What is the GDPR? (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) is an EU-wide regulation that controls how companies and other organizations handle personal data. It is the most significant initiative on data protection in 20 years and has major implications for any organization in the world, serving individuals from the European Union.
To give people control over how their data is used and to protect “fundamental rights and freedoms of natural persons”, the legislation sets out strict requirements on data handling procedures, transparency, documentation and user consent.
Any organization must keep a record of and monitor personal data processing activities.
As a data controller, any organization must keep a record of and monitor personal data processing activities. This includes personal data handled within the organization, but also by third parties so-called data processors.
Data processors can be anything from Software-as-a-Service providers to embedded third party services, tracking and profiling visitors on the organization’s website.
Both data controllers and processors must be able to account for what kind of data is being processed, the purpose of the processing and to which countries and third parties the data is transmitted.
If personal data is being sent to organizations or jurisdictions beyond the reach of the GDPR or that are not deemed ‘adequate’ by the GDPR, one must inform the user specifically about this and the risks involved.
All consents must be recorded as evidence that consent has been given.
No processing of sensitive personal data is allowed without a person’s explicit consent. For non-sensitive data, implied consent will do. In either case, the consent must be freely given on the basis of clear and specific information about data types and purpose – and always before any processing takes place, also known as ‘prior’ consent. All consents must be recorded as evidence that consent has been given.
Individuals now have the “right of data portability”, the “right of data access” along with the “right to be forgotten” and can withdraw their consent whenever they want. In such case, the data controller must delete the individual’s personal data if it’s no longer necessary to the purpose for which it was collected.
In case of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.
Furthermore, GDPR imposes an obligation on public authorities, organizations with more than 250 employees and companies processing sensitive personal data at a large scale to employ or train a data protection officer (DPO). The DPO must take measures to ensure GDPR compliance throughout the organization.
In relation to Brexit, the UK Government plans to implement equivalent legislation that will largely follow the GDPR.
What does the GDPR mean for my website?
If your website is serving individuals from the EU and you – or embedded third-party services like Google and Facebook – are processing any kind of personal data, you need to obtain prior consent from the visitor.
To obtain valid consent, you need to describe the extent and purpose of your data processing in plain language to the visitor, prior to processing any personal data.
All consents must be logged as proof and all tracking of personal data, also by embedded third party services, must be documented, hereunder to which countries data is transmitted.
Check out the EU-info page on the reform of the data protection laws.
See also their infographic Data Protection – Better rules for small business