauthorized data access, and general security vulnerabilities.
When it comes to privacy testing, you should be creative. Are the user passwords stored securely? Is login data stored in cookies? Is it possible to reach the data by deliberately triggering an error? Did you take external alerts into account while running the privacy tests? Most importantly, did you document it? All of your testing efforts will be useless unless there is a living document confirming what you did.
Working under GDPR, you need to be more specific about the terms and conditions for accessing and using personal data. You should think harder about the possible issues you may face, and have every step you take clearly documented.
Be more transparent with your users. Write the privacy terms in plain language. By the way, the "less is more" rule is perfectly suited to the terms and conditions page of your project. Do not make users spend hours getting your message: highlight the essentials and make them easy to follow. This increases the chances that users will read what you have written instead of simply scrolling down to the "agree" button.
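The three concrete questions above (password storage, login data in cookies, data exposed by a deliberately triggered error) turned into a small automated privacy test that produces a findings report you can file with the project's privacy documentation. This is an added example, not code from the original article. It assumes HTTP responses are supplied as a status code, a list of (header, value) pairs and a body string, that password hashes use common prefixed formats (bcrypt, Argon2, PBKDF2, scrypt), and the sample response and hashes are constructed for illustration.

```python
"""Added example: automated privacy checks over constructed HTTP responses
and stored password hashes. Assumptions (not from the article): responses are
(status, headers, body); recognised password-hash prefixes are listed below.
"""
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Debug / stack-trace markers for a few common back ends.
TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)|Exception in thread|Stack trace:|\bat [\w$.]+\([\w.]+:\d+\)"
)
# A bare 32/40/64-hex string is almost always an unsalted MD5/SHA-1/SHA-256 digest.
BARE_HEX_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
SAFE_HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$pbkdf2", "pbkdf2_sha256$", "$scrypt$")
CREDENTIAL_WORDS = ("pass", "pwd", "email", "username", "user_id")


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip() or True
    return name.strip(), value.strip(), attrs


def check_cookies(headers) -> list:
    """Flag cookies missing Secure/HttpOnly/SameSite or carrying login or personal data."""
    findings = []
    for h, v in headers:
        if h.lower() != "set-cookie":
            continue
        name, value, attrs = parse_set_cookie(v)
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name}: missing {flag}")
        if any(w in name.lower() for w in CREDENTIAL_WORDS) or EMAIL_RE.search(value):
            findings.append(f"cookie {name}: appears to carry login data or personal data")
    return findings


def check_error_page(status: int, body: str) -> list:
    """On error responses, flag stack traces and e-mail addresses in the body."""
    findings = []
    if status < 400:
        return findings
    if TRACE_RE.search(body):
        findings.append("error page: stack trace exposed")
    emails = sorted(set(EMAIL_RE.findall(body)))
    if emails:
        findings.append(f"error page: {len(emails)} e-mail address(es) exposed")
    return findings


def check_password_hash(stored: str) -> list:
    """Accept slow, salted hash formats; flag bare digests and anything else."""
    if stored.startswith(SAFE_HASH_PREFIXES):
        return []
    if BARE_HEX_RE.match(stored):
        return ["password storage: unsalted MD5/SHA hex digest (fast to crack)"]
    return ["password storage: not a recognised password hash (plaintext?)"]


def run_privacy_tests(status: int, headers, body: str, password_hashes) -> dict:
    """Return a report suitable for the project's privacy test log."""
    report = {
        "cookies": check_cookies(headers),
        "error_page": check_error_page(status, body),
        "passwords": [f for h in password_hashes for f in check_password_hash(h)],
    }
    report["passed"] = not any(report[k] for k in ("cookies", "error_page", "passwords"))
    return report


# Constructed sample response and hash store (hypothetical data).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=9f1c2d; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "remember_email=alice@example.com; Path=/"),
]
SAMPLE_ERROR_BODY = """<h1>500 Internal Server Error</h1>
<pre>Traceback (most recent call last):
  File "app/views.py", line 42, in profile
    send_mail(user.email)  # alice@example.com
</pre>"""
SAMPLE_HASHES = ["$2b$12$abcdefghijklmnopqrstuu", "5f4dcc3b5aa765d61d8327deb882cf99", "hunter2"]

if __name__ == "__main__":
    for section, items in run_privacy_tests(500, SAMPLE_HEADERS, SAMPLE_ERROR_BODY, SAMPLE_HASHES).items():
        print(section, items)
```

Run against the constructed sample, the report flags the remember-me cookie (no Secure, HttpOnly or SameSite, and it stores an e-mail address), the stack trace and address leaked by the 500 page, and two of the three stored hashes; only the session cookie and the bcrypt hash pass. Keeping the returned report with each release is the "living document" the text asks for.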