What is the GDPR?
The General Data Protection Regulation is an EU-wide regulation that controls how companies and other organizations handle personal data. It is the most significant data protection initiative in 20 years and has major implications for every organization in the world serving people in the European Union.
To give people control over how their data is used and to protect the "fundamental rights and freedoms of individuals," the legislation sets strict requirements for data processing procedures, transparency, documentation and user consent.
Every organization must record and monitor personal data processing activities.
As a data controller, every organization must record and monitor personal data processing activities. This covers personal data processed within the organization itself, but also data processed on its behalf by third parties, the so-called data processors.
Data processors can be anything from software vendors as service providers to embedded third-party services that track and profile users on an organization's website.
Both data controllers and processors must be able to account for what type of data is being processed, the purpose of the processing, and to which countries and third parties the data is being sent. Data may be transferred to other GDPR-compliant organizations or to countries deemed "adequate."
All consents must be recorded as proof that consent was given.
The processing of sensitive personal data is not permitted without the express consent of the person in question. In the case of non-sensitive data, implicit consent will do. In both cases, consent must be given voluntarily on the basis of clear and detailed information about the types and purposes of the data - and always before processing begins, also known as "prior" consent. All consents must be recorded as proof that consent was given.
Individuals now have a "right to data portability," a "right of access to data," along with a "right to be forgotten," and can withdraw their consent whenever they wish. In this case, the data controller must delete the person's personal data if it is no longer necessary for the purpose for which it was collected.
In the event of a data breach, the company must be able to notify data protection authorities and data subjects within 72 hours.
In addition, the GDPR requires public authorities, organizations with more than 250 employees and companies that process sensitive personal data on a large scale to hire or train a data protection officer (DPO). The DPO must take steps to ensure compliance with the GDPR throughout the organization.
Regarding Brexit, the UK government is planning to implement equivalent legislation that will largely comply with the GDPR.
What does the GDPR mean for my website?
If your website caters to EU individuals and you - or third-party services such as Google and Facebook - process any personal data, you must obtain prior consent from your website user.
To obtain valid consent, before processing any personal data, you must describe to your visitors the scope and purpose of the processing in plain language.
This information must be available to the visitor at all times, such as in a privacy policy. You must also provide the user with an easy way to change or withdraw consent.
All consents must be recorded as evidence, and any tracking of personal data, including by embedded third-party services, must be documented, including to which countries the data is sent.
Check out the EU infographic on data protection reform.
Also see their infographic Data Protection - Better Rules for Small Businesses.
How does the Cookiesaur tool help?
Using our tool, you can automate your site's compliance with GDPR policies in terms of tracking and consent requirements.
Cookiesaur allows you to personalize and manage all kinds of tracking on your site, display relevant information to your site visitors and automatically obtain and record all user consents in your own cookie.
What is the definition of personal data?
The GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Online identifiers, such as IP addresses, now qualify as personal data unless they are anonymized.
Pseudonymized personal data is also subject to the GDPR if the pseudonymization can be reversed to determine who the data subject is.
Effective date of the GDPR: May 25, 2018.
The EU data protection reform was adopted by the European Parliament and the European Council on April 27, 2016. The General Data Protection Regulation is applicable as of May 25, 2018, and replaces the Data Protection Directive.
Fines and penalties in the GDPR
Organizations failing to comply face hefty fines of up to €20 million or 4% of the organization's global annual turnover, whichever is higher.
GDPR checklist: 6 things to do
1. Prepare your organization:
Introduce employees in your organization to the requirements of the GDPR. Conduct training for employees on cyber security and on Privacy by Design and Privacy by Default. Appoint a Data Protection Officer (DPO) if necessary, i.e. if you employ more than 250 people.
2. Control your data:
Make sure you know where all your data is, who has access and on what devices. Identify where personal data is processed, including by third parties. Document the basis for lawful processing and update current privacy policies.
3. Audit service partners:
Ensure that service partners, i.e. embedded third-party services on your site or software providers acting as service providers, are also compliant with the GDPR or fall under an officially recognized data jurisdiction. Review and map their international data flows.
4. Obtain consent:
Implement methods to seek, obtain and record consent to ensure compliance. Keep a clear record of what each data subject has agreed to, and provide data subjects with the ability to revoke or amend their consent.
5. Respond to data rights:
Implement procedures that enable the organization to respond to data subjects' rights, i.e. access, correction and deletion. Document how these will be exercised in both customer and employee contexts.
6. Be prepared for data security breaches:
Ensure that procedures are in place to detect, investigate and report data breaches so that the 72-hour notification deadline can be met.
Compliance with the requirements of the GDPR
GDPR courses, training and certification:
We work with law firms and software houses experienced in taking you step by step through a checklist to prepare your company for the GDPR and ePrivacy. If you would like to learn more, please contact us by email.
GDPR-compliant software:
There are a number of toolkits, frameworks and software solutions that can help with the process of becoming GDPR compliant and ensuring the security of personal data processing.
Cookiesaur can help automate user consent handling on your site and documentation of cookies and other trackers used on the site.