While browsing a website, we tend to accept cookies without a second thought. Have you ever wondered what these cookies are? Cookies are small text files that a website sends to the browser on your device. They are processed and stored by the website you visit. Cookies are harmless and can be easily viewed and deleted.
Websites now place so much emphasis on asking users to accept cookies because of a data protection law that governs online data tracking and transparency. That law was enacted by the European Union and is known as the General Data Protection Regulation (GDPR).
What is General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is the European Union law that entered into effect on May 25, 2018. It is one of the most rigorous privacy and security laws in the world and imposes obligations on every organization that collects data about people in the European Union (EU). GDPR compliance demonstrates an organization’s commitment to privacy and data security. It incorporated the new data protection act and established the European Data Protection Board (EDPB), which represents all the EU member states; the ICO is the United Kingdom’s representative body.
The GDPR not only focuses on information security but also aims to protect users’ privacy and individual rights. It establishes rules for organizations that collect and process data and encourages the free movement of data within the European Union.
The General Data Protection Regulation (GDPR) Requirements
GDPR compliance improves an organization’s data protection mechanisms and offers better privacy and information security for employees, interested parties and customers in the EU. The GDPR requirements are as follows:
- Legal bases for data processing – Article 6 of the GDPR sets out the requirements for processing data lawfully and defines six legal bases, at least one of which must apply. These six legal bases are:
  - The data subject has given consent to the data processing.
  - Data processing is essential for the performance of a contract.
  - Data processing is necessary for compliance with legal obligations.
  - Data processing is necessary to safeguard the interests of the data subject.
  - Data processing is necessary for performing a particular task in the public interest.
  - Data processing is necessary for legitimate interests.
- Consent – Consent is one of the most significant parts of GDPR compliance and aims to protect privacy and individual rights. The GDPR states that the data subject must give consent freely for the processing of their data. It requires an organization to present the consent information in easily accessible, clear and plain language. Consent for children must be verifiable consent from a parent or guardian, and the organization must ensure that the person giving it holds parental responsibility for the child. The GDPR also simplifies the mechanism for a data subject to withdraw consent.
- Data subject rights – The GDPR aims to protect the data subject’s rights and freedoms. It obliges data controllers to respond to a data subject’s rights request within one month. The data subject rights granted by the GDPR are:
  - Right to be Informed
  - Right to Access
  - Right to Rectification
  - Right to be Forgotten
  - Right to Restriction of Processing
  - Right to Data Portability
  - Right to Object
  - Right not to be Subject to a Decision Based Solely on Automated Processing
- International data transfer – Article 44 sets out the conditions for transferring personal data outside the European Union. Under the GDPR, data processors and data controllers may transfer data outside the EU if:
  - The transfer is made under a European Commission adequacy decision.
  - The transfer is subject to appropriate safeguards, as stated in Article 44, such as:
    - Standard contractual clauses
    - Codes of conduct
    - Approved certification mechanisms
  - The transfer is subject to Binding Corporate Rules (BCRs).
  - The transfer relies on a derogation.
- Supervisory authority – Article 57 outlines the responsibilities of the supervisory authority. A supervisory authority monitors and enforces the application of the GDPR. The GDPR requires an organization to establish an independent and competent supervisory authority body to check GDPR compliance.
General Data Protection Regulation (GDPR) Compliance Checklist
Organizations that collect and process data can apply for GDPR compliance certification. The GDPR compliance checklist is as follows:
- Determining an action plan based on the seven principles of the General Data Protection Regulation.
- Creating a record of processing activities, as mandated by Article 30.
- Implementing privacy by design and processes for performing Data Protection Impact Assessments.
- Developing a framework for consent management.
- Understanding the requirements for cookie consent in each country where the organization operates.
- Creating a request portal for data subjects so that they can exercise their rights.
- Reviewing risks arising from data processors.
- Establishing an incident management plan.
- Putting in place mechanisms to review internal data transfers.
- Rolling out GDPR training programs.
- Appointing a Data Protection Officer (DPO), where needed.
The General Data Protection Regulation (GDPR) specifies the requirements an organization must meet to ensure information security. Other ISO standards also aim to secure information, including ISO 27001 Certification, ISO 27701 Certification and ISO 27002 Certification. ISO/IEC 27001 and ISO/IEC 27701 focus on structured data held in Information Technology assets, while the GDPR also covers unstructured data, such as records stored in file cabinets. The cost of obtaining GDPR certification differs from organization to organization, depending on its size, number of branches, number of employees and the certification body it selects.