General Data Protection Regulation (GDPR) legislation. Does it affect your website?


On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force.

The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

What is GDPR?

GDPR stands for General Data Protection Regulation; read more about it on the official site. In short, under GDPR a user should be asked for consent before his or her personal data is collected, and should be able to view and edit the data he or she has submitted. The site owner (controller/processor), for its part, needs to make sure it protects the user data and, if the data is breached, informs the affected users as well as the concerned authorities in a timely manner. That's the gist of it. If you handle EU customers, this regulation applies to you too, even if your business is not based in the EU.

What does GDPR compliance require?

  • Explicit Consent
    Sites must ask users for consent before collecting their personal data, such as email, name, date of birth, address, etc. This consent cannot be part of the 'Terms of use' or other privacy policies.
  • Access to information
    Users should be able to view the information collected or submitted by them on your site.
  • Edit / port their data
    Give options to users to modify or remove their submitted personal information.

The GDPR provides a new one-stop-shop regulatory framework for the investigation of complaints and enforcement of the GDPR requirements. Under this framework a member state’s supervisory authority will operate in one of three roles:

  • Lead Supervisory Authority: will act as the lead supervisory authority for the controllers and processors whose main establishments are located in its member state. This will permit a controller or processor to rely on the guidance and enforcement procedures of one single EU supervisory authority.

  • Local Authority: may deal with complaints or infringements that only affect data subjects in its member state.

  • Concerned Authorities: will act when data subjects in their member state are substantially affected and will cooperate with the lead supervisory authority for the matter.

This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to data subjects residing within their territory.

Is your website required to comply with GDPR?

If your website can be accessed from any country of the E.U., or you are planning to allow such access in the future, AND you are collecting any type of information, even if it is done through Google services such as Google Analytics, then the answer is yes.


Lower level: Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher.

Upper level: Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.

Source: gdpreu.org

What needs to be done for all websites to comply with the new legislation?

There are actions to be taken and software to be installed, as well as appropriate measures to be taken for data breach prevention:

Google services

If you are using any Google services, such as Google Analytics, you need to take the following actions:

Step 1: Review and accept the updated data processing terms in each account for each product you manage in the Google Analytics Suite:
  • Google Analytics / Analytics 360: Admin > Account > Account Settings (scroll to bottom of page)
  • Google Optimize / Optimize 360: Edit Account Details > (scroll to bottom of page)
  • Google Tag Manager / Tag Manager 360: Account Settings > (scroll to bottom of page)
  • Google Attribution / Attribution 360: Admin > Account Settings > (scroll to bottom of page)
  • Google Data Studio: User Settings > Account and Privacy (acceptance managed on a user basis)
Additional information about accepting these terms:
  • All clients using 360 products, clients using Data Studio, and clients using standard versions of Tag Manager or Optimize whose accounts were created before March 12, 2018, can review and accept data processing terms in their account(s).
  • For clients based in the EEA or Switzerland, updated data processing terms have already been included in online terms for all Google Analytics and Attribution accounts and for Tag Manager and Optimize accounts created on or after March 12, 2018.
  • For clients based outside of the EEA or Switzerland, data processing terms can be reviewed and accepted in the UIs of each account.
  • Once you accept the new data processing terms, they’ll supplement your current contract or Terms of Service and will take effect on May 25, 2018.
  • If you contract through a Sales Partner for any 360 products within the Google Analytics Suite, you should seek advice from the parties with whom you contract.
  • If you are located in Germany, the Hamburg Data Protection Authority has been informed of these new data processing terms.
Step 2: Provide your legal entity and contact details for notifications we may need to send under the GDPR (e.g. subprocessor appointment):
  • For Analytics, Optimize, Tag Manager and Attribution, you can provide the contact details within Suite Home (“Organization Settings” > “Data Processing Amendment - Details”).
  • For Data Studio, the contact collection mechanism exists in Data Studio only (not in Suite Home) and is available at User Settings > Account and Privacy.
Find Out More
You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach.


The use of SSL is mandatory and a prerequisite

If your website is anything other than a simple blog that does not transmit any personal information, like user names, passwords, etc., you need to use SSL. Web browsers already produce warnings for websites that do not use SSL, and soon they will even block them.


Allow users to control their information. A GDPR Extension installation is required:

To keep it simple, we are installing it on a core and add-ons principle. The core takes care of Joomla GDPR compliance, and with the add-ons (plugins) users can extend GDPR compliance to 3rd-party extensions.

GDPR Extension Core Component main features:

A. Joomla Core -

  • List user account / profile details: name, username, password, email.
  • Allow user to edit / update info (name, password, email and even username).
  • Allow user to delete account.

B. Custom Section -

  • To add relevant information the site users need to know. We are sure this would be different for each website, based on 3rd-party services or data processing, so for now it's simple custom HTML.
  • Email action for the admin to manually update / remove information collected from users but not stored on the site.
  • List the data collection services from which data cannot be deleted because it is anonymous, for example Google Analytics, Mixpanel, etc. We only list them and inform users that anonymous data was collected by these services and that no personal information was provided to these 3rd-party services.

GDPR Addons / Plugins:

The list below is indicative; the release depends upon the feedback and requests from customers.

  • Social extensions: JomSocial, EasySocial, Community Builder
  • iJoomla extensions: Guru, Adagency, Publisher
  • Contact forms: Breezing Forms
  • Newsletter extensions: AcyMailing
  • Event extensions: JEvents, Event Booking
  • Shopping carts: VirtueMart, J2Store

Interested to learn more? Call us 1 (800) 525-3061 now, email us
