IMPORTANT NOTE: The information below is not legal advice.  Please consult with an attorney that specializes in the GDPR regulation and all other regulations applicable to your website to make sure the processes of your website are in full compliance.  Brilliant Directories is not liable for any violations of the GDPR or any other regulations that apply to your website.


The European Union passed a new law in 2016 regulating how the personal data of individuals must be obtained, processed, and secured by companies and websites.  This new law raises many questions for directory website owners and Brilliant Directories customers, and we created this FAQ to help answer some of those questions.


IMPORTANT: We have released a tool to help manage user consent, which is an important part of the Lawful Basis For Processing requirement described below.



What is the GDPR?


According to the regulation's website:

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. 


A summary of its purpose is given in Article 5 of the regulation.  All personal data shall be:

"a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."


For more specifics about the contents of the GDPR, please see the full text of the regulation.



What Organizations or Websites Does the GDPR Apply to?


GDPR rules apply to any organization or website that processes or stores personal data of citizens of countries in the European Union

 

Even though Brilliant Directories is based in the United States and all website data is stored exclusively in the United States, if your Brilliant Directories website has personal data of any citizens of European Union countries, this regulation applies to their data.



How is "Personal Data" Defined for the Purposes of the GDPR?


For the purposes of this regulation, "personal data" means any information related to an identifiable person, who can be identified directly or indirectly by referencing the data.


This includes the individual's name, ID numbers, location information, online identifications, IP addresses, photos of the individual, and other related data.


General information about businesses in the European Union, where no specific individual is identified as part of the data, is generally NOT regulated by the GDPR.  If your website contains data about businesses registered in the European Union, but does not have ANY information about a specific individual (individual phone number, individual email address, etc), then the GDPR will generally not regulate that data.



Who is Responsible for Ensuring Compliance with the GDPR?


The owner, or "Controller" in charge of a website and its contents is generally responsible for GDPR compliance.  For Brilliant Directories websites, this means the Brilliant Directories License holder (whomever purchased the license, is the current license holder, or is specifically designated to be the "Controller" of the website for GDPR compliance purposes).


While the Brilliant Directories license holder is ultimately responsible for GDPR compliance, Brilliant Directories also strives to offer tools and resources to make compliance as easy as possible for license holders.



Which Parts of the GDPR Apply to Directory Website Owners? 


The GDPR is a wide-ranging regulation that covers many different industries and situations, and offers many different paths for compliance.  In this section we highlight the portions of the regulations and paths to compliance that most closely apply to directory websites.



Lawful Basis for Processing


The first part of the regulation to ensure compliance with is a legal basis for obtaining a member's information in the first place.  There are several different lawful bases that can be used, but the one that will apply to the vast majority of Brilliant Directories customers is the "Consent" basis.


These are the general principles of a member providing consent:

  • Members must provide their consent to obtain, process, and store their personal data.

  • This consent must be clear, concise, specific as to how their data will be used and for how long (generally this will be indefinitely in the case of a directory), and separate from other terms and conditions.

  • This consent cannot be given through a pre-checked box or similar means, it must be collected through an un-checked box or other means that demonstrates intent to consent.

  • A record of when this consent happened, along with the content of the consent and how the consent was obtained, must also be stored for future reference.

  • Identify any 3rd parties that will also process or store their personal data.  By default, the only other 3rd party that would be sent their data from a Brilliant Directories website would be a payment gateway.  If the website owner provides access to member data to another 3rd party, this must be clear in the consent as well.

  • It must be clear that members can withdraw this consent at any point, and how to do so.



Individual Rights


Once individuals have provided consent for the website to obtain, process, and store their data, they have specific ongoing rights regarding that data.



Right to be Informed


If members of a website have not already provided consent to the levels outlined above, then they must be informed that their data is being used on the website.


Generally speaking, this will apply to members that have not signed up themselves in the past and are not aware of how their data is being used on the website.  


If personal data about members was added to the website without their knowledge or consent, this data should be removed or consent from the individual must be obtained to continue using their data in order to be GDPR compliant.



Right of Access / Right to Rectification / Right to Object


Individuals have the right to access and update the personal data of theirs that the website is storing or processing.  For Brilliant Directories websites, if the above criteria are satisfied, then members inherently have the ability to access and update all of their personal data stored on the website.  And because members have direct access to all of their data, they can object to its use by removing or modifying it as desired.



Right to be Forgotten


Individuals have the right to request that their personal data being stored and processed on the website to be erased completely.  All members have access to change / erase their personal data by logging into their member account, and can also contact the website owner to erase their data completely, which can be done in the Admin area of every Brilliant Directories website.



Right to Data Portability


Individuals have the right to get a copy of their data stored by the website in a standard format, such as a CSV file.  For Brilliant Directories websites, this data can be exported directly from the website's database in CSV format.  To do this, an Admin of the site can login to their account and navigate to Developers >> MySQL Database.

From here, click on the database in the left sidebar that ends in _directory, and then click on the users_data table.  This table has all of the personal data about the members.  Search for the member that needs the data and this data can then be exported in CSV format.


For an even easier way to do this, please see the Export Member Data Add-On.



Security


The GDPR requires that the latest security best practices are implemented in the hosting of a website and the storage of data.  All websites using the Brilliant Directories platform are hosted in the IBM/Softlayer data center in Dallas, TX, which implements the latest security best practices.  For details about the security practices and features employed in the data center, please see these resources:

https://www.ibm.com/cloud/security

https://www.ibm.com/cloud/compliance


To ensure security in the transfer of data to and from the data center, please make sure a valid SSL Certificate from a reputable Certificate Authority is applied to the website.  This can be purchased from any Certificate Authority or reseller and installed through cPanel (Admin Area >> Developers >> cPanel Dashboard).  Brilliant Directories also offers a service for this here, or as a part of the VIP Add-Ons package.



The GDPR Applies to Personal Data


While the items outlined in the GDPR are generally good practices for establishing a relationship of transparency and trust with your members, some website owners would prefer to avoid having to comply with these regulations altogether.  Complying can be burdensome for many website owners, especially small business and single-proprietor websites.


If you want to make sure you do not have to worry about being compliant with the GDPR, the easiest way to do so would be to simply delete all member content on your website that is related to citizens of European Union countries.  While this is not ideal for many situations, some website owners that are not primarily focused on EU countries may find this to be the best option.


Short of doing this, there are some other steps a website owner can take to avoid worrying about GDPR compliance:

  • Remove any personal data related to citizens of EU countries and only keep general business-related information.

  • Do not import member data that contain personal information of citizens of EU countries; only allow members to sign up themselves, in which case they will be fully aware of how the data is being used.

  • Update the Country Settings of the site to exclude all EU countries (Admin Area >> Settings >> Country Settings).  This will prevent members from signing up using a credit card from any of these countries.  While this will not be 100% prohibitive, it will help restrict the number of members from EU countries.