The General Data Protection Regulation (GDPR) is an EU-wide regulation that controls how companies and other organizations handle personal data. It is the most significant initiative on data protection in 20 years and has major implications for any organization in the world that serves individuals from the European Union.
To give people control over how their data is used and to protect "fundamental rights and freedoms of natural persons", the legislation sets out strict requirements on data handling procedures, transparency, documentation and user consent.
As data controller, any organization must keep a record of and monitor personal data processing activities. This includes personal data handled within the organization, but also by third parties, so-called data processors.
Data processors can be anything from Software-as-a-Service providers to embedded third-party services that track and profile visitors on the organization’s website.
Both data controllers and processors must be able to account for what kind of data is being processed, the purpose of the processing and to which countries and third parties the data is transmitted.
If personal data is being sent to organizations or jurisdictions beyond the reach of the GDPR or that are not deemed 'adequate' by the GDPR, one must inform the user specifically about this and the risks involved.
All consents must be recorded as evidence that consent has been given.
On October 1, 2019, the Court of Justice of the European Union ruled that the only form of valid consent in the EU is explicit consent.
This means that websites must obtain an affirmative and active consent for any type of personal data, and not only sensitive categories of personal data, as the GDPR mandates.
The CJEU ruling on valid consent means that your website’s consent banner is not allowed to have any pre-ticked checkboxes on categories of cookies apart from those strictly necessary for the basic function of your website.
This is known as prior consent.
Individuals now have the "right of data portability" and the "right of data access" along with the "right to be forgotten", and can withdraw their consent whenever they want. In such a case, the data controller must delete the individual’s personal data if it is no longer necessary for the purpose for which it was collected.
In case of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.
Furthermore, GDPR imposes an obligation on public authorities, organizations with more than 250 employees and companies processing sensitive personal data at a large scale to employ or train a data protection officer (DPO). The DPO must take measures to ensure GDPR compliance throughout the organization.
In relation to Brexit, the UK Government plans to implement equivalent legislation that will largely follow the GDPR.
If your website is serving individuals from the EU and you - or embedded third party services like Google and Facebook - are processing any kind of personal data, you need to obtain prior consent from the visitor.
To obtain valid consent, you need to describe the extent and purpose of your data processing in plain language to the visitor, prior to processing any personal data.
All consents must be logged as proof, and all tracking of personal data, including by embedded third-party services, must be documented, including to which countries data is transmitted.
Check out the EU-infopage on the reform of the data protection laws.
See also their infographic "Data Protection - Better rules for small business".
Using Cookiebot, you can automate GDPR compliance for your website on the requirements regarding tracking and consent.
Cookiebot enables you to monitor and document any kind of tracking on your website, display the relevant information to your website visitors and automatically obtain and log all user consents.
The GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Online identifiers such as IP addresses now qualify as personal data, unless anonymized.
Pseudonymized personal data is also subject to the GDPR if it is possible to identify whose data it is by reverse engineering.
The EU data protection reform was adopted by the European Parliament and the European Council on April 27th, 2016. The European Data Protection Regulation is applicable as of May 25th, 2018, and replaces the Data Protection Directive.
Organizations in non-compliance risk heavy fines of up to €20 million, or 4% of the organization's global yearly turnover, whichever is higher.
Introduce stakeholders across your organization to the requirements of GDPR. Conduct employee training in Cyber Security, Privacy by Design and Privacy by Default principles. Assign a Data Protection Officer (DPO) if required, i.e. if you employ more than 250 people.
Make sure you know where all your data lives, who has access and on what devices. Identify where personal data is processed, including by third party processors. Document the grounds for lawful processing and update current privacy policies.
Make sure that service partners, i.e. embedded third party services on your website or Software-as-a-Service providers, are also compliant with GDPR, or under an officially sanctioned data jurisdiction. Review and map their international data flows.
Implement methods for seeking, obtaining and recording consent to ensure compliance. Keep a clear record of what each individual data subject consented to and provide options for the data subject to revoke or change a consent.
Implement procedures that enable your organization to respond to data subject rights, i.e. data access, rectification and erasure. Document how they will be exercised in both customer and employee contexts.
Ensure that there are procedures in place to detect, investigate and report on personal data breaches to meet the GDPR's 72-hour deadline for notification.
You can achieve the EU GDPR Foundation (EU GDPR F) and EU GDPR Practitioner (EU GDPR P) qualifications (both ISO 17024-accredited) through various courses from, e.g., IT Governance. The International Association of Privacy Professionals (IAPP) also provides online training.
There are numerous toolkits, frameworks and software solutions that can assist you in the process of becoming GDPR compliant, e.g. DPOrganizer, which helps you make your personal data processing compliant.
Cookiebot can help you automate the handling of user consents on your website and document cookies and other trackers in use.
General Data Protection Regulation PDF download
EU Commission: Protection of personal data
GDPR 'adequate' countries
UK Information Commissioner’s Office (ICO): The UK data protection reform
Privacy by Design - The 7 Foundational Principles (PDF)
2018 reform of EU data protection rules
Infographic: Better rules for small business