The GDPR (General Data Protection Regulation) is a new regulation that aims to protect the personal data and privacy of European Union citizens for transactions that occur inside and outside of EU member states.
It governs how data is gathered and stored, and gives EU citizens control over their personal data. Any and all companies that collect data on citizens in European Union countries will need to comply with strict new rules around protecting customer data by May 25, 2018. Sanctions for non-compliance can be as high as 20,000,000 Euros, or up to 4% of an organization's annual worldwide turnover (from the preceding financial year), whichever is the greater.
Who is at risk?
If an organization collects and stores information from any individuals within the EU, it is at risk. It doesn’t matter if the organization is based outside of the EU. It doesn’t matter if the data is gathered unintentionally.
Consent. Organizations must be asking for, gaining, recording and managing consent to collect personal data in ways that meet GDPR regulations.
Storage. An organization must ensure that personal data is stored as described in consent statements. Data cannot be stored or used otherwise.
Access. An organization’s data subjects must have easy access to and must be able to amend and/or purge their data, with the ability to opt-out or withdraw consent easily.
Security. Organizations must ensure that data protection is built ‘by design and by default’ into every aspect of the site.
Key Changes for Site Compliance
There are 99 articles that lay out the rights of individuals and obligations placed on organizations covered by the regulation. These include allowing people to have easier access to the data companies hold on them, and a clear responsibility for organizations to obtain the consent of people they collect information about. Specific to website compliance, organizations will need to pay attention to a number of key changes and make updates where needed.
Changes to the definition of personal data. Anything that contributes or links to identifying an individual is now included in the regulation, which can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
Stricter guidelines on gaining consent. Explicit consent must be obtained before personal data is submitted whenever the data provided will be stored beyond the scope of the current transaction. Under GDPR, visitors must be presented with a statement (inline or linked) specifying the nature of data that’s being collected, and the details of the decision and its effects, and they must affirm the decision with an action. Legal jargon cannot be used to request consent on web forms and the like. Consent now must be clear and distinguishable, and provided in an intelligible and easily accessible form, using clear and plain language.
Updates to individual rights and conditions for consent. These include the rights of access, to withdraw consent, to be 'forgotten', and to data portability. Websites must clearly communicate these rights to the individuals they collect data from. This includes letting data subjects know whether and for how long data will be stored, whether data will be transferred to other parties or countries, and how they can access, amend, or delete their data. It must be as easy to withdraw consent as it is to give it. Organizations must also be able to prove they have been given explicit consent to hold the data, and they must be ready to prove the deletion of personal data as well.
Website forms that collect and store personal information for purposes outside the current transaction (e.g. marketing emails) must have an "opt-in" option, and this option must be unchecked by default. The 'opt-in' option must use clear language on what the data will be used for. Organizations must also provide an easy way to 'opt-out' if a data subject changes his/her mind.
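The opt-in and proof-of-consent requirements above, as an added example that is not part of the original article: a small scanner that flags pre-checked consent boxes in form markup, plus a consent record that is only created when the subject actually ticked the box and that keeps the original grant as evidence when consent is withdrawn. The field name `marketing_opt_in`, the sample markup and the record layout are assumptions for illustration.

```python
"""Checks for the opt-in consent rules: no pre-ticked boxes, explicit affirmation, easy withdrawal."""
from dataclasses import dataclass
from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import Optional

# Constructed sample markup (not from any real site). The first form pre-ticks the
# opt-in box, which the rules above forbid; the second leaves it unchecked and
# states the purpose in plain language.
BAD_FORM = '<form><input type="checkbox" name="marketing_opt_in" checked> Send me news</form>'
GOOD_FORM = ('<form><input type="checkbox" name="marketing_opt_in"> '
             'Email me product updates. You can unsubscribe from any email.</form>')


class PrecheckedBoxFinder(HTMLParser):
    """Collects the names of checkboxes that carry a `checked` attribute."""
    def __init__(self):
        super().__init__()
        self.prechecked = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes such as `checked` map to None
        if tag == "input" and (a.get("type") or "").lower() == "checkbox" and "checked" in a:
            self.prechecked.append(a.get("name") or "<unnamed>")


def prechecked_opt_ins(html: str) -> list:
    """Return the names of consent checkboxes that are ticked by default (should be empty)."""
    finder = PrecheckedBoxFinder()
    finder.feed(html)
    return finder.prechecked


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str            # the plain-language statement the subject saw
    statement_version: str  # which wording was shown, so consent can be proven later
    given_at: str
    withdrawn_at: Optional[str] = None


def record_opt_in(subject_id: str, form_fields: dict, purpose: str, version: str) -> Optional[ConsentRecord]:
    """Create a record only when the box was ticked; a missing or empty field is never treated as consent.
    Browsers submit "on" for a ticked checkbox that has no value attribute."""
    if form_fields.get("marketing_opt_in") not in ("on", "true", "1"):
        return None
    return ConsentRecord(subject_id, purpose, version, datetime.now(timezone.utc).isoformat())


def withdraw(record: ConsentRecord) -> ConsentRecord:
    """Withdrawal is a single step; the original grant is kept so both events remain provable."""
    return ConsentRecord(record.subject_id, record.purpose, record.statement_version,
                         record.given_at, datetime.now(timezone.utc).isoformat())
```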