How do we implement GDPR on the website / blog / online store and what GDPR must contain

Let's see how we implement GDPR on an online store or website, following the European Union regulation that has made waves among owners of websites and blogs, and especially among companies that run online shops or other platforms that involve collecting, storing and handling personal / confidential user data.

What is and how do we implement GDPR (General Data Protection Regulation)?

The introduction of GDPR (General Data Protection Regulation) from 25 May 2018 implies major changes in how personal data is stored and handled by organizations and companies. By all accounts, the new regulation imposes strict rules on companies and individuals who store the personal data of customers, users, business partners or any other people they interact with. The law applies both online and "offline", offering more transparency and control to the people whose data is stored and processed.
With the introduction of GDPR, any person has the right to know whether a company processes their personal data, the purpose for which it is used and how the data is secured so that it does not reach third parties or other entities. At the same time, people are given access to the stored information, with the possibility of modifying it or even deleting it.

GDPR: Consent on data storage and the purposes for which it will be used

According to GDPR, people need to be well informed when they give their consent to data processing. The processor must tell the person which data will be stored and obtain consent separately for each category of processing. A good example is the consent form sent by Orange Romania to the company's clients: a separate agreement is required if personal data may be used for marketing purposes, for sending offers from the company, for sending offers from partners and collaborators, for market studies, etc.

How we implement GDPR

Before the GDPR, things were completely different. A simple checkbox ticked by default allowed the processor to use our personal data for whatever purposes it wanted, without being held accountable.
If you have ever been contacted by N health insurance firms or other types of insurers after opening an account with a bank, this will no longer happen after GDPR's entry into force unless you specifically state that you want offers from the bank's collaborators and partners. If you have given your consent and after a while you change your mind, the processor must provide a way for you to withdraw it very easily at any time.
In the coming period, banks will also have to send notifications to all clients asking for their consent to store and process their personal data.

The same consent must also be obtained by online stores, websites that store personal information, forums, or other online platforms that involve the storage of user data.
Taking the online case first and foremost: even if you do not own the online store, you will be informed from the first visit about the data stored about you. The types of HTTP cookies retained by the website, the codes tracking your online behaviour (Google Analytics, Google AdSense, Facebook, etc.), and the logs in which your IP and other information related to your online identity are stored.
When you choose to order a product, the company that owns the online store will not ask for more personal data than is needed to process your order, and will not use your e-mail address or phone number for marketing purposes if it does not have your consent for these practices. If you created an account when you placed an order, you have the right to access your personal account information at any time, modify it or delete it.
Subscribing to newsletters will be done only with the explicit consent of the user, with the option of unsubscribing at any time.
Another important requirement of GDPR is the period during which personal data can be stored. It can no longer be stored indefinitely as it used to be, but only for a defined period of time.

GDPR: Security of personal data

GDPR places great emphasis on the privacy of users. The company must ensure high security standards appropriate to the sensitivity of the stored data: pseudonymization, encryption and a clear appointment of the staff who will have access to personal data. The company will notify the authorities of the persons designated to process and handle personal data. Pseudonymization means processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organizational measures that ensure the personal data is not attributed to an identified or identifiable natural person.
In the case of a security breach, the company must notify, within 72 hours, both the competent authorities and the persons affected by the information leak. An impact report will also be carried out, assessing the risks and damages to the persons whose information has been stolen or leaked to third parties.
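As an added illustration (not code from the original article), the following Python sketch shows pseudonymization the way the paragraph above describes it: a keyed hash replaces the direct identifiers in the working records, the key and the re-identification table live in a separate store, and a fixed retention period is enforced on the working records. The sample orders, the key value and the function names are constructed for this example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample data: two orders as an online store might hold them.
RAW_ORDERS = [
    {"order_id": 1001, "email": "ana@example.com", "ip": "203.0.113.7", "date": date(2018, 5, 25)},
    {"order_id": 1002, "email": "ion@example.com", "ip": "198.51.100.42", "date": date(2018, 9, 1)},
]

# The HMAC key is the "additional information" GDPR refers to: it belongs only in
# the separate, access-controlled store, never next to the pseudonymized records.
# Fixed here so the example is reproducible; generate it with secrets.token_bytes(32).
SEPARATE_KEY = b"constructed-example-key-replace-with-random-bytes"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of an identifier. The same input always yields the same token
    (so analytics and de-duplication still work), but without the key the token
    cannot be reversed or confirmed by guessing: a plain SHA-256 of an e-mail or
    IP address would not be a real pseudonym, because those values are easy to enumerate."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_orders(orders, key):
    """Split each order into a working record that carries no direct identifiers
    and a re-identification entry that stays with the key in the separate store."""
    working, lookup = [], {}
    for order in orders:
        token = pseudonym(order["email"], key)
        working.append({"order_id": order["order_id"], "customer": token,
                        "ip": pseudonym(order["ip"], key), "date": order["date"]})
        lookup[token] = order["email"]
    return working, lookup


def purge_expired(working, today, retention_days):
    """Enforce a fixed retention period: drop working records older than the limit."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in working if r["date"] >= cutoff]


def reidentify(token, lookup):
    """Only whoever holds the separate store (and therefore the key) can map back."""
    return lookup.get(token)
```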

DPO - Data Protection Officer

As many girls have known until now, "DPO" no longer means "Days Past Ovulation" but "Data Protection Officer." The name sounds very pompous, but every company must designate a DPO who will make sure that data is correctly collected, stored, used only for the purposes for which consent was obtained, and kept safe. Basically, the DPO must ensure that the organization that contracted them complies with the rules imposed by GDPR. The DPO will also be the liaison between the organization and the state control authorities.

Who can be a DPO? Well, from what we understand, the DPO cannot be a person inside the company, because that would be a conflict of interest. It needs to be a person outside the company, with a thorough knowledge of European legislation, domestic legislation and IT data storage techniques. It can be an IT-savvy lawyer or a server administrator who learns the legislation.
Regarding DPO / GDPR, many companies "specialized" in this legislation appeared online overnight. Some with years of "experience" in implementing regulations that did not even exist until 2016. That is why it is useful to see for ourselves how we implement GDPR on a website.
Greater attention should be paid by companies that receive such offers from these firms, or from people who recommend them as GDPR and DPO experts. Most were created only to exploit this new regulation for revenue. So beware if you represent a company and have received such offers.

Sanctions in case of non-compliance with GDPR regulations

If we do not know how to implement the GDPR on a website, sanctions are applied equally in all countries of the European Union by the competent administration in each country. These sanctions will be applied gradually, depending on the severity and impact of the non-compliance with the GDPR regulation. From what we understand, these sanctions can reach up to 4% of the turnover of the company targeted by the sanction. Sanctions may be appealed and may be the subject of legal proceedings.

GDPR online - Blogs, Online Stores or other websites

A recent WordPress update aims to bring into compliance everyone who uses this platform for their online presence. Every website that stores personal data must have a "Terms and conditions" page and a "Privacy policy" page that inform users of the following:

  1. Who owns the website or the online store
  2. What personal data are collected and why they are collected
  3. Cookies - the cookies used by the website are listed, including those of social networks and analytics services (Facebook, Google Analytics, Twitter, etc.)
  4. Who are the third parties who have access to personal data and for what purposes?
  5. The contact details of the company owning the web site / online store
  6. The amount of time that personal data is stored
  7. Simple methods for users to delete or export their personal data on the site
  8. How is personal data stored?
  9. Rights and obligations of users

All the points above should be covered by every website in its "Privacy policy" section.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) - EUR-LEX.EU.

What are personal data

Any information by which a natural person becomes identifiable, such as: name, phone number, e-mail address, location, the IP address of a computer / smartphone / tablet, the MAC address of the network card, and physical, physiological, genetic, mental, economic, cultural, social, political and other elements.

If you have any additions or concerns about how we implement GDPR, you can leave us comments.

Passionate about technology, I have enjoyed writing on StealthSettings.com since 2006. I have extensive experience with operating systems (macOS, Windows and Linux), as well as with programming languages, blogging platforms (WordPress) and online store platforms (WooCommerce, Magento, PrestaShop).


2 thoughts on "How do we implement GDPR on the website / blog / online store and what GDPR must contain"

  1. It is, however, very unclear who is responsible, and to what extent, for a simple blog hosted on platforms such as wordpress.com, blogspot.com (or even blogspot.ro, for a while) etc.
    Keep in mind:
    - the site is wordpress.com (for example - which is ONLY American)
    - any_name.wordpress.com IS A SUBDOMAIN !!!
    WordPress makes progress but, on top of that, gives the "owner" of the blog the IP address of a commenter !!! (as, by the way, you can see mine too). Even the e-mail address - what do you need to do?

    So what is it?

    • Hello! I do not think WordPress provides the IP address of the users; the server does. The WordPress code does nothing but pull a query from the server.
      Obviously, a user cannot access a website if there is no interaction between their computer and the host server, an interaction based on IP addresses.
      I didn't quite understand what the idea was about wordpress.com and subdomains, but I will answer your question about the e-mail address and why it is necessary for the IP to be visible to the "owner".
      1. The e-mail address is required for a conversation. If you did not enter your e-mail address, you would no longer be notified that I was responding. As long as I do not sell it, do not send newsletters and do not disclose the e-mail address to a third party, I do not see it as a problem.
      We will update our privacy policies soon.
      2. The IP address automatically appears in server logs for all visitors, whether human visitors or robots / bots.
      It is very useful for limiting access by bad people or malicious software and for determining the source of unwanted incidents.
      PS. No one requires you to use a personal e-mail or real-life e-mail address on your sites.
      PS2. I think someone needs to be answerable if they violate codes of practice and the anti-spam policy. :)
