Internet users are constantly entering information online, whether willingly or unknowingly. Today, more than 54% of the world’s population uses the internet, and if historic numbers are any guide, that number will continue to grow exponentially year over year. Personal online data is now protected by regulation, and webmasters are expected to know how to comply.
The EU has enacted the General Data Protection Regulation (GDPR), a set of rules meant to secure personal user data. This data includes a user’s name, address, social security number, email address, IP address, and location.
But the internet stores far more information than just how to reach the data subject. Consider not only business activity online, but social interactions. A lot of data can be gathered from social activity or contact forms. This sensitive personal data includes race, sexual orientation, political and religious beliefs, and medical details.
These guidelines protecting this information are enforceable as of May 2018. Data subjects are protected under them, so data controllers and webmasters now have a significant task at hand: protecting current and future personal data that’s collected.
Protecting this data doesn’t mean just storing it properly. These guidelines also ensure that a user can access the information they’ve provided to the site, as well as correct any inaccurate information or have it completely erased and removed. Subjects also have the right to object to having their information used for marketing or promotional purposes. The webmaster should ensure that this option exists and is accessible to users.
GDPR applies in the EU, but webmasters all over the world should be paying attention and practicing these guidelines. Any information, including behavioral data, collected on an EU citizen is covered under the GDPR. That means all information stored, used, or studied that pertains to an EU citizen is subject to EU law. Every website, regardless of where it is based, must comply.
The global nature of the internet has made these laws somewhat difficult to create. These guidelines have taken effect after four years of drafting and planning. It’s unlikely that this is the final word in internet data security, but it’s indicative of guidelines that will be used around the world.
As a webmaster, there are two starting points to ensure your site is on the way to complying: audit your data so you know what you’re collecting, and have all of it documented.
When users visit your site, you have the opportunity to ask them to share as little or as much information as you choose. Considering the protection that is now provided to visitors, the first step should be reviewing the data that’s collected. If there is no legitimate interest in it, meaning it does not pertain to exactly what the site is offering or hopes to provide, it shouldn’t be collected.
Data Collection
Data collection goes far beyond the information that the user inputs into a form. User engagement online is at an all-time high, and behavioral monitoring piles a lot of additional information on visitors. Under GDPR, webmasters and organizations are also being held accountable for this collection.
The protection under which data is stored also needs to be made plain to visitors. Users should be explicitly aware of the data that’s being collected and what you intend to do with it. This gives them the option to proceed with sharing it or not, and allows your website to hold the information given.
Knowing who holds the data, what it is, where it is stored, how long it is kept, and why it was collected is essential to adhering to data protection laws. It falls to the webmaster to be able to answer those questions and provide the necessary data accordingly.
It’s also important to know where the data goes. Since these guidelines are implemented by the EU, precautionary safeguards are necessary for international sharing. For instance, if data is transferred outside of the EU to the USA, there needs to be a Privacy Shield, as it’s considered trans-Atlantic commerce.
Even if you’re not sharing, users want to know what you know about them already. Sites that collect an abundance of personal data, like Facebook, allow users to download gigabytes that display all of the information that’s been stored. Under these new laws, every website needs a similar offering. Users need to know they have access to their information, and control over what is done with it. If they choose to abandon engagement with that site, they must be readily able to delete it, and they need to have verification that it’s been wiped.
The unfortunate truth is that data breaches happen. When hackers make their way into the pool of personal information, GDPR dictates that supervisory authorities, such as the Information Commissioner’s Office (ICO) need to be advised within 72 hours.
Outside of the EU, the same notification duty applies toward the appropriate supervisory authority. In some cases, depending on the severity of the breach, the affected users will have to be alerted as well.
Users will more often than not know when they are sharing personal data, but it is still up to the site to be transparent. The best way to let users know is to update your privacy policy to reflect these changes and how you’re practicing them. It should outline exactly the extent of the information that is collected on the user and how they can access it if need be.
Some organizations may appoint a Data Protection Officer (DPO) to keep track of what data is handled and how. If no such person is in place, the webmaster should be held responsible for tracking the data that’s being collected.
Even without a DPO, the expectations for how data is collected and handled need to be met. There are easy ways to begin minimizing or condensing the amount of data you collect. Do a comb through the site. Are there any forms that require superfluous information from users? It shouldn’t be collected. Are the users consciously agreeing to share their information? They need to.
Users should only be asked to provide information that directly pertains to their visit to the site. Collecting too much data without any use for it only stockpiles information that needs to be secured – and could be breached. There could be a lot of unused information lurking in contact forms. This is the practice of legitimate interests: if you don’t need it, don’t ask for it.
Practicing these guidelines now, no matter where you are in the world, is the best way to protect your site and the users’ data that’s on it. Make sure your site is protected and transparent in the way this data is being collected and stored. These guidelines are only the beginning of how user data will be protected, and getting on top of it now is the best way to ensure a secure site for the foreseeable future.
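The three webmaster duties described above (flagging form fields that have no legitimate purpose, handing a user everything held on them, and erasing it with verification that it is gone) can be exercised in a few dozen lines. The following is an added, hypothetical example, not code from the original article or from any named product: an in-memory dictionary stands in for the site’s database, and the FIELD_PURPOSES mapping is a constructed sample of a checkout form. The erasure log keeps only a hash of the subject’s identifier, so the record proving erasure does not itself re-collect the data that was just removed.

```python
"""Added example: audit collected fields, export a subject's data, and erase it
with a verifiable receipt.  Hypothetical code, not from the original article."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: fields a checkout form stores, mapped to the purpose each
# one serves.  None means nobody could state a purpose for keeping it.
FIELD_PURPOSES = {
    "email": "send the order confirmation",
    "postal_address": "ship the order",
    "date_of_birth": None,
    "political_views": None,
}


def audit_fields(field_purposes):
    """Return the fields collected without a stated purpose.  These should be
    removed from the form rather than stored and secured indefinitely."""
    return sorted(name for name, purpose in field_purposes.items() if not purpose)


def pseudonym(subject_id):
    """Stable, non-reversible reference used in the erasure log so the log
    itself does not retain the identifier it has just erased."""
    return hashlib.sha256(subject_id.encode("utf-8")).hexdigest()[:16]


class SubjectRegistry:
    """In-memory stand-in for the site's database of personal data."""

    def __init__(self, field_purposes):
        self._allowed = {f for f, p in field_purposes.items() if p}
        self._records = {}     # subject_id -> list of stored records
        self.erasure_log = []  # receipts, referenced by pseudonym only

    def store(self, subject_id, record):
        """Refuse fields the audit flagged: minimisation at the point of collection."""
        unknown = set(record) - self._allowed
        if unknown:
            raise ValueError(f"no stated purpose for fields: {sorted(unknown)}")
        self._records.setdefault(subject_id, []).append(dict(record))

    def export_subject(self, subject_id):
        """Everything held on one subject, as JSON (a subject access request)."""
        return json.dumps(self._records.get(subject_id, []), sort_keys=True)

    def erase_subject(self, subject_id):
        """Delete every record for the subject and return a receipt that states
        how many records were removed and confirms that none remain."""
        removed = len(self._records.pop(subject_id, []))
        remaining = len(self._records.get(subject_id, []))  # re-check after the delete
        receipt = {
            "subject": pseudonym(subject_id),
            "records_removed": removed,
            "verified_empty": remaining == 0,
            "erased_at": datetime.now(timezone.utc).isoformat(),
        }
        self.erasure_log.append(receipt)
        return receipt


if __name__ == "__main__":
    print("fields without a purpose:", audit_fields(FIELD_PURPOSES))
    reg = SubjectRegistry(FIELD_PURPOSES)
    reg.store("alice@example.com", {"email": "alice@example.com", "postal_address": "1 Example St"})
    print(reg.export_subject("alice@example.com"))
    print(reg.erase_subject("alice@example.com"))
    print(reg.export_subject("alice@example.com"))
```

The export is deliberately the same structure the site stores, so whatever the user downloads is exactly what a breach would expose; if that output looks excessive, the audit list is where to start trimming. A production version would sign or timestamp the receipt and run the erasure across every replica and backup, which this in-memory stand-in does not model.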