What Does GDPR Stand For?
The EU GDPR (General Data Protection Regulation) is the most significant change in data protection for decades since the ePrivacy Directive. This cookie law requires businesses to protect the personal data and privacy of EU citizens. It introduces tougher fines for non-compliance and breaches and gives people more say over what companies can do with personal data. Any company that does businesses in Europe needs to be GDPR compliant.
Why GDPR?
The overall objective of the General Data Protection Regulation (GDPR) is to give citizens back control of their personal data and to simplify the regulatory environments for international business by unifying data and privacy regulations. GDPR replaced the EU ePrivacy Directive (the Data Protection Directive ) with the main aim of adopting this cookie law being the need to unify data protection and privacy regulation in the EU to reduce administration and inconsistencies among local laws. Essentially, with a directive, unlike a data protection regulation, each member state has discretion as to the implementation of data protection regulations, and can thus differ from country to country.
Who does GDPR apply to?
While the General Data Protection Regulation (GDPR) originates from the EU, it applies to companies outside EU offering goods and services (paid or free), or those who monitor the behavior of individuals in the region.
Under the former Data Protection Directive, a business was subject to the data protection regulation only if it was located in an EU country or used equipment in an EU country to process personal data.
However, the new cookie law also applies to any business that offers goods or services to individuals in the EU or monitors such individuals’ behavior. This is a broad expansion of the general data protection requirements that will affect many more organizations across the globe.
What are the penalties?
The GDPR penalties can reach a maximum of EUR 20 million or 4 percent of the annual revenue (whichever is greatest) of the organization, depending on the facts and circumstances of non-compliance with GDPR requirements.
Furthermore, for the first time, class action litigation is also allowed, resulting in exposure to both regulatory enforcement and private litigation for a company’s failure to be compliant with GDPR.
What is personal data?
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected by different types of cookies that together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymized but can be used to re-identify a person remains personal data and falls within the scope of the EU GDPR.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data under GDPR requirements. For data to be truly anonymized, the anonymization must be irreversible.
Examples of personal data include name, surname, an email address such as name.surname@company.com, a home address, ID card number, cookie ID, Internet Protocol (IP).
Examples of data not considered personal data include a company registration number, an email address such as info@company.com and anonymized data.
Transferring data outside the EU
Personal data can flow from European Economic Area (EEA), which includes all EU countries and non-EU countries Iceland, Liechtenstein, and Norway to third party countries without any further safeguard when the European Commission has acknowledged the country to have adequate data protection. Countries recognized to have adequate protection are Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection. Talks are ongoing with Japan and South Korea.
Who enforces GDPR?
The enforcement of this EU cookie law is done through Data Protection Authorities (DPA’s) who provide expert advice on data protection issues and handle complaints against violations of GDPR guidelines. There is one in each EU Member State.
The main contact point for questions on data protection is the DPA in the EU Member State where your company/organization is based. However, if your company/organization processes data in different EU Member States or is part of a group of companies established in different EU Member States, that main contact point may be a DPA in another EU Member State.
Do we need a Data Protection Officer?
The GDPR is not specific on when it comes to the appointment of a DPO. However, This is necessary if you are a controller, a processor, or if your core activities involve the processing of sensitive data on a large scale, or involve large scale, regular and systematic monitoring of individuals. In that respect, monitoring the behavior of data subjects includes all forms of tracking such as the use of third party cookies and profiling on the internet, including for the purposes of behavioral advertising.
The DPO may be a staff member of your organization or may be contracted externally on the basis of a service contract. A DPO can be an individual or an organization.
It is worth mentioning that the General Data Protection Regulation is based on a risk-based approach and organizations are encouraged to implement protective measures corresponding to the level of risk of their data processing activities to comply with GDPR.
Does GDPR apply to Small & Medium-Sized Businesses?
Yes, the application of this data protection regulation depends not on the size of your company/organization but the nature of your activities. Activities that present high risks for the individuals’ rights and freedoms, whether they are carried out by an SME or by a large corporation, trigger the application of more stringent rules. However, some of the regulations GDPR espouses may not apply to all SMEs.
For instance, companies with fewer than 250 employees don’t need to keep records of their processing activities unless processing of personal data is a regular activity, poses a threat to individuals’ rights and freedoms, or concerns sensitive data or criminal records.
Similarly, SMEs will only have to appoint a Data Protection Officer if the processing is their main business and it poses specific threats to the individuals’ rights and freedoms (such as monitoring of individuals or processing of sensitive data or criminal records) in particular because it’s done on a large scale.
What should we do in case of a data breach?
A data breach occurs when the data for which your company/organization is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, your company/organization has to notify the supervisory authority without undue delay and at the latest within 72 hours after having become aware of the breach. If your company/organization is a data processor it must notify every data breach to the data controller.
How can I make our organization GDPR compliant?
The General Data Protection Regulation (GDPR) cookie law is based on the risk-based approach. Companies/organizations processing personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities. Therefore, the obligations on a company processing a lot of data to make its website GDPR compliant are more onerous than on a company processing a small amount of data.
For example, the probability of hiring a data protection officer for a company/organization processing a lot of data is higher than for a company/organization processing a small amount of data. At the same time, the nature of the personal data and the impact of the envisaged processing also play a role. Processing a small amount of data, but which is of a sensitive nature, for example, health data, would require implementing more stringent measures to comply with GDPR.
Is our website affected by GDPR?
