On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force.
The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
What is GDPR?
GDPR stands for General Data Protection Regulation; read more about it on the official site. In short, under the GDPR a user should be asked for consent before his or her personal data is collected, should be able to view and edit the data he or she submitted, and the site owner (controller/processor) must make sure that user data is protected and, if it is breached, inform the affected users and the concerned authorities in a timely manner. That's the gist of it. If you handle EU customers, this regulation applies to you even if your business is not based in the EU.
What does GDPR compliance require?
- Explicit consent: users must be asked for consent by sites before their personal data, such as email, name, date of birth, address etc., is collected. This consent cannot be buried in 'Terms of use' or other privacy policies.
- Access to information: users should be able to view the information collected from them or submitted by them on your site.
- Edit / port their data: give users options to modify or remove their submitted personal information.
The GDPR provides a new one-stop-shop regulatory framework for the investigation of complaints and enforcement of the GDPR requirements. Under this framework a member state’s supervisory authority will operate in one of three roles:
- Lead Supervisory Authority: will act as the lead supervisory authority for the controllers and processors whose main establishments are located in its member state. This will permit a controller or processor to rely on the guidance and enforcement procedures of one single EU supervisory authority.
- Local Authority: may deal with complaints or infringements that only affect data subjects in its member state.
- Concerned Authorities: will act when data subjects in their member state are substantially affected and will cooperate with the lead supervisory authority for the matter.
This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to data subjects residing within their territory.
Is your website required to comply with GDPR?
If your website allows access by any countries of the E.U., or you are planning to allow access in the future, AND you are collecting any type of information, even if it is done through the use of Google services like Google Analytics, then the answer is yes.
Fines
Lower level: up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher.
Upper level: up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
Source: gdpreu.org
What needs to be done for a website to comply with the new legislation?
There are actions to be taken and software to be installed, as well as taking the appropriate measures for data breach prevention:
Google services
If you are using any Google services, like Google Analytics, you need to take the following actions:
Step 1: Review and accept the updated data processing terms in each account for each product you manage in the Google Analytics Suite.
Additional information about accepting these terms:
Step 2: Provide your legal entity and contact details for notifications we may need to send under the GDPR (e.g. subprocessor appointment).
Find out more: you can refer to privacy.google.com/businesses to learn more about Google's data privacy policies and approach.
The use of SSL is mandatory and a prerequisite
If your website is anything other than a simple blog that does not transmit any personal information (user names, passwords, etc.), you need to use SSL. Web browsers already show warnings for websites that do not use SSL, and soon they will even block them.
Allow users to control their information. A GDPR Extension installation is required:
To keep it simple, we are building it on a core and add-ons principle. The core takes care of Joomla GDPR compliance, and with the add-ons (plugins) users can extend GDPR compliance to 3rd party extensions.
GDPR Extension Core Component main features:
A. Joomla Core -
- List user account / profile details: name, username, password, email.
- Allow the user to edit / update info (name, password, email and even username).
- Allow the user to delete the account.
B. Custom Section -
- Add relevant information the site users need to know. We are sure this will be different for each website, depending on its 3rd party services or data processing, so for now it's simple custom HTML.
- Email action for the admin to manually update / remove information that was collected from users but is not stored on the site.
- List the data collection services from which data cannot be deleted because it is anonymous, for example Google Analytics, Mixpanel etc. We only list them and inform users that anonymous data was collected by these services and that no personal information was provided to these 3rd party services.
GDPR Addons / Plugins:
The list below is indicative; the release depends on feedback and requests from customers.
- Social extensions: JomSocial, Easysocial, Community Builder
- iJoomla extensions: Guru, Adagency, Publisher
- Contact forms: Breezing forms
- Newsletter extensions: Acymailing
- Event extensions: Jevents, Event booking
- Shopping carts: virtuemart, j2store
Interested in learning more? Call us at 1 (800) 525-3061 now, or email us.