GDPR and ePrivacy
The implications for you and your website
The General Data Protection Regulation (GDPR) and the ePrivacy Regulation (ePR) come into effect on 25th May 2018. These two new EU regulations are intended to better protect the personal data and privacy of EU individuals. They apply to any website owner with customers residing in any of the EU member countries.
The GDPR and ePR seek to address mounting concerns about the use and privacy of personal data online by increasing the rights of individuals, giving individuals greater control over the use of their personal data, and by expecting companies, organisations and website owners to adhere to strict requirements. The new regulations mean that it is no longer necessary to understand and comply with the different privacy laws of 28 different EU countries. Now there is just one set of regulations covering all member states.
What is the definition of personal data?
Under the new regulations, personal data is any information which can be used to identify a unique individual. Online, this can include information generated by cookies and other trackers (including information generated by embedded third-party services such as Google or Facebook), as well as the IP address of an individual’s own computer. Website owners are required to provide the same level of protection for this information as for name, address, bank details and social security number. Critically, even if anonymised, this information is still classed as personal data if the individual can be identified through ‘reverse engineering’ methods.
What are the requirements for website owners?
The requirements are numerous and cannot be documented in full on this website. However, as a website owner you must:
- be fully aware of all tracking technology on your website/s and its purpose
- obtain user consent prior to any data processing taking place
- record evidence of consent
- ensure your website offers the option to withdraw consent
- know what data your website shares with third parties and where, globally, the data is sent
What if my website doesn’t comply?
There are large fines for non-compliance. Businesses can be fined up to 4% of their global turnover or €20 million, whichever is greater.
Following Brexit, the UK Government intends to implement equivalent legislation, similar in content to the GDPR and ePR.