WHAT IS GDPR?
The General Data Protection Regulation (GDPR) is an EU law that controls how companies and other organizations handle personal data. It is the most significant data protection initiative of the last 20 years, with major implications for any organization in the world that targets EU entities. To give data subjects control over how their data is used and to “protect the fundamental rights and freedoms of natural persons”, the legislation establishes strict requirements regarding data handling procedures, transparency, documentation and user consent.
Every organization must keep a record and monitor the personal data processing activities
As a data controller, every organization must maintain a record of, and monitor, its personal data processing activities. This covers personal data handled within the organization as well as by third parties, the so-called data processors.
Data processors range from software-as-a-service (SaaS) providers to third-party visitor tracking and profiling services integrated into the organization's website.
Both data controllers and data processors must be able to demonstrate which data is processed, the purpose of the processing, and to which countries and third parties the data is transmitted. Data may only be transferred to other GDPR-compliant organizations, or within jurisdictions deemed adequate.
All consents must be recorded as proof that consent has been given
The processing of personal data is not permitted without prior consent. This means that consent must be given before any processing takes place, based on clear and specific information regarding the type of data and the purposes for which it was collected. For sensitive personal data, consent must be explicit, which underlines the importance of consent when processing sensitive personal data.
Natural persons now have the “right to data portability” and the “right to access data”, as well as the “right to be forgotten”, and can withdraw their consent at any time. In that case, the data controller must delete the natural person's personal data if it is no longer necessary for the purpose for which it was collected.
In the event of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.
Furthermore, the GDPR imposes an obligation on public authorities or companies that process sensitive personal data on a large scale to employ or train a data protection officer. The data protection officer must take steps to ensure that the organization is compliant with the GDPR.
In relation to Brexit, the UK government plans to implement equivalent legislation that will broadly follow the GDPR.
WHAT DOES THE GDPR IMPLY FOR YOUR WEBSITE?
If your site serves natural persons from the EU and processes any type of personal data, whether collected through information request forms, registration forms, etc., or through integrated third-party services such as Google (data collection for access statistics) or links to social networks such as Facebook, prior consent must be obtained from the visitor. To obtain valid consent, you must describe to the visitor, in simple language, to what extent and for what purpose the data is processed, before proceeding with the processing of any personal data.
All consents must be documented as proof, and all flows of personal data, including those through integrated third-party services, must be documented, including which countries the data is transmitted to.
SSL SECURITY CERTIFICATE
The server that hosts your website will be equipped with the SSL (Secure Socket Layer) network protocol for secure data transmission. SSL certificates encrypt the data exchanged and transmitted during navigation to prevent unauthorized access by third parties. This is essential given the sensitive data that travels on company sites, and especially e-commerce sites, such as passwords and the details of users who fill in your information request forms. Besides the evidence in the URL, the SSL certification is signalled by the green padlock symbol, which more directly conveys the idea of protection.
This is an annual service: the certificates must be renewed every year.
WHAT IS THE DEFINITION OF PERSONAL DATA?
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social.”
Online identifiers, such as IP addresses, are now considered personal data unless they are anonymised. Pseudonymised personal data is also subject to the GDPR if it can be reverse-engineered to identify the person it relates to.
DATE OF APPLICATION OF THE GDPR: 25 May 2018
The data protection reform was adopted by the European Parliament and the European Council on 27 April 2016. The Data Protection Regulation applies from 25 May 2018 and replaces the Data Protection Directive.
GDPR FINES AND SANCTIONS
Non-compliant organizations face hefty fines of up to €20 million, or 4% of the organization's global annual turnover, whichever is higher.