
Overview and checklist


Most websites on the internet use cookies, and it is very likely that the website where you found this article has placed some cookies in your browser.

While some cookies are necessary to make a website work properly, most of them are statistical and marketing cookies used to support the site owner's business development.

On May 25th, 2018, the most important data privacy law in 20 years was implemented: the General Data Protection Regulation (GDPR). GDPR was created to give individuals control over how their data is used and to protect their rights. It was also created to set out strict regulations on how website owners handle personal information collected from their visitors. Keep reading for a short introduction to cookies, GDPR, and compliance.

What are cookies?

Cookies are a type of tracking technology designed to collect information about website users. Cookies were developed in the early 90s and their name is inspired by fortune cookies, as both types of cookies share the same concept: both are structures containing a message.

Cookies can be divided into four categories: essential cookies, preference cookies, statistics cookies and marketing cookies. Essential cookies enable basic functions and are therefore essential for a website to function. Preference cookies allow websites to remember your preferred settings, e.g. language. Statistics cookies collect and report user data anonymously. Their purpose is to help website owners analyze and understand how their visitors interact with websites. Finally, marketing cookies are used to track end users across websites. The purpose of this is to carry out targeted advertising through relevant ads.

Cookies can collect everything from seemingly trivial information like the specifications of a device to highly sensitive information like sexual orientation. Even so, cookies are not a bad technology, as they are nothing more than small text files that collect bits of data. It is what you can do with the data that is up for ethical discussion.

What is GDPR?

The General Data Protection Regulation (GDPR for short) is a data privacy law that regulates how companies and organizations manage personal data. The purpose of GDPR is to give end users control over how their data is used and to hold companies and organizations accountable for how they process data.

As a result, GDPR places strict conditions on transparency, documentation, and user consent. GDPR applies to any website that has visitors from the European Union, even if the organization behind the site is not actually within the borders of the European Union.

If GDPR applies to your organization and you don’t comply, then you risk a hefty fine of up to €20 million or 4% of your organization’s global annual revenue. GDPR was implemented on May 25th, 2018.

How do I become compliant?

If your website is subject to GDPR regulations, you should take immediate action to comply. By protecting user privacy, you also protect your business from fines and reputational damage. The following 6 steps describe the actions that must be taken to comply with GDPR.

Step 1: Prepare

Introduce your organization’s stakeholders to the requirements of the GDPR. Create principles for cybersecurity and privacy design. If your organization employs more than 250 people, you are obligated to appoint a Data Protection Officer (DPO).

Step 2: Evaluate your data

Get an overview of where all your data is, including who has access to it and on what devices. Find out where personal information is processed, including by third-party processors. Write down your legitimate reasons for processing data and update your privacy policy with this information.

Step 3: Evaluate service providers

Ensure that service partners are also GDPR compliant. You are responsible not only for your own organization’s compliance with the GDPR, but also for ensuring that partners comply with GDPR regulations.

Step 4: Get consent from users

Set up methods for obtaining and recording consent, e.g. through an automated cookie consent pop-up. You should always provide options to revoke or change consent.

Step 5: Build a data rights response process

Establish procedures to enable your organization to handle privacy inquiries, e.g. data deletion, from both customers and employees.

Step 6: Make a plan to handle data breaches

Establish procedures to detect, investigate, and report data breaches to meet the GDPR’s 72-hour notification deadline.




