GDPR and Google Analytics


One aspect of the GDPR is that Google Analytics may no longer be run the way it works by default, where the full IP address of every visitor is sent to Google's servers: an IP address is personal data under the GDPR.
One mitigation is to "anonymize" the IP before it is used. You can adjust the built-in Analytics feature so that all IPs are anonymized per these instructions: https://developers.google.com/…/analyticsjs/ip-anonymization . Be aware of what the setting actually does: the last octet of an IPv4 address (the last 80 bits of an IPv6 address) is zeroed in Google's collection network before the address is stored or used, so the full address still leaves the visitor's browser for Google; the setting limits what Google retains, not what is transmitted.
If you are concerned about privacy or your GDPR status and need help implementing this, please get in touch.

GDPR Fines

How GDPR administrative fines and sanctions will be applied

Fines under the General Data Protection Regulation (GDPR). What you need to know about GDPR fines, the guidelines on the application of GDPR administrative fines, ways to protect against GDPR fines, penalties, sanctions and the sanction mechanism under the GDPR.

If there is one thing people know about the GDPR it is that GDPR fines (administrative fines) can go up to 20 million euros or 4 percent of annual global (note: global!) turnover, whichever is higher.

The maximum fines of course do not mean that this highest level is applied by default. The actual fine depends on numerous factors: how severe the non-compliance and any personal data breaches are; the measures taken to become GDPR compliant (GDPR awareness being the first of them); the degree to which an organization has failed to set up the essential mechanisms to prevent personal data breaches or to deliver on data subject requests under the various data subject rights (right of access, right to data portability, right to erasure and so on); the willingness to respond to such requests; the degree to which privacy by design is respected; the additional measures and rights that apply when consent is the chosen legal basis for processing; and far more.

Two levels of GDPR fines – understanding them

In addition to that maximum, the GDPR foresees a second, lower tier of fines (10 million euros or two percent of global annual turnover), so the regulation differentiates between infringements. Both tiers and the factors that influence them are set out in Chapter 8 of the GDPR (remedies, liability and penalties, which is where the famous fines live).

Article 83(1) sets out the general conditions for imposing administrative fines: each case is assessed individually, and fines must be 'effective, proportionate and dissuasive'.

Article 83(2) lists the criteria, and the rest of the Article covers the two tiers of fines. Among the criteria are the nature, gravity and duration of the infringement, the scope and purpose of the processing, the number of data subjects affected and the degree of damage suffered, the level of cooperation with the supervisory authority, and more.

By splitting the fines into two tiers the GDPR signals which obligations it weighs most heavily. If you read Article 83(4) and 83(5), which list the obligations in each tier, you will see, for instance, that unlawful processing of special categories of personal data and breaches of the conditions for consent fall in the higher tier, while breaches of obligations such as data protection impact assessments fall in the lower one.

However, all in all this remains hard to understand for many, and in the end you simply do not know in advance which GDPR fine will be applied. So, is there a better way to know how GDPR fines will be calculated, how you can prevent them, and what your options are?

Avoiding GDPR fines: the use of a cyber insurance and the need to move towards compliance

The simplest and most obvious answer to the question of how to avoid GDPR fines is to be as GDPR compliant as possible and to be able to demonstrate that you have done all you could, in a prioritized way, taking into account all aspects of the GDPR, the risks from the data subject's perspective, the different types of personal data, data flows and processing in your organization and its ecosystem of partners, and the major rules of the GDPR such as consent and the other principles of lawful processing.

Yet 100% GDPR compliance is a myth, for reasons we explained, among others, in our article on the business strategy aspects of GDPR and information management. That is why GDPR awareness is not only about staff awareness: it also means working through all the Articles of the GDPR, which in turn point to others you need to know.

A second question is how you would pay a GDPR fine. After all, if you can never be fully sure, what happens if you are fined anyway?

This question is asked often, and some companies that feel they will not be ready, find the GDPR too hard to interpret, or doubt they could pay a fine answer it by taking out cyber insurance. In many cases, however, a cyber insurance policy only covers the costs of a breach: investigating and resolving it and the communications around it. Check the policy wording for whether regulatory fines are covered at all before relying on it.


Need help implementing the GDPR on your website? Contact me for free advice.

GDPR & WordPress: Technical Measures You Should Implement Now

Order your GDPR Compliant Package here for € 30.00

On May 25, 2018, the EU General Data Protection Regulation (GDPR) comes into effect. We show you which technical measures you should implement immediately so that running your WordPress website is legally compliant. There is no need to press the panic button, but we offer an overview of the important GDPR issues that we consider technically reasonable to address.

Disclaimer: This blog entry is not legal advice! Within the scope of our business as a WordPress hosting provider we have dealt quite extensively with the data protection laws applicable in Germany as well as the upcoming EU regulation, the GDPR. We are neither legal professionals nor data protection experts. We are not liable for the completeness, topicality or accuracy of the measures and contents provided.

Remove critical WordPress plugins on your website and replace them with GDPR-compliant alternatives

Plugins provided by Automattic, the commercial company behind WordPress.com (Jetpack and Akismet, for example), need a working connection to wordpress.com, which gives Automattic not only a direct connection to your data but also, for example, the IP addresses of your website visitors. They are the textbook example of plugins you should deal with before May 25, 2018 by replacing them with alternatives that comply with the GDPR, at least until the plugin developers release a legally compliant version.

The following Automattic WordPress plugins serve as representative examples for each category in the WordPress plugin repository and are used in this article for illustration purposes:

To keep your website GDPR-safe you can switch to the following alternatives, which do not transmit your visitors' personal data.

Gather anonymous visitor statistics

Of course we too would like to know which parts and contents of our website work especially well in terms of usability, what people like to read or share, how long visitors stay, what the bounce rate is, and so on. The GDPR tightens the legal requirements. As was already required under the previous German data protection act, you ought to anonymize every visitor of your website completely, and no personal data may be transferred to third-party services.

This is why we recommend Statify: all data stays on your website in anonymized form and is not passed on to other services.

According to the developers of Statify, the plugin does not process, send or store any personal data such as cookies or IP addresses beyond your website.

Use legally compliant avatars for your blog and comment sections

Important: To deactivate Gravatar completely in WordPress, adjust the following setting in the WordPress admin area under 'Settings' > 'Discussion'; scroll all the way down to the Avatars section.

Untick 'Avatar Display: Show Avatars', click Save to apply the setting, and clear your website's cache. Your website should now no longer contact the Gravatar service (run by Automattic) to fetch avatars.

Double-opt-in feature for comments

It should be noted in advance that notifications for follow-up comments on your own comment already imply that data (the email address) is stored and transmitted. To avoid any grey zone, use the free plugin Subscribe to Double-Opt-In Comments so that your visitors confirm in advance whether they want notifications about follow-up comments.

Restrict antispam protection to your own website

Antispam Bee can be used in a GDPR-compliant way if you pay attention to the following plugin settings! The options 'Use a public antispam database' and 'Allow comments only in certain language' must be deactivated in the plugin settings; otherwise your visitors' IP addresses are still transferred to the Stop Forum Spam service, and the comment text is sent to Google Translate for language detection.

Replace WordPress backup plugins with alternative solutions

To avoid transmitting personal data to servers in, for instance, the USA, and to free up performance on your website as a side effect, we recommend not using certain WordPress backup plugins in the future.

A better alternative is using automated WordPress backups provided by your WordPress hosting service, e.g. at RAIDBOXES.

Use web server caching instead of a WordPress caching plugin

Many caching plugins, including the one by Automattic, do a good job of speeding up your website: with caching the site can be delivered faster. But caching can also mean losing control over where data ends up.

A legally safer alternative, which also removes a performance-burdening plugin, is server-side caching provided by specialised WordPress hosting services.

The advantage of such an approach: the cached data is stored, at least in the case of RAIDBOXES, on German servers with guaranteed ISO 27001 certification, and no user data is transmitted to external services.


Prohibit illegal connections of social plugins, such as the Facebook Like Button, Like Box or Twitter Widgets

In many cases social sharing services already process data as soon as a visitor loads a page with an active social plugin: the visitor's browser fetches the widget from the provider's servers, sending the IP address and other request data along, even if the visitor never shares anything. This is largely unknown, yet very critical under the GDPR. While researching legally compliant solutions we came across only one free social plugin that prevents any data transfer before a share button is clicked.

For now we therefore recommend removing embedded Twitter widgets, Facebook Like buttons and Like boxes, and using the Shariff Wrapper plugin for share buttons in posts; Shariff renders plain links that only contact the social network when the visitor actually clicks.

Adjust contact form plugins like Contact Form 7 & Gravity Forms to GDPR

New requirements for contact forms

Under the General Data Protection Regulation, sending a contact form requires the sender's consent to the processing. Personal data here comprises not only the IP address but also the email address and the content of the message itself. An opt-in checkbox confirming consent to storage can be added with Acceptance Checkbox for Contact Form 7 and, for Gravity Forms, with the free plugin WP GDPR Compliance.

We are convinced that, in the medium to long term, all popular plugin developers will implement the necessary requirements to meet the GDPR. Until then, the WP GDPR Plugin will do a very good job!


Newsletter & email marketing

In your newsletter forms the email address should be the only mandatory field; all other data such as first and last name should be optional. The double opt-in procedure and the greatest possible transparency apply to all forms, including the newsletter form: disclose exactly what you aim at or offer with your newsletter.

Double opt-in procedure remains standard

If you have not done so yet, start using double opt-in immediately! With double opt-in the recipient must explicitly click a link in a confirmation mail after the initial sign-up; only then is the person added to the mailing list. This ensures that nobody can sign up on someone else's behalf and that the registration was actually approved by the owner of the address. The confirmation mail must not contain advertising or any other content.

More technical measures beyond your WordPress plugins

SSL encryption

Although TLS ("SSL") encryption is not an explicit obligation under the GDPR, secure data transmission to and from your website is simply not possible without an encrypted connection! You can learn more in our extensive Let's Encrypt SSL page.

Don't want to set up the certificate yourself? Use Let's Encrypt certificates, for example: with the free 1-click installation you can activate a certificate for your WordPress website quickly and easily.

Create an opt-out for Google Analytics

Once more we would like to point out that, even before the GDPR, the German data protection law in force has required complete anonymization of visitors for years. To guarantee this now at the latest, the widely used Google Analytics snippet should be extended with the following line:

ga('set', 'anonymizeIp', true);

If your JavaScript snippet previously looked like this (the first four lines are the standard analytics.js loader):

(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-XXXXXXXX-X', 'auto');
ga('require', 'displayfeatures');
ga('require', 'linkid', 'linkid.js');
ga('send', 'pageview');

The code will look like this after the addition. The anonymizeIp setting must come after create and before the first send, because set only applies to the hits that follow it. Note also that the displayfeatures line enables Google's Advertising Features, which set a DoubleClick cookie for remarketing; if you do not use remarketing, drop that line rather than carrying it over:

(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-XXXXXXXX-X', 'auto');
ga('require', 'displayfeatures');
ga('require', 'linkid', 'linkid.js');
ga('set', 'anonymizeIp', true);  // must precede the first send
ga('send', 'pageview');

Moreover, you ought to give visitors a way, from your privacy policy, to be excluded entirely from Google Analytics. A free opt-out plugin named Google Analytics Opt-Out is available in the WordPress plugin repository. It sets a cookie that prevents analytics.js from collecting data: analytics.js checks for a global flag named ga-disable-<property ID> before tracking, and the plugin sets that flag on every page load while the cookie is present.
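As an added example, not code from the page or from the opt-out plugin it mentions, the module below shows the two client-side pieces of this section together: honouring an opt-out cookie by setting Google's documented analytics.js opt-out switch (a global ga-disable-<property ID> flag that must be set before the loader runs), and checking that a tracker command list sets anonymizeIp before the first send. It is written as plain functions so it runs in Node as well as in a browser; the property ID UA-XXXXXXXX-X (the page's placeholder) and the cookie name ga-opt-out are assumptions.

```javascript
// Added example (not the page's nor the opt-out plugin's code): analytics.js opt-out
// cookie handling plus an anonymizeIp ordering check. Assumptions: property ID
// 'UA-XXXXXXXX-X' (placeholder as on the page) and an opt-out cookie named
// 'ga-opt-out'. 'ga-disable-<property ID>' is Google's documented opt-out flag.
const GA_PROPERTY = 'UA-XXXXXXXX-X';
const OPT_OUT_COOKIE = 'ga-opt-out';
const DISABLE_FLAG = 'ga-disable-' + GA_PROPERTY;

// Parse document.cookie (or a Cookie header) into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try { jar[name] = decodeURIComponent(raw); } catch (e) { jar[name] = raw; } // keep malformed values raw
  }
  return jar;
}

function hasOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// Must run before the analytics.js loader: if the visitor opted out, set the disable
// flag on the global object (window in the browser) so analytics.js sends nothing.
// Returns whether tracking is disabled for this page view.
function applyOptOut(globalObj, cookieString) {
  if (hasOptedOut(cookieString)) globalObj[DISABLE_FLAG] = true;
  return globalObj[DISABLE_FLAG] === true;
}

// Called from the opt-out link in the privacy policy: disables tracking for the
// current page immediately and returns the cookie string to persist the choice.
function optOut(globalObj, expiresAt) {
  globalObj[DISABLE_FLAG] = true;
  return OPT_OUT_COOKIE + '=1; expires=' + expiresAt.toUTCString() + '; path=/; SameSite=Lax';
}

// The tracker commands from the page, with anonymizeIp after create and before the
// first send, which is the order in which analytics.js applies it.
function trackerCommands(propertyId) {
  return [
    ['create', propertyId, 'auto'],
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// Sanity check for a command list: no 'send' may precede the anonymizeIp setting.
function anonymizeIpBeforeSend(commands) {
  let anonymized = false;
  for (const cmd of commands) {
    if (cmd[0] === 'set' && cmd[1] === 'anonymizeIp' && cmd[2] === true) anonymized = true;
    if (cmd[0] === 'send' && !anonymized) return false;
  }
  return true;
}

// Replays a command list into a ga() function (window.ga in the browser).
function replay(ga, commands) {
  for (const cmd of commands) ga.apply(null, cmd);
}

// Stand-alone demonstration with a constructed cookie string and a recording ga() stub.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const fakeWindow = {};
  const recorded = [];
  console.log('tracking disabled:', applyOptOut(fakeWindow, 'wordpress_test_cookie=WP+Cookie+check; ga-opt-out=1'));
  replay((...args) => recorded.push(args), trackerCommands(GA_PROPERTY));
  console.log('anonymizeIp before send:', anonymizeIpBeforeSend(recorded));
}
```

In a real page the applyOptOut call goes into a script tag placed before the loader shown above, reading document.cookie and passing window; the opt-out link calls optOut and assigns the returned string to document.cookie. The ordering check is useful as a unit test for whatever theme or plugin emits your tracking snippet: run it over the "before" snippet from this section and it fails, because the pageview is sent before anonymizeIp is set.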

Anonymized IP addresses in blog comments

WordPress stores the IP address of every comment author by default. Keeping the full IP address of every commenter indefinitely is hard to justify under the GDPR. A small PHP snippet in the functions.php of your active WordPress theme prevents WordPress from storing IP addresses from now on; we recommend using a child theme so the code survives theme updates. The code to insert is as follows:

// Hooks pre_comment_user_ip so WordPress stores an empty string instead of the commenter's IP address.
function wpb_remove_commentsip( $comment_author_ip ) {
	return '';
}
add_filter( 'pre_comment_user_ip', 'wpb_remove_commentsip' );

Finally, delete the IP addresses already stored in your database (the comment_author_IP column of the comments table, wp_comments with the default table prefix) in a one-time manual action.
The GDPR has many more (new) requirements for you as a website owner than the technical measures for your WordPress website described here.

We tried to be as compliant as possible on this website by implementing all the steps above. If you need help getting GDPR compliant on your website, please contact me for a quote.

First published by Torben

