What is a GDPR?

On the 25th May 2018 the Regulation of the European Parliament and of the EU Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, called The General Data Protection Regulation, will become applicable. The GDPR function is to harmonize the provisions on the protection of personal data in all 28 EU countries (the United Kingdom may leave the EU only in 2019).

Besides to cosmetic changes related to the names of the office and positions (instead of the General Inspector for Personal Data Protection, the Office for Personal Data Protection is created, and the Personal Data Inspector replaces the Information Security Administrator), new provisions strengthen the data protection of all EU citizens. On the side of the companies, they are obliged to complete all formalities related to the improvement of technical and organizational solutions regarding the protection of personal data. The GDPR also introduces the principles of privacy by default and Right to Be Forgotten. According to privacy by default, privacy protection is set by default in information systems. Right to Be Forgotten allows users to access their data stored by companies and to erase their data from their registry.

The regulations effective since May next year from significantly increase administrative penalties. Currently, these are fines of PLN 10,000 from natural persons and 50,000 PLN from legal persons. After the entry into force of the GDPR, penalties will reach PLN 20 million or 4% of the company’s global turnover.

According to the research of the “Knowledge to Security” Foundation, only more than half of the companies changed their personal data processing procedures, and on May 25 all of them must comply with the new regulations.

GDPR and e-commerce

The new EU regulation will have a major impact on e-commerce. Instead of registering a collection with the office, online store owners will have to keep a record of the processing activities themselves. In addition, online stores will need to have user agreement for profiling. It involves grouping information about customers (e.g. gender, age, location). Persons leading such stores are required to enter separate fields for all consents (so-called checkboxes). All acquiescences must be clearly written so that the user can understand them. E-commerce stores are required to report information leaks from databases. The regulations also demand updating the rules and the security policy.

All these changes concerning e-commerce will initially hinder the lives of people in the industry, but at the price of better protection of personal data.

Impact of the ordinance on data analysis

The SEO industry is largely focused on data analysis, and Google Analytics is a commonly used tool. It is a powerful web service for collecting data on user traffic, location and behavior. Analytics also collects demographic data based on the user’s browser history.

The GDPR provides special protection for data such as race, health, religion or sexual orientation. Data overlapping with Google Analytics is: gender, age and interests, which also have special protection under the regulation. Most Google products are compliant with the GDPR, however, Google Analytics does not yet follow this rule.

The impact of the GDPR on search results

Search engines also collect data from us which they use for personalized search results. Search data can be very sensitive information. They can be used to identify political views as well as health or demographic data. Personalization is an integral part of search today, but it may be illegal soon.

Search engines aim at the users provide with the most relevant search results. Thanks to HTTPS, site security and user experience, which are part of the ranking algorithms, it can happen that transparent data collection based on consent may affect rankings in the future. We’ll have to wait and see!