GDPR Compliance Overview

Authored by Ameex Technologies on 13 Sep 2018

The world of data security is under severe pressure during the last few years as the number of security breaches have jumped high. About 43% of all cybersecurity breaches affect small businesses, while there’s a hacker attack on the Internet every 39 seconds. Everything has moved online which makes cybercrime the biggest threat to every company or industry in the world.

To protect their businesses as well as the classified information of their customers, EU brought a regulation called GDPR – General Data Protection Regulation. According to this regulation, every EU business or business that sells their products and services in the EU must ensure that the privacy of EU citizens stays intact by keeping personal data secure.

In May 2018, the GDPR became fully enforceable throughout the EU following a 2-year post-adoption grace period. Non-compliant companies can now get red-flagged by the authorities.

GDPR – Requirements, Deadlines, and Facts

Who is affected by the GDPR?

The GDPR applies both to companies located within the EU borders and companies that don’t have a business presence in EU but monitor the behavior of or offer products and services to EU residents (data subjects.) According to this Propeller Insights survey, executives think the industries that will be most affected by the regulation are online retailers, software development companies, SaaS/online services, financial services, and retail/consumer packaged goods.

What falls into the “personal data” category?

Personal data affected by the GDPR compliance includes name, ID numbers, and address (basic identity information), location data, biometric data, health and genetic data, sexual orientation, political opinions, and racial or ethnic data.  

Who is responsible for ensuring the GDPR compliance?

The Data Controller, Data Processor, and Data Protection Officer are responsible for ensuring compliance.

The Data Controller defines the purposes and ways in which personal data is processed, and also makes sure that all outside contractors comply.

The Data Processor is responsible for maintaining and processing personal data records. In case of non-compliance or breaches, the data processor is held liable. The data controller and data processor designate the Data Protection Officer (DPO). If a company processes or stores massive amounts of personal data or monitors data subjects regularly, it is required to have a DPO.

Non-compliance and penalties

For breaching GDPR (e.g., violating the core of Privacy by Design concepts or not having customer consent to process data,) companies can be fined up to €20 million or 4% of their global annual turnover. That is the maximum penalty for the most severe infringements. The rules apply to both data processors and controllers.

How to prepare for the GDPR?

Executive leadership needs to prioritize this cyber preparedness and a sense of urgency must be set, to come from top management. Create a team that includes sales, finance, marketing, and any sector that collects and analyzes customer data. Conduct a thorough risk assessment by understanding what kind of data you process and store, as well as the surrounding risks.

Appoint or hire a DPO. You can name anyone within the company who has a similar role to the position or hire a virtual DPO who will work as required. Create, review, and update your data protection plan, so it’s GDPR compliant. Also, pay close attention to mobile apps through which you collect data on EU residents.

Set up a plan for reporting your GDPR compliance progress; put the measures for mitigating risk in place; test your incident response plans and set up a process for continuous assessment (as you need to remain GDPR compliant.)

GDPR and Drupal

Any sensitive information, such as name, address, IP address, email address, or social security number (data that can be used to identify a living person) classifies as personal data. Companies often gather this kind of information through CRM extensions or forms for email marketing, and in that case, their website needs to be GDPR compliant. Do you want to check if your Drupal website is ready for GDPR? Here is what you should do.

Audit every third-party app and cookie created by Drupal code

When cookies can recognize a user via their device, then the collected data is personal. Ensure the compliance of your third-party integrations and apps, but also audit every cookie created by your Drupal site. Have your Drupal team perform a code-wide search for any PHP or JavaScript that creates cookies, document, and evaluate for compliance. Third-party apps also need to be audited for compliance (most popular apps are already compliant, but those less popular may not be.)

Check your data-gathering forms for consent checkboxes

Your forms need an explicit checkbox that asks for the user’s affirmative consent and explains how the data will be used. Go into your Drupal site and add these consent boxes and language to your data-gathering forms, as required.

Deletion request page

Visitors must be able to request you to remove their data from your systems. That is a relevant part of GDPR compliance, also known as “the right to be forgotten.” The request must be accessible, simple, and straightforward and you can do it by using the Webforms module (via a deletion request page) that will process the request. Put a link to the deletion request page in the footer on every page of your site.

In case cyber-attackers make a breach of your system, you are obligated to inform your users within 72 hours of becoming aware of it. As Drupal community includes many residents of the EU, they have published a Drupal GDPR Compliance Statement to show that they have taken all the necessary steps to comply with the regulation. They have created the GDPR module that allows users to see their stored data.

Ameex Technologies can help you with your Drupal website development as well as to ensure it is GDPR compliant. A compliant Drupal is integrated for audition modules for performance, security, or a general review. How do you process and store data? Reach out to us to help you perform a security audit on your website and help you apply the GDPR requirements.