A directive a European Union has started to make waves among website owners, bloggers and especially among companies that own online shops or other platforms that involve collect, storage si data manipulation cu personal character / confidential user.
What is GDPR (General Data Protection Regulation)?
introduction GDPR (General Data Protection Regulation) from 25 to 2018, implies major changes in terms of the storage of personal data and its handling by organizations and companies. By all accounts, the new regulation requires strict rules for companies and individuals who store personal data of customers, users or business partners, etc. people interacting. The law applies both online and "offline", offering more transparency and control from people whose data is stored and processed.
With the introduction of GDPR, any person has the right to know if a company processes their personal data, the purpose for which they are used si how to secure these data in order not to reach third parties or entities. At the same time, people are given access to stored information with the possibility modification thereof or even deletion.
GDPR: Consent on data storage and the purposes for which it will be used
According to GDPR, people need to be well informed when they give their consent to data processing. The processor has to inform the person both the data that will be stored and the consent for each data sphere. A best example is the consent form sent by Orange Romania to the company's clients. Is required the agreement is out of place if personal data can be used in marketing purposes, for sending offers from the company, sending offers from partners and collaborators, market studies, etc.
Before the GDPR, things were completely different. A simple tick put by default they allowed the processor to use our personal data for whatever purposes it wanted without being held accountable.
If you have been in a situation to be contacted by N firms health insurance or other types of insurance after you have open account with a bank, this will not happen after GDPR's entry into force unless you specifically specify that you want offers from the bank's collaborators and partners. If you have given your consent and after a while you have changed your mind, the processor must provide support by which you can withdraw it very easily at any time.
In the next period, banks will also have to send notifications to all clients asking them to store and process their personal carriage data.
Same Consent must also be obtained from online stores, websites that store personal information, forums, or other online platforms that involve the storage of user data.
If we take the case online, first and foremost, even if you do not own the online store, you will be informed from the first time about your stored data. Types of HTTP cookies retained by website, codes tracking online behavior (Google Analytics, Google AdSense, Facebook, etc.) logs in which your IP is stored and other information about everything related to your identity online.
When choosing to order a product, the company that owns the online store will not ask for it more personal data than needed to process your order and will not use your email address or phone number in marketing purposes if you do not get your consent for these practices. If you created an account when you made an order, you have the right to access your personal account information at any time, modify it or delete it.
Subscribe to newsletters it will be done only with the explicit consent of the user, with the option of unsubscribing at any time.
Another important requirement of GDPR is the period during which personal data can be stored. It can no longer be stored indefinitely as it used to be, but over an exact period of time.
GDPR: Security of personal data
GDPR places great emphasis on privacy of users' privacy. The company must ensure high security standards based on the sensitivity of stored data. Pseudonymization, encryption and clear appointment of staff who will have access to personal data. The company will notify the authorities of the persons designated to process and manipulate personal data. also, preudonimizarea involves the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical measures and the organization to ensure the non-attribution of the respective personal data to an identified or identifiable natural person.
In the case of a security breaches, the company will announce within 72 hours both the authorized authorities and the persons affected by this information leak. An Impact Report will also be carried out assessing the risks and damages to persons whose information has been stolen / evaded to third parties.
DPO - Data Protection Officer
As many girls have known so far, "DPO" no longer means "Days Past Ovulation" but "Data Protection Officer." The name sounds very pompous, but all companies must designate one DPO which will make sure the data is correctly collected, stored, used for the purposes for which the consent was obtained and that they are kept safe. Basically, this DPO must ensure that the organization that contracted it agrees with the norms imposed by GDPR. He will also be the liaison between the organization and the state control authorities.
Who can be DPO? Well, from what we understand, the DPO can not be a person inside the company because it is a conflict of interest. I need to have a person outside the company, to have a thorough knowledge of European legislation, internal legislation and IT data storage techniques. He may be an IT lawyer or a server administrator who learns legislation.
Regarding DPO / GDPR, many companies "specialized" in this legislation appeared online overnight. Some with "experience" for years in implementing regulations that did not even exist until 2016.
Greater attention should be given to companies that receive such offers from these firms or people who recommend them as GDPR and DPO experts. Most are just created to speculate this new regulation for revenue-enhancing purposes. So beware if you represent a company and you have received such offers.
Sanctions in case of non-compliance with GDPR regulations
Sanctions apply equally to all countries within the European Union area by the competent administrations of each country. These sanctions will be applied gradually depending on the severity and impact of non-compliance with the GDPR regulation. As far as we can see, these sanctions can go up to 4% of your turnover of the company targeted by the sanction. Sanctions may be appealed and may be the subject of legal proceedings.
GDPR online - Blogs, Online Stores or other websites
- Who owns the website or the online store
- What personal data are collected and why they are collected
- Cookies - the cookies used by the web site are listed, including those of the social and analysis networks. (Facebook, Google Analytics, Twitter, etc.)
- Who are the third parties who have access to personal data and for what purposes?
- The contact details of the company owning the web site / online store
- The amount of time that personal data is stored
- Simple methods for users to delete or export their personal data on the site
- How is personal data stored?
- Rights and obligations of users
Regulation (EU) 2016 / 679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95 / 46 / CE (General Regulation on data protection) (Text with EEA relevance) - EUR-LEX.EU.
What are personal data
Any information by which a natural person becomes identifiable, such as: name, phone number, e-mail address, location, computer / smartphone / tablet IP address, network card MAC address, physical, physiological, genetic elements , mental, economic, cultural, social, political and others.
If you have any further questions or concerns about GDPR, you can leave us comments.