Learn About GDPR and Website Compliance
What is GDPR?
- Why GDPR?
- Who does GDPR apply to?
- What are the penalties?
- What is personal data?
- Transferring data outside the EU
- Who enforces GDPR?
- Do we need a Data Protection Officer?
- Does GDPR apply to SME businesses?
- What should we do in case of a data breach?
- How can I make our organization GDPR compliant?
- How do I make a website GDPR compliant?
- Is my website affected by GDPR?
- What trackers do you have on your website?
- Are you gathering consent the right way?
- Are your privacy banners affirmative?
- Have you made it easy to withdraw consent?
- Got names for 3rd party plugins that process data?
- Can visitors contact you for their personal data?
- Do you have evidence of valid consent?
- Have you updated your data and privacy policies?
- Have you cleaned up your mailing lists?
- Are you collecting too much information?
What is GDPR?
What Does GDPR Stand For?
GDPR (General Data Protection Regulation) is the most significant change in data protection for decades. The regulation requires businesses to protect the personal data and privacy of EU citizens. It introduces tougher fines for non-compliance and breaches and gives people more say over what companies can do with their data. Any company that does business in Europe needs to comply with GDPR.
The overall objective of GDPR is to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying data and privacy regulations. GDPR is a regulation and replaces a directive (the Data Protection Directive). As a regulation, GDPR helps to unify data and privacy regulation in the EU and so reduces administration and inconsistencies among local laws. With a directive, unlike a regulation, each member state has discretion over how it implements data protection rules, so the rules can differ from country to country.
Who does GDPR apply to?
While the regulation originates from the EU, it also applies to companies outside the EU that offer goods and services (paid or free) to individuals in the EU or that monitor the behavior of individuals in the EU.
Under the former Data Protection Directive, a business was subject to the data protection law only if it was located in an EU country or used equipment in an EU country to process data. However, the new regulation also applies to any business that offers goods or services to individuals in the EU or monitors such individuals’ behavior. This is a broad expansion of the requirements that will affect many more organizations across the globe.
What are the penalties?
GDPR penalties can reach a maximum of EUR 20 million or 4 percent of the organization's annual revenue (whichever is greater), depending on the facts and circumstances of the case.
Furthermore, for the first time, class action litigation is also allowed, resulting in exposure to both regulatory enforcement and private litigation for the same transgression.
What is personal data?
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymized but can be used to re-identify a person remains personal data and falls within the scope of the law.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymized, the anonymization must be irreversible.
Examples of personal data include a name, a surname, an email address such as [email protected], a home address, an ID card number, a cookie ID and an Internet Protocol (IP) address.
Examples of data not considered personal data include a company registration number, an email address such as [email protected] and anonymized data.
Transferring data outside the EU
Personal data can flow from the European Economic Area (EEA), which includes all EU countries plus the non-EU countries Iceland, Liechtenstein and Norway, to a third country without any further safeguard when the European Commission has recognized that country as providing adequate protection. Countries recognized as providing adequate protection are Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework). Talks are ongoing with Japan and South Korea.
Who enforces GDPR?
GDPR is enforced by Data Protection Authorities (DPAs), which provide expert advice on data protection issues and handle complaints about violations of GDPR. There is one in each EU Member State.
The main contact point for questions on data protection is the DPA in the EU Member State where your company/organization is based. However, if your company/organization processes data in different EU Member States or is part of a group of companies established in different EU Member States, that main contact point may be a DPA in another EU Member State.
Do we need a Data Protection Officer?
Your company/organization needs to appoint a DPO, whether it is a controller or a processor, if its core activities involve the processing of sensitive data on a large scale or involve large-scale, regular and systematic monitoring of individuals. In that respect, monitoring the behavior of data subjects includes all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising.
The DPO may be a staff member of your organization or may be contracted externally on the basis of a service contract. A DPO can be an individual or an organization.
It is worth mentioning that the GDPR is based on a risk-based approach and organizations are encouraged to implement protective measures corresponding to the level of risk of their data processing activities.
Does GDPR apply to Small & Medium-Sized Businesses?
Yes. Whether the data protection regulation applies depends not on the size of your company/organization but on the nature of its activities. Activities that present high risks to individuals' rights and freedoms, whether they are carried out by an SME or by a large corporation, trigger the application of more stringent rules. However, some of the obligations of the GDPR may not apply to all SMEs.
For instance, companies with fewer than 250 employees don’t need to keep records of their processing activities unless processing of personal data is a regular activity, poses a threat to individuals’ rights and freedoms, or concerns sensitive data or criminal records.
Similarly, SMEs will only have to appoint a Data Protection Officer if the processing is their main business and it poses specific threats to the individuals’ rights and freedoms (such as monitoring of individuals or processing of sensitive data or criminal records) in particular because it’s done on a large scale.
What should we do in case of a data breach?
A data breach occurs when data for which your company/organization is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and it is likely that the breach poses a risk to individuals' rights and freedoms, your company/organization has to notify the supervisory authority without undue delay and at the latest within 72 hours after having become aware of the breach. If your company/organization is a data processor, it must notify the data controller of every data breach.
How can I make our organization GDPR compliant?
The General Data Protection Regulation (GDPR) is based on a risk-based approach. Companies/organizations processing personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities. Therefore, the obligations on a company processing a lot of data are more onerous than on a company processing a small amount of data.
For example, a company/organization processing a lot of data is more likely to need a data protection officer than one processing a small amount of data. At the same time, the nature of the personal data and the impact of the envisaged processing also play a role. Processing a small amount of data that is of a sensitive nature, for example health data, would require more stringent measures to comply with the GDPR.
Is our website affected by GDPR?
If your organization/business interacts or does business with EU citizens, for instance by selling products/services or monitoring individual behavior online, then GDPR applies to you.
If you use third-party tools from e.g. Google or Facebook, which collect personal data, then you need to collect valid consent before a cookie or tracking technology is placed on the visitors’ computer.
If you have contact forms or newsletters collecting data from EU citizens, then GDPR also applies to you and you need to ensure that you process their personal data lawfully.
Are you aware of what trackers you have on your website?
Many websites use tracking technologies, including cookies, pixels and tags, to advertise, collect statistics and perform marketing campaigns. Under the GDPR, you are responsible for providing notice and obtaining consent for each one of these technologies. Make sure to do a web audit of your website and see what trackers you have enabled and running.
If you are unsure what trackers you have on your website, use the tool. It is free and will provide a result in 5 minutes or less.
Are you gathering consent the right way?
There are specific requirements for how to obtain valid consent. Consent must be informed, unambiguous, explicit, freely given and specific; it must be possible to withdraw it; and the request must be written in plain language and be clearly visible. For consent to be informed, the individual must receive at least the following information:
- the identity of the organization processing the data;
- the purposes for which the data is being processed;
- the type of data that will be processed;
- the possibility to withdraw the given consent (for example, an unsubscribe link at the end of an email);
- if the consent relates to an international transfer, the possible risks of data transfers to third countries.
Below is an example of how you can communicate and receive valid consent:
- Consent should be affirmative, specific and unambiguous
- Details of recipients and data controller
- Purpose of processing and notification of profiling
- Withdraw consent
- Link to complain, correct and transfer data
- Can decline
Are your privacy banners affirmative?
The standard phrase included in cookie notices, “by using this site, you accept cookies”, is not sufficient under GDPR, as it only suggests implied consent and is ambiguous and generic. You now need granular levels of control, with separate consents for tracking and analytics cookies, as well as mechanisms to signal the customer's consent. The visitor needs to take an affirmative action.
Have you made it easy to withdraw consent?
It should be as easy to withdraw as to give consent. If consent is withdrawn your company/organization can no longer process the data. Once consent has been withdrawn, your company/organization needs to ensure that the data is deleted unless it can be processed on another legal ground (for example storage requirements or as far as it is a necessity to fulfill the contract).
If the data was being processed for several purposes your company/organization can’t use the personal data for the part of the processing for which consent has been withdrawn or for any of the purposes, depending on the nature of the withdrawal of consent.
Example: You’re providing an online newsletter. Your client gives their consent to subscribe to the online newsletter that allows you to process all the data on their interests to build a profile of what articles they consult. One year on, they inform you that they no longer wish to receive the online newsletter. You must delete all personal data relating to that person collected in the context of the newsletter subscription from your database, including the profile(s) relating to that person.
Have you named the 3rd party plugins that process data?
Your privacy banners must clearly identify each party for which the consent is being granted. It isn’t enough to state the category name, such as analytics; the banner should include the identity of the organization, e.g. Google, that processes the data.
How can visitors and customers contact you for personal data?
Individuals may contact your company/organization to exercise their rights under the GDPR (rights of access, rectification, erasure, portability, etc.). Where personal data is processed by electronic means, your company/organization should provide means for requests to be made electronically. Your company/organization must reply to their request without undue delay, and in principle within 1 month of the receipt of the request.
Your company/organization can ask them for additional information in order to confirm the identity of the person making the request.
If your company/organization rejects the request then it has to inform the person of the reasons for doing so and of their right to file a complaint with the Data Protection Authority and to seek a judicial remedy.
Do you have evidence of valid consent?
GDPR requires you to keep evidence of consent – who, when, how, and what you told people. Good practice would be to document both consents given and rejected for visitors and customers when you process their personal data.
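As an added example, not code from the page or from any banner vendor, the following Node.js snippet ties together the consent rules above: a named third-party tracker runs only after an explicit per-purpose opt-in (simply using the site is never treated as consent), withdrawal is one call and purges the data collected under that purpose (the newsletter profile case), and every decision is logged with who, when, how and which notice version was shown. The vendor name, purpose names, notice version and visitor id are constructed sample values.

```javascript
// Added example: consent store for a website's cookie/tracker banner.
// Assumption: NOTICE_VERSION identifies the exact banner text the visitor saw.
const NOTICE_VERSION = "privacy-notice-v1"; // constructed sample value

function createConsentStore(now = () => new Date().toISOString()) {
  const records = []; // evidence log: one entry per decision (grant or withdrawal)
  const state = {};   // current decision per purpose; absent means never consented

  function record(visitorId, purpose, vendor, granted, method) {
    const entry = {
      visitorId, purpose, vendor, granted, method,
      noticeVersion: NOTICE_VERSION, at: now(),
    };
    records.push(entry);
    state[purpose] = granted;
    return entry;
  }

  return {
    // Called only from an affirmative action such as ticking an opt-in box.
    grant: (visitorId, purpose, vendor) =>
      record(visitorId, purpose, vendor, true, "opt-in-checkbox"),
    // Withdrawal must be as easy as granting: a settings control, not an email.
    withdraw: (visitorId, purpose, vendor) =>
      record(visitorId, purpose, vendor, false, "settings-withdraw"),
    // "By using this site you accept cookies" is never treated as consent.
    isAllowed: (purpose) => state[purpose] === true,
    evidence: () => records.slice(),
  };
}

// Run the tracker's loader only if consent for that purpose is currently granted.
function loadTrackerIfAllowed(store, purpose, load) {
  if (!store.isAllowed(purpose)) return false;
  load();
  return true;
}

// On withdrawal, delete the data collected under that purpose unless another
// legal ground (e.g. a contract or a storage obligation) justifies keeping it.
function withdrawAndPurge(store, visitorId, purpose, vendor, dataByPurpose,
                          otherLegalGround = false) {
  store.withdraw(visitorId, purpose, vendor);
  if (!otherLegalGround) delete dataByPurpose[purpose];
  return dataByPurpose;
}
```

In a real site, the evidence log would be persisted server-side, since the point is to be able to show a DPA what was consented to and when.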
Have you updated your data and privacy policies?
You will need to update your associated policies e.g. a data protection policy. It is important for businesses to have documented policies in place to enable your staff to have a clear understanding of what is required of them.
These policies can include a training policy, an information security policy, a records retention procedure, a subject access request form and procedure, a privacy procedure, an international data transfer procedure, a data portability procedure and a complaints procedure.
Have you cleaned up your mailing lists?
Make sure to clean up your email databases. If your database of subscribers was not collected according to GDPR standards, then you will need to validate that you have received the necessary consent. This could include sending subscribers a re-permission email so that they can choose to opt in again. This will provide proof of consent and make your business GDPR compliant.
Are you collecting too much information?
GDPR introduces the concept of data minimization, which requires you to collect only as much data as is needed to accomplish a given task. So, while it may be easy to add an extra field to collect a phone number, gender or location, you have to evaluate whether you actually need it to process the request. Additionally, data collected for one purpose cannot be repurposed without further consent.