GDPR, or the General Data Protection Regulation, is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). GDPR helps protect users' data by requiring their consent before cookies are set, ensuring user privacy and honoring their rights.
Almost all websites store information about the user in small text or script files called cookies. These cookies perform many functions, such as recognizing the user and targeting advertisements.
This information can be misused and shared without the user's consent. GDPR prevents websites from using cookies to track your data and activities across the web without your knowledge and consent.
GDPR imposes certain rules on any organization that serves citizens of the EU; the following is a summary of them.
- Without acquiring the fully accepted and freely given consent of the user, the personal information of the user should not be accessed, collected or used in any manner.
- Users must have access to their personal information shared and be able to edit, delete and review it.
- The data shared by the user must be recorded in a safe place and proper protection and security must be given to it.
- The privacy policies must be explained in simple and clear language to the users.
GDPR is of utmost importance today, and following its rules has become mandatory; non-compliance can lead to fines and penalties. There are two tiers of penalties that you can be held liable for:
Up to €10 million, or 2% annual global turnover – whichever is higher;
This type of fine is applicable in any of the following cases of non-compliance.
- If any information of a child under the age of 16 is collected without parental consent.
- If an organization fails to follow basic privacy-by-design protocols.
- If the user's data is shared with more than one party without the user's consent.
- Hiding the involvement of third parties in privacy policies.
- Not keeping records of personal information taken from users.
- Not informing the security department of any kind of data breach within 72 hours of its occurrence.
- Not performing a data protection impact assessment, putting users at risk of data misuse.
- Not appointing a data protection officer to advise on the rules and ensure that everyone follows them.
Up to €20 million, or 4% annual global turnover – whichever is higher.
This type of fine is applicable in the following cases.
- If any data provided by the user is processed in an illegitimate, fraudulent or corrupt way.
- If any data or personal information of the user is processed without informing the user or obtaining their consent, except where required by law.
- Sharing any sensitive personal data of the user without the user's consent.
- Not informing users that they can opt out of cookies, and not explaining the opt-out procedure.
- Not providing users a copy of the information held about them.
- Not providing users access to the information they shared, or not giving them the ability to edit, update or review it.
- Transferring users' personal data across international borders without proper protocols.
- Not complying with any order issued by a GDPR supervisory authority.
These are the fines and the actions that will make you liable for them. Certain factors are of course considered when penalties are imposed, such as whether the violation was negligent or intentional. The fines and penalties are designed to be fair and proportionate for everyone.