There are two very useful studies that examine the nature of GDPR. The first is the Enterprise approach of IBM, which has a five point plan matched to the GDPR regulations on both data protection and data privacy. It opens with a strong Assessment/Audit of the current usage of personal data throughout an organization’s web facing systems.
The second approach is by Varonis, which follows all 99 Articles of the GDPR regulations in a post entitled GDPR Requirements in Plain English. What is useful about this approach is that users get to see a question and answer about GDPR requirements unfold article by article through the GDPR documentation. And if you open up this excellent GDPR reference website, one can see not only the complete article statements but also detailed annotations or recitals by the EU regulators as to how and why decisions were made on GDPR rules.
This reviewer found the detailed, article by article approach very illuminating as to what was intended and required by the GDPR regulators.
IBM identifies 4 key GDPR compliance tasks
IBM has several white papers and reviews of GDPR and also of the current state of Web Security. Thus its 4 step approach rests on a solid systems base.
1) Conduct an audit of all identifiable personal data used, stored or accessed throughout a website.
2) Ensure and account for data protection of visitors’ personal data.
3) Support data subjects’ consent and their rights to access, rectification, erasure and portability.
4) Timely communication of a personal data breach to data subjects.
Now IBM has a guidebook that outlines executives’ reactions to GDPR, from enterprises to small businesses. Only 36% say they will be fully ready for complete compliance with GDPR regulation. But 59% will use the exercise of achieving compliance as a means to better security and information handling. Seeing how a broad range of organizations are approaching GDPR provides insights into the entire compliance process.
Varonis: Detailed Reading of the GDPR 99 Articles
My first reaction was “Holy Catfish, this is going to be too detailed and a tiresome approach.” The dry and cryptic language of the GDPR articles with data subjects, data collectors, data processors, pseudonymization, identifiable, etc., would be too confusing. As it turns out I was Dead Wrong. Partially, that is due to the fact that the GDPR Articles are well laid out and elaborated. But it is also the logic of the rules which holds together very well. And the best way to see this is to sample the Varonis approach.
Following the GDPR Articles
EU citizens’ personal data now has a variety of protections. If your organization’s websites and apps have any personal data about EU citizens, GDPR articles and rules now apply to you.
This covers any files or databases used by your website[s] that contain, or have passed on to 3rd party data processors, any EU citizens’ personal, identifiable data. So you will need to perform an audit that pinpoints the storage and usage of such personal data, both internally and with 3rd party data processors, in anticipation of the need to make that data available to EU citizens according to GDPR Articles 12 to 23. In addition there are consents to personal data transfers and/or processing required in Article 6.
It doesn’t matter what country the hard drive containing the data is in: if it is about an EU citizen then GDPR applies. Again, this places more emphasis on doing a comprehensive audit, particularly of personal data collected by your websites but passed on to 3rd party data processors.
Personal data is at the heart of GDPR. Read the Article 4 definitions to get a clearer picture of personal data’s scope.
Personal data should be kept accurate and up to date, safely secured, transparent about how it’s going to be used, and restricted to the minimum amount needed to do the job. GDPR’s Article 5 sets a high standard for personal data protection and usage. Clearly data protection is on the front burner as much as Data Privacy.
Tell people what you are going to do with their personal data. Do only that. If there are large quantities of personal data, appoint a Data Protection Officer to handle questions of consent, data breach notification, and handling personal data rectification requests.
Consent can be tricky. Preserve records of received consent. But expect backlash to default opt-in consent buttons.
This is the first of several GDPR articles that cite special treatment for children. 15 or younger is the demarcation. Parental approval will be required, particularly for mature audience, financial risk, or adult action websites.
Unless required by law, do not collect data about race, politics, religion, union status, health data, sex life or sexual orientation. Review the data you currently have on hand and make sure that none of these special categories of data exist and / or could be inferred from the data you control. It’s important to also consider how seemingly innocuous data fields like “hobbies” might reveal such things about a person.
Only recognized legal agencies can keep any personal data regarding convictions or criminal offenses. This is treated like children’s data and Article 9 data.
Data that has no personally identifiable fields, so called bulk traffic data, does not require consent. But such data may become susceptible to tracing with added fields or linked data. Beware trojan tools.
