GDPR Requirements in layman's language

Last Update: May 20, 2018

GDPR requirements, step-by-step explanation

The GDPR (General Data Protection Regulation) law and how it impacts you

"The GDPR law is in operation from May 25th, 2018"

The European Union has approved a new privacy law for its citizens: the GDPR. Everyone who wants to do business inside the borders of the EU has to inform their EU visitors about the way they place cookies and track data.

The consequences of the GDPR are complex. For that reason, I have divided the steps to be taken into three groups. Each group in turn consists of areas for which a company must have an answer in order to meet the demands arising from the GDPR.

Organizational measures

The GDPR requires organizations that process personal data to take measures that significantly reduce the risk of a data breach. You must also be able to show which measures you have taken. The measures include:

  • Privacy Impact Assessments
  • Audits
  • Follow-up policy rules
  • Logging of activities
  • The appointment of a Data Protection Officer (DPO)

The GDPR requires certain organizations to appoint a Data Protection Officer.

This can be an existing employee or an external consultant who bears the responsibility.

For example, if your organization manages a large customer base, you will have to appoint a Data Protection Officer. The GDPR expects the national authority to provide assistance in determining the job requirements.

The designated officer is responsible for testing how the organization deals with data against the GDPR, for advising on the measures to be taken, and for determining when and how a Privacy Impact Assessment should be carried out. In addition, the officer is the first point of contact for the Data Protection Authority on behalf of the organization.

One-stop shop

The concept of a one-stop shop ensures that an organization with several branches in the EU has to deal with only one Personal Data Authority.

Processes, procedures, and policies

The GDPR defines a data leak as "a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that has been transmitted, stored or otherwise processed".

This is a broader definition than before and makes no distinction as to whether a data leak harms the individual or not. Every organization is obliged to inform the Authority for Personal Data of a data leak within 72 hours of its discovery.

Organizations are exempt from reporting the leak to data subjects, provided sufficient technical and organizational measures have been taken to protect the personal data, such as encryption.

Privacy by Design

Complying with the GDPR means implementing privacy by design in the development of new processes and products in which the collection or processing of personal data plays a role. Where this was previously a best practice, privacy by design is now a requirement.

Privacy Impact Assessment

A Privacy Impact Assessment aims to test the technical and organizational measures taken by an organization against the GDPR requirements.

According to the GDPR, a PIA is a formal requirement; the controller must ensure that a PIA has been executed before it starts a process or activity with a high privacy risk.

International Data Exchange

Internationally operating organizations should, where necessary, tighten their policy and processes for exchanging data with non-EU countries. The rules for the processing or exchange of data with jurisdictions that are not recognized by the European Commission have been considerably tightened.

Awareness of data protection

Internal staff

There is still plenty of time, but start creating awareness about the GDPR and its stricter guidelines throughout the organization soon. The transparent processing of personal data and the adjusted rights of the individual may require adjustments that can have a significant impact on financial and IT processes. Training staff can contribute to this awareness.

Responsibility - technical measures

Technical

The GDPR obliges the responsible person to demonstrate that the organization complies with the data security principles. It is important that an organization pursues a clear policy with which the required standards are met. The requirements include monitoring, reviewing and testing data processing procedures, safeguarding processes, and ensuring that employees are trained to handle personal data with care. An organization must at all times be able to present the measures it has taken when requested by the European Data Protection Authority.

Data Leak - Technical Measures

A data breach must be reported to the Data Protection Authority within 72 hours of its discovery. Good preparation for a possible data leak includes drawing up clear policy measures and regularly testing procedures.

Failure to report a leak within the set term may result in a fine in addition to a possible fine for the data leak itself.

More rights for those involved - technically

The GDPR strengthens the rights of data subjects, for example by giving a person the right to view, have corrected, or even delete the data that is processed about him.

Access for data subject

One of the main goals of the GDPR is to protect the rights of the individual. For an organization, this results in adapting or adding procedures for processing access requests to the personal data of data subjects.

In most cases, an organization will not be able to charge a fee for providing access to the data and must comply with such a request within one month.

