What Is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).
Is my website impacted?
Yes. Your website is impacted.
Individuals, organizations, and companies that control or process personal data are covered by GDPR. GDPR applies regardless of where a website is based: any website that receives visitors from the EU must comply with it.
Compliance and accountability
Businesses covered by GDPR are accountable for how they handle people’s personal information. This includes having data protection policies and relevant documents that describe how data is processed.
In recent years, there have been massive data breaches. They have even affected large corporations like Yahoo, LinkedIn, and MySpace. Under GDPR, the “destruction, loss, alteration, unauthorized disclosure of, or access to” people’s data has to be reported to the country’s data protection regulator where it could have a detrimental impact on the people the data concerns. Such impact can include, but is not limited to, financial loss, confidentiality breaches, and damage to reputation.
Companies with more than 250 employees must keep documentation of why people’s information is being collected and processed, descriptions of the information that is held, how long it is being kept for, and descriptions of the technical security measures in place.
Companies that have “regular and systematic monitoring” of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organizations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers.
There is also a requirement for businesses to obtain consent to process data in some situations. When an organization relies on consent to lawfully use a person’s information, it has to clearly explain what consent is being given for, and there has to be a “positive opt-in”.
Failure to comply with GDPR
Regulators have the ability to fine businesses that don’t comply with GDPR. If an organization doesn’t process an individual’s data in the correct way, it can be fined. If it is required to have a data protection officer and doesn’t have one, it can be fined. If there is a security breach, it can be fined.