Chapter 3 Privacy Rights – Articles 12 to 23
This series of articles is at the heart of GDPR’s EU Citizen Privacy Rights.
Consent and requested information must be provided to the citizen/data subject 1) in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. Consider checking for clarity with a tool like the WhiterRhino’s Marketing Detector Tool.
2) Requested information shall be provided without undue delay and in any event within one month of receipt of the request.
Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.
3) Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
refuse to act on the request.
4) The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
This is a vital article, and so it is cited verbatim:
- Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative or the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
- In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information
- Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
Again this is a vital GDPR requirement, best explained directly by Article 14:
- Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
- In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
- where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- The controller shall provide the information referred to in paragraphs 1 and 2:
- within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
- if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
- if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
- Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
- Paragraphs 1 to 4 shall not apply where and insofar as:
- the data subject already has the information;
- the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
- obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
- where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
EU Citizens/data subjects are allowed to ask if you have any of their data. You must reply in a timely manner whether or not you do.
If you do have their personal data, you need to provide EU citizens/data subjects an accounting:
- Why you have it
- What categories of personal data you have
- Who in your organization or third-parties accessed it (in particular if they were in another country)
- How long you plan on keeping their personal data
- That they’re able to request to have their data deleted or corrected
- Source of where data was obtained
- That they have the right to lodge a complaint with the EU Commission if they’re displeased with your response.
- Unless something weird is going on, provide the data electronically
- Don’t compromise other people’s data while doing this
And you have to be able to correct the personal data, including completing incomplete personal data, within a reasonable amount of time. If you cannot immediately do so you have to inform the data subject of the delay and what options they have.
If any of the following conditions apply, you need to be able to remove their data from your system ‘without undue delay’, which, while they don’t come out and say it here, probably means within 30 days.
- Data subjects withdraw consent to hold their personal data and there is no legal reason to keep it
- Personal data has been unlawfully processed and used for a purpose beyond its declared intentions
- Personal data has been used for profiling which the data subject objects to
- Personal data on children has been collected without proper consent of parents
- Personal data have to be erased to be in compliance with other EU States’ legal requirements
EU data subjects can ask you to pause all processing of their personal data prior to working out a final disposition for that data.
EU Citizens whose personal data is subject to bulk correction must be informed of those corrections.
EU Citizens can request that their personal data be transferred/exported to them in common data extraction/transfer formats – CSV, JSON, XML, or XSL
People can object to “profiling”, shaping content or what’s presented to them and request to be opted out.
EU data subjects shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
EU national states can enact laws which bypass or intensify the GDPR rules. There are 10 exception situations cited, starting with National Security.
Chapter 4 Obligations of Data Controllers and Data Processors Articles 24-43
A Data Controller’s website admin needs to document what you’re doing to comply with GDPR and be able to prove it in cases where it’s not self evident.
So the website admin needs to keep a record of GDPR training, procedures, data audits done, consents obtained, etc.
Data Protection Methods and Data Privacy by Design become key methods to ensure broad GDPR compliance. Finally, consider data handling options.
Personal data that is shared across websites requires both data controllers to have GDPR administrative capabilities in place.
If your website collects the bulk of its personal data from the EU or any criminal or child data, you should have an EU based citizen as Data Protection officer handling GDPR matters.
If you contract out 3rd Parties to store and/or process any portion of your collected personal data, you as Data Controller must:
- ensure that the Data Processor is GDPR compliant
- ensure that any 3rd Parties that your Data Processor uses are also GDPR compliant
- have a mutual agreement on GDPR responsibilities for data protection of collected personal data
The Data Controller DPO has strict control on what can be done with personal data entrusted to 3rd Party Data Processors. Those data
Data Controllers must keep records of their own and their contracted 3rd Party Data Processors’ GDPR activities, including consent, compliance statements, and processing. Under the Small Business Exception, if you have fewer than 250 employees, aren’t collecting data every day and aren’t dealing with special categories or criminal data, you don’t have to do Article 30 record keeping.
Each EU nation will have a GDPR Supervisory Authority examining how well Data Controllers and Data Processors are adhering to GDPR rules. Their status is as legal enforcers of GDPR.
