The circumstances of this year 2020 are changing us all… After taking a couple of weeks of vacation with my family, the first thing I find on Nelio’s website is a new pop-up window showing the following information:
And indeed, if you don’t click the ACCEPT AND CONTINUE button, you can’t continue browsing the web, but… What about this change? What happened? 😳 My partners tell me the updates of the GDPR made it very clear that they had to put a mask on the web 😷.
When the EU law on the handling of personal data, the General Data Protection Regulation (GDPR), appeared in April 2016, it fell on us. Well, I’m lying. It really fell on us as the effective deadline for implementing it, May 25, 2018, approached. We are great advocates of the right to maintain our privacy, but reading and understanding almost 100 legal articles was not a pleasant or easy task.
And let it be clear that we are capable of reading whatever it takes, but we are also lovers of websites with clean designs and a user interface that prioritizes usability. So the idea that the first thing any new visitor would find on our website would be a pop-up window (with information that nobody reads) where they would have to click on an accept-and-close button turned our stomachs.
The fundamental principles governing the GDPR make perfect sense in trying to protect personal data. The aim is to reduce the processing of personal data and pseudonymize them as soon as possible. To give maximum transparency to the functions and the processing of personal data. To allow the interested parties to supervise data processing. And finally, to create and improve security elements to ensure that data are not used for undesired purposes.
For all this, what the GDPR asks from companies is an active responsibility. That is, companies must ensure that they have taken the necessary precautions and measures to reasonably ensure that they are in a position to comply with these principles.
Even if we agree with the principles of the GDPR, when we go into detail about the measures to be taken to “reasonably ensure” that we comply with the principles, we start to walk on thin ice. And let it be clear that we are of the opinion that one’s own responsibility must prevail: try to be as consistent as possible with the principles you want to defend and don’t be a smart-ass.
Compliance With The GDPR On The Web
To comply with the GDPR on the web, in short, you must perform the following steps as described by Marina Brocca (in Spanish):
- Appoint a Data Protection Delegate (DPD), or someone responsible for coordinating the adaptation to the GDPR.
- Develop a record of processing activities. That is, a description of the processing you carry out on the personal data of your blog’s users, clients, affiliates, etc., which you must make available to the data protection agency of your country.
- Carry out a risk analysis. The data protection agencies provide tools that let you determine the level of risk involved in your processing, with the aim of establishing the most appropriate security measures to reduce it to a level considered acceptable.
- Review and implement security measures on your blog based on the results of the analysis, such as SSL certificates, backups, antivirus, etc.
- Establish the mechanisms and procedures needed to notify the data protection agency and those affected of security breaches, if applicable.
Although they may seem like a lot of very cumbersome steps, what this regulation is telling you is that you do not have the right to do whatever you want with your visitors’ personal information. Be transparent and responsible with any type of personal information that you may keep about them. Personally, I think these are more than adequate measures if you want to gain the trust of your users, but…
What About Cookies?
The new criteria should be implemented no later than October 31 of this year 2020, thus establishing a three-month transitional period for adaptation. Seeing this, the first thing you think is: did we really need more excitement this year?
For your peace of mind, the document is only 38 pages long… For those of us who are not lawyers, either we are getting used to legal documents or this one is written in a much more understandable way than the first document I read on this subject.
Indeed, the most remarkable thing is that it is now very clear that acceptance of cookies by scrolling is not valid. Only acceptance with an Accept button is considered valid.
To adapt to the new normal and to be able to go out to the street, we have no choice but to put the mask on the web. Now all new visitors have the option to explicitly indicate whether or not they want cookies to be saved in their browsers.
We hope that this measure will generate more confidence in us, but our recommendation is that you remove the mask from our website by accepting cookies. This will help us improve our website with our A/B tests, which collect aggregated and anonymous analytics (as we have always done).
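As an added illustration of the rule described above (not code from Nelio’s plugin or website), here is a small consent gate in which only an explicit Accept click unlocks the analytics script, while scrolling or continued browsing never counts as consent. The storage key, element ids and the `store` abstraction are assumptions for the example.

```javascript
// Added example, not Nelio's code: gate analytics behind explicit consent.
const CONSENT_KEY = 'cookie_consent'; // assumed storage key name

// The only states the gate recognises; all of them come from an explicit click.
const Decision = Object.freeze({ NONE: 'none', ACCEPTED: 'accepted', REJECTED: 'rejected' });

// `store` abstracts localStorage so the logic can also run headless (e.g. in tests).
function createConsentGate(store = new Map()) {
  const current = () => store.get(CONSENT_KEY) || Decision.NONE;
  return {
    current,
    // Wired to the banner's Accept button: the one path that grants consent.
    accept() { store.set(CONSENT_KEY, Decision.ACCEPTED); return current(); },
    // Wired to the banner's Reject button: records a decision, grants nothing.
    reject() { store.set(CONSENT_KEY, Decision.REJECTED); return current(); },
    // Implicit signals (scroll, clicks elsewhere, navigating on) are deliberate
    // no-ops: under the criteria described above they are not valid consent.
    onImplicitSignal() { return current(); },
    // The banner must stay up until an explicit decision has been recorded.
    bannerRequired() { return current() === Decision.NONE; },
    // Analytics (and its cookies) may only run after explicit acceptance.
    analyticsAllowed() { return current() === Decision.ACCEPTED; },
  };
}

// Runs `loader` (which would inject the analytics <script>) only when allowed.
// Returns true if analytics was loaded, false if consent is missing or refused.
function loadAnalyticsIfAllowed(gate, loader) {
  if (!gate.analyticsAllowed()) return false;
  loader();
  return true;
}

// Browser wiring; skipped when run headless (no `document`, e.g. under Node).
if (typeof document !== 'undefined') {
  const webStore = {
    get: (k) => window.localStorage.getItem(k),
    set: (k, v) => window.localStorage.setItem(k, v),
  };
  const gate = createConsentGate(webStore);
  const acceptBtn = document.getElementById('accept-btn'); // assumed element id
  const rejectBtn = document.getElementById('reject-btn'); // assumed element id
  if (acceptBtn) acceptBtn.addEventListener('click', () => {
    gate.accept();
    loadAnalyticsIfAllowed(gate, () => { /* inject analytics script here */ });
  });
  if (rejectBtn) rejectBtn.addEventListener('click', () => gate.reject());
  window.addEventListener('scroll', () => gate.onImplicitSignal()); // never grants consent
}
```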
What about you? Have you already adapted your website to the new normal? 😷