The Impact of GDPR on Web Development


The following blog post is provided for informational purposes only. We strongly recommend you engage in more research of your own and consult a legal advisor. While we’ve worked hard to learn a great deal about these GDPR regulations, we shouldn’t serve as your primary source of information, and are not a legal resource.

As you’re likely aware given the surge of notices to your inbox, the General Data Protection Regulation (GDPR) became enforceable in Europe on 25 May 2018. The regulation was put in place to protect the privacy of European Union citizens with respect to the non-personal and personal data collected by data-capturing systems, including websites.

The regulation is intended to promote fairness and transparency and gives citizens several rights, including declining to be tracked, controlling what data is captured about them and how, and ultimately having their data deleted from the site’s systems on request. If your site offers goods or services in the EU, then you need to be compliant. For example, your local middle school in the United States probably does not need to be compliant. On the other hand, your local high school academy that recruits and/or accepts study abroad students will need to have compliant sites.

The GDPR requires developers to be mindful of new considerations when constructing and maintaining websites. For existing sites, it means retrofitting tools, techniques, and workflows to accommodate the new regulations. For new site development, familiarizing yourself with the GDPR and its requirements should be part of your planning from the beginning of the project.

As the GDPR is still in its early days, we are all doing our best to interpret the regulations in a way that encourages compliance. Outlined below are our initial thoughts and insights for web development projects that we believe meet the spirit of the new regulations.

When beginning a GDPR project, the following areas and questions are among those to consider.

Secure Hosting Environment

Are you using security best practices for architecture, access, and passwords? The server should live behind a firewall, administrative access should be done over SSH or SFTP, and monitoring should be in place for intrusion and DDoS detection.

Secure Data Transmissions

All traffic to the site and its related files should use HTTPS (TLS). Third-party scripts and assets should also be pulled into the site over HTTPS connections, since a single insecure asset undermines the protection of the page that loads it.

Secure Data Capture

Site data capture tools such as forms must be opt-in for every field. Nothing can be preselected, and an additional privacy disclaimer should be presented. Data that is submitted should be encrypted when stored (encrypted at rest).

Cookie and Session Management

Visitors must NOT be tracked by cookies or sessions until they have opted in. You must present an alert box that states how you will capture data, display an opt-in button, and link to the comprehensive privacy policy.
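The opt-in gate described above, as an added example that is not part of the original post: no tracking code runs until a stored, explicit “granted” decision exists, an absent or malformed record fails closed, and the visitor can withdraw consent later (covering the User Access section below). The storage key, the `loadTracker` callback and the in-memory storage stand-in are assumptions made for this example.

```javascript
// Consent-gated tracking. Example code added here, not from the original post.
// CONSENT_KEY, loadTracker and memoryStorage are assumptions for illustration.

const CONSENT_KEY = 'site_consent_v1'; // assumed localStorage key
const POLICY_VERSION = '2018-05-25';   // assumed privacy policy version

// Build the record that is persisted only after an explicit click.
function makeConsentRecord(choice, now = Date.now()) {
  if (choice !== 'granted' && choice !== 'denied') {
    throw new Error('choice must be "granted" or "denied"');
  }
  return { choice, timestamp: now, policyVersion: POLICY_VERSION };
}

// True only for a stored, explicit "granted" decision for the current
// policy version; missing or malformed data means no consent (fail closed).
function hasTrackingConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return false;
  try {
    const rec = JSON.parse(raw);
    return Boolean(rec) && rec.choice === 'granted' &&
      rec.policyVersion === POLICY_VERSION;
  } catch (e) {
    return false; // corrupted record: treat as not consented
  }
}

// Wired to the opt-in / decline buttons of the consent alert box.
function recordConsent(storage, choice) {
  storage.setItem(CONSENT_KEY, JSON.stringify(makeConsentRecord(choice)));
}

// Withdrawal path for the "manage my preferences" page.
function withdrawConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// Gate: loadTracker (the caller's analytics loader, which injects the
// third-party script or sets its cookie) runs only with consent.
function initTracking(storage, loadTracker) {
  if (!hasTrackingConsent(storage)) return false;
  loadTracker();
  return true;
}

// Minimal stand-in for window.localStorage so the logic runs outside a
// browser (constructed for this example; pass window.localStorage in a page).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```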

Data Management

You must track all data sources and have a plan for how long you will keep these records, along with a method, automatic or manual, to delete them. This workflow must be documented.

User Access

You must provide a method for users to manage their data collection preferences and a mechanism to access, update, and delete their data.

Manage Third-Party Services

Verify that the external services, such as Google Analytics, YouTube, and other plugins used within the site, comply with the GDPR. Implement each service based on its recommended methods for compliance. The site’s privacy policy should detail which services are used, how they collect data, and link to their GDPR privacy statements.

Digital Privacy Officer (DPO)

Your organization will need to assign an individual to function as the point of contact for privacy and data protection matters.

Crisis Communication Plan

Have a method in place to broadcast to all users in the system if a data breach happens. Any data breaches to users’ personal information need to be shared with relevant authorities within 72 hours.

While the new GDPR regulation is ambitious and requires a lot of work to comply with, it forces us to truly consider the individual prospect/consumer and their needs. Ultimately, this will result in a better, more transparent, and more secure user experience that benefits not only the end client but the site owner as well.
