The General Data Protection Regulation (GDPR) is a pan-European regulation that controls the way companies and other organizations handle personal data. It is the most important data protection initiative in 20 years and has significant implications for every organization in the world that serves people from the European Union.
To give people control over how their data is used and to protect the "fundamental rights and freedoms of individuals", the legislation sets strict requirements for data handling, transparency, documentation and user consent.
Each organization must maintain a record and monitor the processing of personal data
As a data controller, each organization must keep a record and monitor personal data processing activities. This includes personal data managed by the organization, but also by third parties - the so-called data processors.
Data processors can be anything from software-as-a-service providers to embedded third-party services that track visitor traffic on the organization's website.
Both data controllers and processors must be accountable for the type of data being processed, the purpose of the processing, and the countries and third parties to which the data is transmitted.
If personal data is sent to organizations or jurisdictions beyond the reach of the GDPR or which are not considered "adequate" by the GDPR, you must specifically inform the user about it and the risks involved.
All consents must be recorded as proof that consent has been given
On 4 May 2020, the European Data Protection Board (EDPB) adopted guidelines on valid consent under the GDPR.
Valid consent must be a free, specific, up-to-date and clear indication of the user's wishes, i.e. a clear and affirmative action by the user.
The EDPB guidelines make it clear that scrolling or continuing to browse a site is not valid consent, and that cookie banners may not use check boxes that are ticked by default.
Cookie walls (compulsory consent) are also considered non-compliant.
The EDPB is the highest supervisory authority responsible for implementing the GDPR across the EU and is composed of representatives of the data protection authorities of each EU Member State. Their guidelines and decisions are the basis for enforcing the GDPR at national level.
Individuals now have the "right to transfer data" and the "right to access data" along with the "right to be forgotten", and can revoke their consent whenever they wish. In that case the data controller must delete the individual's personal data if it is no longer necessary for the purpose for which it was collected.
In the event of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.
In addition, the GDPR obliges public authorities, organizations with more than 250 employees, and companies that process sensitive personal data on a large scale to employ or train a Data Protection Officer (DPO). The DPO must take steps to ensure GDPR compliance throughout the organization.
In relation to Brexit, the UK government plans to implement equivalent legislation that will largely follow the GDPR.
What does GDPR mean for my site?
If your site serves people from the EU and you - or embedded third-party services such as Google and Facebook - process any kind of personal data, you must obtain prior consent from the visitor.
To obtain valid consent, you must describe the extent and purpose of your data processing to the visitor in plain language before processing any personal data.
This information must be available to the visitor at all times, e.g. as part of your privacy policy. You should also provide an easy way for the visitor to change or revoke their consent.
All consents must be recorded as proof, and all processing of personal data, including by integrated third-party services, must be documented, along with the countries to which data is transmitted.
See the EU information page on the data protection law reform.
What is the definition of personal data?
The GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Online identifiers such as IP addresses are now considered personal data unless they are anonymized.
Pseudonyms are also subject to the GDPR if the data they belong to can be identified by reverse engineering.
Date of implementation of the GDPR: 25 May 2018
The EU Data Protection Reform was approved by the European Parliament and the European Council on 27 April 2016. The European Data Protection Regulation applies from 25 May 2018 and replaces the Data Protection Directive.
GDPR fines and penalties
Organizations that fail to comply risk being fined up to €20 million or 4% of their global annual turnover, whichever is higher.
GDPR checklist: 6 things I need to do
1. Prepare your organization:
Introduce stakeholders across your organization to the GDPR requirements. Provide training on cybersecurity, privacy by design and privacy by default. Designate a Data Protection Officer (DPO) if required, i.e. if more than 250 people are employed.
2. Audit your data:
Make sure you know where all your data lives, who has access to it and on which devices it is stored. Determine where personal data is processed, including by third-party processors. Document the legal basis for processing and update current privacy policies.
3. Audit your partners:
Make sure service partners, i.e. third-party services embedded in your site or software-as-a-service providers, also comply with the GDPR; otherwise you risk the official data protection penalties. Check and map their international data flows.
4. Obtain consent:
Apply methods for seeking, obtaining and recording consent to ensure compliance. Keep a clear record of what each individual data subject consents to, and give data subjects options for revoking or changing their consent.
5. Respond to data subject rights:
Implement procedures that allow your organization to comply with data subject rights, i.e. data access, correction and deletion. Document how these rights will be exercised by both customers and employees.
6. Prepare for data breaches:
Ensure that procedures are in place to detect, investigate and report breaches of personal data within the 72-hour deadline for GDPR notification.
GDPR compliance and requirements
Courses, training and GDPR certification:
You can obtain the qualifications of the EU GDPR Foundation (EU GDPR F) and EU GDPR Practitioner (EU GDPR P) (both ISO 17024-accredited) in various courses from e.g. IT Governance. The International Association of Privacy Professionals (IAPP) also provides online training.
GDPR compliance software:
There are numerous toolkits, frameworks and software solutions that can help you with the GDPR compliance process, e.g. DPOrganizer, which helps you map your own personal data processing.
Cookiebot can help you automate user consent handling on your site and document the cookies and other trackers used.