GDPR Overview, Best Practices, and Compliance

The Internet changes every day, and so do the ways we use it. The biggest change the Internet has seen in data protection in the past 20 years is GDPR.

The General Data Protection Regulation, commonly abbreviated GDPR, came into effect on May 25th, 2018. It is a set of rules for websites and organizations about how the personal data of data subjects must be handled.

Most websites use cookies or forms to collect personal information from users without really specifying that it is being collected or what happens to that data. GDPR makes sure that the website asks for the user's consent before any type of data is collected from them and informs them of any cookies set by the website.

GDPR applies to citizens who reside in the European Union and to organizations that control, process or transfer the data of EU data subjects. It imposes stricter rules on how organizations handle user data.

GDPR gives us a clearer understanding of which types of data count as personal data: name, address, email, etc., which directly identify an individual; IP address, location, etc., which can indirectly identify an individual; and sensitive data such as medical records and genetic information. Under GDPR, organizations must safeguard all of these categories of data or they will be held accountable.

When users provide their personal information to websites, they need to be aware of their rights. GDPR intends to make sure all websites honor the following rights of the user:

The Right To Be Informed

Under this right, the website needs to tell its users what type of data is processed, why the website needs that data, how long it will be stored, whether the data will be shared anywhere, and what the data subject's rights are.

The Right To Access

GDPR allows users to request access to the personal information they have shared with any website. Users should know the purpose for which their data is being processed and any third parties with whom the website may share the data.

The Right To Rectification

The website must allow users to change the data they submitted if it is incomplete or has changed. The data collected must be kept up to date, and data subjects must be able to rectify it when needed.

The Right To Erasure

This right is also called the right to be forgotten. When a user no longer wants to be part of a website, the website must comply with their wishes, erase all of their data, and stop any processing of it with immediate effect.

However, depending on the circumstances, the website may decline the user's request.

The Right To Restrict Processing

Users can restrict the processing and use of their data if they choose to. The data can remain in the records but must remain unused.

The Right To Data Portability

Under this right, users can transfer their data from one service to another. The website must honor this right and let them do so if they wish.

The Right To Object

Similar to the right to restrict processing, users can object to the use of their personal information in various circumstances, especially direct marketing. As soon as such a request is received, any ongoing processing must be halted and the user's data must not be used anywhere. This right must be made clear to users before any data is collected.

The Right To Object To Automated Decision Making

Automated processing of users' data can be carried out only when required by law. In any other case, the user must be informed immediately and told of simple ways to challenge the decision.

Read about the rights of data subjects under GDPR to learn more about each right.

Legal Basis for Processing of Data in GDPR

The processing of data is lawful only when at least one of the following conditions is met:

  • The data subject has given their consent to the processing of their data for one or more specific purposes.
  • The data subject is party to a contract that requires the processing of their personal data.
  • The processing of the data subject's personal data is necessary for compliance with a legal obligation to which the controller is subject.
  • The processing of the data subject's data is necessary to protect the vital interests of the data subject or of another individual.
  • The processing of the data subject's personal data is necessary for the performance of a task carried out in the public interest.
  • The processing of the data subject's data is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. This does not apply where such interests are overridden by the fundamental rights of the data subject which require protection, particularly when the subject is a child.

How Do You Know Your Website Is GDPR Compliant?

We have discussed the rights of data subjects; every website should honor these rights and make sure the following points are taken care of:

Acquiring Consent

The terms and conditions specified on the website must be clear and written in simple words. Users must understand what is written and explicitly give their consent, with the choice to freely withdraw it at any time.

Notifications in Case of Data Breach

Users must be notified within 72 hours of data loss or breach; failing to do so can lead to fines.

Providing Users Their Data

Users can request a copy of their data, as they have the right to do so. The website must provide them with a complete, detailed and free electronic copy of it. The website must also state how their data is being used.

Data Deletion

Users can request that their data be deleted from the website, as is their right, if they no longer wish to be part of the website.

Privacy by Design

The website needs a design that is safe and has security protocols in place. The privacy of all its users should be the top priority of the design.

If your website does not comply with GDPR rules and fails to give users their privacy, you can be penalized. Failure to comply with GDPR can result in fines of up to €20 million or 4 percent of the offending organization's annual revenue, whichever is greater. You can learn more about the fines in What are the Fines for Not Complying with GDPR.

Hence we can see that GDPR brings a new level of data transparency. All websites need to be less secretive and more open about their processes. GDPR may be a complex topic, but it is certainly important. It not only protects users but also keeps organizations from overstepping their boundaries.

Make Your Website GDPR Compliant With CookieYes

CookieYes is a new and easy solution from Cookie Law Info to make your website comply with the GDPR cookie law. Join the 400,000+ websites using our solutions now!
