If you were to travel back in time a few years and visit some websites on the Internet, you would probably notice something: hardly a cookie banner anywhere. The reason for this relatively recent development is a regulation adopted by the European Parliament and Council that has applied since 25 May 2018: the General Data Protection Regulation, or GDPR for short.
Since the GDPR has applied, everyone who works with personal data must follow many new rules to ensure data protection. This means that important precautions have to be taken for new web and software projects as well as for existing systems with databases in order to be GDPR compliant.
What Is Personal Data?
This question is always important when processing data, because the GDPR becomes relevant as soon as personal data is involved. Personal data is any data that can be used to identify a natural person, even if only part of the data is available and the person can only be identified indirectly. This means that data such as name, address, date of birth and health data, but also, for example, voice, weight or appearance, are personal data.
Data remains personal even if it is stored in encrypted or pseudonymized form, because whoever holds the key or the mapping table can reassign it to a person. It only stops being personal data if the anonymization is irreversible and there is no longer any possibility of linking the data back to natural persons.
The GDPR Checklist
In order not to get lost in the legal jungle of data protection, we have made ourselves a checklist so that we can consider all points when starting software projects and ensure the optimal protection of personal data.
1) What Data is Processed?
In order to take all necessary measures to meet the requirements of the GDPR, it is first necessary to identify which data is processed and which of it is personal data.
2) For What Purpose Is the Data Processed?
Users of the software or website must be sufficiently informed about the use of their data. To comply with this rule, the purpose of each processing activity has to be determined. Data must not be stored without a purpose and must not be further processed for purposes other than the one it was collected for.
Depending on the type of data processed, there is a varying degree of risk in the event of data loss, unintentional deletion or unintentional disclosure of the data. The higher the risk to the data subjects, the higher the level of protection of such data must be. In order to achieve a sufficient level of protection, appropriate technical and organizational measures must be taken.
3) Data Minimization
The principle of data minimization stipulates that only data appropriate to the purpose is collected, limited to what is necessary. In connection with data minimization, the principle of "privacy by default" must be observed. It means that the default settings in the software must be set so that no data is processed that is not absolutely necessary. In the case of cookies, this means that only the strictly necessary cookies are preselected in the consent dialog; everything else stays off until the visitor opts in. For registration forms, it could mean not including fields for data that is not relevant (for example, place of birth when registering in an online store).
4) Accuracy
According to the GDPR, the accuracy of data must also be ensured, so it is necessary to regularly check whether the data in the system is correct and, where possible, to reject invalid data (such as malformed addresses) already at the point of entry.
5) Storage Limitation
Personal data may only be stored for as long as it is necessary for its purpose and must then be permanently deleted. To ensure this, the data should be checked regularly, ideally by an automated job with a defined retention period per purpose, and records deleted as soon as storing them is no longer necessary.
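As an added example that is not part of the original checklist, here is a small retention job in Python with an in-memory SQLite table. The table layout, the purposes and the retention periods are assumptions for the example; in a real project they come from your record of processing activities. The one edge case worth getting right is shown deliberately: a record whose purpose has no retention policy is neither deleted nor silently kept forever, it is reported so the policy gap gets fixed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Retention period per processing purpose, in days. The purposes and periods
# are assumed for this example; in a real system they come from your record of
# processing activities and the legal retention duties that apply to you.
RETENTION_DAYS = {
    "order_fulfilment": 3650,  # assumed: statutory bookkeeping period
    "newsletter_signup": 30,   # assumed: unconfirmed sign-ups are dropped after 30 days
    "support_ticket": 365,
}

# Fixed "current time" so the constructed demo data and the purge are reproducible.
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SCHEMA = """
CREATE TABLE personal_data (
    id            INTEGER PRIMARY KEY,
    subject_email TEXT NOT NULL,
    purpose       TEXT NOT NULL,
    created_at    TEXT NOT NULL  -- ISO 8601 timestamp in UTC
)
"""


def open_demo_db():
    """Create an in-memory database filled with constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        ("a@example.com", "newsletter_signup", DEMO_NOW - timedelta(days=45)),   # expired
        ("b@example.com", "newsletter_signup", DEMO_NOW - timedelta(days=10)),   # still needed
        ("c@example.com", "support_ticket", DEMO_NOW - timedelta(days=400)),     # expired
        ("d@example.com", "order_fulfilment", DEMO_NOW - timedelta(days=800)),   # keep
        ("e@example.com", "legacy_import", DEMO_NOW - timedelta(days=2000)),     # no policy!
    ]
    conn.executemany(
        "INSERT INTO personal_data (subject_email, purpose, created_at) VALUES (?, ?, ?)",
        [(email, purpose, ts.isoformat()) for email, purpose, ts in rows],
    )
    conn.commit()
    return conn


def purge_expired(conn, now):
    """Delete every record whose retention period for its purpose has elapsed.

    Returns (deleted_count, purposes_without_policy). Records whose purpose has
    no retention entry are deliberately NOT deleted and NOT silently kept: they
    are reported so that the missing policy gets defined instead of the data
    living on forever by accident.
    """
    deleted = 0
    for purpose, days in RETENTION_DAYS.items():
        cutoff = (now - timedelta(days=days)).isoformat()
        cur = conn.execute(
            "DELETE FROM personal_data WHERE purpose = ? AND created_at < ?",
            (purpose, cutoff),
        )
        deleted += cur.rowcount
    conn.commit()
    unknown = sorted(
        row[0]
        for row in conn.execute("SELECT DISTINCT purpose FROM personal_data")
        if row[0] not in RETENTION_DAYS
    )
    return deleted, unknown


def remaining_emails(conn):
    """Helper for inspecting what is left after a purge."""
    return sorted(row[0] for row in conn.execute("SELECT subject_email FROM personal_data"))


if __name__ == "__main__":
    db = open_demo_db()
    count, gaps = purge_expired(db, DEMO_NOW)
    print(f"deleted {count} records; purposes without a retention policy: {gaps}")
    print("remaining:", remaining_emails(db))
```

Run it on a schedule (cron, a queue worker, a database job) and treat a non-empty list of unknown purposes as an alert, not as a warning to ignore: every purpose in the table has to have a retention period, otherwise the storage limitation principle is not actually enforced.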
6) Processing Directory
According to the GDPR, controllers and processors must keep a record of processing activities (often called a processing directory), which must list all processing activities. This record should be well maintained, as it must be submitted to the supervisory authority on request, for example in the event of an inspection.
7) Analytics Tools
Many website operators depend on information about their visitors in order to make strategic decisions and assess their effects. For this, data about visitors and their behavior has to be collected and evaluated. There are various tools available for this purpose, such as Google Analytics or Plausible.
However, before using one of these tools, you should check whether it meets the requirements of the GDPR and whether its use is therefore permissible at all. In addition, integrating such a tool may require the visitors' consent before the tool is loaded. This usually happens in the form of the infamous "cookie banner", which can negatively affect the user experience of a website.
In addition, in a decision made public on January 13, 2022, the Austrian data protection authority found that a website's use of Google Analytics violated the GDPR, because data was transferred to the USA and no sufficient protection against access by US intelligence services was ensured. This already shows that caution is required when selecting tools, so that you are on the safe side and do not have to make a lot of changes later on. We recommend Plausible Analytics here; more on this can be found in our blog post on Plausible.
8) Cookies
Cookies? Yes please! But unfortunately, these are a different kind of cookies that you don't always want to accept. Cookies are important fundamental elements of the Internet. They are used to store data on the user's device so that it can be used again on later requests. A simple example is a "session cookie", which is there to remember that you are logged into a site on that device. So cookies are not always bad. If browsers stopped accepting cookies altogether, logins, shopping carts and large parts of the Internet would no longer work at all.
However, cookies that are strictly necessary to provide a service the user has requested, such as the session cookie for a login, do not require consent. Consent is needed for everything beyond that, above all tracking and analytics cookies. So if you want to avoid having a cookie banner on your website, you would be well advised to limit yourself to strictly necessary cookies and not to use cookies to collect personal data for any other purpose.
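To make "privacy by default" from the data minimization point and the cookie rule above concrete, here is a small server-side consent gate in Python. It is an added example, not code from the original post: the cookie names, the categories and the registry are assumptions. The two properties a practitioner cares about are that the default state allows nothing but the necessary category, and that the gate fails closed: an unknown category is rejected, and a cookie that has not been classified in the registry cannot be set at all.

```python
# Cookie categories used in the consent dialog. "necessary" covers cookies the
# site cannot work without (login session, shopping cart); everything else is
# optional and off by default.
NECESSARY = "necessary"
CATEGORIES = (NECESSARY, "analytics", "marketing")

# Hypothetical cookie registry for a shop: every cookie the site sets, with its
# category. The names are assumptions for this example.
COOKIE_REGISTRY = {
    "session_id": NECESSARY,
    "cart": NECESSARY,
    "stats_uid": "analytics",
    "ad_id": "marketing",
}


def default_consent():
    """Privacy by default: only the necessary category is active."""
    return {category: category == NECESSARY for category in CATEGORIES}


def consent_from_choice(choices):
    """Apply a visitor's explicit choices on top of the default state.

    Unknown categories raise instead of being ignored (fail closed), and the
    necessary category cannot be switched off because the site needs it.
    """
    state = default_consent()
    for category, allowed in choices.items():
        if category not in CATEGORIES:
            raise ValueError(f"unknown consent category: {category!r}")
        if category != NECESSARY:
            state[category] = bool(allowed)
    return state


def allowed_cookies(consent, registry=COOKIE_REGISTRY):
    """Names of the cookies that may be set under the given consent state."""
    return sorted(name for name, category in registry.items() if consent.get(category, False))


def set_cookie_header(name, value, consent, registry=COOKIE_REGISTRY):
    """Build a Set-Cookie header value, or None if consent does not cover it.

    A cookie that is not in the registry is refused as well: every cookie has
    to be classified before it can be set, so a new cookie can't bypass the gate.
    """
    category = registry.get(name)
    if category is None or not consent.get(category, False):
        return None
    return f"{name}={value}; Path=/; Secure; SameSite=Lax"


if __name__ == "__main__":
    first_visit = default_consent()
    print("default:", allowed_cookies(first_visit))        # ['cart', 'session_id']
    opted_in = consent_from_choice({"analytics": True})
    print("after opt-in:", allowed_cookies(opted_in))      # ['cart', 'session_id', 'stats_uid']
    print(set_cookie_header("ad_id", "123", opted_in))    # None
```

The same registry can drive which third-party script tags are rendered into the page, so that an analytics snippet is not even delivered to the browser before the visitor has opted in.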
9) External fonts
For many, it is probably surprising that external fonts play a role in data protection. If external fonts, such as Google Fonts, are embedded in a page, the browser connects to Google's servers as soon as the page is opened, before the visitor has agreed to anything, and sends various information to them. This information includes, among other things, which device and browser are used, but also the user's IP address, which can be used to identify a person and therefore counts as personal data.
A GDPR-compliant solution to this problem is, for example, to download the font files and host them on your own server instead of retrieving them directly from Google's servers; the licenses of the Google Fonts permit this. After switching, check the page's network requests in the browser's developer tools to confirm that no request to fonts.googleapis.com or fonts.gstatic.com remains, since a single forgotten stylesheet link is enough to re-establish the connection.
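The check above can be automated. The following Python audit, added here as an example rather than taken from the original post, scans HTML or CSS text for font references that would leave your own host. The list of font hosts, the sample page and the host name www.example.com are assumptions for the example. Its limitation is stated in the code: fonts that are pulled in by a separately downloaded stylesheet are only found if that stylesheet's text is scanned as well.

```python
import re
from urllib.parse import urlparse

# Third-party hosts that serve web fonts (assumed list for this example; extend
# it with whatever CDNs your pages might reference).
FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
FONT_EXTENSIONS = (".woff", ".woff2", ".ttf", ".otf", ".eot")

# Captures URLs from href="..." / src="..." attributes, CSS url(...) and @import "...".
_URL_RE = re.compile(
    r"""(?:href|src)\s*=\s*["']([^"']+)["']"""
    r"""|url\(\s*["']?([^"')]+)["']?\s*\)"""
    r"""|@import\s+["']([^"']+)["']""",
    re.IGNORECASE,
)


def find_external_font_refs(markup, own_host):
    """Return URLs in HTML or CSS text that would fetch fonts from a third party.

    A URL is reported if it points at a known font host, or at a font file on
    any host other than own_host. Relative URLs are self-hosted and pass.
    Limitation: fonts pulled in by a separately fetched stylesheet are only
    found if that stylesheet's text is scanned too.
    """
    hits = []
    for match in _URL_RE.finditer(markup):
        url = next(group for group in match.groups() if group)
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        if not host or host == own_host.lower():
            continue  # relative URL or our own host: self-hosted
        if host in FONT_HOSTS or parsed.path.lower().endswith(FONT_EXTENSIONS):
            hits.append(url)
    return hits


# Constructed sample page: one Google Fonts stylesheet, one font file on a
# foreign CDN, and one correctly self-hosted font.
SAMPLE_HTML = """<!doctype html>
<head>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
  <link rel="stylesheet" href="/static/site.css">
  <style>
    @font-face { font-family: Inter; src: url("https://cdn.example.net/fonts/inter.woff2") format("woff2"); }
    @font-face { font-family: Local; src: url("/static/fonts/local.woff2") format("woff2"); }
  </style>
  <script src="/static/app.js"></script>
</head>"""

if __name__ == "__main__":
    for url in find_external_font_refs(SAMPLE_HTML, "www.example.com"):
        print("external font reference:", url)
```

Running this over the rendered HTML and the site's stylesheets as part of the build or CI pipeline turns the manual developer-tools check into a guard that fails the build when someone re-adds a Google Fonts link.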
10) Access, Correction and Deletion of Data
The GDPR gives every person the right to obtain information about the personal data stored about them. If these records are incorrect or the person does not agree to their storage, they have the right to request correction or deletion. With few exceptions, such a request must be complied with.
Backups are also covered by this right. A process should therefore be in place that makes it possible to correct and remove data in backups as well, or at the very least to re-apply pending corrections and deletions whenever a backup is restored, so that deleted data does not quietly come back.
11) Is the Obligation to Provide Information Complied With?
Data subjects whose data is processed must be given certain information about the use of their data. Which information must be provided depends on whether the data was collected directly from the data subjects or obtained from another source.
Better Safe Than Sorry When It Comes to Data Protection
As with other issues in a project, it is the same with personal data and the GDPR: Only when the goals are clearly defined can the optimal strategies be developed. In this case, the main questions are: what data is relevant to me and how should it be stored or used. Once these requirements have been clarified, the appropriate strategy for the project's realization can be implemented.
Do you need help with the GDPR compliant implementation of your project? Contact us, we will be happy to support you.