General Data Protection Regulation (GDPR)

As you may of all seen in the news etc. GDPR was adopted on 14th April 2016, and became enforceable on the 25th May 2018. Now because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.

What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of individuals (formally called data subjects in the GDPR) inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymization or full anonymization, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.

A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, how long data is being retained, and if it is being shared with any third-parties or outside of the EU. Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.

What about the UK and Brexit?
With the UK scheduled to leave the EU in 2019, the UK granted royal assent to the Data Protection Act 2018 on 23rd May 2018, which contains equivalent regulations and protections.

If this is something that may affect you, you can read more Here!

There is also an interesting article produced by the ICO HERE (PDF File) which is an overview of the GDPR

Want an easy way to get your site GDPR ready?
Go visit the people at Cookiebot. They have a really simple process to check your website and then give you the tools for visitors consent. They will surely get you on your way but as websites differ so much you may need to check if any additional checks, policies etc. are required
Click HERE to visit Cookiebot’s Website

Address Book