The practical guide to GDPR
The German data protection law has been effective for a long time, at least I got used to it. With the European standardization to the GDPR a lot of panic has arisen especially in the last months. How should a blogger deal with it practically?
The GDPR is not a devil's stuff, it follows some clear principles:
- Personal data should not be collected in the first hand. Where nothing was collected, nothing can be abused.
- If you are already processing personal data, then the user should know what data is collected for which purpose and what happens until deletion of it. This guide him to use this service or not.
- If this processing of data is not strictly necessary for the actual offer, the processing step must be optional.
- If you (as a user) allow others to process your own personal data (implicitly or explicitly), then you have to be able to decide differently (and any time later) how to deal with our data. This may be the desire for change, deletion or transfer (export) of your data. Whether every wish must be met or not, is not that clear beforehand.
- If you feel misguided, you need to know where to complain about this data processing.
In a nutshell the GDPR is a consumer protection law. This implies a separation of provider and consumer. On the internet, this separation is not so easy.
Central point of the entire GDPR is the documentation requirement. The provider has to explain why he collects which data.
He has to balance between the interests of the consumer, his own interests, and possibly the interests of third parties. If he can explain, why this data collection is necessary, he does not need to request consent for this data collection.
Consent is only necessary, if it can be denied. So if the service is possible in a comparable way, without having this data, then there is a consent acquisition is compulsory. Of course, this consent must be documented and is itself required to be documented.
How the consumer can articulate the desire for change and deletion must be documented. It must also be documented under which conditions the request can be executed or denied. Especially with more complex systems, it is often not possible to remove arbitary parts afterwards. A discussion between different users may lose their meaning, if a participant later wants to delete his comments or change their meaning. In this case, the interest in consistency outweighs the interest of the individual. The right to forget therefore has limitations in the archival requirements, even if the access can be made more difficult (block the search).
The consumer needs a contact person, usually the responsible data protection officer, in order to place his objections. Logically, this contact person must not be identical with the person about whom the complaint should be made. It is therefore basically inadmissible to have the same person responsible for data protection and data protection at the same time. A data protection officer is unnecessary for smaller ones, in this case higher-level bodies, i.e. the state or federal data protection officer take over.
How do I do that?
Take your website, open it in the developer mode of your browser first. This shows, which data sources the website integrates. Typically:
- active integration of other services, such as counting pixels, web analytics, social networks (like-count), (Facebook / Disqus) comments, videos, etc.
- internal contact forms
- internal comments, reviews, cross-links for articles
For each of these points you have to check:
- Is access required in this form?
- If so, then document the type of access and justify its purpose. Thus, the GDPR is fulfilled in terms of balance and documentation, and the data collection is permitted without consent.
- If not, then either remove this access or ask for permission from the website visitor.
- If the consent is given, then you can use this access.
- If the consent is not granted (or withdrawn later), then you have to that this feature is not activated.
It is important to note at this point, that the GDRP does not prohibit anything, but - on the contrary - allows everything that is justifiable. The GDPR thus stresses that the website operator is concerned about the implications of its offer for the consumer!
In all these documentations, the three points need to be written down:
- What data is this? How and where do they arise?
- Why is this data collected? What is the purpose of the action?
- How long is the data needed? When will it be deleted (automatically)? How can you change it later?
If you stick to these principles, you have already done almost everything right.
When transferring data to third parties or the processing of data by third parties (web host, forum provider, web analyst, ...), it is advisable to make a contractual fix by means of data processing. This will not always be possible individually, but the GDPR (in contrast to the previous German law) allows you to accept the contract proposal of your provider. It is worth asking!
Sounds theoretical? Look at a real example (in German).
But the lawyers!
Right, that's her job. The field of data protection is currently undergoing major changes. Unfortunately, lawyers tend not to formulate a clear statement, instead they like to point out weak points in the current situation. The results are dubious scare tactics and massive uncertainty.
Contributing to this is that the responsible state and federal data protection officers themselves have no experience with the new law, let alone assess the specific case of your website. Therefore, they give only general, usually sharply worded statements, such as the following: Personal data must not recorded, if so deleted immediately, stored not longer than 10 years, when the tax office no longer insists on the documentation.
In short: If you hire a lawyer, then he is liable with his insurance for a wrong advice. His interest is thus in the avoidance of the insurance case, not in the practical implementation of his recommendations to your concrete problem. On the other hand, if you have not even commissioned the lawyer, then …
Of course you should not completely reject the various statements of different lawyers, but it does not hurt to consider them with a good deal of scepticism. Whether the relevant proposals are applicable to your own circumstances is usually not so clear.
Then I looked at the rest and decided that I wanted to have them on. Comments on articles are important to me, so I explain how they work and what I consider to be worth preserving. There was no change to the previous situation, I just wrote it down.
With cookies, I am in the fortunate position of being able to do not use them as far as possible. But there are some long-lasting cookies that need to be documented. At the same time I turned off the default value for setting this type of cookie. Now you have to actively select it. Not a bad idea either.
The integration of external content such as Youtube videos and CSS / fonts seemed to me to be really problematic at first. So I tried to do these things on my server alone and failed miserably. Since this part does outreach my technical experience, I have a valid reason to integrate the external content, as they are needed. The GDRP has as appropriate clauses for this case. Documented and finished.
What you should never do is: Just throw it all down. The internet has become big and interesting, because we never gave up. Let us not chase down our own work for an unfounded fear.