The right to be forgotten (The right to delete information)

This right gives individuals the possibility to request that the controller and any processors delete their personal data without undue delay. This request must be granted where the processing itself is in question or when an individual withdraws consent to the processing.

Third parties who have insight or access to the personal data of data subjects must also comply with this request.

Automated profiling

The GDPR defines profiling as "any form of automated processing of personal data used to evaluate personal aspects, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements." Nevertheless, there is some ambiguity about the way in which an individual can challenge automated decision-making based on profiling.

Data portability

The GDPR introduces a new right to data portability, which means that an individual can request the personal data that is processed automatically. The processor will have to provide this information in a machine-readable format.

Right to object

As part of strengthening the rights of the individual, the European Commission has agreed to restrict the processing of personal data for marketing purposes. This also includes limiting profiling activities with a marketing goal.

If an individual objects, the organization will immediately have to stop processing their personal data. In addition, the contact details of the individual must be kept on an internal list.

Organizations are obliged to inform individuals about their rights regarding the processing of personal data.

Communicate privacy info

Permission

Obtaining consent from an individual for the processing of his or her personal data should be as simple as withdrawing that consent. Consent or withdrawal cannot be inferred from silence, pre-ticked boxes or inactivity.

Parental permission

The GDPR requires that organizations obtain permission from parents before they can process the personal data of minors.

Notification of processing

The introduction of the GDPR means that many organizations will have to share more information with the individuals whose personal data they process. The information that must be shared includes, among other things, the legal basis for the processing, the retention period, and the individual's right to lodge a complaint with the European Data Protection Authority if there are problems with the processing of their personal data. The GDPR requires concise and clear language in the communication to the owners of the personal data.

Data security (integrity and confidentiality)

The GDPR uses data security principles similar to those in the current directive, such as lawfulness, fairness and transparency; purpose limitation; data minimization; data quality; security, integrity and confidentiality.

You must ensure that personal data are processed in a manner that ensures security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage: "The organization and the service provider that processes personal data on behalf of the organization take appropriate technical and organizational measures that guarantee a minimum level of security appropriate to the risks".

The GDPR proposes a number of security measures that can be used to ensure the protection of data, including:

  • pseudonymization and encryption of personal data;
  • ongoing confidentiality, integrity, availability and resilience of the systems and services with which personal data are processed;
  • the ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures to ensure the proper processing of personal data.

Encryption

The GDPR specifies encryption as a solution that can help to ensure compliance with some of its obligations. The regulation says the following about this:

Article 32 - Security of processing

"1. Taking into account [...] the costs of implementation [...], the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data [...]"

Article 34 - Communication of a personal data breach to the data subject

"3. The communication to the data subject [...] shall not be required if any of the following conditions are met: (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption [...]"

What does this mean for you?

A few questions:

  • Is your website accessible to European visitors?
  • Does your website track data?
  • Does your website place cookies?

That is 3x YES

The Internet doesn't stop at the border of the European Union

Your website is tracking data

  • Google Analytics is tracking data
  • Google Adsense is tracking data
  • Almost all plugins are tracking data
  • Autoresponders, like Aweber, and MailChimp are tracking data

Yes, your website is placing cookies

  • Wealthy Affiliate is placing cookies
  • Your affiliate programs are placing cookies

Your responsibility according to the GDPR Requirements

Inform your visitors of which data you are tracking, and that you are placing cookies

There are GDPR plugins you can activate to help you meet the GDPR requirements.

WordPress guide for editing your privacy policy

GDPR Cookie Policy Generator (ToLiNoLi)

EU Cookie Law Plugin For The GDPR Settings

Google Analytics GDPR Acceptance Walk Through

StefanoV suggested: https://www.cookiebot.com/en/

Send me a PM if you need a Dutch GDPR privacy policy!

Recent messages
ChristinaAsh Premium
Should we be using the one listed in the EU cookie plugin for GDPR settings, or the GDPR cookie policy generator, or does one work, or do we need both? Sorry, but I'm just confused. I got most of the other stuff out of the way tonight, but these confuse me.
Reply
Loes Premium
As an EU citizen you need both: the GDPR one is automating your log files and is required for everybody; the EU cookie law plugin gives a pop-up warning that your website is using cookies, which is obliged in the EU and advised outside the EU.
Reply
ChristinaAsh Premium
Thanks so much.
Reply
Dunvant Premium
I am still so confused about what we as WA members have to do.

