Will anything really change from January 2022 on GDPR and cookies? Should we have to adapt to new rules or should we have done it some time ago?
Lately, all we’ve been hearing about is what’s new in the regulations, processing registers, consents and cookies.
To get to the bottom of the issue, I created a list of questions starting with my own doubts and the most common ones I’ve read in various industry groups and I also interviewed Frida Del Din from legaledigitale.com.
We started with a general introduction to the regulations, cookie law and the GDPR’s reference figures. We talked about how to comply and what solutions can be adopted in the case of small sites that do not bring in earnings.
To clarify the issue of compliance we also looked at specific examples to understand how to act from case to case. Then we talked about the penalties and what you risk if you are still not in compliance.
Table of Contents
GDPR and processing register, what changes from January?
I am Ivan Messina from SupportHost, a provider that is becoming popular in the Italian market.
Frida Del Din (legaledigitale.com) is a lawyer who deals with GDPR, trademarks, contracts and intellectual property.
During our interview, I asked Frida all sorts of questions about GDPR, the registry of processing, and the changes that are currently being discussed.
The video interview was in italian, it was then transcribed and translated.
Introduction to GDPR
Let’s start at the beginning and see how GDPR was created, what cookie law is, and what the GDPR reference figures are.
Before we start, it’s best to remember some important definitions.
Data processing
We’re going to be talking about data processing a lot in this article, but what exactly is meant by it? Here’s a clear definition:
Processing is any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data.
This means that even the consulting also known as viewing and collection of data are included in these operations.
Personal Data
Now that we understand what is meant by processing, let’s also take a look at the definition of personal data:
Personal data is information that identifies or makes an individual identifiable, directly or indirectly.
Data Processing Register
The processing register or register of processing activities is a document that specifies the operations that are carried out on personal data. Here is a timely definition:
It is a document containing the main information (specifically identified by art. 30 of the GDPR) relating to the processing operations carried out by the data processor and, if appointed, by the data controller.
Having clarified the meaning of the terminology, let’s move on to questions about the regulation.
What is GDPR and why was it introduced? Does it refer exclusively to the site or to the company as a whole?
The GDPR is a European regulation that applies in all member states and aims to regulate the processing of personal data.
The regulation stems from the need to reform privacy legislation within the European Union.
The GDPR was therefore created as a general regulation that covers all personal data processing. This means that it does not only refer to the aspects of sites, but to all business processes. Whenever a company has to process personal data, such as those of customers or suppliers, it must do so in accordance with this regulation.
Is the cookie law part of the GDPR?
GDPR is a general regulation that covers the processing of personal data. When we talk about cookie law or cookie discipline, however, we are referring to a specific branch that deals with the processing of personal data that occurs precisely through cookies or other tracking systems.
The discipline of cookies will be included in the new ePrivacy Regulation that will replace the previous ePrivacy directive. The regulation has not yet been approved, but when it comes into force it will be just such a special regulation used to regulate cookies.
What is the difference between data controllers, data processors and sub-processors?
The data controller determines the manner and means of processing the data, for example, a company that processes the data of its customers. The owner can designate the job to a data processor which is a person who processes personal data on behalf of the owner also known as the data controller.
We speak of sub-processors when the data processor makes use of additional employees who process personal data or have access to data. In the latter case, the data processor must be authorized by the data controller to be able to appoint sub-processors in turn.
GDPR compliance
Let’s take a look at the basic steps to follow in order to comply with the GDPR. We also give specific examples with different types of sites to understand how to act if we are using a contact form, technical cookies or Google Analytics.
Is having a cookie bar, cookie policy and privacy policy enough to comply?
The process for complying with the GDPR must start with upstream processes that must be put in place before we get to the point of drafting cookie and privacy policies. These processes include analysis, processing mapping, and assessment.
For the principle of accountability, the regulation requires us to justify the choices we make. Consequently, in order to write a cookie policy and privacy policy that is actually adherent to what you put into practice, you must first do an upstream analysis.
In this way, you can also make sure that you are in line with what the regulation requires or if not, you can make necessary changes.
Let’s consider the case of a site that is used to share ideas. There are no contact forms on the site and no email address is entered. The only cookies used are some technical WordPress cookies that cannot be disabled. In this case, do you need a cookie bar, cookie policy and privacy policy?
