What Web and Business Experts Say About Implications of GDPR Regulation [Checklist Inside]

1. Main principles.
2. Who will have to comply?
3. Free GDPR checklist for small businesses.
4. The rights of European data subjects
5. Experts talk about the consequences for web developers
6. Experts talk about the impact on businesses and possible pitfalls

On 25 May, the European General Data Protection Regulation comes into force.

If you are a web developer/designer or an entrepreneur whose business involves collecting data from individuals in the European Union, you must be already aware of the GDPR and its main provisions. If not, please read our post that explains the GDPR to web designers and developers.

In this article, I want to go further than just describing the GDPR requirements. I believe that this European regulation hallmarks the dawn of a new era of comprehensive data protection. I want to explore the meaning of these changes for all of us, paying particular attention to small businesses and web developers.

I invited web development and business templates experts to speak about post-GDPR markets and the pitfalls the new policy may have.

---

---

Please feel free to participate in the discussion! We will be glad to read your comments and respond to them!

But before we delve into making long-term prognoses, let’s get clear about the basic tenets of GDPR.

What are the main principles of the new General Data Protection Regulation?

In a nutshell:

• Companies will have to be very explicit about what data they collect, how it’s done, and for what purposes you are using this information.
• Private customer data should be processed in all transparency and stored no longer than it’s necessary for the specific legitimate purposes.
• Users will have to give separate and informed consents for collecting different types of their private data.
• Consent should be asked for through positive opt-ins and be easy to withdraw. Every user will have the right to be forgotten and have their private data removed.
• Data-collection for children under 16 can be made only after obtaining consent from a holder of parental authority.
• In case of a data breach, companies will have to notify data protection authorities within 72 hours and inform customers about the breach "without undue delay".

Read the full “Principles” chapter of the GDPR.

Who will have to comply?

• The EU GDPR applies to any company that is based inside or outside of the EU and collects, stores, or transmits data belonging to EU residents (any information related to an identifiable person, including IP address).
• The regulation does not apply to situations when data processing is done for personal and household use, only for commercial purposes.
• Companies with less than 250 employees will have to comply but with some exceptions (like not having to maintain a record of processing activities, having to appoint data protection officer, etc)

Download our Free GDPR Checklist for Small Businesses

---

---

What are European Customers Entitled to Under GDPR?

• They have the right to be informed, meaning that they will know what types of data they are sharing when entering a website or filling out a form. This information should be free and easily accessible.
• They will be able to access freely any data that a particular resource collects about us. This information will be given after a login or within one month upon request (2-3 months in some cases). If a website refuses to satisfy the request, they will need to give good enough reasons and indicate the authority to whom the user can complain. No admin fees can be charged for making such requests.
• If they want to make changes in the data that are being collected by a particular entity, they will be able to do it across all its platforms.
• Users now have the right to be forgotten, so that all sensitive data about them would be deleted (with a possible exception for the information that can serve the good of all humanity).
• They can continue using a resource without giving the permission to process personal information. The resource will be collecting the bare minimum of data but no profiling will be allowed.
• Users will have their personal data transferred from one resource to another upon request.
• Users should find leaving any platform and deactivating their personal accounts much easier than it was to register and share their data. They will have the right to object the use of their personal data for marketing purposes.
• If users are making some major decisions or initiating actions based on their interaction with a website, they will have the right to talk to a real person at some point if they need to.

What consequences will the GDPR have for web developers and web designers?

Read Heather McNameeWhat long-term consequences will the GDPR have on the global web development and web design trends? on Quora

As web designers and developers working in the new GDPR landscape, it will be important for us to learn the available tools for assisting in GDPR compliance and reassuring clients. This means the advice and common practices that people have been giving out for years are now going to be misleading and downright dangerous.

We are already seeing GDPR compliant forms and checkboxes but expect to see more tools to make it easier to geo-detect users and prevent cookies from being fired until consent is given.

So far, some of the solutions are thin on the ground, but in the coming weeks and months, it's going to up to web developers to be vigilant as tools are developed to make these tasks easier.

While the GDPR regulations are black and white, their interpretation and use in various systems still seems to be open to interpretation as many are still sharing conflicting opinions and advice.

