Greater awareness and transparency in the expression of consent to the processing of data, and more power in the hands of users, who can revoke consent, request the deletion or modification of their data at any time, or have it ported to another operator that offers the same service. This is the fulcrum of the GDPR, the European data protection regulation that came into force last May 25th. The new rules have created a lot of interest and some fear.
The General Data Protection Regulation, which will replace the current Italian privacy code and will immediately be applied, has a wide scope and deals with many aspects that have to do with data protection: from the methods of collecting the user’s consent to the exercise of the right to be forgotten, from the portability of the data to the procedures to be activated in the event of a data breach.
The Italian guarantor for the protection of personal data has tried to shed light on the most relevant passages of the regulation by publishing a guide to the application of the GDPR. But what are the most important implications for the design of web services and the management of digital marketing initiatives? Let’s briefly analyze them.
Privacy “by design” and “by default”: the user comes first
In the process of collecting and managing consent to the processing of data, the GDPR takes on board two very important concepts, namely “Privacy by default” and “Privacy by design”. The basic idea of the legislation is that the protection of personal data must be considered upstream, in the design of a service.
“Privacy by default” is the principle by which, by default, only “personal data necessary for each specific purpose of processing” (art. 25 GDPR) must be processed. The other principle mentioned in the GDPR, “Privacy by design”, is also very interesting: according to it, the protection of privacy must be taken into consideration right from the design phase of any system that collects users’ data.
Therefore, in order to guarantee the two principles, measures must be put in place that provide for «minimizing the processing of personal data, pseudonymization of the personal data as soon as possible, offering transparency with regard to the functions and processing of personal data, and allowing the interested party to control the processing of data and allow the data controller to create and improve security features».
GDPR: Explicit consent and cookie management
The GDPR sets very clear parameters to define how users’ consent to the processing of their data must be obtained. The provisions of the legislation should push websites and other digital services to review consent procedures that are opaque or completely absent. The European regulation, in fact, requires consent to be free, specific, informed and unequivocal, and to be expressed through an “unequivocal positive declaration or action”.
In practice, the GDPR confirms that technical solutions that merely display the notice, or that rely on “silent or presumed” consent, are not admissible: therefore, no forms with pre-ticked boxes.
- Implicit consent to the installation of cookies (where these are used for purposes other than those for the functioning of the site, or for profiling and marketing services) will no longer be sufficient. An opt-in procedure (for example, via a checkbox to tick) or a procedure for setting preferences must be made available to the user
- Messages such as “By using this site, you accept the installation of cookies” cannot be considered explicit consent and must be set aside
- The user must always be able to withdraw or modify consents that have already been given
- The choice of consent to the processing of data must be granular, and the user must be able to choose which cookies to install and which not to install
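An added example (not from the original article) of consent logic that follows the four points above: nothing non-essential is enabled by default, consent is recorded only from an explicit per-category action, and it can be withdrawn at any time. The category names, the `ConsentManager` class and the in-memory cookie jar are assumptions made for illustration.

```javascript
// Added example: opt-in, granular, revocable cookie consent.
// Category names and the Map-based cookie jar are illustrative assumptions;
// in a browser the jar would be backed by document.cookie.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

class ConsentManager {
  constructor(jar = new Map()) {
    this.jar = jar;          // name -> { value, category }
    this.log = [];           // audit trail of choices, to show how consent was obtained
    // Privacy by default: only strictly necessary cookies are enabled.
    this.choices = { necessary: true, analytics: false, marketing: false };
  }

  // Record a choice only when it comes from an explicit user action.
  // Banner display, scrolling or continued browsing must never call this.
  setChoice(category, granted, explicitAction) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category');
    if (category === 'necessary') return false;            // not subject to opt-in
    if (granted && explicitAction !== true) return false;  // no presumed consent
    this.choices[category] = Boolean(granted);
    this.log.push({ category, granted: Boolean(granted), at: new Date().toISOString() });
    if (!granted) this.purge(category);                    // withdrawal takes effect now
    return true;
  }

  // Gate every cookie write on the consent recorded for its category.
  setCookie(name, value, category) {
    if (!this.choices[category]) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  // Remove cookies already stored for a category whose consent was withdrawn.
  purge(category) {
    for (const [name, c] of this.jar) {
      if (c.category === category) this.jar.delete(name);
    }
  }
}
```

Withdrawal is deliberately accepted without the explicit-action flag, so revoking consent is never harder than granting it.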
GDPR: Why it’s important to be ready
The scope of the changes introduced by the GDPR is evident for anyone who collects data from their users, but especially for companies that do digital marketing and e-commerce. The changes outlined in the regulation will have an impact on the way users register and on the procedures to be put in place to show that their consent has been obtained.
Guaranteeing the privacy of one’s users, and avoiding repercussions in terms of heavy penalties or the impossibility of using data collected with an incorrect procedure, is the challenge to face and win.