Privacy Policy - Do we wait for Kyle and Carson to do the revised Privacy Policy and then add it to our website?

GDPR - Do we get the plugin that has been recommended and put it on our website?

I know loads of questions and answers have been done, but I am still confused after reading them.
Reply
Loes Premium
I understand. There is a Privacy Policy guide on the WP dashboard in the latest version, a very handy guide; I would start with that. When it's not on top, it's under Settings > Privacy.
Reply
Dunvant Premium
Thank you, you are so knowledgeable
Reply
mrschippy Premium
This was so SUPER helpful Loes, big thank you. As I understand it, the new rules extend to comments as well, since comments are stored on your website and qualify as personal data.

However, if you update to the latest edition of WordPress, it seems to have a new feature built in which covers this, as there is now a checkbox which the user has to select to agree to their name, email and website being saved...

What a palaver....!
Reply
Loes Premium
You will find a WordPress guide in your tools, which you can use to edit your privacy policy:)
Reply
ChrisTowers Premium
Hi Loes.. what exactly is it that needs to be incorporated into our privacy policies?

Is it all this information above? Maybe place a link to it within our privacy policy .. and copy and paste your information here into a new page and make it No Index?

Am I on the right track?

Thanks

Chris
Reply
Loes Premium
Yes, you are heading towards it, but this info doesn't cover it. When you use the cookie generator ToLiNoLi (Stefan) is supplying to edit your privacy policy or add a GDPR page, and use the Cookie Law plugin, I believe that you are on the right way.
Reply
ChrisTowers Premium
OK yes... I have activated this plugin... it is in place... but I need to know what info to incorporate into the privacy policy.
Reply
Loes Premium
When you check the appropriate boxes in this generator, https://cookiepolicygenerator.com/, you get exactly the parts which are missing from your current policy.
For example, when you are using AdSense, it should be mentioned.
Reply
ChrisTowers Premium
Ok great thanks Loes :)
Reply
ChrisTowers Premium
OK .. Last one :) .. I think I have put this in place correctly Loes... do you mind to take a look ... 10 seconds only .. and let me know if I am all in place?

The normal Privacy Policy is in place in the footer menu with an internal link to the GDPR page... The GDPR page is also in the footer...

They are both no indexed ..

Am I sorted?

My website is on my WA profile ... the Rhodes one :)

Thanks Loes

Chris
Reply
Loes Premium
Your GDPR policy and privacy policy are looking alright, but you forgot to link to the GDPR page in the cookie "more info".

Here you can find the text I use. You may copy it; it's on my test website. Replace the link:
http://theperfectwebsite.siterubix.com/hello-world
I link here to the GDPR requirements, and the Decline Cookies link redirects people from my website to Google.
Reply
ChrisTowers Premium
OK thanks Loes... I think I am in place now... I think lol

Chris
Reply
Loes Premium
Your cookie warning doesn't show; it should pop up when I enter your URL in incognito mode.
Reply
ChrisTowers Premium
Hmmm, I don't know... it is working for me.
Reply
Loes Premium
I'll try mobile
Reply
Loes Premium
Yes, it's working on my phone, but your link to the GDPR page is wrong:
https://theislandofrhodes.com/”https:/theislandofrhodes.com
Reply
ChrisTowers Premium
OK done .. thanks so much for your help today Loes... greatly appreciated :) x x
Reply
Loes Premium
My pleasure Chris:))
Reply
Wealth2018 Premium
Hi Loes. I don't profess to understand all this, so at the risk of sounding ignorant, does this only affect businesses and organizations that have a WEBSITE? For example, what if you conduct all your business through social media only, i.e. Twitter, FB, YouTube, email marketing, etc., but don't have a website? Would these laws still affect those individuals?