David Alexander
Digital Marketer, Mazepress

Public blockchains are a big problem with GDPR compliance. Even though the information is encrypted, just by the fact it is publicly accessible has potential negative consequences for GDPR. But hopefully these issues will be overcome soon by technological innovations or legislative influence as the advantages for applications of blockchain technology to create an entirely new user experience of the internet are tremendous.

Crystal Stranger, EA
Co-Founder, peacounts.com

Comment from TemplateMonster:

I remember how inspired we all were at the beginning of 2000’s when technologies allowing to collect and use personal user data began to emerge and develop. Now we are even more enthusiastic about ways to protect the privacy of the end users of our products. It is not hard for TemplateMonster developer team to comply with GDPR because we have always followed Privacy by Design principles in the creation of our products. For us and our clients, GDPR is an opportunity to make our data collection and processing procedures even more transparent and customer-friendly.

In making our templates, we are very clear about all the potential uses for the private customer information and provide full details about it. We also apply the PbD concepts to the use of cookies that carry personal data and can be viewed as identifiers by implementing user controls over it. The architecture of our themes always enables visitors make conscious privacy choices. The interfaces are highly dynamic, they will hide or show content based on user preferences.

I’ve also encountered some annoying misconceptions about GDPR among our clients and even other web development professionals. The most fantastic idea I’ve heard so far was that users will be able to delete their criminal and debt records. Some also believe that in post-GDPR era websites will not be collecting and processing data at all. This is also not true, of course. And of course, cloud services will still be used under GDPR, we just have to be more conscious about our choice of a particular resource and what data we transfer to it.

I’ve heard clients express worries that they will have to pay 20m euros if a data breach occurs. While I’m not aware of any cases of data breach involving the websites made with our themes, I believe that one should build strong data protection tools into the site architecture and sleep well. Moreover, a data breach may cost a business more than just a huge fine - your clients may lose their trust in you and leave. Guys, it’s time to get proactive about customer data protection, it’s already 2018!

Alex Keats
Web developer, TemplateMonster team lead

How will the GDPR impact businesses and entrepreneurs? What are the possible pitfalls of this regulation for entrepreneurs?

One of the big adjustments many web developers and business owners are facing under the GDPR is the need to implement valid user consent mechanisms. The GDPR dictates consent – whether it’s to a website’s privacy policy or a company’s marketing efforts – be given through a free, affirmative action.

Sprinkling affirmative consent measures, like opt-in checkboxes, throughout a business’ website and marketing emails means giving some companies a pause. There’s a persistent suspicion that asking users to explicitly consent to policies and marketing campaigns will reduce the size of a company’s customer base – and their stores of valuable data. While it may, in fact, reduce the overall number of users, instituting these measures also serves to increase customer engagement, thus making the data that is collected even more valuable.

While GDPR compliance has a lot of business owners, marketers, and web developers sweating over the possible implications, most signs point to the new regulation being a positive development for both the end-user as well as those behind the screen.

KJ Dearie
Product Specialist and Privacy Consultant, Termly

First of all, under GDPR all data processing and use should be opt-in. In general this prohibits current data-driven marketing based on third-party non opt-in personal data. As well as impose new restrictions on businesses. At least within EU and for businesses that use personal data of EU residents. Violations lead to huge fines and risks to go out of business.

1. Even if you don't work in EU but have at least some EU resident in your lists, GDPR affects you. Some people think it's EU legislation so it covers only EU residents. In fact, GDPR affects any business that processes personal data of EU residents. For example, if you ship to EU or you're an agency working with EU lists, or EU residents can sign up on your website, you're affected by the GDPR.

2. If you are a data broker or other agency working with third-party lists in EU, you have serious problems. GDPR puts data brokerage at risk in EU because data brokers selling personal data have no consent of each individual person in their lists by design. So, EU market will be closed for both EU and non-EU data brokers.

If you as a business use data brokers or work with lists containing EU residents, you are going to stop doing this to become GDPR-compliant. Companies will not be able to buy personal data as well. For example, if a company uses data brokers to enrich their lists, they will not be able to continue this under GDPR if their list contains EU residents. Or they should exclude EU residents from these lists. The problem is how data brokers work. In order to get additional data about its customers, a company needs to provide a data broker with customers’ personally identifiable information (PII). They use PII to identify customers in their databases and provide additional data they have. As a result, sensitive information is shared without user's consent which is prohibited under GDPR.

