Focus 4: data processing and personal responsibilities

What happens if we buy a product from an ecommerce site and the next day we realize that our credit card has run out of credit? How are our preferences and therefore our data managed when we agree to browse a website or blog? And again: to whom do we really entrust personal information once a contact form has been filled out? We will try to answer these and other questions in this fourth e last insight dedicated to information security in the digital age. Yes, because data processing goes hand in hand with the personal responsibilities of site administrators, i.e. the people who own a site or a digital project. The situation has always been fragmented, at least until a few years ago. The epochal change came in 2018, with the advent of General Data Protection Regulation, Also known as GDPR. Let's start right from this point and see how to set up a data management policy in a workmanlike manner.

THE EUROPEAN GDPR AND THE ACTUAL SCOPE OF APPLICATION

Impossible to have never heard of the General Data Protection Regulation, officially regulation (EU) n. 2016/679. In operation for two years now, the GDPR has marked the beginning of a new era, raising the level of user protection with regard to the processing of personal data by websites, blogs, ecommerce and virtual spaces in general (forums, landing pages, video streaming platforms, search engines, etc.). Speaking in a few lines about this boundless and partly ambiguous legislative instrument is an impossible mission, the fact remains that it is our duty to provide some useful guidelines to shed light on such a vast and complex issue. First let's look at the highlights of the GDPR, however, let us try to understand what its actual scope of application is.

Which countries are affected by the GDPR?

Every country in which an organization that addresses EU citizens via the web and processes certain personal data operates is a country in which the GDPR has the right to apply. This is the conclusion reached by adding together the areas specified by the GDRP. From this it can be deduced that practically all the companies and professionals who have relations with the European Union, from Switzerland to the United States of America and many others, must comply with the regulation. For more information on this we recommend reading this complete guide to the GDPR.

Assuming that the GDPR has legal value in Switzerland as well as in the rest of Europe, let's see point by point i main aspects to keep in mind to interpret the regulation correctly and apply it accordingly.

• each user who visits your site must confirm his consent to the processing of data. Consent must be free, specific, informed and revocable at any time
• in the absence of consent it is assumed that the data will NOT be collected or that the visit to the site will be prevented
• the consents must be archived and memorized, so that they can always be found by any agents and state authorities
• the consent register must contain a series of essential information, such as the moment in which the consent was given
• consent is not the only possible legal basis, but one of the 6 provided by the GDPR. However, in many situations and for many businesses, consensus remains the easiest way to go

THE ePRIVACY DIRECTIVE (COOKIE LAW)

The GDPR is not the only reference to observe. Directive 2009/136/EC (also known as the ePrivacy Directive) is the second fundamental tool for the correct management of personal data. specific legislation the rules for the use of third-party cookies within your own virtual space, or rather the requirements that allow the activation of cookies on the first visit of a new user. Again, the principle is based on maximum protection, offering the user the full option of declining the access of cookies to their data with a simple click. As we will see in the last paragraph, the administrator and therefore the manager of the website must provide the user with a system, typically a banner, to accept or decline the access of cookies.

Some cookies are exempt from this type of consent, but it is very likely that a business showcase site hosts at least one digital token, or cookie. The privacy policy must be reported in a specific document, and this also applies to the cookie policy. At the moment the ePrivacy directive, or cookie law, is under discussion, because the intentions of the legislators aim at the transition to what will be the ePrivacy Regulation, operating in concert with the GDPR. In all likelihood, however, there will be no significant changes in the provisions, which is why it is good right now to adapt and arrive prepared for the approval of the regulation, destined to be made official within a few years.

THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

The California Consumer Privacy Act came into force on 1 July 2020, one of the most structured forms of protection currently approved in the United States, as well as baseline guideline for each US state outside of California. As is the case for Europe with the GDPR, the CCPA also has enormous repercussions for the USA, such as to go beyond the borders of one's own country. While not as restrictive, the CCPA can also have a real impact on your business based in Switzerland or any other country. The conditions you must meet, in addition to addressing California citizens, include:

• have annual gross sales in excess of $25 million; or
• having at least 50% of its turnover comes from the sale of personal data

or

• buy, receive, sell or share the personal information of 50.000 or more consumers each year for commercial purposes.

Difficult? Not exactly. Since IP addresses are personal data, it is likely that any website that in a year get from California 50.000+ unique visitors are within the scope of the CCPA. This is just one example of how globalization, also and above all information technology, has now created connections and interdependencies between national legislations.

HOW TO COMPLY WITH DATA DIRECTIVES

In the light of what has been written so far, adaptation to national, European and international directives is certainly not an accessible task without making use of suitable tools. It is no coincidence that they have been developed in recent years entire platforms designed to manage obligations of the GDPR (and not only) with a fast, practical and partly automatic approach. The website administrator, i.e. the owner of the organization, the web master or the agency that follows the project, all he has to do is register on these platforms and fill in the data required by the system (data owner, url of the site, etc.). At this point the software and related plugin will show users the banner which summarizes the terms and conditions of data tracking and cookie activation.

The same platforms, at least the most famous, are able to generate privacy policy documents, cookie policies and any terms and conditions, with a pre-formatted text that you just need to fill in and customize as needed. Among the names of the most successful platforms we mention in no particular order the Italian Iubenda, the American Quantcast or the Danish Cookiebot, each specialized in a regulation or set of regulations. The solutions provided are free but in this case they have limited functionality. We at Innovando therefore recommend choosing the plan that best corresponds to the size and effective methods of data collection of the organization, thus avoiding any hypothesis of crime. You don't mess around with user data, especially since the penalties, in case of non-compliance, they can be very, very salty.

We hope we have given you all the information you need. If not, please contact us without obligation for a free and personalized advice on data protection.