What is GDPR?
GDPR stands for General Data Protection Regulation. It is a new data protection law in the EU that comes into force in May 2018.
The aim of the GDPR is to give citizens of the EU control over their personal data, and change the approach of organizations across the world towards data privacy.
The GDPR provides much stronger rules than existing laws and is much more restrictive than the “EU cookie law.”
The GDPR law applies to data collected about EU citizens from anywhere in the world. As a consequence, a website with any EU visitors or customers must comply with the GDPR, which means that virtually all websites and businesses must comply.
To better understand the regulation, read the official published text of the regulation.
Should GDPR be taken seriously?
Webmasters have until May 2018 to comply with the rules set by the GDPR. The penalty for non-compliance can be 4% of annual global turnover, up to a maximum of €20 million.
There are various slabs of penalties according to the seriousness of the breach, which have been described in the FAQ section of the GDPR portal.
Supervisory Authorities (SAs) are going to be set up in each member state, with the full backing of the law. A member state may have multiple SAs, depending on its constitutional, administrative and organizational structure. SAs will have a number of powers:
- carry out audits on websites,
- issue warnings for non-compliance,
- issue corrective measures to be followed with deadlines.
SAs have both investigative and corrective powers to check compliance with the law and suggest changes to be compliant.
The majority of firms have made the GDPR guidelines their top data protection priority, with 76% of them prepared to spend in excess of $1 million on GDPR. This shows that, owing to their substantial presence in the EU, large corporations are taking GDPR compliance seriously.
So What Counts as Personal Data?
Any data that can be used to identify a living person, directly or indirectly, is classed as personal data. Examples include:
- Email address
- Social security number
- Location data
- IP address
What Is Sensitive Personal Data?
Sensitive personal data is a special class of personal data that has to be even more carefully handled. It includes factors such as:
- Health status
- Sexual orientation
- Religious beliefs
- Political beliefs
What Rights Do Data Subjects Have Under GDPR?
As explained by the ICO, data subjects have the following rights concerning their personal data:
- Restrictions on processing
- Data portability
- Revision of automated decisions or profiling
If you are a webmaster, you must pay attention to the following:
(a) Breach notification
Under the GDPR, if your website suffers a data breach of any kind, that breach needs to be communicated to your users.
A data breach may put the rights and freedoms of individuals at risk, which is why users must be notified promptly. Under the GDPR, a notification must be sent within 72 hours of first becoming aware of a breach. Data processors are also required to notify users as well as the data controllers immediately after first becoming aware of a data breach.
(b) Data collection, processing and storage
There are three elements to this: the Right to Access, the Right to Be Forgotten and Data Portability.
The right to access gives users complete transparency about data processing and storage: what data points are collected, where those data points are processed and stored, and the reason for collecting, processing and storing them. Users must also be provided with a copy of their data free of cost within 40 days.
The right to be forgotten gives users an option to erase personal data, and stop further collection and processing of the data. This process involves the user withdrawing consent for their personal data to be used.
The data portability clause of the GDPR gives users the right to download the personal data for which they have previously given consent, and to transmit that data to a different controller.
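The three rights just described, implemented over a small in-memory user store. This is an added example, not code from the original post; the data inventory, the field names and the sample subject record are constructed for illustration. It shows the pieces a webmaster has to have in place: a per-field inventory of purpose, retention and recipients (what the right to access must reveal), a machine-readable export (portability), and an erasure that also stops further collection for that subject (right to be forgotten).

```python
"""Data-subject rights handler: access, portability and erasure.

Added example, not code from the original post. The store, the data
inventory values and the sample user record are constructed.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from typing import Optional

# Constructed data inventory: for every personal data point the site keeps,
# record why it is collected, how long it is retained and who receives it.
# This is exactly the information the post says must be published to users.
DATA_INVENTORY = {
    "email": {"purpose": "account login and notices", "retention_days": 730,
              "recipients": ["site operator"]},
    "ip_address": {"purpose": "abuse prevention", "retention_days": 30,
                   "recipients": ["site operator", "hosting provider"]},
    "location": {"purpose": "regional content", "retention_days": 365,
                 "recipients": ["site operator"]},
}


@dataclass
class UserRecord:
    user_id: str
    email: str
    ip_address: str
    location: str


class PersonalDataStore:
    """Minimal store implementing access, portability and erasure."""

    def __init__(self) -> None:
        self._records: dict[str, UserRecord] = {}
        # Subjects who withdrew consent: further collection is refused.
        self._consent_withdrawn: set[str] = set()

    def collect(self, record: UserRecord) -> bool:
        """Store a record unless the subject has withdrawn consent."""
        if record.user_id in self._consent_withdrawn:
            return False
        self._records[record.user_id] = record
        return True

    def access(self, user_id: str) -> Optional[dict]:
        """Right to access: each value held, with purpose, retention and
        recipients, so the subject sees what is collected and why."""
        rec = self._records.get(user_id)
        if rec is None:
            return None
        data = asdict(rec)
        return {name: {"value": data[name], **DATA_INVENTORY[name]}
                for name in DATA_INVENTORY}

    def export_portable(self, user_id: str) -> Optional[str]:
        """Data portability: a machine-readable copy the subject can pass
        to another controller. Only the data itself, not our metadata."""
        rec = self._records.get(user_id)
        if rec is None:
            return None
        return json.dumps(asdict(rec), indent=2, sort_keys=True)

    def erase(self, user_id: str) -> bool:
        """Right to be forgotten: delete the record and treat the request
        as withdrawal of consent so nothing new is collected afterwards."""
        self._consent_withdrawn.add(user_id)
        return self._records.pop(user_id, None) is not None


def demo() -> dict:
    """Walk a constructed subject through collect, access, export, erase."""
    store = PersonalDataStore()
    alice = UserRecord("u1", "alice@example.com", "203.0.113.7", "DE")  # constructed
    store.collect(alice)
    access_view = store.access("u1")
    portable = json.loads(store.export_portable("u1"))
    erased = store.erase("u1")
    recollected = store.collect(alice)  # must be refused after erasure
    return {
        "access_fields": sorted(access_view),
        "email_purpose": access_view["email"]["purpose"],
        "portable": portable,
        "erased": erased,
        "after_erase": store.access("u1"),
        "recollected": recollected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The access view and the portable export are deliberately different objects: the first carries the site's own metadata (purpose, retention, recipients) that transparency requires, while the second is just the subject's data in a neutral format another controller can import. Erasure marks the subject as having withdrawn consent before deleting, so a later `collect` for the same subject is refused rather than silently re-creating the record.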
As a website owner, you first need to publish a detailed policy stating which personal data points you use and how they are processed and stored.
It may be wise to avoid data storage altogether in certain cases. For instance, contact forms can be set up to forward all submissions directly to your email address instead of storing them anywhere on the web server.
(c) If you are a WordPress site owner/webmaster: use of plugins and the implications for WordPress GDPR compliance
Any plugins that you use also need to comply with the GDPR rules. As the site owner, it is still your responsibility to make sure that every plugin can export, provide and erase the user data it collects, in compliance with the GDPR rules.
In a nutshell:
- Tell the user who you are, why you collect the data, for how long, and who receives it.
- Get clear consent (when required) before collecting any data.
- Let users access their data, and take it with them.
- Let users delete their data.
- Let users know if data breaches occur.
Disclaimer. This post is not legal advice. I am not a lawyer!