What is the major change that the website owner should take due to the entry into force of the EU's new data protection rule "GDPR"?

New rules on the protection of personal information from the 25th of May 2018 within the EU "General Data Protection Regulation (GDPR)Will be enforced. With the enforcement of GDPR, it is prohibited to bring out the data of users in the EU region acquired on the website outside the EU region, and handling of personal information such as the strict limiting of utilization of the collected personal information to only designated use is tightened , A violation will be subject to a large fines. However, despite the introduction of stricter personal information protection new rules, publisher response tends to be delayed. A publisher who is regulated and asked for change about the change required by the publisher by GDPR and how to respond is summarized in the blog.

Publishers Have not Realized Just How Big a Deal GDPR is - Baekdal Plus

According to Thomas Biekhdar of web consulting company Baekdal, most existing web publishers (website owner) feel that they are "burdens" about the GDPR that took effect before the enforcement. Companies that are engaged in the EU or those with users in the EU are obliged to respond to GDPR but most of the interests and interests will not affect the business so far It is gathered whether to modify the privacy policy which does not touch the regulation, and it is said that it is beginning to discuss the unfavorable workaround. Many discussions come from the legal aspect and Mr. Peakaru criticizes himself only pursuing outlaws of how to invalidate regulations by GDPR and avoid penalties.

The basic principles of GDPR are the following five.

1: Collection and retention of personal data must be based on user's "consent"
2: Only necessary and appropriate information related to the specific service to be provided can be collected
3: Transparency to data to be collected / retained
4: The user has "Right to be forgotten (right to delete data)"
5: IP address is regarded as personal information

However, there are exceptions to each of these principles, for example, there is an exception that "consent" of "1" is not limited to direct consent. Moreover, it is possible to accept the act of entering an address at a shopping site as one form of consent. And even if the user exercises the forgotten right, for example, there are many data which can not be deleted if the data needs to be saved due to the necessity of processing by the publisher's accounting and tax, for example, many exceptional loopholes Mr. Bikedar points out that there is.

However, Mr. Bikedar points out that the attitude of avoiding the GDPR regulation is not in line with the trends of the world. According to Mr. Bekdar, it is said that those who use highly popular ad blocking software use ad blocking software to block tracking behavior more than the purpose of erasing advertisement display. Furthermore, it is clear that web users around the world are trying to block tracking of personal information about themselves, regardless of popularity such as Snapchat or Instagram story where data uploaded in a certain period is erased Bekkaru thinks that if it seems to try to maintain the business style that was established only under the situation of loose personal information protection as in the past, it can not cope with the change of the times.

Considering the case where "a completely new user" visits the site, Mr. Bikedar said that from the visit of "one-time user" that could only use the site as long as that can not collect any information that can identify the individual Says. Moreover, it is not allowed to load any third party service. The reason is that loading a third party service could result in the transmission of data that could identify an individual, such as an IP address. Since the first site visitor does not do anything that can be interpreted as "consent", in the end, it means "There is nothing the site can do."

Mr. Peakaru pointed out that many publishers do not fully understand this meaning. Basically you can not load third party services on the site, so embedding of advertising partner's ad script is also NG, adding social widgets is not good, even embedding quizzes in articles using third party services is NG Mr. Bikedar points out.

Mr. Bikedar touched on the response of Google, one of the most interested companies of the European Commission as a target of GDPR, while noting that there might be indications that such idea is overly concerned. Google believes that if you look for a way out of GDPR it will invite a court struggle that could be subject to a high penalty and that such disputes will criticize the media and compromise trust from users, I point out. As a result, the way Google chose says it is the same idea as Mr. Bikedar, "Do not do anything until the user gives consent."

To prepare for the introduction of the coming GDPR regulation, Mr. Bydald thinks that the publisher after the implementation of GDPR needs to categorize the site visitors into the following four categories.

1: One time user
2: Limited users signing up for services
3: User who fully signed up for service
4: User who stopped using the service

· Support for One Time User
"One Time User" includes not only cases where there is a possibility that it will be used only at that time, such as visiting the site for the first time, but also cases where the user has not done any action requiring consent . As mentioned above, one-time users can not read third party tools and social widgets and can not automatically load embedded content and can not identify users even within their own site It can only analyze in shape.

Due to this change, Mr. Bikedar said that the advertising model must be designed at all and that the one-time user's traffic revenue will be greatly affected.

· Limited sign up user response
For example, in the case of a "limited sign-up user" who applied for a limited service such as reception of a newsletter, but is not yet a complete service subscriber, it is interpreted that there is certainly "implicit consent" Although there is room, the data that can be managed is limited to those related to the requested service. Users who subscribe to the newsletter have no room to interpret "I agree with reading third-party trackers". Before the introduction of GDPR, the fact that users interpreted every action taken on the site as "data that can be used fairly" will no longer work after the introduction of GDPR, so the publisher will be a limited sign-up user It seems that it is necessary to change the data handling method of the data greatly.

· Complete sign up user's response
A more extensive response is possible for "complete signup user" who agrees to use all available services. However, the third party tracking script is required to be "related to the service provided in the site". Publishers need to limit the information collected by tracking scripts to service-related ones, and are responsible for maintaining transparency, data management and all other personal information.

· Users who stopped using
"When the user stops using the service, basically it returns to the starting point," Mr. Bikedar expresses. In other words, as soon as the user stops or deletes the account, the data must be deleted. The only exception is information that is required to keep holding legal information such as account information.

And information gathered by analyzing individuals such as personal preference information gathered for advertising purposes is obligated to be cleared when the user releases the subscription. The handling of such information is a completely different aspect from the world before the implementation of GDPR, and it is said that a big change is required.

As mentioned above, after explaining the handling of user data that is obliged to be changed after the implementation of GDPR, Mr. Bikedar said, "By rethinking the approach to GDPR, change in information handling is not a" problem "but a" solution " It is a great opportunity to do. " According to the purpose of GDPR, by handling data in consideration of user's privacy, we can show that we are building trusting relationships with users and respecting users. Performing a site in accordance with GDPR is to make it easy for users to control their own information handling, and by complying with GDPR, it is possible to construct a service incorporating the element of "privacy consideration" Mr. Bikedar argues that it should be advantageous in terms of service management to take advantage of trends around the world where privacy protection is important, and thus to improve the competitiveness of the service.

in Note,   Web Service, Posted by darkhorse_log