GDPR compliance: An overview and checklist


Most active websites on the internet rely on cookies, and chances are that the website where you found this article has already set a few cookies in your browser.

Though some cookies are essential for making a website function properly, most of them are statistic and marketing cookies that are used for business-development purposes.

On May 25th, 2018, the most significant data privacy law in 20 years was enforced: The General Data Protection Regulation (GDPR). The GDPR was created to give individuals control over how their data is used and to protect their rights. In addition, it was also created to set strict regulations for how website owners handle personal information collected from their visitors. Keep reading for a short introduction to cookies, the GDPR, and how to become compliant.

What are cookies?

Cookies are a type of tracking technology designed to collect information about website users. Cookies were developed in the early 90s, and their name was inspired by fortune cookies, as both kinds of cookie share a similar concept: they are both structures that carry a message.

Cookies can be separated into four categories: necessary cookies, preference cookies, statistic cookies, and marketing cookies. Necessary cookies enable basic functionality and are thus essential for a website to operate. Preference cookies let websites remember your preferred settings, e.g., language. Statistic cookies collect and report user data anonymously; their purpose is to help website owners analyze and understand how visitors engage with their websites. Lastly, marketing cookies are used to track end-users across websites, so that they can be targeted with relevant ads.

Cookies can collect everything from seemingly trivial information, such as the technical specifications of a device, to very sensitive information, such as sexual orientation. Despite this, cookies are not an evil technology: they are nothing but small text files that hold bits of data. It is what can be done with that data that is up for moral discussion.

What is the GDPR?

The General Data Protection Regulation (abbreviated to GDPR) is a data privacy law that regulates how companies and organizations manage personal data. The purpose of the GDPR is to give end-users control over how their data is used and to hold companies and organizations accountable for their data handling procedures.

As such, the GDPR sets strict conditions for transparency, documentation, and user consent. The GDPR applies to every website that has visitors from the EU; the organization behind the website does not need to be physically located within the borders of the EU.

If the GDPR applies to your organization and you fail to become compliant, you risk hefty fines of up to €20 million or 4% of your organization's global yearly turnover, whichever is higher. The GDPR has been enforced since May 25th, 2018.

How do I become compliant?

If your website falls under the regulations of the GDPR, you should take action immediately to become compliant. By protecting your users' privacy, you also protect your own business from fines and reputational damage. The following six steps describe the actions that must be taken in order to become GDPR compliant.

Step 1: Get prepared

Present stakeholders across your organization with the requirements of the GDPR. Define principles for cyber security and privacy by design. If your organization employs 250+ people, you are obligated to assign a Data Protection Officer (DPO).

Step 2: Assess your data

Get an overview of where all your data is, including who has access to it and on which devices it is stored. Find out where personal information is processed, including by third-party processors. Document the lawful basis for each kind of data processing and update your privacy policy with this information.

Step 3: Assess service providers

Ensure that service partners are also compliant with the GDPR. You are not only responsible for your own organization being GDPR compliant; you must also make sure that your partners follow the regulations of the GDPR.

Step 4: Get consent from users

Put in place mechanisms for obtaining and recording consent, e.g., an automated cookie consent popup. You must always provide options for users to withdraw or change their consent.

Step 5: Formulate procedures for responding to data rights

Establish procedures that enable your organization to handle privacy requests, e.g., requests for data deletion, from both customers and employees.

Step 6: Formulate a plan for data breaches

Establish procedures to detect, investigate, and report data breaches in order to meet the GDPR's 72-hour deadline for notification.