Any website that collects data from its visitors will have to be in full compliance with the new rules on General Data Protection Regulation (GDPR), or 'Algemene Verordening Gegevensbescherming' (AVG) in Dutch, from the end of May 2018. This is quite a mouthful, but what exactly does the term mean and what does the new regulation mean? We will provide a word of explanation, because you will have to be the rule anyway in order to avoid potential sample fines (up to 20 million euros or 4% of the annual worldwide turnover!).
GDPR is actually the successor to the data protection directive, which dates back to 1995. More than 20 years ago, the European Union adopted a set of rules on the protection of individuals' online data, but given the steep developments in Internet technology over the last two decades, its update was urgently needed. With all these new technologies and elements such as the cloud and social media, personal data is now at the centre of attention and its protection must also be guaranteed.
According to the new GDPR legislation, data protection must be 'ingrained' in the design of business processes. By default, all privacy settings must be strict. Organisations must therefore be able to demonstrate that they have taken appropriate technical and operational measures to adequately protect all personal data they store and process, depending on the risk involved. This includes issues such as access control, anonymisation and pseudonymisation, encryption, risk analysis and so on.
In summary, the GDPR legislation means the following:
The new GDPR legislation has far-reaching implications for any kind of data collection, as you already know. But how do these rules express themselves in concrete terms? We would like to list a few practical examples:
- Applicants: e-mailing CVs to colleagues for inspection is no longer allowed, unless you anonymise the CV in such a way that the identity of the person can no longer be inferred from it. Assuming that the candidate has not been withheld, you may not keep his or her details unless he or she explicitly consents to this (on paper or otherwise). Any form of CV (in a mailbox, stored locally on a laptop, printed out, ...) must be destroyed, according to the 'right to be forgotten' principle.
- Promotional actions: in the case of a promotional action, you collect your name, address, e-mail ... Unless explicitly approved by the participant, this data may no longer be used outside the framework of the action and must be irrevocably deleted.
- Existing databases: files of former employees, former members and the like may no longer be kept, unless all these persons give their explicit permission or if there is a well-founded and demonstrable reason to keep these data without explicit permission.
- Minors: in the case of data from minors (in this case younger than 16 years of age), parental consent is always required! As a data collector, you are obliged to make 'reasonable efforts' (for the time being, this is a grey area, without explicit delimitation) to find out the age, depending on the context.
- E-commerce: in the case of anonymous purchases, the personal data must be deleted after the reflection period has expired. Only items relating to invoicing may be kept. If a database leak with information from payment cards shows that the company and/or webshop is not GDPR-compliant, the company - and possibly also the technical partner - will pay for the entire damage.
- Obtaining/purchasing databases: when purchasing or otherwise obtaining data, you must notify everyone within 30 days stating your source ('data obtained from X'), unless those involved already know this or the effort is too great (this is another grey area).
As a web agency that always attaches great importance to security, it is our duty to help our customers to be in line with GDPR. Indeed, failure to comply with GDPR rules results in high fines being imposed on website owners, but Calibrate, as a web agency, can also be held responsible for this. Our intention, therefore, is to implement the new GDPR legislation correctly, together with our customers, so that any chance of fines being imposed is ruled out.
You see, the new GDPR legislation is not just a small change to the rules, and will require a lot of adjustments for some websites. One thing is certain: not following these changes is certainly not an option. After all, if any irregularities are found after 25 May 2018, serious fines can be imposed. The maximum fine could be up to EUR 20 million or 4% of the annual worldwide turnover, whichever is higher.