What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU-wide regulation that controls how companies and other organisations handle personal data. It is the most significant initiative on data protection in 20 years and has major implications for any organisation in the world that serves individuals in the European Union.
To give people control over how their data is used and to protect the “fundamental rights and freedoms of natural persons”, the legislation sets out strict requirements for data handling procedures, transparency, documentation and user consent.
Any organisation must keep a record of and monitor personal data processing activities.
As data controller, any organisation must keep a record of and monitor its personal data processing activities. This covers personal data handled within the organisation, but also data handled by third parties on its behalf, the so-called data processors.
Data processors can be anything from software-as-a-service (SaaS) providers to embedded third-party services that track and profile visitors on the organisation’s website.
Both data controllers and processors must be able to account for what kind of data is being processed, the purpose of the processing, and to which countries and third parties the data is transferred.
If personal data is sent to organisations or jurisdictions beyond the reach of the GDPR, or to ones not deemed “adequate” under the GDPR, the user must be specifically informed of this and of the risks involved.
All consents must be recorded as evidence that consent has been given.
GDPR Checklist:
1. Create a comprehensive Privacy Policy
- Ensure it is easy for the average user to find, read and understand.
- Inform about, e.g., the lifespan of each cookie and whether third parties have access to it.
- Implementation: make the information available in a privacy banner when the user visits your site (a consent management platform, CMP, helps ensure all necessary information is included).
2. Let users know you are using cookies or other tracking technologies
- Inform users of your intentions at or before the point at which you start collecting data.
- Include this information in your Privacy Policy.
3. Explain what your cookies are doing and why
- Inform users about the purpose of each cookie separately, so that you obtain specific consent for each cookie objective (granularity).
- This should be stated in the Privacy Policy. Check national data protection rules for further details; e.g., Denmark requires the granular selection to be included in the first layer of the privacy banner.
4. Obtain your users’ valid consent to store a cookie on their device
- Explicit: an active acceptance, e.g., ticking a box or clicking a button.
- Informed: who, what, why, and for how long?
- Documented: you carry the burden of proof in the case of an audit.
- In advance: no data is to be collected before opt-in, i.e., non-essential cookies cannot be set on your website before the user has consented to them.
- Granular: individual consent for each individual purpose, i.e., consent cannot be bundled with other purposes or activities.
- Freely given: offer both an “Accept” and a “Reject” button.
- Easy to withdraw: opt-out on the same layer as opt-in.
5. Give users access to your service even if they do not consent to cookies
- If a user refuses data processing, no non-essential cookies may be set. Essential cookies are set regardless of whether the user accepts or refuses.
- Nevertheless, ensure users can still access your service even if they refuse the use of certain cookies or technologies.
6. Collect and process data only after obtaining valid consent
- Ensure that cookies are not loaded until the user has given consent.
- Once you have obtained valid consent, you are free to collect and process personal data for the purposes you informed your user of beforehand.
7. Document and store consent received from users
- Comply with your documentation obligation so that you can prove each user’s consent in the event of an audit by a data protection authority (DPA).
8. Offer a simple opt-out, as simple as the opt-in
- Make it as easy for users to withdraw their consent as it was for them to give it in the first place. Easy in, easy out.
- Linking out to a separate page for the opt-out is not sufficient.
- Make sure the options for accepting and rejecting are designed in a similar way, e.g., on the same level, in the same format, and with the same degree of simplicity.
9. After opt-out, ensure that no further data is collected or forwarded
- From the moment of the objection on, no further data may be collected or forwarded.
Source: Usercentrics
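Items 4 to 9 of the checklist describe a consent gate with concrete technical behaviour: nothing non-essential is set before opt-in, consent is per purpose, every decision is recorded as evidence, withdrawal is as easy as acceptance, and withdrawal removes what was set and stops further collection. The following is an added example that models that gate in browser-style JavaScript; it is not code from the original page or from Usercentrics. The purpose names (`analytics`, `marketing`), the `essential` label, the cookie names and the cookie-store interface are assumptions made for the example, and an in-memory store stands in for `document.cookie` so it runs offline.

```javascript
// Added example (not from the original page or Usercentrics): a minimal consent gate
// enforcing the checklist in code. Purpose names, cookie names, the "essential" label
// and the store interface are assumptions for this example.

const ESSENTIAL = "essential";                // assumed label for strictly necessary cookies
const PURPOSES = ["analytics", "marketing"];  // assumed non-essential purposes, consented separately

// In-memory cookie jar standing in for document.cookie so the example runs offline.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value, opts = {}) { this.jar.set(name, { value, ...opts }); }
  get(name) { return this.jar.has(name) ? this.jar.get(name).value : undefined; }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()].sort(); }
}

class ConsentManager {
  constructor(store, now = () => new Date()) {
    this.store = store;
    this.now = now;
    this.consent = Object.fromEntries(PURPOSES.map((p) => [p, false])); // default: nothing consented
    this.pending = new Map();  // purpose -> cookies queued until that purpose is consented
    this.placed = new Map();   // purpose -> cookie names actually set, so withdrawal can remove them
    this.records = [];         // consent evidence log (who decided what, when)
  }

  hasConsent(purpose) {
    return purpose === ESSENTIAL || this.consent[purpose] === true;
  }

  // A tag asks to set a cookie for a declared purpose. Essential cookies are set at once;
  // everything else waits for consent. Returns true if the cookie was set now.
  register(purpose, name, value, opts = {}) {
    if (purpose !== ESSENTIAL && !(purpose in this.consent)) {
      throw new Error(`undeclared purpose: ${purpose}`); // cannot be consented, so never set
    }
    if (this.hasConsent(purpose)) return this.place(purpose, name, value, opts);
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push({ name, value, opts });
    return false;
  }

  place(purpose, name, value, opts) {
    this.store.set(name, value, opts);
    if (purpose !== ESSENTIAL) {
      if (!this.placed.has(purpose)) this.placed.set(purpose, new Set());
      this.placed.get(purpose).add(name);
    }
    return true;
  }

  // Granular opt-in: only the named purposes become active; the rest stay off.
  accept(purposes) {
    for (const p of purposes) {
      if (!(p in this.consent)) throw new Error(`undeclared purpose: ${p}`);
      this.consent[p] = true;
      for (const c of this.pending.get(p) || []) this.place(p, c.name, c.value, c.opts);
      this.pending.delete(p);
    }
    this.record("accept", purposes);
  }

  // Withdrawal: same one-call shape as accept; removes cookies already placed and drops
  // anything queued, so nothing further is collected for that purpose.
  withdraw(purposes) {
    for (const p of purposes) {
      if (!(p in this.consent)) throw new Error(`undeclared purpose: ${p}`);
      this.consent[p] = false;
      for (const name of this.placed.get(p) || []) this.store.remove(name);
      this.placed.delete(p);
      this.pending.delete(p);
    }
    this.record("withdraw", purposes);
  }

  // Evidence record: action, purposes, timestamp and the resulting consent state.
  record(action, purposes) {
    this.records.push({ at: this.now().toISOString(), action, purposes: [...purposes], state: { ...this.consent } });
  }
}

// Walk through the checklist with constructed events and return the observable state.
function runDemo() {
  const store = new MemoryCookieStore();
  const cm = new ConsentManager(store, () => new Date("2024-01-01T00:00:00Z")); // fixed clock
  cm.register(ESSENTIAL, "session_id", "s1");   // essential: set regardless
  cm.register("analytics", "_ga", "GA1.1");     // queued: no consent yet
  const beforeConsent = store.names();          // only session_id
  cm.accept(["analytics"]);                     // granular: marketing stays off
  cm.register("marketing", "_fbp", "fb.1");     // still queued
  const afterAccept = store.names();            // _ga and session_id
  cm.withdraw(["analytics"]);                   // easy out: _ga removed
  cm.register("analytics", "_ga", "GA1.2");     // no further collection after opt-out
  const afterWithdraw = store.names();          // only session_id again
  return { beforeConsent, afterAccept, afterWithdraw, records: cm.records };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

In a real page the `MemoryCookieStore` would be replaced by an adapter over `document.cookie` (setting `name=value; Max-Age=…; Secure; SameSite=Lax`, and removing with `Max-Age=0`). The gate only holds if third-party tags are loaded through it rather than inlined directly in the page: a script that is loaded unconditionally and writes `document.cookie` itself bypasses the consent check entirely, which is exactly the "cookies set before consent" failure the checklist warns about.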