The General Data Protection Regulation/Protection of Personal Information (GDPR/POPI) is an EU-wide regulation that controls how companies and other organizations handle personal data. It is the most significant initiative on data protection in 20 years and has major implications for any organization in the world that serves individuals from the European Union.
To give people control over how their data is used and to protect "fundamental rights and freedoms of natural persons", the legislation sets out strict requirements on data handling procedures, transparency, documentation and user consent.
Any organization must keep record of and monitor personal data processing activities
As data controller, any organization must keep a record of and monitor personal data processing activities. This includes personal data handled within the organization, but also by third parties, the so-called data processors.
Data processors can be anything from Software-as-a-Service providers to embedded third-party services that track and profile visitors on the organization's website.
Both data controllers and processors must be able to account for what kind of data is being processed, the purpose of the processing, and to which countries and third parties the data is transmitted. Data may only be transferred to other GDPR-compliant organizations, or to those within jurisdictions deemed 'adequate'.
All consents must be recorded as evidence that consent has been given
No processing of sensitive personal data is allowed without a person's explicit consent. For non-sensitive data, implied consent will do. In either case the consent must be freely given on the basis of clear and specific information about data types and purpose, and always before any processing takes place, also known as 'prior' consent. All consents must be recorded as evidence that consent has been given.
Individuals now have the "right of data portability" and the "right of data access" along with the "right to be forgotten", and can withdraw their consent whenever they want. In such a case the data controller must delete the individual's personal data if it is no longer necessary for the purpose for which it was collected.
In case of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.
Furthermore, GDPR imposes an obligation on public authorities, organizations with more than 250 employees and companies processing sensitive personal data at a large scale to employ or train a data protection officer (DPO). The DPO must take measures to ensure GDPR compliance throughout the organization.
In relation to Brexit, the UK Government plans to implement equivalent legislation that will largely follow the GDPR.
What do we do to get your website GDPR compliant?
There are two aspects to getting the website compliant, namely:
1. Website Cookies
There are two types of cookies: session cookies and persistent cookies. Session cookies are created temporarily in your browser's subfolder while you are visiting a website; once you leave the site, the session cookie is deleted. Persistent cookie files, on the other hand, remain in your browser's subfolder and are activated again when you revisit the website that created them. A persistent cookie remains in the browser's subfolder for the duration set within the cookie file.
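The session/persistent distinction above comes down to whether the Set-Cookie header carries an Expires or Max-Age attribute. The following is an added example, not code from the original page or the agency's own tooling: it parses Set-Cookie headers and classifies each cookie by type, retention period and security attributes, which is the first step of the cookie inventory a site needs for the processing records described earlier. The header values and the reference date are constructed.

```javascript
// Added example (not from the original page): classify Set-Cookie headers as
// session or persistent cookies and compute their retention period, as a
// cookie inventory for a consent banner or processing record would need.

// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? "" : nameValue.slice(eq + 1);
  const attributes = {};
  for (const attr of attrParts) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// A cookie with neither Max-Age nor Expires is a session cookie (dropped when the
// browser session ends); otherwise it is persistent until the expiry. `now` is the
// reference time used to turn an absolute Expires date into a lifetime.
function classifyCookie(header, now = new Date()) {
  const { name, attributes } = parseSetCookie(header);
  let lifetimeSeconds = null;
  if ("max-age" in attributes) {
    // Max-Age takes precedence over Expires when both are present (RFC 6265).
    lifetimeSeconds = Number(attributes["max-age"]);
  } else if ("expires" in attributes) {
    const expires = new Date(attributes["expires"]);
    lifetimeSeconds = Math.round((expires.getTime() - now.getTime()) / 1000);
  }
  const persistent = lifetimeSeconds !== null;
  return {
    name,
    type: persistent ? "persistent" : "session",
    lifetimeDays: persistent ? Math.round(lifetimeSeconds / 86400) : 0,
    // Security attributes a reviewer checks alongside retention.
    secure: "secure" in attributes,
    httpOnly: "httponly" in attributes,
    sameSite: typeof attributes["samesite"] === "string" ? attributes["samesite"] : "not set",
  };
}

// Constructed sample headers, as a site audit might capture them from responses.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "_tracker=xyz; Max-Age=63072000; Path=/; Secure; SameSite=None",
  "prefs=dark; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
];

// Fixed reference date so the Expires-based lifetime is reproducible.
function auditCookies(headers, now = new Date("2024-01-01T00:00:00Z")) {
  return headers.map((h) => classifyCookie(h, now));
}

console.table(auditCookies(SAMPLE_HEADERS));
```

The two-year `_tracker` cookie is the kind that needs a consent decision before it is set, while the `sessionid` cookie is typically strictly necessary; the audit output gives the retention figure that a cookie notice has to disclose.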
2. Website Forms
This covers any contact form that asks the visitor to fill in information such as name, surname, telephone number or email address. A web form or HTML form on a web page allows a user to enter data that is sent to a server for processing. Forms can resemble paper or database forms because web users fill them out using checkboxes, radio buttons or text fields. For example, forms can be used to enter shipping or credit card data to order a product, or to retrieve search results from a search engine. Because the website captures the end user's information, we have to ask the end user for consent to re-use this information and disclose how the website owners wish to use it.
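Putting the consent requirements together for a form: consent has to be an affirmative act, given against a specific notice, before the data is used, and it has to be recorded as evidence. The following is an added example, not code from the original page or the agency's own form handler: a server-side check that refuses to process a submission without valid consent and otherwise produces the consent record to keep. The field names, notice text and sample submissions are constructed.

```javascript
// Added example (not from the original page): gate a contact-form submission on
// explicit, prior consent and build the consent record that serves as evidence.

// The notice shown next to the form, versioned so the record states exactly what
// the user agreed to. Text and purposes are constructed for the example.
const CONSENT_NOTICE = {
  version: "2024-01",
  text: "We use your name, email and phone number to answer your enquiry and, " +
        "only if you tick the box, to send you our newsletter.",
  purposes: ["answer-enquiry"],       // covered by submitting the enquiry itself
  optionalPurposes: ["newsletter"],   // each needs its own box, unticked by default
};

// Returns { ok: true, record } when the data may be processed, or
// { ok: false, reason } when processing must not start.
function processFormSubmission(submission, now = new Date()) {
  const fields = submission.fields || {};
  const missing = ["name", "surname", "email"].filter((f) => !fields[f]);
  if (missing.length) {
    return { ok: false, reason: `missing fields: ${missing.join(", ")}` };
  }
  // Consent must be a positive action by the user; a pre-ticked box does not count.
  if (submission.consent !== true) {
    return { ok: false, reason: "consent not given" };
  }
  if (submission.consentDefaultChecked) {
    return { ok: false, reason: "pre-ticked box is not valid consent" };
  }
  // Prior consent against the current notice: a stale version means the user
  // agreed to a different statement of data types and purposes.
  if (submission.noticeVersion !== CONSENT_NOTICE.version) {
    return { ok: false, reason: "stale consent notice" };
  }
  // Only optional purposes the notice actually lists can be opted into.
  const optIns = (submission.optIns || []).filter((p) =>
    CONSENT_NOTICE.optionalPurposes.includes(p));

  const record = {
    recordedAt: now.toISOString(),
    formId: submission.formId,
    dataSubject: fields.email,
    dataCategories: Object.keys(fields),
    purposes: [...CONSENT_NOTICE.purposes, ...optIns],
    noticeVersion: CONSENT_NOTICE.version,
    noticeText: CONSENT_NOTICE.text,
    method: "web-form checkbox",
  };
  return { ok: true, record };
}

// Constructed sample submissions.
const VALID_SUBMISSION = {
  formId: "contact-us",
  fields: { name: "Jane", surname: "Doe", email: "jane@example.com", tel: "000 000 0000" },
  consent: true,
  consentDefaultChecked: false,
  noticeVersion: "2024-01",
  optIns: ["newsletter", "profiling"], // "profiling" is not offered and is dropped
};
const NO_CONSENT_SUBMISSION = { ...VALID_SUBMISSION, consent: false };

console.log(processFormSubmission(VALID_SUBMISSION, new Date("2024-03-01T09:00:00Z")));
console.log(processFormSubmission(NO_CONSENT_SUBMISSION));
```

The record stores the notice text verbatim rather than a reference to it, so that the evidence still shows what was agreed after the notice is revised; the refusal paths mirror the rules above (affirmative act, no pre-ticked boxes, current notice).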