
How has GDPR affected web design?

It has been nearly a year since GDPR was rolled out across Europe. We are looking into how it has affected the way websites are built in order to clear the hoops the European Union laid out.

The General Data Protection Regulation was created to strengthen the rights of EU citizens when it comes to the collection, storage and use of their personal data. The Regulation applies to any business or organisation that offers goods or services, paid or free, to anyone in the EU.

If your website intentionally provides services or products to anyone within the EU, you will have needed to ensure your website is compliant. Failure to comply could cost you up to €20 million or 4% of annual worldwide revenue.

GDPR has eight core rights that individuals are granted regarding their personal data:

Right of access

If a client requests to view their data, you must provide it to them in a commonly used format such as a CSV file. This document should contain all the information you have stored, which will normally range from contact details and address to previous orders and purchasing habits.

Right to be informed

Websites must be transparent about what data they collect from clients and how it will be used. This is normally handled through your site's privacy policy, which will need to clearly explain every aspect of how personal data is used.

Right to rectification

You must enable a client to correct incomplete or inaccurate personal data and information you have stored. You will need to provide an easy-to-use gateway for this to take place.

Right to erasure

Clients must be able to request deletion or removal of personal data when there is no compelling reason for you to maintain and process it. This is a common occurrence once a client no longer uses your product or service. It is also referred to as “the right to be forgotten”.

Right to restrict processing

Individuals have the right to block any further processing of their personal data. This does not mean you have to remove the information completely, but you may no longer process it.

Right to portability

You must allow individuals to obtain and reuse their personal data for their own purposes; this goes hand in hand with the right of access. Information should be provided to the client in a common format such as CSV.

Right to object

The right to object gives clients the option to stop you using their personal data for activities such as direct marketing, research and statistics. For the client, this will typically mean opting out of receiving marketing communications.

Rights related to automated decision making, including profiling

The rule specifies when companies can use profiling and automated decision making, which has been common practice in the e-commerce industry for a long time: targeting clients based on their previous purchases and building a profile of their interests in order to target them with specific products or services.

To comply with GDPR, you must demonstrate that you are implementing data protection by design and by default on your website. This should include designing databases to use encryption so that, if there were a data breach, the stolen data would be encrypted and therefore useless.

Websites now need to be designed in line with the privacy by design (PbD) framework, which is as follows:

  • Privacy must be proactive, not reactive, and must anticipate privacy issues before they reach the user. Privacy must also be preventative, not remedial.
  • Privacy must be the default setting. The user should not have to take actions to secure their privacy, and consent for data sharing should not be assumed.
  • Privacy must be embedded into design. It must be a core function of the product or service, not an add-on.
  • Privacy must be positive-sum and should avoid false dichotomies. For example, PbD sees an achievable balance between privacy and security, not a zero-sum choice of privacy or security.
  • Privacy must offer end-to-end life cycle protection of user data. This means engaging in proper data minimisation, retention and deletion processes.
  • Privacy standards must be visible, transparent, open, documented and independently verifiable. Your processes, in other words, must stand up to external scrutiny.
  • Privacy must be user-centric. This means giving users granular privacy options, maximised privacy defaults, detailed privacy information notices, user-friendly options and clear notification of changes.

If you are worried that your website isn't reaching the levels of privacy and security set out by the European Union, get in touch with us today. We can provide a free consultation to see which areas you can or need to improve.