The arrival of the General Data Protection Regulation

The GDPR: what it is and what it means for the protection of personal data on websites and e-commerce sites

May 25, 2018 is an epochal date in the management of personal data within the European Community. On this date the General Data Protection Regulation, better known by the acronym GDPR, becomes effective: a law that protects natural persons and governs the processing of their personal data. This rule comes after a long legislative process and is the natural consequence of a world in which new technologies put the sensitive data of the users who use them at the centre. In these lines we will try to explain the GDPR in detail and understand how it applies to websites and e-commerce portals.

The purposes of the General Data Protection Regulation

To better understand the usefulness of this legislation passed by the European Union, it is essential to list the purposes of the GDPR. Under the new regulation, users must first of all be more aware of what happens to their personal data, and must provide explicit consent to its processing. The data must then be used with extreme parsimony, with strict rules governing its transfer outside the European Community, and finally there must be severe penalties for those who violate the provisions of the General Data Protection Regulation. These are the points on which this new privacy regulation is based, but shortly after its release the General Data Protection Regulation already shows some flaws.

The "ratio" of the member states and the Italian quagmire

The General Data Protection Regulation presented itself as a system of rules that guarantees an important crackdown in the name of privacy. When the legislation was adopted, however, the EU left the member states the possibility of "interpreting" the rules contained in this new document. This means that the much-promised rigidity is gone before it even started: French and Spanish users, for example, may see their personal data treated differently than Portuguese or German users. The Italian case is even more singular: to date, our Government has not yet issued the legislative decree relating to the General Data Protection Regulation, so the European regulation still applies directly in our country. This in itself could also have positive aspects, were it not for the fact that, in the absence of a legislative decree, it is not possible to prosecute and punish those who violate the provisions of this new document on privacy.

What is meant by “personal data”?

The term "personal data" is used (and abused) in various areas of everyday life, but it remains a vague concept for non-experts. Since we are talking about the protection of sensitive data and rules against the violation of privacy, it is essential to have a clear idea of what "personal data" means. The category includes name, surname, tax code, date of birth, address, telephone number and much more. When we talk about privacy on web portals, however, there are other elements that unambiguously identify a subject, even if they are more attributable to the devices that the subject uses: IP addresses, e-mail addresses, cookies and so on.

In the light of this definition, a question arises: when do users decide to entrust their sensitive data to a website? In the vast majority of cases this happens during registration on the portal, whether to create a reserved area or just to subscribe to a newsletter. Many e-commerce sites also have access to other types of data that can be defined as "sensitive": first of all, financial data (bank codes, IBAN and tax domicile), which is obviously essential for carrying out online transactions. Less considered, but still attributable to the category of personal data, are consumption habits: which social network do you use? What is your favourite drink? What is the last item you bought online? These seemingly trivial questions serve to build a consumer profile, so that the user is offered only goods and services that can really pique their curiosity. The use of this data for commercial purposes must also be clearly explained to the user, always in accordance with the provisions of the General Data Protection Regulation.

What to do with the new General Data Protection Regulation

Deepening the theoretical aspects behind the protection of personal data is essential, but those who manage web portals and e-commerce sites mainly want to understand what concrete steps the new privacy legislation requires of them.

Contact forms combined with Privacy Policy

As we wrote previously, users must be aware that their personal data can be collected and processed for certain purposes, and it is therefore essential that the user, when registering on an e-commerce site or visiting an internet portal, explicitly gives consent. It is for this reason that the General Data Protection Regulation obliges all Internet sites to have a Privacy Policy: a document that explains to users what types of data are collected, who collects them and why, and above all whether they are transferred to third parties and for how long they are kept in the portal database. Given that such a document is most often long and boring, and web users (at the expense of their own safety) tend to avoid sites with long texts to read, it was established that the Privacy Policy must be combined with the forms in which the user physically enters his or her personal data. This is why, when you subscribe to a website newsletter, for example, in addition to entering name, surname and e-mail address, you must "tick" the box authorising the processing of personal data.

Data logging and Google Analytics

Among other things, in addition to regulating the protection of personal data, the new legislation also obliges the managers of e-commerce sites and web portals to record and retain users' sensitive references. Not only that: even the date on which the user consented to the processing of his or her personal data must be easily verifiable. Hence the need for websites to have a real database to draw on at any time, combined with a data logging tool. The latter is software that records the IP address of the device with which the user accesses the portal, so that the origin, date and time of the consent given can be verified at any time.

Data logging tools are needed, for example, by all those portals in which users have their own "reserved area", where they can not only check their sensitive data at any time but, if necessary, also modify and/or delete it. One of the most famous data logging tools in the world is Google Analytics, the software from the Mountain View company that site owners use to check the performance of their website. Google Analytics records, for each user, the IP address, the pages visited, the time spent and much other data. The managers of websites that use this software, always in compliance with the provisions of the General Data Protection Regulation, must make the use of programs such as Google Analytics explicit within their portal.
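The two mechanisms described in the last sections, a consent box that must be ticked before a form is accepted and a log that records who consented, to what, when and from which IP address, can be combined in a small consent register. The following is an added example written for this page, not code from the article or from any product it mentions. It assumes a newsletter sign-up form that posts name, surname, email and a privacy_consent checkbox, and a server that knows the client IP and which version of the Privacy Policy was shown next to the form; the hash chain that links each record to the previous one goes beyond what the article describes and is there so that later editing of the log (backdating a consent, for instance) is detectable.

```python
"""Consent register for a newsletter sign-up form.

Added example, not the article's code. Assumed: the form posts name, surname,
email and a 'privacy_consent' checkbox; the server knows the client IP and the
version of the Privacy Policy text shown next to the form."""
from __future__ import annotations

import dataclasses
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional


class ConsentError(ValueError):
    """Raised when a form arrives without the consent box ticked."""


@dataclass(frozen=True)
class ConsentEvent:
    subject: str         # data subject identifier (here the normalised e-mail)
    purpose: str         # what the data is used for, e.g. "newsletter"
    granted: bool        # True = consent given, False = consent withdrawn
    timestamp: str       # UTC ISO-8601, so the date of consent is verifiable
    ip: str              # source address of the request (itself personal data)
    policy_version: str  # which Privacy Policy text the user actually saw
    prev_hash: str       # hash of the previous event: links the log into a chain
    hash: str            # SHA-256 over all the fields above


def _digest(fields: dict) -> str:
    """Canonical-JSON SHA-256 of every field except 'hash' itself."""
    body = {k: v for k, v in fields.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLog:
    GENESIS = "0" * 64  # prev_hash of the very first event

    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def _append(self, *, subject: str, purpose: str, granted: bool, ip: str,
                policy_version: str, now: Optional[datetime] = None) -> ConsentEvent:
        fields = dict(subject=subject.strip().lower(), purpose=purpose, granted=granted,
                      timestamp=(now or datetime.now(timezone.utc)).isoformat(),
                      ip=ip, policy_version=policy_version,
                      prev_hash=self.events[-1].hash if self.events else self.GENESIS)
        event = ConsentEvent(hash=_digest(fields), **fields)
        self.events.append(event)
        return event

    def record_form(self, form: dict, ip: str, policy_version: str,
                    purpose: str = "newsletter", now: Optional[datetime] = None) -> ConsentEvent:
        """Accept a sign-up only when the consent box was explicitly ticked.
        Browsers send a ticked checkbox as 'on' (or its value attribute) and omit
        the field entirely when unticked, so absence means no consent."""
        if form.get("privacy_consent") not in ("on", "true", "yes", "1"):
            raise ConsentError("explicit consent to the Privacy Policy is required")
        return self._append(subject=form["email"], purpose=purpose, granted=True,
                            ip=ip, policy_version=policy_version, now=now)

    def withdraw(self, subject: str, purpose: str, ip: str, policy_version: str,
                 now: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal is appended as a new event; the original grant is never edited."""
        return self._append(subject=subject, purpose=purpose, granted=False,
                            ip=ip, policy_version=policy_version, now=now)

    def has_consent(self, subject: str, purpose: str) -> bool:
        """Consent is valid only if the latest event for subject/purpose is a grant."""
        key = subject.strip().lower()
        for event in reversed(self.events):
            if event.subject == key and event.purpose == purpose:
                return event.granted
        return False

    def verify(self) -> bool:
        """Recompute every hash and check that each event links to its predecessor."""
        prev = self.GENESIS
        for event in self.events:
            if event.prev_hash != prev or event.hash != _digest(asdict(event)):
                return False
            prev = event.hash
        return True


def demo() -> dict:
    """A grant, a refused form, a withdrawal and a tampering attempt, all on constructed data."""
    log = ConsentLog()
    when = datetime(2018, 5, 25, 9, 30, tzinfo=timezone.utc)  # constructed timestamp
    signup = {"name": "Mario", "surname": "Rossi",               # constructed form post
              "email": "Mario.Rossi@example.com", "privacy_consent": "on"}
    first = log.record_form(signup, ip="203.0.113.7", policy_version="2018-05", now=when)
    try:  # box not ticked: the browser omits the field, so the form is refused
        log.record_form({"email": "anna@example.com"}, ip="203.0.113.8", policy_version="2018-05")
        rejected = False
    except ConsentError:
        rejected = True
    granted_before = log.has_consent("mario.rossi@example.com", "newsletter")
    log.withdraw("mario.rossi@example.com", "newsletter", ip="203.0.113.7", policy_version="2018-05")
    granted_after = log.has_consent("mario.rossi@example.com", "newsletter")
    chain_ok = log.verify()
    # Editing a stored event in place (here: backdating it) breaks the hash chain.
    log.events[0] = dataclasses.replace(first, timestamp="2018-01-01T00:00:00+00:00")
    return {"timestamp": first.timestamp, "rejected": rejected,
            "granted_before": granted_before, "granted_after": granted_after,
            "chain_ok": chain_ok, "tampered_ok": log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice. record_form treats a missing checkbox as no consent rather than as a default yes, because an unticked box is simply absent from what the browser sends; and withdrawals are appended as new events instead of overwriting the grant, so the history the regulation asks you to keep stays intact. Because the log itself stores IP addresses, which the article counts as personal data, it deserves its own access control and retention period rather than living forever in a general-purpose analytics store.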

Here comes the Data Protection Officer

The new rules for the security of personal data provide for a specific professional figure who must take responsibility for the management and protection of what users entrust to web portals. This figure is known as the Data Protection Officer (abbreviated DPO). The Data Protection Officer must first of all have a profound knowledge not only of the General Data Protection Regulation, but also of all other privacy regulations in force, whether past, present or future. He must then be an absolutely independent figure with respect to the owner of the website, who does not take orders from anyone and who reports directly to the top management of the company's organisation chart. Finally, he must be able to draw on the financial and human resources needed to carry out what the new regulations for the security of personal data establish. In fact, even behind the figure of the DPO there are several flaws and aspects to be clarified. One above all concerns the skills of the Data Protection Officer: in reality this figure should not only have the right skills regarding privacy regulations, but should also be competent in the subjects dealt with by the web portal, especially if they are of a certain importance (think of portals dealing with topics of a medical or scientific nature). It goes without saying that finding all these skills in a single person is most often difficult, if not impossible.

What is the risk of violating the General Data Protection Regulation?

As we have also mentioned above, the sanctioning framework relating to this new privacy legislation is still incomplete, especially here in Italy where the absence of a specific legislative decree makes offenders, at least on paper, not liable to prosecution. However, wanting to give a very brief summary of the penalties incurred by those who do not put the security of users' personal data first, we can divide them into two macro areas:

  • Less serious violations. Even here the pecuniary penalty is far from light: you risk a fine of up to 10 million euros or 2% of the company's turnover in the previous year. Less serious "crimes" include failure to appoint a Data Protection Officer, violation of the conditions relating to the consent of minors and failure to apply security measures.
  • Serious violations. These can raise the penalties to 20 million euros or 4% of turnover. Anyone who, for example, illegally traffics sensitive data with a third country incurs a fine of this severity.

Finally, in particularly serious cases, the General Data Protection Regulation may also provide for penalties of a criminal nature.