Complying with the new European General Data Protection Regulation is potentially a big deal for our website. Since we have users from the European Union or European Economic Area (even if they are not in Europe at the time), they and their personal information are protected by the GDPR. This would potentially include a site like ours that offers an open registration form.
What is Personal Information?
The GDPR demands that all organizations — wherever in the world they are located — processing Personal Information of EU citizens do so in compliance with the regulation. This means that all Personal Information must be securely processed and managed.
Personally Identifiable Information, or PII, is really the American term, and Personal Information is meant to be its EU equivalent. However, the two do not correspond precisely: all PII is personal data, but not all personal data is PII, because personal data in the context of the GDPR covers a broader range of information. Therefore, to comply with the GDPR you need to look at the broader category of personal data (not only PII), which includes PII as well as other forms of personal data.
The current EU Data Protection Directive 95/46/EC (DPD) defines personal data as the following:
‘Personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
In many ways, what counts as personal data under the GDPR is an open question that will eventually be decided in the courts. To be on the safe side, any information submitted by a user should be considered personal information, including meta values such as an IP address.
Key Points of the GDPR that May Affect the Clay Family Society (CFS) Membership Management System (MMS)
Since the CFS Database does (in most cases) store personal information, it is subject to the GDPR. Here are what we see as the key points to address:
- clear statement of use – a form that obtains consent to use personal data must include a clear, honest and unambiguous statement of how the data will be used. This can possibly be on a separate page where you have published your privacy statement.
- evidence of consent – you must have a record of the user’s consent to use their personal data. This should probably include a date and an IP address so that you can show that the person submitted their consent on a specific occasion.
- opt-in only – you cannot use an opt-out checkbox or an opt-in checkbox that defaults to being checked. The user must take the step of consenting to the use. This is critical.
- means to see what information is stored – you need to be able to provide to your users, on request, all of the data you have stored for them.
- ability to delete data – you need to provide a way for a user to have all of their personal information deleted from the database.
- server security – you need to take care to protect the security of the data stored on the server. In most cases, this will be up to the hosting provider, but if you are managing your own server, you’ll need to demonstrate that the server has been secured against data breaches. Installing a security plugin is a very good idea.
- notice of data breach – if you do experience a hack or data breach, you are required to let your users know their data may have been compromised.
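The consent, access and deletion points above map onto a few small server-side routines. The following Python is an added example, not code from the CFS Membership Management System: the form field name `consent`, the literal value `yes`, the statement version constant and the dictionary-backed store are all assumptions standing in for the real form and database.

```python
"""Consent evidence, subject-access export and erasure for a membership form.

Added example (not the CFS MMS code): an in-memory dict stands in for the
database; field name "consent", value "yes" and the version string are assumed.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

PRIVACY_STATEMENT_VERSION = "2018-05"  # assumed: version of the published statement


@dataclass(frozen=True)
class ConsentRecord:
    member_id: str
    given_at: str            # ISO-8601 UTC timestamp: proves *when* consent was given
    ip_address: str          # proves from *where* the form was submitted
    statement_version: str   # which wording the member actually agreed to


def record_consent(member_id, form, ip_address, now=None):
    """Accept registration only on an explicit, affirmative opt-in.

    The checkbox is rendered unchecked; a missing field or any value other
    than the literal "yes" is treated as "no consent" and rejected, so a
    pre-ticked box or an opt-out box cannot produce a consent record.
    """
    if form.get("consent") != "yes":
        raise ValueError("explicit opt-in required; no pre-ticked or implied consent")
    now = now or datetime.now(timezone.utc)
    return ConsentRecord(member_id, now.isoformat(), ip_address, PRIVACY_STATEMENT_VERSION)


def export_member_data(store, member_id):
    """Return every stored item for one member (the 'see what is stored' point)."""
    return {
        "profile": dict(store["profiles"].get(member_id, {})),
        "consent": [asdict(c) for c in store["consents"] if c.member_id == member_id],
    }


def erase_member(store, member_id):
    """Delete all personal data for one member; returns the number of records removed."""
    removed = 1 if store["profiles"].pop(member_id, None) is not None else 0
    before = len(store["consents"])
    store["consents"] = [c for c in store["consents"] if c.member_id != member_id]
    return removed + before - len(store["consents"])
```

The consent record is kept as a separate row rather than a flag on the profile so that the date, IP address and statement version survive as evidence even if the profile is later edited.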