On May 25th, 2018, the most significant data protection reform in 20 years became enforceable: the General Data Protection Regulation (GDPR). The GDPR sets strict rules for how businesses and organizations handle the personal data of individuals in the EU. As such, cookie compliance is no longer a buzzword but a requirement that website owners must meet. Keep reading for a short introduction to the essentials of becoming compliant with the GDPR.
What are cookies?
Cookies are small pieces of text that a website asks the browser to store (via the Set-Cookie response header, or from JavaScript) and that the browser sends back with every later request to that site. A cookie does not collect anything by itself: it holds whatever the site puts in it, typically an identifier or a setting such as preferred language or currency, which the site then links to data it keeps on its own servers, such as location, IP address and device details.
Some cookies are necessary for basic functions of a website (keeping a user logged in, remembering a shopping basket), while others are third-party cookies used for cross-site tracking so that display ads “follow” the user around the internet. Cookies are commonly divided into four categories: necessary cookies, preference cookies, statistics cookies, and marketing cookies.
Cookies tend to carry the connotation of being a sinister technology, but a cookie is only data. It is not executable code, so it cannot carry malware or infect a device. That does not make cookies harmless, though: a cookie holding a session identifier is effectively a credential, and if it is stolen (sent over plain HTTP, or read by a script injected into the page) an attacker can act as that user, which is why such cookies should be set with the Secure and HttpOnly attributes. From a privacy standpoint, the real ethical dilemma lies in the damage one can potentially do with the data that the cookies link to.
What is the GDPR?
The GDPR is an EU-wide data privacy law that sets strict regulations for how businesses and organizations handle personal information. The GDPR demands transparency about and documentation of what type of information is collected, how it is collected, and why it is collected. In addition, personal data may only be processed on a lawful basis; for non-essential cookies that basis is the user's valid consent, which must be obtained and recorded before those cookies are set. Furthermore, the GDPR demands that website owners hand control to end users, giving individuals the final say in how their data is used.
Failure to comply can result in heavy fines of up to €20 million or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher.
How do I become GDPR and cookie compliant?
To become compliant with the GDPR, follow the 6 steps below.
- Get prepared. Involve stakeholders inside and outside your organization and brief them on the demands of the GDPR. Establish training sessions in online security and data privacy. Appoint a Data Protection Officer if you are required to: the GDPR requires one for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. (There is no headcount threshold for the DPO; the 250-employee figure in the GDPR concerns the obligation to keep records of processing activities.)
- Evaluate your service partners. Ensure that service partners, i.e., third-party services that process personal data on your behalf, are also GDPR compliant, and have a data processing agreement in place with each of them.
- Get valid consent. Put in place a mechanism to obtain and document user consent: no cookies beyond the necessary ones before the user has actively opted in, no pre-ticked boxes, and a record of what each user consented to, when, and under which version of your cookie policy. Offer users an easy way to change or withdraw their consent.
- React to data subject rights. Establish procedures for answering requests concerning data subject rights (access, rectification, erasure, data portability, objection) and document the procedures for both customers and employees.
- Prepare for data breaches. Establish procedures for detecting, investigating, and reporting data breaches. The GDPR requires that a personal data breach be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and that affected individuals be informed when the breach is likely to result in a high risk to them.
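The four cookie categories above and the "Get valid consent" step can be tied together in a small piece of browser code. The following is an added example, not code from the original page or from any consent-management product: it builds a per-category consent record (necessary always on, everything else off unless explicitly ticked), stores that record in a first-party cookie with Secure and SameSite set, treats the record read back from the browser as untrusted input, invalidates consent when the policy version changes, and only runs the loaders for statistics and marketing scripts when their category is allowed. The cookie name `cookie_consent`, the policy version string, the JSON layout of the record and the loader functions are assumptions made for the example.

```javascript
// Added example (not from the original page): per-category cookie consent
// record, stored in a first-party cookie, with consent-gated script loading.
// Cookie name, policy version and record layout are assumptions.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name
const POLICY_VERSION = "2018-05-25";     // assumed; bump whenever the cookie policy changes

// Build a consent record from the user's choices. Necessary cookies need no
// consent and are always on; every other category is off unless the user
// explicitly ticked it (only a literal true counts, so nothing is pre-ticked).
function buildConsent(choices, now = Date.now()) {
  const record = { version: POLICY_VERSION, timestamp: now, categories: {} };
  for (const c of CATEGORIES) {
    record.categories[c] = c === "necessary" ? true : choices[c] === true;
  }
  return record;
}

// Withdrawal writes a fresh record with every optional category off and a
// new timestamp, so the time of withdrawal is itself recorded.
function withdrawConsent(now = Date.now()) {
  return buildConsent({}, now);
}

// A record read back from the browser is untrusted input: check its shape
// before trusting it rather than assuming it is what the banner wrote.
function isValidRecord(record) {
  return record !== null && typeof record === "object" &&
    typeof record.version === "string" &&
    Number.isFinite(record.timestamp) &&
    record.categories !== null && typeof record.categories === "object" &&
    CATEGORIES.every((c) => typeof record.categories[c] === "boolean");
}

// The single decision point: a category is allowed only with a valid record
// for the current policy version. Missing, malformed or stale consent means no.
function isAllowed(record, category) {
  if (!CATEGORIES.includes(category)) {
    throw new Error("unknown cookie category: " + category);
  }
  if (category === "necessary") return true;
  if (!isValidRecord(record) || record.version !== POLICY_VERSION) return false;
  return record.categories[category];
}

// The consent record is itself kept in a (necessary) first-party cookie.
// Secure keeps it off plain HTTP; SameSite=Lax keeps it out of cross-site requests.
function serializeConsentCookie(record, maxAgeDays = 365) {
  const value = encodeURIComponent(JSON.stringify(record));
  return CONSENT_COOKIE + "=" + value + "; Max-Age=" + (maxAgeDays * 86400) +
    "; Path=/; Secure; SameSite=Lax";
}

// Parse the record back out of a Cookie header or document.cookie string.
// Returns null for a missing, unparseable or malformed cookie; never throws.
function parseConsentCookie(cookieString) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    if (part.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(part.slice(idx + 1).trim()));
      return isValidRecord(record) ? record : null;
    } catch (e) {
      return null;
    }
  }
  return null;
}

// Gate third-party tags on consent: each loader (e.g. one that injects an
// analytics or ad script tag) runs only when its category is allowed.
// Returns the categories that were actually loaded.
function loadGatedScripts(record, loaders) {
  const loaded = [];
  for (const category of Object.keys(loaders)) {
    if (isAllowed(record, category)) {
      loaders[category]();
      loaded.push(category);
    }
  }
  return loaded;
}
```

In a page, the banner's "accept" handler would call `buildConsent` with the ticked boxes and write `document.cookie = serializeConsentCookie(record)`; on every page load, `parseConsentCookie(document.cookie)` is fed to `loadGatedScripts` so that statistics and marketing tags never run without a valid, current consent. Keeping a copy of the record server-side, keyed to the user, is what lets you demonstrate later what each user consented to and when.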