In May 2016, we received the final text of the European Union's new General Data Protection Regulation (GDPR). It becomes enforceable in all EU member states on 25 May 2018.
The regulation aims to address the new ways in which personal data is exploited through the internet and cloud technology. It also aims to give businesses a clearer legal environment in which to operate throughout the EU.
The GDPR introduces new accountability obligations, stronger rights and restrictions on international data flows. It gives people more say over what companies can do with their data.
The data protected by this regulation is all information about an identified or identifiable person. This can be their name, address or e-mail, but also a cookie, a photo or an IP address. If the data can be used to find out who the person is, it is personal data and therefore protected by the GDPR.
If you want to store this data, you need demonstrable permission from the person to collect it, and they need to be able to view their stored data, adapt it, remove it and transfer it.
Controllers and processors
Not only the ‘controller’ needs to abide by the GDPR, but also the ‘processor’. The processor does the actual data processing and could be, for example, an IT firm. The controller is the organisation that collects the data. Controllers and processors based outside the EU must also follow the rules defined by the GDPR if they keep track of data belonging to EU citizens.
It is the controller's responsibility to ensure that their processor follows the regulation, and it is the processor's responsibility to maintain records of their processing activities. Controllers must ensure that personal data is processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, the data should be deleted.
Controllers need to keep a record of how and when a person gave consent, and must give individuals the possibility to withdraw their consent whenever they want.
Individuals can request access at “reasonable intervals” to view, adapt, remove or transfer their personal data. It is the controller's obligation to respond within one month.
The controller should implement measures that meet the principles of data protection by design and data protection by default, and it is the processor's responsibility to implement these protections. What if there is a data breach that puts the rights and freedoms of individuals at risk? The controller must notify a data protection authority within 72 hours of becoming aware of it, and must also notify the persons whose data has been leaked.
The regulation requires controllers and processors to be transparent about how they collect data, what they do with it and how they process it. They need to explain this to people clearly, in plain language.
What a website owner needs to know
Any cookie or other identifier uniquely attributed to a device, and therefore capable of identifying an individual or treating them as unique, is personal data and falls under the GDPR, even if a third-party plugin plants that identifier.
This means that many web analytics cookies, advertising and targeting cookies, and quite a few functional services such as survey and chat tools store personal data.
A few actionable steps:
- Get rid of cookie boxes: a notice like “By using this site, you accept cookies” will not qualify as consent for storing visitors’ data.
- Your visitors must be able to accept or decline tracking: consent needs to be a manual action, and visitors need to be able to opt out at ANY time.
- Don't collect data just because you can: you need to be able to justify and describe every purpose for which you use the personal data you collect.
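The three steps above amount to one implementation pattern: nothing non-essential is stored until the visitor explicitly opts in, every consent decision is recorded with a timestamp so you can show how and when it was given, and withdrawal at any time removes what consent allowed. The following is an added example of that pattern, not code from the original article; the `ConsentGate` class, the `analytics` and `advertising` categories, the `session` and `analytics_id` cookie names and the plain-object cookie jar standing in for `document.cookie` are all constructed for illustration.

```javascript
// Added example (not from the original article): a minimal consent gate that
// applies "data protection by default" on a website. No non-essential cookie is
// written until the visitor opts in to its category, each decision is logged
// with a timestamp (the record of how and when consent was given), and
// withdrawing consent deletes the cookies that consent had allowed. The cookie
// jar is a plain object (a constructed stand-in for document.cookie) so the
// example runs in Node without a browser.

// Strictly necessary cookies need no consent; everything else needs a category.
const ESSENTIAL_COOKIES = new Set(['session']);
const CONSENT_CATEGORIES = ['analytics', 'advertising'];

class ConsentGate {
  constructor(jar = {}, now = () => Date.now()) {
    this.jar = jar;               // cookie name -> value
    this.now = now;               // injectable clock for deterministic tests
    this.granted = new Set();     // categories the visitor has opted in to
    this.categoryOf = new Map();  // non-essential cookie name -> category
    this.consentLog = [];         // audit trail of every decision
  }

  // Record an explicit decision. Silence or "continuing to browse" never
  // reaches this method, so the default remains "no consent".
  decide(category, granted) {
    if (!CONSENT_CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    this.consentLog.push({
      category,
      granted,
      at: new Date(this.now()).toISOString(),
    });
    if (granted) {
      this.granted.add(category);
    } else {
      this.granted.delete(category);
      this.purge(category);
    }
  }

  // Opt-out at any time: revoke every category and remove what it allowed.
  withdrawAll() {
    for (const category of CONSENT_CATEGORIES) this.decide(category, false);
  }

  // Write a cookie only if it is essential or its category has been granted.
  // Returns true when the cookie was written, false when consent blocked it.
  setCookie(name, value, category) {
    if (ESSENTIAL_COOKIES.has(name)) {
      this.jar[name] = value;
      return true;
    }
    if (!this.granted.has(category)) return false;
    this.jar[name] = value;
    this.categoryOf.set(name, category);
    return true;
  }

  // Run a third-party loader (an analytics or ad tag) only with consent.
  // Returns true if the loader ran, false if it was blocked.
  loadIfConsented(category, loader) {
    if (!this.granted.has(category)) return false;
    loader();
    return true;
  }

  // Delete every cookie that was written under the given category.
  purge(category) {
    for (const [name, cat] of this.categoryOf) {
      if (cat === category) {
        delete this.jar[name];
        this.categoryOf.delete(name);
      }
    }
  }
}

// Stand-alone demo: blocked before opt-in, allowed after, purged on withdrawal.
if (typeof require !== 'undefined' && require.main === module) {
  const gate = new ConsentGate();
  console.log('before opt-in:', gate.setCookie('analytics_id', 'vis-123', 'analytics'));
  gate.decide('analytics', true);
  console.log('after opt-in:', gate.setCookie('analytics_id', 'vis-123', 'analytics'));
  gate.withdrawAll();
  console.log('after withdrawal:', gate.jar, gate.consentLog);
}
```

Note that the gate only ever grants consent through `decide()`, so a banner that merely informs the visitor cannot produce a consent record, and `consentLog` is what you would persist to answer the question of how and when a visitor consented.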