Learn About GDPR and Website Compliance


What is GDPR?

What Does GDPR Stand For?


GDPR (General Data Protection Regulation) is the most significant change in data protection for decades. The regulation requires businesses to protect the personal data and privacy of EU citizens. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. Any company that does business in Europe needs to comply with GDPR.

Why GDPR?


The overall objective of GDPR is to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying data and privacy regulations. GDPR is a regulation and replaces a directive (the Data Protection Directive). As a regulation, GDPR helps to unify data and privacy regulation across the EU, reducing administration and inconsistencies among local laws. With a directive, unlike a regulation, each member state has discretion over how it implements data protection rules, so the rules can differ from country to country.

Who does GDPR apply to?


While the regulation originates from the EU, it also applies to companies outside the EU that offer goods and services (paid or free) to, or monitor the behaviour of, individuals in the EU.

Under the former Data Protection Directive, a business was subject to the data protection law only if it was located in an EU country or used equipment in an EU country to process data. However, the new regulation also applies to any business that offers goods or services to individuals in the EU or monitors such individuals’ behavior. This is a broad expansion of the requirements that will affect many more organizations across the globe.

What are the penalties?


GDPR penalties can reach a maximum of EUR 20 million or 4 percent of the organisation's annual revenue (whichever is greater), depending on the facts and circumstances of the case.

Furthermore, for the first time, class action litigation is also allowed, resulting in exposure to both regulatory enforcement and private litigation for the same transgression.

What is personal data?


Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data.

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.

Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

Examples of personal data include a name, surname, an email address such as [email protected], a home address, an ID card number, a cookie ID and an Internet Protocol (IP) address.

Examples of data not considered personal data include a company registration number, an email address such as [email protected] and anonymised data.

Transferring data outside EU


Personal data can flow from the European Economic Area (EEA), which includes all EU countries and the non-EU countries Iceland, Liechtenstein and Norway, to third countries without any further safeguard when the European Commission has acknowledged the country as having adequate protection. Countries recognised as providing adequate protection are Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework). Talks are ongoing with Japan and South Korea.

Who enforces GDPR?


GDPR is enforced by Data Protection Authorities (DPAs), which provide expert advice on data protection issues and handle complaints about violations of GDPR. There is one in each EU Member State.

The main contact point for questions on data protection is the DPA in the EU Member State where your company/organisation is based. However, if your company/organisation processes data in different EU Member States or is part of a group of companies established in different EU Member States, that main contact point may be a DPA in another EU Member State.

Do we need a Data Protection Officer?


Your company/organisation needs to appoint a DPO, whether it’s a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals. In that respect, monitoring the behaviour of data subjects includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.

The DPO may be a staff member of your organisation or may be contracted externally on the basis of a service contract. A DPO can be an individual or an organisation.

It is worth mentioning that the GDPR is based on a risk-based approach and organisations are encouraged to implement protective measures corresponding to the level of risk of their data processing activities.

Does GDPR apply to Small & Medium Sized Businesses?


Yes, the application of the data protection regulation depends not on the size of your company/organisation but on the nature of your activities. Activities that present high risks for the individuals’ rights and freedoms, whether they are carried out by an SME or by a large corporation, trigger the application of more stringent rules. However, some of the obligations of the GDPR may not apply to all SMEs.

For instance, companies with fewer than 250 employees don’t need to keep records of their processing activities unless processing of personal data is a regular activity, poses a threat to individuals’ rights and freedoms, or concerns sensitive data or criminal records.

Similarly, SMEs will only have to appoint a Data Protection Officer if processing is their main business and it poses specific threats to the individuals’ rights and freedoms (such as monitoring of individuals or processing of sensitive data or criminal records) in particular because it’s done on a large scale.

What should we do in case of a data breach?


A data breach occurs when the data for which your company/organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, your company/organisation has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach. If your company/organisation is a data processor it must notify every data breach to the data controller.

How can I make our organization GDPR compliant?


The General Data Protection Regulation (GDPR) is based on the risk-based approach. Companies/organisations processing personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities. Therefore, the obligations on a company processing a lot of data are more onerous than on a company processing a small amount of data.

For example, the probability of hiring a data protection officer for a company/organisation processing a lot of data is higher than for a company/organisation processing a small amount of data. At the same time, the nature of the personal data and the impact of the envisaged processing also play a role. Processing of a small amount of data, but which is of a sensitive nature, for example health data, would require implementing more stringent measures to comply with the GDPR.

How do I Make a Website GDPR compliant?



Is our website affected by GDPR?


If your organisation/business interacts or does business with EU citizens, for instance if you sell products/services to them or monitor individuals' behaviour online, then GDPR applies to you.

If you use third-party tools from e.g. Google or Facebook which collect personal data, then you need to obtain valid consent before a cookie or tracking technology is placed on the visitor's computer.

If you have contact forms or newsletters collecting data from EU citizens, then GDPR also applies to you and you need to ensure that your processing of their personal data is lawful.

Are you aware what trackers you have on your website?


Many websites use tracking technologies, including cookies, pixels and tags, to advertise, collect statistics and perform marketing campaigns. Under the GDPR, you are responsible for providing notice and obtaining consent for each one of these technologies. Make sure to do a web audit of your website and see what trackers you have enabled and running.

If you are unsure what trackers you have on your website, use the free tool; it will provide a result within 5 minutes or less.

Are you gathering consent the right way?


There are specific requirements for how to obtain valid consent. The consent must be informed, unambiguous, explicit, freely given and specific; the individual must have the right to withdraw it; and it must be written in plain language that is clearly visible. For consent to be informed, the individual must receive at least the following information:

  • the identity of the organisation processing data;
  • the purposes for which the data is being processed;
  • the type of data that will be processed;
  • the possibility to withdraw the given consent (for example, an unsubscribe link at the end of an email);
  • if the consent is related to an international transfer, the possible risks of data transfers to third countries.

Below is an example of how you can communicate and receive valid consent:

  1. Consent should be affirmative, specific and unambiguous
  2. Details of recipients and data controller
  3. Purpose of processing and notification of profiling
  4. Duration
  5. Withdraw consent
  6. Link to complain, correct and transfer data
  7. Can decline

Are your privacy banners affirmative?


The standard phrase included in cookie notices, “by using this site, you accept cookies”, will not be sufficient under GDPR, as it only suggests implied consent and is ambiguous and generic. You will now need granular levels of control, with separate consents for tracking and analytics cookies, as well as mechanisms to signal customer consent. Visitors need to take an affirmative action.

Have you made it easy to withdraw consent?


It should be as easy to withdraw as to give consent. If consent is withdrawn your company/organisation can no longer process the data. Once consent has been withdrawn, your company/organisation needs to ensure that the data is deleted unless it can be processed on another legal ground (for example storage requirements or as far as it is a necessity to fulfil the contract).

If the data was being processed for several purposes your company/organisation can’t use the personal data for the part of the processing for which consent has been withdrawn or for any of the purposes, depending on the nature of the withdrawal of consent.

Example: You’re providing an online newsletter. Your client gives their consent to subscribe to the online newsletter that allows you to process all the data on their interests to build a profile of what articles they consult. One year on, they inform you that they no longer wish to receive the online newsletter. You must delete all personal data relating to that person collected in the context of the newsletter subscription from your database, including the profile(s) relating to that person.

Have you named the 3rd party plugins that process data?


Your privacy banners must clearly identify each party for which consent is being granted. It isn’t enough to state a category name such as analytics; the banner should include the identity of the organisation, e.g. Google, which processes the data.

How can visitors and customers contact you for personal data?


Individuals may contact your company/organisation to exercise their rights under the GDPR (rights of access, rectification, erasure, portability, etc.). Where personal data is processed by electronic means, your company/organisation should provide means for requests to be made electronically. Your company/organisation must reply to their request without undue delay, and in principle within 1 month of the receipt of the request.

It can ask them for additional information in order to confirm the identity of the person making the request.

If your company/organisation rejects the request then it has to inform the person of the reasons for doing so and of their right to file a complaint with the Data Protection Authority and to seek a judicial remedy.

Do you have evidence of valid consent?


GDPR requires you to keep evidence of consent – who, when, how, and what you told people. Good practice would be to document both consent given and rejected for visitors and customers when you process their personal data.
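As an added example (not code from the original page), the consent rules above, the granular per-purpose banner, the naming of each third party, withdrawal that is as easy as giving consent, and the evidence record of who, when, how and what they were told, expressed as a small consent ledger. PURPOSES, recordConsent, withdrawConsent and the organisation names are assumptions for illustration.

```javascript
// Added example: a minimal consent ledger, not the page's or any vendor's code.
// Each purpose names the organisation that processes the data, not just a category.
const PURPOSES = {
  analytics:   { controller: 'Example Ltd', recipients: ['Google'] },    // assumed names
  advertising: { controller: 'Example Ltd', recipients: ['Facebook'] },
};
const consentLog = [];       // evidence of every decision, given or refused
const dataStore = new Map(); // key "subject:purpose" -> data held under that consent

// Record an affirmative, granular decision. Only an explicit `true` counts;
// a missing purpose or "implied" consent (scrolling, continued use) is refused.
function recordConsent(subjectId, choices, noticeVersion, method) {
  const entry = {
    subjectId,                            // who
    timestamp: new Date().toISOString(),  // when
    method,                               // how, e.g. 'banner-click'
    noticeVersion,                        // what they were told
    choices: {},
  };
  for (const p of Object.keys(PURPOSES)) entry.choices[p] = choices[p] === true;
  consentLog.push(entry);
  return entry;
}

// The most recent record for a subject is authoritative; no record means no consent.
function hasConsent(subjectId, purpose) {
  for (let i = consentLog.length - 1; i >= 0; i--) {
    if (consentLog[i].subjectId === subjectId) return consentLog[i].choices[purpose] === true;
  }
  return false;
}

// Every tracker load and every write is gated on the consent check.
function storeData(subjectId, purpose, value) {
  if (!hasConsent(subjectId, purpose)) throw new Error(`no consent for ${purpose}`);
  dataStore.set(`${subjectId}:${purpose}`, value);
  return true;
}

// Withdrawing one purpose leaves the others untouched, is logged as evidence, and
// erases the data held under that purpose (another legal ground is not modelled).
function withdrawConsent(subjectId, purpose, method) {
  const prev = consentLog.slice().reverse().find(e => e.subjectId === subjectId);
  const choices = { ...(prev ? prev.choices : {}), [purpose]: false };
  recordConsent(subjectId, choices, prev ? prev.noticeVersion : 'none', method);
  dataStore.delete(`${subjectId}:${purpose}`);
  return !hasConsent(subjectId, purpose);
}
```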

Have you updated your data and privacy policies?


You will need to update your associated policies e.g. a data protection policy. It is important for businesses to have documented policies in place to enable your staff to have a clear understanding of what is required of them.

These policies can include information such as training policy, information security policy, retention of records procedure, subject access request form and procedure, privacy procedure, international data transfer procedure, data portability procedure and complaints procedure.

Have you cleaned up your mailing lists?


Make sure to clean up your email databases. If your database of subscribers was not collected according to GDPR standards, then you will need to validate that you have received the necessary consent. This could include sending subscribers a re-permission email so that they can choose to opt in again. This will provide proof of consent and make your business GDPR compliant.

Are you collecting too much information?


GDPR introduces the concept of data minimization, which mandates you to only collect as much data as is required to successfully accomplish a given task. So, while it may be easy to add an extra field to collect information about phone number, gender, and location, you have to evaluate whether you need it to process the request. Additionally, data collected for one purpose cannot be repurposed without further consent.