The following blog post is provided for informational purposes only. We strongly recommend you engage in more research of your own and consult a legal advisor. While we’ve worked hard to learn a great deal about these GDPR regulations, we shouldn’t serve as your primary source of information, and are not a legal resource.
As you’re likely aware given the surge of notices to your inbox, the General Data Protection Regulation (GDPR) became enforceable in Europe on 25 May 2018. This regulation was put in place to protect the privacy of European Union citizens as it relates to Non-Personal Data and Personal Data that is collected when using data capture entities, including websites.
The regulation is intended to promote fairness and transparency and gives the citizen several rights which include declining to be tracked, controlling how or what data is captured about them, and ultimately being deleted from the site system if requested. If your site offers goods or services in the EU, then you need to be compliant. For example, your local middle school in the United States probably does not need to be compliant. On the other hand, your local high school academic academy who recruits and/or accepts study abroad students will need to have compliant sites.
The GDPR requires developers to be mindful of new considerations when constructing and maintaining websites. For current sites, it means backward engineering tools, techniques, and workflows to accommodate the new regulations. For new site development, familiarizing yourself with the GDPR and its requirements should be a part of your planning from the beginning of the project.
As GDPR is very much in its nascent development, we are all doing our best to interpret the regulations in a way that encourages compliance. Outlined below are our initial thoughts and insights to apply to web development projects that we believe meet the spirit of the new regulations.
When beginning a GDPR project, the following areas and questions posed are among those to be considered.
Secure Hosting Environment
Are you using best security practices for architecture, access, and passwords? The server should live behind a firewall, access should be done using ssh or sftp, and monitoring should be in place for intrusion and DDOS detection.
Secure Data Transmissions
Site traffic to access the site and related files should be using secure socket layer “https” mode. Third-party scripts and assets should also be pulled into the site over “https” connections as well.
Secure Data Capture
Site data capture tools such as forms must be opt-in for every field. Nothing can be preselected and an additional privacy disclaimer should be presented. Data that is submitted should be encrypted when stored.
Cookie and Session Management
You must track all data sources and have a plan for how long you will keep these records and a method, automatic or manual, to delete. This workflow must be documented
You must provide a method for the user to manage their data collection preferences and a mechanism to update, access and delete data.
Manage Third-Party Services
Digital Privacy Officer (DPO)
Your organization will need to assign an individual to function as a point of contact on these types of items.
Crisis Communication Plan
Have a method in place to broadcast to all users in the system if a data breach happens. Any data breaches to users’ personal information need to be shared with relevant authorities within 72 hours.
While this new GDPR regulation is ambitious and requires a lot of work to comply, it forces us to truly consider the individual prospect/consumer and their needs. Ultimately, this will result in a better and more transparent and secure user experience that benefits not only the end client but the site owner as well.
GDPR Regulation Resources
- How GDPR Will Change The Way You Develop, Smashing Magazine — Excellent in-depth article about GDPR, development, and policies.
- Preparing for a New Era in Privacy Regulation, Microsoft Corporation
- GDPR Regulation, European Commission
- EUGDPR.org , This website is a resource to educate the public about the main elements of the General Data Protection Regulation (GDPR)
Laurence oversees technical implementation at iFactory and has 20+ years in web development working with B2C, B2B, not-for-profits, and education. Laurence has worked with clients such as Harvard Institute of Politics, Rutgers University Undergraduate Admissions, Rutgers Business School, Massachusetts College of Art & Design, Phillips Exeter Academy, Lincoln Institute of Land Policy, and Perkins School for the Blind. When he is not at work, he is coaching youth soccer.