The GDPR considers Data Protection/Security for collected personal data the highest priority. It recommends such measures as:
- Practical data hygiene methods to reduce data risk exposure
- Backup vitality: the ability to restore/recover from disaster
- Have a data breach contingency plan
- Adopt firewalls, encryption and secure Data Storage
- Have and utilize data security testing procedures
- Provide robust firewall and other data protection for visitors’ personal data
Within 72 hours of a data breach, inform the area’s EU Data Supervisory Authority with all information about the breach. Be prepared to take collective action.
Again within 72 hours, inform customers whose personal data has been compromised. Follow Data Breach Process guidelines.
Again the GDPR emphasis is on Data Security and Protection. New systems/services present new problems and risks that need to be accounted for.
For new services and Data Processor arrangements that may change your risk profile, alert the DSA.
If your website has more than 300 Data Subjects or more than 5 requests per month for data rights, you should have a designated website DPO (Data Protection Officer) to handle GDPR items.
For larger organizations it should be the CIO or CSSO, or someone working for that officer. For small organizations it should be the website administrator.
The DPO acts as liaison between website visitors, the area DPA and the organization’s executive team on the status of website Data Security and Data Privacy.
A Code of Conduct is an agreement within an industry on how to implement and enforce GDPR.
Outside associations can monitor how closely Codes of Conduct are being observed.
If a Code of Conduct is available in your industry, the association has final say over whether or not you meet its requirements.
Certifications must be approved by a GDPR Data Supervisory Authority.
Chapter 5 – How to transfer personal data out of the EU and GDPR
Data Controllers and Data Processors must comply with the conditions laid down in this Chapter, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
Permission is not required for export to countries with GDPR-approved rules.
The data protection safeguards of Article 32 apply again, with verification of suitable external 3rd party Data Processors.
If a non EU company wants to handle EU data they must create binding corporate rules that match the GDPR regulations.
The so-called China provision requires an international legal agreement for transfers to non-GDPR compliant nations.
A prickly situation with these fallbacks:
- the EU citizens/data subjects have given permission for the personal data transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
Enough said.
Chapter 6 Role of Independent Supervisory Authorities in each EU Country
National Supervisory Authorities should monitor whether companies are abiding by GDPR rules.
Supervising authorities shouldn’t take bribes or have conflicts of interest. This isn’t FIFA. Not a good sign that this has to be declared as a GDPR article.
Again, not comforting to see this needs to be delineated in GDPR.
This does not instill confidence in the various National Supervisory Authorities.
Chapter 7 – Cooperation and consistency
The rules of the road for GDPR member countries. More administrative processes with low impact on businesses.
Chapter 8 – Remedies, liability and penalties
Here we come to the meat of the matter: how much control GDPR will have over GDPR violators. The recent record in Europe for fining
Anyone can make a complaint to the supervising authority about any company that is in possession of their data.
If an EU Data Supervisory Authority impedes a citizen’s call for action, it can be sued for negligence.
An EU Citizen can take immediate legal action against a data controller or data processor independent of their appeal to a Supervisory Authority.
Similar to class action lawsuits in North America, this allows for joint representation in a legal action.
If a Data Controller is being sued in another country, a pending action may be suspended to await a decision.
A general guideline as to how a penalty clause is to be decided and awarded.
Very tough rules on administrative actions and fines. Read all the details here.
Countries can add on penalty fines above and beyond what is specified in the GDPR.
Chapter 9 – Provisions relating to specific processing situations
This is a mixed bag of special conditions and related exemptions.
Allows journalists, artists, and entertainers some leeway in using personal data. Not clear from the Article how much.
Governments will need to retain EU Citizens’ personal data for their services and functioning.
Each EU Nation can set specific rules for their national ID.
Governments can set more specific provisions around employment data.
Archives and other scientific research are allowed some data privacy exemptions.
Intelligence agencies are exempted from GDPR rules.
GDPR applies along with Faith based data privacy rules.
Describes what stewardship obligations regarding GDPR articles the Commission shall retain after May 25th 2018.
Details the EU Committee processes relevant to the Commission and GDPR.