If your organization/business interacts or does business with EU citizens, such as selling products/services or monitor individual behavior online, then you are applicable to GDPR.
If you use third-party tools such as Google Analytics from Google, for example, which collect personal data, then you need to collect valid GDPR cookie consent before placing cookies or any other form of tracking technology on the visitors’ computer. One of the ways you can accomplish this is through using cookie consent tools/cookie consent plugin.
If you have contact forms or newsletters collecting data from EU citizens then you need to be compliant with GDPR and need to ensure you do lawful processing of their personal data.
Are you aware of what trackers you have on your website?
Many websites use tracking technologies, including cookies, pixels and tags, to advertise, collect statistics and perform marketing campaigns. To ensure your website is GDPR compliant, you are required to provide a cookie notice/GDPR cookie consent banner and obtain user consent for each one of these technologies. Make sure to do a web audit of your website and see what trackers you have enabled and running.
If you are unsure what trackers you have on your website, then use our GDPR cookie consent plugin tool. It is free and will provide you a result within 5 minutes or less. Our tool identifies the cookies and tracking on your website, and our cookie script blocks them into groups determined by their function
Are you gathering consent the right way?
There are specific requirements for how to obtain valid consent when it comes to GDPR and cookies. Primarily, GDPR cookie consent must be informed, unambiguous, explicit, freely given, specific and have the right to withdraw written in plain language that is clearly visible in your cookie banner. For consent to be informed, both the GDPR and ePrivacy Directive, state that an individual must receive at least the following information from your cookie consent notice:
- the identity of the organization processing data;
- the purposes for which the data is being processed;
- the type of data that will be processed;
- the possibility to withdraw the given consent (for example, an unsubscribe link at the end of an email)
- if the consent is related to an international transfer, the possible risks of data transfers to third countries.
Below is one of the GDPR cookie consent banner examples you can use to communicate different cookie preferences and receive a valid consent:
- Consent should be affirmative, specific and unambiguous
- Details of recipients and data controller
- Purpose of processing and notification of profiling
- Duration
- Withdraw consent
- Link to complain, correct and transfer data
- Can decline
Are your privacy banners affirmative?
The standard text phrase that is included in most cookie consent banners, “by using this site, you accept cookies,” will not be sufficient under GDPR cookie compliance requirements, as it only suggests implied consent, which is ambiguous and generic. You will now need granular levels of control with separate consents for tracking, analytics, and other cookie categories, as well as mechanisms to signal customer consent. They need to make an affirmative action to guarantee GDPR compliant cookie consent.
Have you made it easy to withdraw consent?
It should be as easy to withdraw as to give consent. Furthermore, you need to inform your users how they can exercise this with the help of a GDPR compliant cookie banner. If user consent is withdrawn your company/organization can no longer process the data. Once consent has been withdrawn, your company/organization needs to ensure that the data is deleted unless it can be processed on another legal ground (for example storage requirements or as far as it is a necessity to fulfill the contract).
If the data was being processed for several purposes your company/organization can’t use the personal data for the part of the processing for which consent has been withdrawn or for any of the purposes, depending on the nature of the withdrawal of consent.
Example: You’re providing an online newsletter. Your client gives their consent to subscribe to the online newsletter that allows you to process all the data on their interests to build a profile of what articles they consult. One year on, they inform you that they no longer wish to receive the online newsletter. You must delete all personal data relating to that person collected in the context of the newsletter subscription from your database, including the profile(s) relating to that person.
Have you named the 3rd party plugins that process data?
Your cookie consent notice must clearly identify each party for which user consent is being granted. It isn’t enough to state the category name, such as analytics, but should include the identity of the organization, e.g. Google, which processes the data for your business to be considered as having a GDPR compliant cookie policy.
How can visitors and customers contact you for personal data?
Individuals may contact your company/organization to exercise their rights under the GDPR (rights of access, rectification, erasure, portability, etc.). Where personal data is processed by electronic means, your company/organization should provide means for requests to be made electronically. Your company/organization must reply to their request without undue delay, and in principle within 1 month of the receipt of the request.
It can ask them for additional information in order to confirm the identity of the person making the request.
If your company/organization rejects the request then it has to inform the person of the reasons for doing so and of their right to file a complaint with the Data Protection Authority and to seek a judicial remedy.
Do you have evidence of valid consent?
The General Data Protection Regulation requires you to keep evidence of consent – who, when, how, and what you told people. Good practice would be to document both the GDPR compliant cookie consent given and withdrawn by visitors and customers when you process their personal data.
Have you updated your data and privacy policies?
You will need to update your associated policies e.g. a data protection policy or GDPR cookie policy. It is important for businesses to have documented policies in place to enable your staff to have a clear understanding of what is required of them.
These policies can include information such as training policy, information security policy, retention of records procedure, subject access request form and procedure, privacy procedure, international data transfer procedure, data portability procedure and complaints procedure.
Have you cleaned up your mailing lists?
Make sure to clean up your email databases. If your database of subscribers were not collected according to GDPR and ePrivacy Directive standards, then you will need to justify that you have received valid consent. This could include sending them a re-permission email so that they can choose to re-opt in. This will provide proof of user consent and make your business GDPR compliant.
Are you collecting too much information?
GDPR introduces the concept of data minimization, which mandates you to only collect as much data as is required to successfully accomplish a given task. So, while it may be easy to add an extra field to collect information about phone number, gender, and location, you have to evaluate whether you need it to process the request. Additionally, data collected for one purpose cannot be repurposed without further user consent.