Thanks,
Mary Ann
Reply
Loes Premium
The collection of this data is done on and by Facebook, after which this data is made available to the advertiser. For that reason, Facebook is responsible for obtaining permission. As a social advertising specialist, you can continue to use this opportunity with peace of mind.
Reply
Wealth2018 Premium
Thanks :)
Reply
Stella2 Premium
Thanks for all of your efforts with this Loes. I really appreciate it! :-)

I have some parts implemented, but need to finish it on all of my sites.

It may just be EU now, but with recent events, I'm sure things will become tighter everywhere.

You are right, borders are not as fixed when it comes to the Internet. Things are becoming more and more global, for sure.
Reply
Loes Premium
Yes, it's globalizing fast. I have to adjust 7 websites for this matter.
Reply
Memorylaneuk Premium
It's still all as clear as mud to me except for the last bit. As a U.K. website I already have a banner that tells people I collect cookies, which they can click on to accept or find out more info.
Do you think I need anything else?
With Grace and Gratitude
Karen
Reply
ToLiNoLi Premium
Are you having people sign up for a newsletter? If yes, you need... Same for selling anything...
Reply
Loes Premium
Yes, you do tracking too, and perhaps collect email addresses, so you have to add that.
Here is a policy generator.
Reply
Memorylaneuk Premium
Going to use this. Do I just add it as a page like my privacy policy or perhaps add it to my original privacy policy?
Reply
Memorylaneuk Premium
I’m going to use the generator that you recommended. Just need to know if I need to create a new page for it, or add it to my original privacy policy?
Reply
ToLiNoLi Premium
I have a privacy and cookie policy. Do not forget that your cookie warning must pop up or be clearly visible when an EU visitor lands on your website.
Reply
Memorylaneuk Premium
I’ve had that for ages.
Reply
ToLiNoLi Premium
You had? Where did it go?
Reply
sukumarth Premium
Thanks for this post, Loes. This answers some of the confusion I have been having. I have updated it just now as you will see from the screenshot I have attached here. Now let me update other details like organisation info, etc. Looks like I have to create a Google+ account for my brand and add it there in the 360 Suite. But how do we create a separate brand account? Well, let me look into it properly.
Reply
Loes Premium
Accepting the GA terms of service has to do with their policy according to the GDPR and has nothing to do with your responsibility for your website. You have to take action for yourself and inform your public about which data you are collecting and whether or not you are placing cookies.
Reply
sukumarth Premium
Noted, Loes. Thanks!
Reply
GailLowe Premium
Thanks for this, Loes. I really appreciate your help and the time you put into putting this together. Is there a plugin you recommend at all?
I already have the one which advises about the site using cookies in the EU.
Also, do you know if this just applies to companies, or to sole traders like myself too?
Thanks. Gail.
Reply
Loes Premium
I am planning to adjust the text of the EU Cookie Law plugin and my privacy policy.
Reply
GailLowe Premium
OK thank you. Just to say I really appreciate this Loes. It must have taken a long time to trawl through. You're amazing! :)
Reply
Ongchannel Premium
Thanks Loes, for taking the time to put together the kind of stuff we know is there but are not too sure how it applies, and its implications on us as individual entities and non-corporates.

Perhaps someone in our midst can generously take the time to put together a checklist of sorts that goes something like this:

If you are... (an affiliate marketer):
This is what you must do, should do, etc.

I would venture to guess that is most applicable here... but of course there are folks here running successful companies...

If you are... a body corporate...

It is beyond me at this stage, so I can only contribute this much at this juncture :)

Thanks for reading
Steve
Reply
Loes Premium
The checklist is on the bottom.

Is your website accessible to European visitors?
Does your website track data?
Does your website place cookies?
That is 3x YES

What should you do
Inform your visitors of which data you are tracking, and that you are placing cookies

There are GDPR plugins you can activate to help you meet the GDPR requirements.
Reply
Ongchannel Premium
I am wondering about the severity of the infringement / non-compliance.
Reply
Loes Premium
For personal websites that do not have a webshop and do not have a cookie and tracking warning, the fines will not be as high as for companies, where this can run into millions.
I, myself, wouldn't risk a fine of a couple of hundred dollars.
Reply