If we only use technical cookies, which are necessary for the site to function, and we do not directly collect data, we should still have a banner warning that the site uses technical cookies. It is wise to provide a privacy policy as well, in which case you can indicate that the site does not collect data.
And in the case of a site that uses only technical cookies, but has in addition (compared to the previous case) also a contact form?
In the case where no cookies are used beyond the technical ones, but a contact form is used, the privacy policy should specify the use of personal data.
Let’s take the case of a site that collects no personal data (no contact form and no email address) and only uses technical cookies. What happens if we use anonymized Google Analytics?
In this case (since they are anonymized) the cookies are considered technical cookies and do not fall under profiling cookies, which instead, would require consent before installation.
Solutions for small sites
Let’s take the case of a site that brings in no revenue. If we can’t afford a lawyer to draft policies, what are the options for such a site?
You can use a simple information banner and describe what you are going to do in the privacy and cookie policy. As stated before, it is best to always include a privacy policy even if the site does not deal with personal data.
Are there standard solutions or DIY solutions to stay within a minimum budget?
Assuming that the GDPR does not allow standard information, in this case, you can simply write the information yourself, taking into account that it is good to write it in a more spontaneous and less formal way so that it is understandable to the user who visits our site.
To critically approach the writing of disclosures, it is not enough to copy and paste the text from a site similar to ours. What you can do is to draw inspiration, but you have to make considerations and ask yourself questions about what you are really going to do, so as to write consistent information.
Going back to standard solutions again, relying on pre-written or automated solutions is always a risk. After all, these solutions themselves contain a disclaimer stating that they do not take on the responsibility.
By using Iubenda are we able to comply with the law? Do we have any guarantees?
As in the case of the automated solutions of the previous question, the service has a clear disclaimer that can be found in the footer of the site.
There are also companies that use pre-printed forms that they then adapt by changing a few commas and possibly supplementing with additional paragraphs according to the requesting party’s instructions. Could this be a cost-effective solution? Does it offer any kind of guarantee?
If you take a pre-printed document and change a few commas without a critical approach and adjust the document accordingly, there is a risk that in the end there will be things that do not match up. In the case of an audit, it is necessary that the disclosure be consistent with everything that is done in the practice.
So, you can always start with a template, but then you have to adapt it so that it is consistent and matches that specific case. This is exactly why standard or copy-paste solutions are not appropriate.
The other alternative is to hire a professional and have a personalized consultation and a tailored policy. What are the guarantees or safeguards in this case?
Turning to a registered professional means being able to rely on professional liability and, specifically in the case of lawyers, the services are also covered by the professional liability policy.
In conclusion, if a person or even a small business starting out, has budget problems, what can they do without having to resort to large investments?
In these cases, surely a consultation with a lawyer can be the first step towards a more conscious use of information and cookies.
In my specific case, on legaledigitale you can request a consulting service/training course so that the data controller can get trained and start writing the documents. The next step is to review the policy before putting it online.
Consent Register
What is the consent register? From January will there be changes or new regulations?
There are no changes from a legal perspective, but we are talking about guidelines that must still be followed.
There is no mention of a consent register in the guidelines. The only register referred to is the processing register (the register for processing activities mentioned in Article 30 of the GDPR) which covers both cookies and other types of processing.
What is the consent register and when is it needed?
It is not a real log, but it refers to keeping track of the last preference that was made by the user. Whenever I have not only technical and necessary cookies on the site, but also profiling cookies or otherwise processing data, I need the consent of the person concerned in order for these cookies to operate.
So there must be a banner and also the possibility to keep those cookies blocked until the user makes a choice.
After the user makes a choice, a technical cookie must be generated that keeps track of the preference. This cookie also gives the user the ability to change their choice when they return to the site and also to check when the preference was given.
How to comply
What do you need to do to adapt your site and company to the GDPR?
It always starts with analysis and evaluation, with these premises we take responsibility for the choices. For example, the suppliers we choose must be taken into consideration. Only after clarifying these points do we move on to draft the policy.
As we have seen before, talking about the consent register, the cookie banner must give the user the possibility to make an effective choice. Also, cookies should not be installed until the user has made a choice.
If the user closes the banner and continues with the navigation, it is as if he/she had accepted only the necessary cookies. Scrolling, as we will specify later, cannot be considered suitable for expressing consent to unnecessary cookies.