Chapter 11 – Final provisions
As of May 25th, 2018 Directive 95/46/EC is repealed and replaced by GDPR.
In the case of Directive 2002/58/EC, the Commission will work to resolve differences, and both stand in the interim.
International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to 24 May 2016, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.
By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.
The commission will continue to resolve GDPR with other EU and member states legal positions on data protection.
Regulations come into effect on May 25th, 2018.
The Cookie Law
Preceding GDPR has been the European Union regulation on reporting cookie information to European citizens. Think of the Cookie Law as a precursor and test vehicle for GDPR. And so the two regulations have been made to dovetail well together. The Cookie Law’s fines are smaller than GDPR’s; but GDPR’s Articles 15 to 19 on EU Citizens’ Data Privacy rights and Article 32 on Data Protection obligations for EU citizens’ personal data have been found to apply to Cookie Law data.
And in fact the planned immediate amendments to the GDPR will be to strengthen Cookie reporting and revision requirements. So the result is that GDPR adds relevant qualifications on Cookie reporting and EU citizen control of cookie use based on their input. Even better, as far as Data Privacy advocates are concerned, is that GDPR fines apply to Cookie Compliance and are more stringent than the original Cookie Law on its own. Bottom line, EU citizens, who have long been victims of “large foreign data breaches” and cookie based personal data manipulation without consent, now have core protections in both arenas.
Summary
Clearly GDPR is responding to major web trends: massive worldwide data breaches, the growing collection, harvesting and exploitation of personal data without consent by social media companies, and the increasingly rampant nature and cost of Cyber-attacks worldwide. So the GDPR is devoted to Data Privacy for personal data. But as seen in examining the articles, GDPR has a strong Data Protection component as well, starting with Article 1 but also covered by Articles 4, 25, and 34. Specifically, websites worldwide are enjoined to protect, as primary stewards, all of the EU Citizens’ personal data that is stored on their websites. As well, Articles 12 through 23 set out clear data privacy requirements for EU citizens’ personal data.
But what is also notable about the GDPR is that nearly half of its 99 articles spell out the GDPR internal administrative procedures and processes. Nonetheless GDPR has won worldwide attention from non-European governments, businesses and organizations.
So by having a population of over 500 million citizens, a plan for data privacy and protection that has been twenty years in the making, and having drawn up an approach to Personal Data Privacy that is being embraced not just in Europe but worldwide, Europe is having a big impact on Data Protection and Privacy practices worldwide.
True, GDPR may be burdensome in some aspects. But GDPR also excludes most small business websites, particularly if they do the following:
- keep visitors’ personal data stored to a minimum;
- do not share personal data with other websites;
- do not rely on third party data processors like Mail Chimp or Google Analytics;
- minimize use of cookies that connect to other services;
- anonymize/encrypt personal data to minimize data breach and illicit sharing risks;
- provide robust firewall and other data security for their visitors’ personal data.
Finally GDPR provides important record keeping exceptions for small business organizations, defined as fewer than 250 employees or collecting less than one personal data record per day. This exception also applies to the need for a DPO (Data Privacy Officer). There is no doubt that Small Business will profit greatly from the support offered by CMS systems like Drupal, Joomla, and WordPress. For example, WordPress supplies a Privacy Policy statement template for websites, a personal data export plugin and also a plugin for erasing selected personal data. These tools, along with a flood of new GDPR plugins, certainly simplify GDPR compliance for small to medium scale businesses that do not use 3rd party Data Processors.
The bottom line is that GDPR will help bring about better data protection and a new respect for the role of explicit individual consent in preserving data privacy. In a Web world of increasingly malicious hackers, harvesters and identity hucksters, this is a welcome good trend.
Legal Caution
This review is provided as general and non-legal information and should not be construed as individualized advice. Please consult with your legal advisors as to the particulars for your organization.
Key Resources:
GDPR Official EU Website – has many rich links to documentation and terms of GDPR
3rd Party Excellent GDPR Portal – has an excellent timeline on the development of GDPR and its key Articles.
Another 3rd Party Assessment of GDPR – the best review of all 99 articles including recitals/references to key issues in each Article
IBM Approach to GDPR – Major IT Technology company fully behind the GDPR direction