Regulations & Frameworks
General Data Protection Regulation (GDPR)
Effective May 25, 2018, the General Data Protection Regulation (GDPR) is a European Union (EU) regulation that replaces Directive 95/46/EC and governs the current data protection framework in Europe.
The law has a broad scope that impacts organizations that process the personal data of EU residents, wherever they are located in the world. The regulation is meant to harmonize the EU data protection landscape and protect the rights and freedoms of EU individuals.
Organizations that do not comply with GDPR face heavy fines and penalties. Some violations are subject to up to 4% of the organization’s global annual turnover.
Last Updated: March 12, 2020
What Is GDPR?
The General Data Protection Regulation (GDPR) is one of the world's first data privacy regulations dedicated to online consumer protection; it went into effect in May 2018. It is a far more comprehensive replacement for Directive 95/46/EC, a 1995 directive established to impose restrictions on the processing and movement of personal data. The regulation intends to protect European Union (EU) residents by providing full transparency into how their personal information is gathered and processed.
The regulation focuses on both data privacy and data protection: keeping data safe from potential hackers and breaches, while also letting users choose what personal data they are willing to share.
Companies that handle large amounts of sensitive personal data, public authorities, and organizations with more than 250 employees must employ a data protection officer (DPO) who must ensure GDPR compliance across the organization.
The GDPR imposes heavy penalty fines on organizations that do not comply with the requirements. Some violations are subject to up to 4% of the organization’s annual revenue.
What Is the Definition of Personal Data Under the GDPR?
There are two key parties responsible for adhering to the GDPR and maintaining records under it: the data processor and the data controller. These terms are defined in Article 4.
Data controller: “(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”
Data processor: “(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”
The data controller is the person responsible for managing consent, enabling the data subject’s right to access their personal information, and keeping the records of all requests from data subjects. The data controller will manage the requests, and the data processor is then responsible for removing the data from their servers.
The data controller is responsible for selecting only processors that operate with appropriate technical measures that protect the data in a manner that meets the requirements of the GDPR.
The data processor is also responsible for maintaining records and compliance certifications, or they will be subject to fines and penalties themselves. They are also required to process only the data the data controller has requested, and in the case of a breach they must make the data controller aware as soon as possible.
A data processor is required to keep records of data processing activities if they employ 250 people, process data that could pose a risk to the rights of data subjects, process special categories of data, or process data related to criminal convictions. In the case of a data breach, the processor is also required to notify the supervisory authority in the EU and any affected individuals within a 72-hour period.
Who Is Protected Under the GDPR?
Recital 14 of the GDPR outlines who is protected under the regulation. It applies to “natural persons whatever their nationality or place of residence, in relation to the processing of their personal data.” If a product or service is exchanged with any user in the EU, then the processing of the personal data associated must comply with the GDPR.
The persons protected under the GDPR are also referred to as “data subjects”. Data subjects have a list of rights outlined in the GDPR.
What Are Data Subjects' Rights Under the GDPR?
The data subject has specific rights as outlined in the GDPR. These rights apply to individuals outlined in Recital 14 of the regulation.
Right to be Informed
This right requires transparency from all organizations: they must inform EU citizens about what personal data is being collected at the time of collection, and disclose the purpose of the collection. The information given to the citizen must be concise, transparent, and easily accessible.
Right of Access
Also known as subject access, this right gives citizens or “data subjects” the ability to obtain a copy of any information that an organization holds about them. They should be able to make the request on the website and the organization must respond to all data subject requests.
The organization must provide the data subject with:
- The purpose behind the processing
- The categories of personal data they have collected
- The retention period for storing the data
- The source of the information, or where it was gathered.
Right to Rectification
Article 16 of the GDPR gives individuals the right to rectification: they may request that their data be modified, including updating incomplete or inaccurate information to correct errors.
Right to Erasure
The GDPR outlines the right of the individual to request that their personal data be erased in Article 17.
Individuals can request the deletion of their data under these circumstances:
- The personal data is no longer necessary for the purpose the organization originally outlined.
- The individual withdraws consent from an organization that relies on consent.
- The organization is processing data for direct marketing efforts.
- The data has been processed unlawfully.
- The data of a child has been processed.
Right to Restrict Processing
Individuals have the right to restrict the processing of their personal data under Article 18 of the GDPR. If consumers choose to exercise this right, businesses may continue to store the data, but they may not further use or process it.
Individuals can exercise their right in these circumstances:
- Their data has been unlawfully processed.
- The organization no longer needs the data, but they need the organization to keep it for a legal claim.
- The company is verifying the accuracy of the data.
Right to Data Portability
Individuals have the right to obtain their data and transfer it to a different controller or service. Individuals can exercise this right if the processing is based on consent or on the performance of a contract, or if the processing is carried out by automated means.
Right to Object
Individuals have the right to object to the processing of their personal data at any time under certain circumstances but always if the purpose is for direct marketing.
Individuals have this right if the processing is for a task carried out in the public interest, the exercise of official authority, or of legitimate interest.
GDPR Cookie Consent
Under the GDPR, all consent must be gathered from data subjects and recorded. Additionally, the Court of Justice of the European Union ruled that the only valid consent model for the gathering of personal data is explicit consent. Explicit consent must be given by the user on a website's consent banner. The consent banner cannot have pre-checked boxes giving consent on categories of cookies, except for those deemed strictly necessary.
The individual must be able to withdraw the consent they have given if they so choose. Additionally, the data controller must delete any personal data of individuals when it is no longer necessary for the original stated purpose.
GDPR Cookie Compliance
To remain compliant with the GDPR, if an organization provides services or collects personal data of any user in the EU, they must obtain prior consent.
Prior consent involves describing the extent and purpose of the data processing in easy-to-understand language to the user, before gathering any personal data from the user.
The visitor must be able to find what types of personal data are collected on them on the website at any time. It must also be just as easy for the user to find and change or withdraw the previously given consent.
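The consent rules described above (no pre-checked non-essential categories, strictly necessary cookies always on, withdrawal as easy as consent, every decision recorded) can be enforced in the consent state a banner keeps. The following is an added example and not CookiePro's code; the category names and the `canSetCookie` gate are assumed for illustration.

```javascript
// Added example, not CookiePro's code: a consent record that enforces the
// rules described above. Category names are assumed for illustration.
const CATEGORIES = ["strictly_necessary", "analytics", "marketing"];

function createConsentRecord(now = () => new Date().toISOString()) {
  // Only strictly necessary cookies are on by default: no pre-checked boxes.
  const state = Object.fromEntries(
    CATEGORIES.map((c) => [c, c === "strictly_necessary"])
  );
  const log = []; // audit trail: every decision, with a timestamp and snapshot
  const record = (action, category) =>
    log.push({ action, category, at: now(), state: { ...state } });
  const assertKnown = (category) => {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  };

  return {
    // Initial banner state shown to the visitor.
    bannerDefaults: () => ({ ...state }),
    // Explicit opt-in for one non-essential category.
    grant(category) {
      assertKnown(category);
      if (category === "strictly_necessary") return true; // always on, not selectable
      state[category] = true;
      record("grant", category);
      return true;
    },
    // Withdrawal must be as easy as consent; strictly necessary cannot be withdrawn.
    withdraw(category) {
      assertKnown(category);
      if (category === "strictly_necessary") return false;
      state[category] = false;
      record("withdraw", category);
      return true;
    },
    withdrawAll() {
      CATEGORIES.filter((c) => c !== "strictly_necessary").forEach((c) => { state[c] = false; });
      record("withdraw_all", null);
    },
    isAllowed(category) { assertKnown(category); return state[category]; },
    auditLog: () => log.map((e) => ({ ...e, state: { ...e.state } })),
  };
}

// Gate a cookie-setting call on the recorded consent; unknown categories fail closed.
function canSetCookie(consent, category) {
  return CATEGORIES.includes(category) && consent.isAllowed(category);
}
```

Scripts that set analytics or marketing cookies would call `canSetCookie` before writing, so nothing non-essential is set until the visitor has explicitly opted in.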
Following the rights given to individuals under the GDPR, there is a lot of nuance with how to comply with cookie requirements. Websites must know all the cookies that are present on their website, categorize them, and understand what data the cookies collect.
At a high level, here are the top requirements to obtain cookie compliance through the lens of GDPR and how CookiePro can meet all these requirements:
- Inform visitors and allow them to opt out of the collection of their personal data. Scan your website to identify and categorize the cookies and tracking technologies present on it.
- Build a GDPR-specific web form for data subject requests. Centralize any visitor’s requests for the deletion or updating of their personal information.
- Set deadlines for fulfilling requests to comply with the GDPR-required time frame of one calendar month.
- Verify the data subject's identity and connect the request intake and workflow process to internal systems from start to finish.
- Create a preference center where visitors can opt out of the processing of their personal data, meeting the GDPR requirement to provide the user with an easy-to-find place to choose their consent preferences.