in , ,

LoveLove

Keeping Your Website GDPR Compliant – Everything You Need To Know

It has been over a year since Australian businesses were put under pressure to quickly comply with the General Data Protection Regulation (GDPR). In theory, the GDPR was intended to focus only businesses with an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. However, in practice it has impacted websites and businesses all over the globe in one way or another.

If you’re like myself, a professional in the web development industry, who is constantly managing data, you probably already know that the GDPR can be a bit of a pain in the neck to comply with. As an Australian developer, we’re already challenged with navigating the vague Australian privacy laws and now GDPR is adding to this complication. More so, with increased regulation comes an increased workload. Countless hours of deleting old data and ensuring you are operating within the boundaries of the law is both time consuming and tedious work. 

The following may help you navigate your way through the GDPR and provide some helpful tips in streamlining the process from start to finish. Of course, I’m a web developer (and not a lawyer), so these are just the lessons I’ve learned along the way, so you’ll still want to talk to someone with a real law degree for advice on making sure your business as all the i’s dotted and t’s crossed.

1. Having a reliable security wall in place

Data breaches are hitting major organisations every day and becoming an increasingly inconvenient cost and reputation burden for them. Businesses hit with a data breach are hit with GDPR non-compliance fines, the cost of hiring crisis lawyers, customer service teams, publicists and social media management teams. Needless to say there are also major reputational damages that come with this. As such, it is becoming increasingly significant for web developers to provide clients with secure digital experience platforms and minimise the risk of data breaches and as a result, minimise GDPR compliance fines. 

I use digital experience platform WP Engine that offers Cloudflare Global Edge Security, an additional external fire wall to minimise the chance of a data breach. Since implementing this, we’ve not seen any data breaches across our clients. 

credit card, shopping, sipora

2. Check your Privacy Policy

In today’s society, privately managing citizen’s personal data is absolutely paramount. ‘Personal information’ is clearly classified as information which is identifiable as being about you. This includes information such as your name, email address, identification number, or any other type of information that can reasonably identify an individual, either directly or indirectly. One of the big changes which comes with the GDPR is the increased sensitivity over dealing with personal information and privacy policy. 

Companies or individuals that have collected personal information must comply with the principles of data protection set out in the GDPR for the purpose of fairness, transparency and lawful data collection and use. Legally, data collectors must gain consent from the customer in order to gain personal information and then process it. They must also have permission to share this information with a third party. 

3. Opting into Terms and Conditions 

Opting into a website’s terms and conditions is often something which is done by consumers with haste and neglect for what they are agreeing to. Website Terms and Conditions are still largely “implicitly” agreed to (that is, if consumers are using the site, they’re agreeing to those terms “by default”), although product/service terms and conditions must be “explicitly” defined (clicking “I agree”) if someone is creating an account or signing up for a service. For example, if you create a new Gmail account or are buying something on iTunes, etc. In these transaction based experiences, it is the consumers right to understand which of their data is being collected and give their permission accordingly. 

The GDPR aims to extend this right of consumers to control how their data is collected to all online activity (even when they’re just browsing a website without purchasing or signing up to anything), with the goal of ensuring all individuals (at least inside the EU) are fully aware of when and what they are agreeing to in terms of collection of their data.  

4. Capitalising on Cookies 

‘Cookies’ are small text files that can be stored on your computer, tablet or mobile device when you visit a website. These small files contain information about browsing activity. As a developer, we will use persistent and session cookies to track the use of a website. Cookies give us the ability to personalise and tailor online experiences. This is invaluable and when you think about brands like Netflix or Spotify, personalised online experiences are the core of their business models. 

Now that GDPR is in play, businesses trading with the EU need to ensure they have automated software in place that blocks cookies from loading on a person’s computer in the EU unless they click allow. There are many different plugins you can install that help with this.

5. Partner with a digital experience platform that uses local servers

There is no doubt that GDPR has brought a huge level of complexity to the compliance game. Between the Australian, US and now European privacy requirements, it is more challenging than ever for a business to be adhering to the legalities behind managing data and privacy. This is only the beginning and as data breaches are flung more and more into the media spotlight and data grows exponentially this space is only going to become more complicated. 

As such, engaging a digital experience platform that has localised servers can help minimise the impact of some international regulatory requirements (especially for clients also in those same regions), as well as streamlines the entire privacy and compliance process to reduce the chance of any unexpected surprises you may not have realised you needed to abide by. In our case, using WP Engine’s Evercache servers here in Australia meant there was one less headache to contend with – and it certainly didn’t hurt that the servers were insanely fast.
Women Love Tech would like to thank Adam Ithiel from theProduct for his article.

Women Love Tech

Written by Women Love Tech

Women Love Tech is an award-winning lifestyle technology site. Discover the best smartphones, latest apps, cool gadgets, social media, emerging tech and news. Be inspired by our regular profiles of women in tech as we continue with our mission to promote women in STEM and to make technology easy and fun!

Comments

Leave a Reply
  1. Hi Onli,

    Adam Ithiel from theProduct here (I served as a contributor for this article). To answer your question regarding cookies, this comes down to the different international requirements between “explicit” and “implicit” consent regarding the use of cookies.

    Based on my (not a lawyer) understanding, for businesses/websites that either have a presence in, directly market/serve (including shipping/sell products) to the EU, they are required to have “explicit” consent before serving cookies. That is, a little box that says “do you want cookies – yes/no”. If they say yes, tracking activates, if not, it doesn’t.

    For businesses/websites that do not meet any of those requirements, they fall under the privacy guidelines of the countries where their business is registered and their website is hosted. For WomenLoveTech.com, which is owned by Foyster Media Pty Ltd (Based in Australia) and is hosted in the US by Dreamhost Networks, this means that they only require “implicit” consent. This means that while there must be a valid privacy policy (https://womenlovetech.com/privacy-policy/) which identifies and clarifies the use of cookies, explicit consent is not (necessarily*) required.

    *There is also a technical and practical requirement here though. Technically, every site should have have explicit consent for their EU visitors, however practically that isn’t always possible (especially if EU viewership is very small / incidental). The ability or desire for the EU to enforce this for every single website on the planet, especially those not specifically/intentionally targeting the EU, is practically non-existent, so in these cases, having a privacy and cookie policies that meets the standards of the Australian Privacy Act 1988, the OAIC’s “Australian Privacy Principles”, the United States Children’s Online Privacy Protection Rule (“COPPA”), and the terms of service of any 3rd party companies a website owner is using/integrating on their website ‘should’ be considered sufficient for the most part.

    Having an implicit notification of the use of cookies (a little box that says “we have cookies – ok”) is also a good idea, but no one can really figure out if that is an actual legal requirement in Australia under current legislation and ‘principles’. While I recommend it, this is something I let my clients make a judgement call for themselves.

    If you’ve got any other questions, I’m more than happy to discuss things in detail with anyone that would like to know more, however please keep in mind that I am unable to give specific legal advice as I am a web developer, not a lawyer. 🙂

    Thanks
    Adam Ithiel
    Digital Services Manager
    theProduct.com.au

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Loading…

Loading…

0

Comments

Sennheiser Momentum Review: Rediscover Music With Quality Sound

Promoting Positive Indigenous Stories On Social Media