After implementing the system, it must be reviewed periodically. The classification of cookies should be checked to ensure that there are no incorrectly classified cookies. Periodic checks should therefore be established to verify the classification of cookies.
Similarly, after making changes, for example installing a new plugin, you will need to check that no other cookies are being used, or in that case, classify the new cookies correctly.
Regarding plugins, I personally use the GDPR cookie consent by WebToffee, which one do you recommend?
On legaledigitale I use Cookiebot which from the beginning had the settings for granular consent, to choose between the various categories of cookies or revoke consent.
There are no free plugins, but for example, the one I recommended (the GDPR cookie consent) costs $69 per year.
Specific examples
If I use a form on a site to sign up for a newsletter, and obviously name and email address are required to do so, is it necessary to include a checkbox to accept the privacy policy? Or is it implied because the user is subscribing to the newsletter?
When I go to fill out a form with my data, if there are various types of processing it is necessary to provide checkboxes to check to accept or not accept. In this specific example, the positive action is already given by filling out the form and sending it.
A further step could be the double opt-in, which is an additional step to confirm the registration. In this case therefore after having sent in the form, in our example in order to subscribe to one newsletter, an email would be sent to the subscriber, asking confirmation to finalize the subscription.
However, as a matter of practice, you could also insert a checkbox for reading the privacy policy. In this way, you can insert the link to the policy and allow the user to read it.
The same solution can be applied to the case of a contact form for requesting information. In this case if, for example, the data is kept only for the time necessary to respond to the user’s request, you can specify in the information statement the purpose and the time for which the data is kept.
Is it possible to accept cookies only by scrolling? Are there exceptions where this is possible or is it always prohibited?
In the 2014 guidelines, consent with scrolling was considered valid. Staying on the site, therefore, was considered sufficient to accept cookies. With the new guidelines, scrolling alone is not sufficient to express consent to the installation and use of cookies.
However, it should be noted that the guidelines do not completely exclude scrolling as a means of acquiring consent, but refer to the use of this system in conjunction with other positive actions taken by the user to express (and therefore unequivocally) consent.
For a webmaster who is creating a client’s site, is it better to take care of the policy, or to instruct the client to hire a lawyer to write the policy?
It is important to consider that offering a service (in this case, dealing with policy) also means taking responsibility for what you are doing. So unless you have an experienced staff member or are sure you want to take responsibility, it is best to delegate it to a lawyer.
GDPR and sanctions
Do you risk sanctions?
Every semester inspections are scheduled on specific categories of companies or other entities that process data. But, you have to be cautious of the fact that if you get reported, inspections are triggered.
Have there been cases of small companies or small sites being fined? How much are the penalties?
Yes, even small ones and they have done meticulous checks also regarding the sites and also regarding the newsletters. As far as penalties are concerned, there are no minimum amounts, only maximum amounts, and the regulation defines all the parameters to be able to apply them. From what I have seen, the amount is in the order of a few thousand euros.
It must be considered that the sanctions are proportionate to the company’s turnover, but must in any case have a deterrent effect. The criteria include the type of violation, the data involved (especially for sensitive data), but also the possible repetition of the violation.
We can see a list of GDPR-related fines here.
What do you think about the fact that today most of the sites are not yet in order?
I think it’s a good idea to comply with the law right from the start because the processing of data is not marginal. An online activity lives on data and we have to consider that there are not only administrative sanctions.
Assuming, for example, the case of a newsletter built up over the years with investment and a lot of effort, if an inspection is carried out, and it is ascertained that the data has not been collected correctly, the use of that list could be inhibit. Doing things right, therefore, is also an investment in the future of the business.
Conclusion
We’ve taken an in-depth look at GDPR starting with why the regulation was introduced and concluding with who is involved in the process. We’ve looked at the processing register, the consent register and saw what needs to be done to comply.
We looked at the issue of cookies with specific cases on Google Analytics cookies and scrolling. To better understand how to adapt your site to the GDPR, we looked at a number of specific examples and saw in particular what solutions need to be adopted for small sites.
Finally, we also talked about plugins that can help us implement cookies on the site and saw what fines you risk if you don’t comply with the regulation.
Did we help you get some clarity on the GDPR?
In your case, how did you comply and what plugin do you use on your site? Let me know in the comments below.
Leave a Reply