RGPD: protecting your users' data
The RGPD/GDPR - Everything you need to know about the European law changes that impact your site or application
The RGPD/GDPR is the European regulation aimed at regulating the use of personal data collected, in order to protect the end user.
It concerns both data controllers (website/application/database owners) and the service providers who develop them (like us). It went into effect on May 25, 2018, and the penalties for non-compliance can be quite severe.
Principles
The objective is to give users back control over their data and what is done with it, and to avoid abuses. Here are the main principles:
- Explicit and positive consent - For each piece of personal data, the user must choose which uses he or she authorizes.
- The right to control the data - The user can at any time ask you to extract, transfer or delete his or her data.
- The principle of data minimization - The user should only be asked for data that is directly related to the core functioning of the platform being used; everything else should be optional or not collected at all.
- Prohibition of profiling - The data must not be used to carry out automated processing that significantly affects the user.
- Creation of the DPO - The Data Protection Officer is the person responsible for implementing the RGPD throughout the life of the platform. Appointing one is mandatory in certain cases (sensitive data, public body or large volume of data processed). Where a DPO is not required, a data controller must still be appointed.
Impact on my business
These principles have a very concrete impact on platforms that collect and use their users' data. As of May 25, it will be mandatory to meet the following requirements:
Data collection
The law regulates both the collection of personal data and its use. The principle of data minimization must therefore be applied: collect from the user only the data that matters for the proper functioning of the platform. For each piece of data collected, ask the following questions:
- Why collect this data?
- Is it relevant to keep it?
If there is no justification, the data should be deleted.
Example: if you sell clothes, your site needs your users' postal addresses in order to ship their orders. If you run an application for revising the highway code, it does not.
Consent, evidence and duration
Users' personal data may only be used in the context of the proper functioning of the site or application; any other use (analysis, advertising, ...) systematically requires the user's consent.
Consent must be explicitly requested for the processing and collection of each piece of data, including by all the services of the site that would collect it (Analytics, Twitter, Adsense, AddThis, Yoast, Facebook Pixel, ...). Scripts already in place must only run once consent has been given, and the proof of the user's consent must be stored.
Consent must be explicit and positive, so it is forbidden to pre-check boxes for the user or to use convoluted wording to push the user to accept.
Cookies that are used for the proper functioning of the application do not need to be mentioned. Server logs are not concerned either, provided they are only used to investigate incidents.
Example: if you have a script on your site that collects cookies from your visitors in order to offer them targeted advertising, you must subject it to their consent and trigger the script only after validation.
Transparency and traceability
The whole database should be mapped. For each data processing operation, the purpose should be clearly established and linked to the user's consent when necessary. Each piece of data also needs to be linked to every service that may have access to it, in order to verify the purpose of its use and confirm that the user has given consent. If not, consent must be requested before any processing.
Users must also have access to all the data collected on them and be able to change their consent whenever they wish. The mandatory notices of any platform (legal notice, GTC, T&C) must be updated to include the notices required by the RGPD.
Each form must also carry a link giving the user details of the purpose for which the information they agree to fill in will be used, as well as control over its use.
Actions to be taken to comply
Those responsible for websites and applications have an obligation to comply with this legislation. The compliance procedure is done jointly with the agency team. The actions to be carried out are the following:
Data mapping
It is mandatory to create a data processing register. For each data processing operation, it is necessary to identify:
- The persons having access and the data controller
- The category of data and its level of sensitivity
- The purpose of the collection or processing of this data
- The place and country where the data is hosted
- The duration of the retention period for the categories of data
- The security measures implemented to protect it
A specific interface developed for this purpose by the agency is deployed to facilitate the management of the mapping.
We set up an online tool to perform the mapping of your website or mobile application. It allows you to centralize everything on a secure instance and to easily access the documents in case of control. Here is an example of the application of the tool:
Forms management:
Mapping page for a form:
Length of time personal data is kept
For each piece of mapped data, you will need to determine the retention period. In general, you can only keep data for as long as it takes to accomplish the purpose for which it was collected. When you enter the data in the mapping of your platform, you must therefore associate a deletion date to each data, which must be respected.
With the exception of data of specific interest (historical, judicial, statistical) and which must be archived according to defined procedures, no data should be kept without reason. For example, during a payment, the card data should only be kept for the time of the payment.
In general, the personal data of any user who has been inactive for 3 years should be deleted.
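The retention rules above can be turned into a check that runs on a schedule. The following is an added example, not Advency's mapping tool: a minimal processing register where each category carries a retention period, a function that derives a deletion date from whichever limit comes first (the category's retention period or the 3-year inactivity rule), and the purge check a nightly job would run. The register entries, their retention periods and legal bases, and the sample records and timeline are constructed for the example; the page gives only the 3-year inactivity rule and the card-data case.

```javascript
// Added example, not Advency's mapping tool: a minimal processing register
// with retention rules, plus the check a scheduled purge job would run.
const DAY_MS = 24 * 60 * 60 * 1000;
const INACTIVITY_LIMIT_DAYS = 3 * 365; // page rule: an inactive user's data goes after 3 years

// Constructed register entries, one per data category. The retention periods
// and legal bases are assumptions for the example, not figures from the page.
const REGISTER = [
  { category: "postal_address",   purpose: "order delivery", basis: "contract", retentionDays: 5 * 365 },
  { category: "card_data",        purpose: "payment",        basis: "contract", retentionDays: 0 }, // only for the transaction
  { category: "newsletter_email", purpose: "newsletter",     basis: "consent",  retentionDays: 3 * 365 },
  { category: "sales_statistics", purpose: "statistics",     basis: "legitimate interest", retentionDays: null, archive: true },
];

// Data that is not in the register has no documented justification, so the
// job refuses to reason about it rather than guessing a retention period.
function retentionFor(category) {
  const rule = REGISTER.find((r) => r.category === category);
  if (!rule) throw new Error("unmapped category: " + category);
  return rule;
}

// Each stored record knows when it was collected and the owner's last activity.
// The deletion date is whichever limit comes first, so it can be written down
// with the record at collection time rather than decided later.
function deletionDate(record) {
  const rule = retentionFor(record.category);
  if (rule.archive) return null; // archived under a defined procedure, not purged by this job
  const byRetention = record.collectedAt + rule.retentionDays * DAY_MS;
  const byInactivity = record.lastActivityAt + INACTIVITY_LIMIT_DAYS * DAY_MS;
  return Math.min(byRetention, byInactivity);
}

// Records the purge job must delete at `nowMs`. Consent-based data goes as soon
// as consent is withdrawn, regardless of its retention period.
function recordsDueForDeletion(records, nowMs) {
  return records.filter((r) => {
    const rule = retentionFor(r.category);
    if (rule.basis === "consent" && r.consentWithdrawnAt != null && r.consentWithdrawnAt <= nowMs) {
      return true;
    }
    const due = deletionDate(r);
    return due !== null && due <= nowMs;
  });
}

// Constructed timeline measured in days; the job is assumed to run on day 2000.
const day = (n) => n * DAY_MS;
const SAMPLE_RECORDS = [
  { id: "r1", category: "postal_address",   collectedAt: day(0),    lastActivityAt: day(1500) }, // retention period hit
  { id: "r2", category: "postal_address",   collectedAt: day(1800), lastActivityAt: day(1900) }, // still needed
  { id: "r3", category: "newsletter_email", collectedAt: day(1900), lastActivityAt: day(1950), consentWithdrawnAt: day(1990) },
  { id: "r4", category: "card_data",        collectedAt: day(1999), lastActivityAt: day(1999) }, // transaction is over
  { id: "r5", category: "sales_statistics", collectedAt: day(100),  lastActivityAt: day(100) },  // archived, exempt
  { id: "r6", category: "newsletter_email", collectedAt: day(1000), lastActivityAt: day(1200) }, // consent still valid
  { id: "r7", category: "postal_address",   collectedAt: day(600),  lastActivityAt: day(700) },  // user inactive for 3 years
];

function purgeReport(nowMs = day(2000)) {
  return recordsDueForDeletion(SAMPLE_RECORDS, nowMs).map((r) => r.id);
}

console.log("due for deletion:", purgeReport().join(", "));
```

Storing the computed deletion date next to each record at write time is what makes the mapping auditable: the date can be shown in the register, and the purge job only has to compare it with the clock.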
Implementation of the consent system
A script is implemented on the platform allowing the user to give or withhold consent for the processing of their data for purposes other than the proper functioning of the platform (HR, analysis, communication, ...), and an interface is deployed for the user to manage that consent.
For each cookie or tracking script such as Google Analytics, Adwords, etc., each user's consent must be obtained before these scripts are activated.
Since September 2020, it is necessary to offer the user the possibility to refuse everything (source: CNIL, in French) in order to avoid any circumvention. Advency's consent management tool has been updated accordingly.
Example of a consent banner on cookies and tracking scripts:
For each form to be RGPD compliant, you will have to display either a link to a page explaining the purpose of the data collection or processing, or a link and a checkbox to obtain the user's authorization for the possible use of the data (newsletter, resale, etc.).
Example of widget on your forms (there must be at least the link):
All evidence of consent given by users will need to be stored, and will be stored via the tool we will make available to you.
At the time of compliance, you will have to ask your users once again for all the consents corresponding to the processing of their data in order to have them validate them. You will then be able to continue processing for those who have accepted.
How it works
The tool does not save the user data entered in the various forms. To ensure anonymity, we store a token (a key, for example "qZgyt23eo24dzLnsd3") that refers to a consent. This token is also recorded on your platform: it gives you proof of consent (positive or negative) and links a piece of data in your Drupal site or mobile application to the personal data processing platform where your mapping is managed. Cookie authorization is stored for a maximum of 1 year in the user's browser, after which the user must renew consent. A user must be able to change their consent at any time, so specific pages, or at least a contact section, must be set up so that the user can change consent on a piece of data or a set of data whenever they wish.
Your duty:
- Never use data for a purpose other than that intended
- Never use data without or against your user's consent
Reviewing the disclosures
Your information notices (legal notice, T&C, GTC, ...) must be modified to comply with the requirements of the new legislation. The agency will take care of the operational modifications if necessary, but not the drafting of the text (to be done by a lawyer).
Contract
A contractual clause binding the agency to your organization will be concluded to set out our obligations and our role as subcontractor in terms of security, confidentiality and data protection. Where hosting is provided by the agency, information about the security of the hosting will be included.
Organization of internal processes and documentation
Internal processes should be defined for taking data protection into account at the design stage of each development, for dealing with user complaints in the exercise of their rights and for setting out the process in the event of a data breach.
It is also a matter of documenting all the operations involved in complying with the RGPD.
Compliance actions may take more or less time to implement depending on the history and functional density of your platform. It is mandatory and a priority in the case of platforms dealing with personal user data.
Your project manager will be your contact in the agency for all the follow-up of this compliance. Note that if you process sensitive data (health data, religion, ethnicity, data related to convictions, etc.) the process may be different.