Overall panic. New rules are coming! Big and small companies must adjust their privacy policies and the way they process and store personal data to the GDPR, the new legal rules. Fines reach €20 million or 4% of annual turnover, which puts real pressure on CEOs all over the EU, or rather all over the world.
Every company or person active online with a site or shop that in some way collects data, whether innocent or not, has to apply the new rules within the European Union. Companies from outside the EU that want to reach the EU market and are active there should comply as well.
We give you short but strong advice on what to keep in mind and implement already now, so you don't get into trouble from May 2018. This article is just a source and not legal advice. We only try to help and make you aware.
First, what does the abbreviation GDPR mean? General Data Protection Regulation. We have no idea who won the prize for the most bureaucratic name ever, but this person really did a great job. Here are some tips.
Explicit Consent Requirement for Data Collection
- Think about all the websites you own that could gather information from users inside and outside the EU. Maybe you own domains you haven't used for a while. Make sure you adjust all of them to these new legal rules.
- Think clearly about your data collection. Under the new rules the purpose must be specific and the data collected minimized. Carefully consider what kind of data you collect and why. There must also be a legal basis: you cannot process personal data just because you want to, without a clear reason. You need a legal purpose that you can explain to a user. The retention period should also be as short as possible ("storage limitation").
- There are certain rights users obtain that you have to be aware of:
  - "Right to access". You should store and organize the data so you are ready to provide users with the information they request. Offer users a means to request access to and view the data you have collected on them. The data has to be provided free of charge, in electronic format, within a period of 40 days. Users can ask whether data is being collected on them, the purpose of the collection and how it is used.
  - "Right to be forgotten". Every user has to be able to erase all their data and their profile themselves, without help from an administrator.
  - "Right to object". A user can prohibit certain uses of their data.
  - "Right to rectification". Users can request that incomplete data be completed or incorrect data be corrected.
  - "Right to portability". Users can request that the personal data one organization holds on them be transferred to another organization.
  - "Breach notification". In case of unauthorized access to personal information you have to notify the affected users immediately, within the next 72 hours, and tell them what happened.
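To make these rights concrete for a developer, here is an added example (not code from this article or from iizt) of the minimal operations a site's user store needs: a machine-readable export for access and portability, self-service erasure, rectification of user-editable fields, an objection flag that is checked before each use, retention-based purging for storage limitation, and the 72-hour breach deadline. The store, the user records and the dates are constructed sample data; `UserRecord`, `PersonalDataStore` and `GDPR_START` are names chosen for this example.

```python
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone

# Date the rules apply (constructed constant for this example).
GDPR_START = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass
class UserRecord:
    """One person's data, each field held only for the stated purpose."""
    user_id: str
    email: str
    name: str
    purpose: str                                     # legal purpose you can explain to the user
    collected_at: datetime
    objections: list = field(default_factory=list)   # uses the user has prohibited
    comments: list = field(default_factory=list)     # e.g. comments they left on the site


class PersonalDataStore:
    """In-memory stand-in for a site's user database (constructed for this example)."""

    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)   # storage limitation
        self.users: dict = {}

    def register(self, rec: UserRecord) -> None:
        self.users[rec.user_id] = rec

    def export_user(self, user_id: str) -> str:
        """Right to access / portability: everything held, as machine-readable JSON."""
        rec = self.users[user_id]
        data = asdict(rec)
        data["collected_at"] = rec.collected_at.isoformat()
        return json.dumps(data, sort_keys=True)

    def rectify(self, user_id: str, **fields) -> UserRecord:
        """Right to rectification: correct or complete the listed fields only."""
        rec = self.users[user_id]
        for name, value in fields.items():
            if name not in ("email", "name"):
                raise ValueError(f"{name} is not a user-editable field")
            setattr(rec, name, value)
        return rec

    def object_to(self, user_id: str, use: str) -> None:
        """Right to object: record a use the user has prohibited."""
        rec = self.users[user_id]
        if use not in rec.objections:
            rec.objections.append(use)

    def may_use_for(self, user_id: str, use: str) -> bool:
        """Check before every processing step, not only at collection time."""
        return use not in self.users[user_id].objections

    def erase(self, user_id: str) -> bool:
        """Right to be forgotten: self-service, no administrator in the loop."""
        return self.users.pop(user_id, None) is not None

    def purge_expired(self, now: datetime) -> list:
        """Storage limitation: drop records older than the retention period."""
        expired = [uid for uid, r in self.users.items()
                   if now - r.collected_at > self.retention]
        for uid in expired:
            del self.users[uid]
        return expired


def breach_notification_deadline(detected_at: datetime) -> datetime:
    """Latest moment to send the 72-hour breach notification."""
    return detected_at + timedelta(hours=72)


def build_sample_store() -> PersonalDataStore:
    """Constructed sample users (not real people) for trying the functions out."""
    store = PersonalDataStore(retention_days=365)
    store.register(UserRecord("u1", "alice@example.org", "Alice", "newsletter",
                              datetime(2018, 1, 10, tzinfo=timezone.utc)))
    store.register(UserRecord("u2", "bob@example.org", "Bob", "shop order",
                              datetime(2016, 3, 1, tzinfo=timezone.utc),
                              comments=["Great product"]))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.export_user("u1"))
    s.object_to("u1", "marketing")
    print("may use for marketing:", s.may_use_for("u1", "marketing"))
    print("purged:", s.purge_expired(GDPR_START))
    print("erased u1:", s.erase("u1"))
    print("notify by:", breach_notification_deadline(GDPR_START).isoformat())
```

The point of the design is that every right maps to one operation a user can trigger without an administrator, and that `may_use_for` is consulted at processing time, so an objection recorded today stops tomorrow's mailing rather than only future sign-ups.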
Wondering in which ways your site might collect personal data? Some usual ways in which a standard website collects it:
- Registrations of users
- Comments left by users
- Contact form entries
- Security tools and plugins
- Other logging tools and plugins
Do you need any help implementing GDPR? Contact iizt for further advice.
You're always welcome at Prinseneiland. Call us and reserve time for a first date: 020-6933131, or mail firstname.lastname@example.org.