It’s hard to find benefits for business because GDPR provides benefits only to consumers. For businesses it's an over-regulation nightmare. However, one of the few possible benefits is a more rigorous process of storing and processing private data that should reduce probability of data breaches in the future. Data breach is a serious matter especially for small businesses. According to National Cyber Security Alliance 60% of SMBs go out of business in the next 6 months after a cyber attack.

GDPR creates great opportunities for technology providers. GDPR is just the beginning. You should be prepared for long-term changes in the whole industry as well as in your business. Data market is one of the most oversaturated markets with a high threshold for entry. But it is going to be changed since the new regulation severely impacts traditional market players - data brokers. With the prohibition of non opt-in personal data use they are now heavily affected.

On the other hand, this creates unique opportunities and demand for companies that are developing GDPR-friendly technologies. New technology providers is one of the most underreported categories of businesses. They are going to enjoy GDPR that will pave them the way into data market. So we can anticipate the raise of new GDPR-compliant technologies for data-driven marketing in coming years. This, in turn, will fundamentally impact how businesses work with data.

Kirill Rebrov
CEO / CTO, https://demografy.com/

GDPR is just the beginning, it’s a signal to businesses in the United States and abroad that data and privacy should be taken seriously. Like all legislation, it will be tested when implemented and evolve as time goes by. Businesses that don’t fall under the restrictions laid out by GDPR should start moving their business operations into preemptive compliance, so that when more legislation comes down which will affect them, they aren’t caught off guard by it.
Are there any negative sides to it?

Data collection is an intangible cog in modern economics. That means that restricting it without careful consideration can set technological advancements back by years. In addition, it could slow the economy down as e-commerce relies on data gathering, for a large number of sales.

Nate Masterson
CMO, Maple Holistics

The General Data Protection Regulation imposes basic standards for data transparency, data security, and data breach notification for all businesses and nonprofit organizations that operate in the European Union, process the data of EU subjects, or monitor the behavior of EU subjects. What many organizations do not know, however, is that the GDPR treats personalized web identifiers - such as IP addresses and usernames - similarly to other types of personal data.

Consequently, even basic website analytics may fall under the restrictions of the GDPR. This will pose a burden to startup and small companies trying to do business in Europe, as they will be subject to the same 72-hour breach notification, privacy notice, and subject access right requirements as larger businesses.

Lily Li
Owner of Metaverse Law, CIPP/US & CIPP/E

Comment from TemplateMonster:

I always tell our clients that GDPR is not a bureaucratic issue. Rather, it is a competitive benefit and an opportunity to invest in creating awesome and protective customers experience.

Most businesses weren’t involved in buying illegal mailing lists and abusing customers data in the first place, so adding more opt-ins to a website won’t ruin their marketing. They are also able to justify their customer data use as adequate and beneficial for clients. If obtaining consent or opening up about the use of private information looks like a catastrophe, maybe it’s time to rethink your whole marketing approach and adapt a more win-win strategy.

I understand why many small business owners don’t feel too happy about GDPR - they may be still using a website built years ago without much care about data privacy. Such websites are usually poorly coded and very hard to update. If a company doesn’t have technology and client protection among its top priorities - it will inevitably see GDPR as a nuisance or threat.

On the contrary, companies that have good modern websites will find it easy enough to comply. Our templates, for instance, are built with best data privacy practices in mind - they have clean code and are easy to customize. So, it won’t be hard to adapt the websites built with them to any legal regulation.

Personally, I like the emphasis the GDPR puts on documenting procedures and mapping up data. As a developer, I value `a good routine and clean documentation.

I’m sure that marketers will find new effective ways to use anonymised data. You can build your market segmentation and channels without relying so heavily on client identifiers would be a good way to reduce privacy risks.

GDPR prescribes explicit consent for all cases of automated decision making that involves initiating actions on behalf of the company. But profiling activities involving human customer interaction that does not impact customers’ legal or economic situation may be done based on legitimate interest alone.

An lastly, complying with GDPR is not something you can do once and forever, it’s a day-today commitment to high security standards, transparency, and dedicated customer care.

Alex Keats
Web developer, TemplateMonster team lead

Did you like the article? What do you think about the impact of GDPR on web development practices and businesses? Do you agree with our experts?

Please share your thoughts in the comments!