What is GDPR?
The General Data Protection Regulation (GDPR) is a EU-wide regulation that controls how companies and other organizations handle personal data. It is the most significant initiative on data protection in 20 years and has major implications for any organization in the world, serving individuals from the European Union.
To give people control over how their data is used and to protect “fundamental rights and freedoms of natural persons”, the legislation sets out strict requirements on data handling procedures, transparency, documentation and user consent.
Any organization must keep record of and monitor personal data processing activities
As data controller, any organization must keep record of and monitor personal data processing activities. This includes personal data handled within the organization, but also by third parties – so called data processors.
Data processors can be anything from Software-as-a-Service providers to embedded third party services, tracking and profiling visitors on the organization’s website.
Both data controllers and processors must be able to account for what kind of data is being processed, the purpose of the processing and to which countries and third parties the data is transmitted. Data may only transfer to other GDPR compliant organizations, or those within jurisdictions deemed ‘adequate’.
All consents must be recorded as evidence that consent has been given
No processing of sensitive personal data is allowed without a person’s explicit consent. For non-sensitive data, implied consent will do. In either case the consent must be freely given on basis of clear and specific information about data types and purpose – and always before any processing takes place, also known as ‘prior’ consent. All consents must be recorded as evidence that consent has been given.
Individuals now have the “right of data portability”, the “right of data access” along with the “right to be forgotten” and can withdraw their consent whenever they want. In such case the data controller must delete the individual’s personal data if it’s no longer necessary to the purpose for which it was collected.
In case of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.
Furthermore, GDPR imposes an obligation on public authorities, organizations with more than 250 employees and companies processing sensitive personal data at a large scale to employ or train a data protection officer (DPO). The DPO must take measures to ensure GDPR compliance throughout the organization.
In relation to Brexit, the UK Government plans to implement equivalent legislation that will largely follow the GDPR.
What does the GDPR mean for my website?
If your website is serving individuals from the EU and you – or embedded third party services like Google and Facebook – are processing any kind of personal data, you need to obtain prior consent from the visitor.
To obtain valid consent, you need to describe the extent and purpose of your data processing in plain language to the visitor, prior to processing any personal data.
All consents must be logged as proof and all tracking of personal data, also by embedded third party services, must be documented, hereunder to which countries data is transmitted.
Check out the EU-infopage on the reform of the data protection laws.
See also their infographic Data Protection – Better rules for small business
How GDPR Cookie Manager helps
Using our tool, you can automate GDPR compliance for your website on the requirements regarding tracking and consent.
GDPR Cookie Manager enables you to monitor and document any kind of tracking on your website, display the relevant information to your website visitors and automatically obtain and log all user consents.
What is the definition of personal data?
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Online identifiers such as IP addresses now qualify as personal data, unless anonymized.
Pseudonymized personal data is also subject to the GDPR, if it by reverse engineering is possible to identify whose data it is.
GDPR enforcement date: 25th of May 2018
The EU data protection reform was adopted by the European Parliament and the European Council on April 27th, 2016. The European Data Protection Regulation is applicable as of May 25th, 2018, and replaces the Data Protection Directive.
GDPR Fines and Penalties
Organizations in non-compliance risk heavy fines of up to €20 million, or 4% of the organization’s global yearly turnover, whichever is higher.
GDPR compliance and requirements
GDPR Courses, Training and Certification:
You can achieve the EU GDPR Foundation (EU GDPR F) and EU GDPR Practitioner (EU GDPR P) qualifications (both ISO 17024-accredited) on various courses from i.e. IT Governance. The International Association of Privacy Professionals (IAPP) also provides online training.
GDPR Compliance Software:
There are numerus toolkits, frameworks and software solutions that can assist you in the process of getting GDPR compliant, i.e. DPOrganizer, that helps you make your personal data processing compliant.
GDPR Cookie Manager can help you automate the handling of user consents on your website and document cookies and other trackers in use.
Original Article: cookiebot.com
Nice to read
General Data Protection Regulation PDF download
EU Commission: Protection of personal data
GDPR ‘adequate’ countries
UK Information Commissioner’s Office (ICO): The UK data protection reform
Privacy by Design – The 7 Foundational Principles (PDF)
2018 reform of EU data protection rules
Infographic: Better rules for small business