It has been over a year since Australian businesses were put under pressure to quickly comply with the General Data Protection Regulation (GDPR). In theory, the GDPR was intended to apply only to businesses with an establishment in the European Union (EU), businesses that offer goods and services in the EU, or businesses that monitor the behaviour of individuals in the EU. In practice, however, it has impacted websites and businesses all over the globe in one way or another.
If you’re like myself, a professional in the web development industry, who is constantly managing data, you probably already know that the GDPR can be a bit of a pain in the neck to comply with. As an Australian developer, we’re already challenged with navigating the vague Australian privacy laws and now GDPR is adding to this complication. More so, with increased regulation comes an increased workload. Countless hours of deleting old data and ensuring you are operating within the boundaries of the law is both time consuming and tedious work.
The following may help you navigate your way through the GDPR and provide some helpful tips for streamlining the process from start to finish. Of course, I’m a web developer (and not a lawyer), so these are just the lessons I’ve learned along the way; you’ll still want to talk to someone with a real law degree for advice on making sure your business has all the i’s dotted and t’s crossed.
1. Having a reliable security wall in place
Data breaches are hitting major organisations every day and becoming an increasingly inconvenient cost and reputation burden for them. Businesses hit with a data breach are hit with GDPR non-compliance fines, the cost of hiring crisis lawyers, customer service teams, publicists and social media management teams. Needless to say there are also major reputational damages that come with this. As such, it is becoming increasingly significant for web developers to provide clients with secure digital experience platforms and minimise the risk of data breaches and as a result, minimise GDPR compliance fines.
I use the digital experience platform WP Engine, which offers Cloudflare Global Edge Security, an additional external firewall to minimise the chance of a data breach. Since implementing this, we’ve not seen any data breaches across our clients.
Companies or individuals that have collected personal information must comply with the principles of data protection set out in the GDPR for the purpose of fairness, transparency and lawful data collection and use. Legally, data collectors must gain consent from the customer in order to gain personal information and then process it. They must also have permission to share this information with a third party.
3. Opting into Terms and Conditions
Opting into a website’s terms and conditions is often something consumers do in haste, with little regard for what they are agreeing to. Website terms and conditions are still largely “implicitly” agreed to (that is, if consumers are using the site, they’re agreeing to those terms “by default”), whereas product/service terms and conditions must be “explicitly” accepted (clicking “I agree”) when someone is creating an account or signing up for a service, for example when creating a new Gmail account or buying something on iTunes. In these transaction-based experiences, it is the consumer’s right to understand which of their data is being collected and to give their permission accordingly.
The GDPR aims to extend this right of consumers to control how their data is collected to all online activity (even when they’re just browsing a website without purchasing or signing up to anything), with the goal of ensuring all individuals (at least inside the EU) are fully aware of when and what they are agreeing to in terms of collection of their data.
4. Capitalising on Cookies
‘Cookies’ are small text files that can be stored on your computer, tablet or mobile device when you visit a website. These small files contain information about browsing activity. As developers, we use persistent and session cookies to track the use of a website. Cookies give us the ability to personalise and tailor online experiences. This is invaluable: when you think about brands like Netflix or Spotify, personalised online experiences are the core of their business models.
Now that GDPR is in play, businesses trading with the EU need to ensure they have automated software in place that blocks cookies from loading on a person’s computer in the EU unless they click allow. There are many different plugins you can install that help with this.
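As an added illustration (not code from the article, WP Engine or any consent plugin), here is a minimal consent gate in plain JavaScript that holds back non-essential cookies until the visitor explicitly opts in, records that choice with a timestamp, and removes a category’s cookies when consent is withdrawn. The cookie name `cookie_consent`, the category list and the object-based cookie jar are assumptions chosen so the logic runs outside a browser.

```javascript
// Added example: a minimal cookie consent gate. The "jar" is a plain object standing in
// for document.cookie (assumption) so the logic can be exercised under Node as well.
const CONSENT_COOKIE = "cookie_consent";             // constructed placeholder name
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Read the stored consent record. "necessary" cookies never need an opt-in; every other
// category defaults to blocked until the visitor has clicked allow.
function parseConsent(jar) {
  const consent = { necessary: true, analytics: false, marketing: false };
  const raw = jar[CONSENT_COOKIE];
  if (!raw) return { ...consent, decided: false };
  try {
    const stored = JSON.parse(raw);
    for (const c of CATEGORIES) if (c !== "necessary") consent[c] = stored[c] === true;
    return { ...consent, decided: true };
  } catch {
    return { ...consent, decided: false };        // corrupt record counts as "not decided"
  }
}

// Record an explicit choice (the visitor clicked allow), with a timestamp for audit.
function recordConsent(jar, choices, now = Date.now()) {
  const record = {
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    at: now,
  };
  jar[CONSENT_COOKIE] = JSON.stringify(record);
  return record;
}

// Write a cookie only if its category is necessary or has been opted into.
// Returns true when the cookie was set, false when it was blocked.
function setCookieIfAllowed(jar, name, value, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  const consent = parseConsent(jar);
  if (!consent[category]) return false;
  jar[name] = value;
  return true;
}

// Withdrawing consent must also delete cookies already set for that category.
function revokeCategory(jar, category, cookieNamesInCategory) {
  const consent = parseConsent(jar);
  recordConsent(jar, { ...consent, [category]: false });
  for (const n of cookieNamesInCategory) delete jar[n];
}
```

In a real page, `setCookieIfAllowed` is the single choke point that analytics and marketing tags call instead of writing `document.cookie` directly, which is what makes the "blocked until allow" behaviour auditable.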
5. Partner with a digital experience platform that uses local servers
There is no doubt that GDPR has brought a huge level of complexity to the compliance game. Between the Australian, US and now European privacy requirements, it is more challenging than ever for a business to be adhering to the legalities behind managing data and privacy. This is only the beginning and as data breaches are flung more and more into the media spotlight and data grows exponentially this space is only going to become more complicated.
As such, engaging a digital experience platform that has localised servers can help minimise the impact of some international regulatory requirements (especially for clients also in those same regions), and it streamlines the entire privacy and compliance process, reducing the chance of running into requirements you may not have realised you needed to abide by. In our case, using WP Engine’s Evercache servers here in Australia meant there was one less headache to contend with – and it certainly didn’t hurt that the servers were insanely fast.
Women Love Tech would like to thank Adam Ithiel from theProduct for his article.