GDPR and you

Vores blogs er normalt skrevet på dansk, men da vi et stigende antal internationale samarbejdspartnere, er dette skriv på engelsk.

GDPR and you

The General Data Protection Regulation

GDPR is nothing less of a jungle. It’s complex, huge and a hassle for a lot of companies. Many companies have a hard time grasping the scope of the new GDPR. This inspired us to develop this document blog, so that you can get a somewhat quick overview of the enormous new EU-wide data regulations.

We suggest that you read this document, Here’s why.

Failure to comply with the new regulations, can result in an initial fine up to €10.000.000 or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. Continues failure to comply, will result in a fine on up to €20.000.000 or 4% of the global annual turnover. This is true for all companies, both enterprise sized companies and small business.

The General Data Protection Regulation (GDPR) is EU’s initiative to protect its citizens personal data. It will be enforced May 25’th, 2018. At first, it might seem fustrating  and time consuming for organizations to comply to all these new rules. However, it ensures that the organization gets a better overview of their own data and data flows. The document containing the entire GDPR can be found here: https://gdpr-info.eu/.

We will briefly highlight some of the key changes and describe how we accommodate these regulations. It should be noted that this is not the entire GDPR but rather a collection of the regulations, which we believe requires attention when working with web development and business critical software.

HTML24 will always aim to develop according to GDPR’s standards and best practices, and to do our best to inform and help all customers to make the right decisions. It is, however, up to our customers to make the necessary legal decisions.

Placement of data

It is legal to transfer personal data to other EU-countries which comply with a certain security level. However, as HTML24 uses Curanet as hosting provider for the majority of our customers, all data will be kept in Denmark. Therefore this should be of no concern if standard HTML24 hosting is used.

Consent of your users/customers

When saving and processing data of one of your users/customers, it is important to be clear and unambiguous in the communication with the customer. The process of data must have either a clear purpose or the customer must give their consent – in any case you must inform your customer of:

  • What information is stored.
  • How long the information is stored.
  • That your customer has the rights to get the information corrected, deleted or handed out.
  • How the customer can get the information corrected, deleted or handed out.
  • That the customer at any time can withdraw its consent – and how this is done.
  • Where to ask questions regarding the above.

Data Protection Officer

The Data Protection Officer (DPO) must ensure that the company complies with all the new rules. This is only required under certain circumstances. HTML24 finds it important to bring it to our customers attention that they should consider appointing a DPO. The details can be found here: https://gdpr-info.eu/art-37-gdpr/.

Data portability

All customers have the right to transfer all their data in a machine readable format (e.g. excel, .txt etc.) to another system if they so wish. To this end HTML24 would like to suggest all our customers to create an “Export information” button if any customer information is handled. Using data integration, it is possible to extract all the data from a given user, with a press of a single button. Such solution will save an enormous amount of time for both the user/customer and the company.

Right to be forgotten

The customer has the right to be “forgotten”. This means that the customer has the right to be completely removed from the system. A proper solution is to build a “remove user” button, that completely wipes the user from all of your systems at once. This is the best and most time-efficient solution, and can be implemented fairly easy.

An example of this, is found in In the CMS WordPress there is the ability to “deactivate” a user and to “delete” a user. The latter will completely remove the user along with all personal information. Using data integration, these buttons can be integrated with other systems, e.g. ERP, CRM etc, so that the given user will be completely wiped, with a single press of a button.

Privacy by design

This part of the GDPR is to ensure that the security of the systems involved are capable of handling personal data in a secure way. You need to ensure that all the systems you use  comply with these rules. Meaning all exchange of data must be encrypted.

For instance, we develop a ton of data integration solutions. Here, the data routed between the systems via KOEBT (our integration platform) are encrypted with SSL. HTML24 will help you as much as possible ensuring that the data is handled correctly in all systems, but in the end you as a customer are responsible for this.

Impact assessment

As a data controller (i.e. a company that handles data) you are responsible for writing an impact assessment (in Danish: konsekvensanalyse). An impact assessment is a description of the technologies used to handle personal data. This must be bundled with an assessment of the risks in regards to being a customer in your system, and which precautions and security measures regarding the storage of personal data.

Breach notification

In the case of data breach it is mandatory to inform the national personal data authority (Datatilsynet in Denmark) within 72 hours of becoming aware of the breach. This means that you must notify the given authority/Datatilsynet and your customers of the breach “without undue delay”. If HTML24 discovers a data breach, HTML24 will notify you as client as fast as possible with as much relevant information as possible.

Documentation for compliance with GDPR

It is your responsibility to be able to document that you comply with GDPR. This means that you must be able to show that data is handled the right way in the systems you use.

HTML24 can draw such document, if requested.

SSL security and encryption

Secure communication from a web browser to a system is something you as a data controller need to be aware of. SSL (Secure Socket Layer) is shown as a little padlock in the browser when you visit websites secured with SSL. HTML24 will, if SSL has been bought, make sure to set up SSL, but you should ensure that all your other systems also uses SSL.

Exchange of data

When online systems exchange data between platforms (data integrations), it is important that you, as a data controller, have an overview of which platforms are used and how they handle the data. At HTML24 KOEBT is the integration platform that is used. KOEBT always uses SSL to exchange data which means that all data exchange between KOEBT and other platforms is encrypted.

Final words

GDPR is huge, complex and easy to get lost in. Although we have only touched on the surface, we hope that this writing have given you a better view of the field.

We would love to help you, with GDPR. If you have any questions regarding your company and GDPR, feel free to contact us at info@html24.net