GDPR: General Data Protection Regulation

The European Union’s General Data Protection Regulation on data privacy came into effect on May 25, 2018.

This regulation applies to the data of all EU citizens, regardless of whether your business is located inside or outside the EU.

It was the first major update to European data protection law in over 20 years.


What is GDPR?

  • It applies to anyone who collects, records, organizes, stores, processes, analyzes, or performs any other operation on personal data.
  • It sets very strict rules about what companies can do with people’s data.
  • It forces companies to justify everything they do with this data.
  • It gives organizations guidelines on what they can and can’t do with personal data.
  • It also gives users more clarity about what data is collected and how companies will use it.
  • It gives you more control over how your data is collected, used, and processed.

What is considered personal data under GDPR?

  • Any data that could be used to identify a person, such as a name, email address, phone number, date of birth, username, IP address, or location.
  • Any sensitive information such as sexual orientation, health data, political opinions, etc.
  • Any data specific to a person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

Failing to comply with GDPR exposes an organization to a penalty of 20 million euros or 4% of annual global turnover (whichever is greater).


GDPR Advantages

  • The new law promotes data transparency and accountability.
  • It gives individuals more control over their data, so users have the right to request information about it.
    • You can ask a company what information it holds about you, and it must supply that information within 1 month, free of charge.
    • You can ask a company to delete your data, and it must do so.

Data processing principles

  • Personal data must be processed fairly, lawfully, and in a transparent manner.
  • It must be collected for specified, explicit, and legitimate purposes.
  • Collect only data that is adequate, relevant, and limited to what is necessary; don’t keep data unnecessarily.
  • It should be accurate and where necessary, kept up to date.
  • It should be retained only for as long as necessary.
  • Make sure data is secure and that no unauthorized person can access it; it must be processed in a manner that maintains that security.

Data security is an important part of GDPR compliance

  • Organizations must implement appropriate and proportionate technical and organizational measures to protect personal data.

Checklist to get your website GDPR ready

  1. Cookie notification
    • No more implied consent
    • Allow people to positively opt-in or acknowledge/accept for storing their data.
    • Have a link to the cookie policy.
  2. Cookie policy
    • Explain what cookies are set and why
    • Link to the policies of any third-party providers
  3. Privacy policy
    • It must be up to date
    • what you do with data
    • how you collect and store it
    • access to own data
    • right to remove data
  4. SSL
    • Secures data in transit
    • Best practice
    • Heightened security
  5. Lead Capture
    • Avoid storing data
    • If you have to, encrypt the data
    • The email service provider should also have the GDPR policy.
    • No pre-ticked boxes
    • Option to opt-out
  6. Payments
    • Make sure the payment gateway’s privacy policy covers GDPR
    • Add reference links to it under Obligations in your privacy policy.
  7. Website chat
    • The chat provider’s policies should cover GDPR
    • Add references to them in your policy.
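As an added example (not code from the original page), here is a minimal JavaScript consent gate that implements the cookie rules from the checklist: optional categories default to off (no pre-ticked boxes), nothing non-essential loads until an explicit opt-in is recorded, and consent can be withdrawn at any time. The category names and the "essential" exemption are assumptions made for this example.

```javascript
// Added example, not from the original page: a consent gate for a website.
// - No implied consent: nothing optional runs until the user explicitly opts in.
// - No pre-ticked boxes: every optional category starts as false.
// - Opt-out: consent can be withdrawn, which revokes access again.
// Category names and the "essential" exemption are assumptions for this example.

const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

function createConsentState() {
  // Default state: nothing ticked, and no decision recorded yet, so merely
  // showing the banner never counts as consent.
  const choices = {};
  for (const c of OPTIONAL_CATEGORIES) choices[c] = false;
  return { decided: false, choices };
}

function recordChoice(selected) {
  // Only categories the user explicitly set to true are enabled; anything
  // else (missing, "yes", 1, unknown names) stays off.
  const next = createConsentState();
  next.decided = true;
  for (const c of OPTIONAL_CATEGORIES) next.choices[c] = selected[c] === true;
  return next;
}

function withdrawConsent() {
  // Opt-out: back to everything off, but still a recorded decision.
  return recordChoice({});
}

function isAllowed(state, category) {
  // Strictly necessary cookies (e.g. a session cookie) need no consent;
  // every other category requires an explicit, recorded opt-in.
  if (category === "essential") return true;
  return state.decided && state.choices[category] === true;
}

function gate(state, category, loader) {
  // Run a third-party loader (tag script, chat widget, lead-capture form)
  // only when its category is allowed. Returns whether it ran, so nothing
  // is silently skipped.
  if (!isAllowed(state, category)) return false;
  loader();
  return true;
}
```

In a real page the state would be persisted (for example in a first-party cookie) and the loaders would inject the provider scripts named in your cookie policy.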
