What is GDPR?
Under the EU law on data protection and privacy, General Data Protection Regulation (GDPR) states that all the citizens of the European Union (EU) and the European Economic Area (EEA) should have control over their personal data. No company can store or use the personal data of a citizen of EU/EEA prior to taking their consent.
As stated in the EU law on data protection, companies within the following criteria need to comply with GDPR:
- Companies that have 250+ employees, with or without a presence in any of the EU countries
- Companies with less than 250 employees, with or without a presence in any of the EU countries, but processes data from EU resident
Who will ensure GDPR compliance?
GDPR states the following roles that are responsible for ensuring compliance:
- Data Controller: One who defines how personal data is processed and its purpose.
- Data Processor: One who handles and processes personal data.
- Data Processing Officer: One who oversees data security strategy and GDPR compliance.
Companies that process or store large amounts of EU citizen data must hire a Data Processing Officer (DPO) to ensure proper GDPR compliance.
What penalties will you have for non-compliance?
You will not be subjected to any fines/penalties if you do not store and process any personal data of EU citizens.
Whereas for the companies that deal with the personal data of any EU citizen, not complying will lead to warnings followed by fines/penalties.
Compared to the Data Protection Directive, the violation of GDPR costs more to its violators.
As GDPR sets a standard for all the companies that handle EU citizens’ personal data, the supervising authorities hold investigative and corrective powers to issue warnings and audits for non-compliance.
Companies that do not comply with GDPR may face hefty fines up to 4% of a company’s annual global revenue OR €20 million (whichever is greater).
What personal data is protected under GDPR?
The GDPR comprises eleven chapters regarding topics like general provisions, principles, rights of the owner of the data, responsibilities of data controllers & processors, personal data transfer to non-EU countries, powers of the supervisory authorities, solutions, liability or penalties for breach of rights.
Some of the important data that fall under GDPR compliance are:
- Basic personal identity information like name and address
- Web data such as IP address, cookie data and location
- Sexual orientation
- Health and genetic data
- Racial or ethnic data
- Political opinions
Read more at GDPR Chapters
What are the most important aspects of GDPR?
Companies need to take prior consent from their users before saving and using personal data. Using data of any EU citizen without their consent will lead to warnings and alerts followed by a ban to use any data from EU citizens or penalties we talked about earlier.
For Example, you cannot send promotional emails or messages to someone who shared their contact information with you. Not until they opt-in to receive those emails and messages.
User has the right to download and remove his/her personal data from your website. You need to provide the users with options for the same and remove their data as per their request.
This falls under GDPR compliance as well. You need to provide information about where and how their personal data is used/stored.
According to the GDPR, companies must report data breaches within 72 hours to the relevant authorities.
However, in the case of high-risk breaches, the company MUST inform both the individual and authorities without any delay.
Public companies or companies that process large amounts of personal information must appoint a data protection officer to oversee the data security strategy and GDPR compliance for GDPR compliance.
Data Protection Officer looks after the data security for GDPR compliance, creates and executive security strategies with the data processors and data controllers.
To conclude, GDPR prevents businesses or companies to spam EU citizens and ensures the protection and control of their personal data. GDPR allows users to control how their data is stored and used. Users can remove and download their data anytime or revoke authorisation to use their personal data.
The list of things required to comply with GDPR is eternal.
You need to
- Create a pop-up for taking consent
- Control cookies and trackers
- Control how data is stored
- Give control to the data owners, to download or delete their data
- Ensure security of the stored personal data.
To comply with the GDPR, you need to optimize your website, talk to us for assistance on your GDPR compliance.