What is GDPR? – Why You Should be Compliant With It

The General Data Protection Regulation (GDPR) is aimed at defining and influencing the way data privacy and protection should be standardized worldwide. In addition, this applies not only to EU member states, businesses, and organizations but to all organizations outside of the EU that collect or process the personal data of EU residents.

GDPR requires you to be more thoughtful about the sites and services you build, more transparent about the ways you collect and use data, more considerate of your users and more thorough in your development and documentation processes.

As a result, web developers, among a number of others, have a major role to play in a successful data protection practice. Due to this fact, a healthy data protection policy is just as much about the development side – code, data, and security – as it is about the business side – process, information, and strategy.

The GDPR entered into force in 2016 after passing European Parliament, and as of May 25, 2018, all organizations were required to be compliant.

Scope, penalties, and key definitions

The GDPR applies to you regardless of whether you are located within or outside the European Union. If you process personal data of EU citizens or residents, or if you offer goods or services to them, the GDPR applies.

A non-compliance can also result in heavy penalties: up to €20 million in fines or 4 percent of the company’s global annual revenue, whichever is higher, plus the right to seek damages from affected individuals.

The GDPR defines a number of legal terms that are pertinent to this article. The following are a few of the most significant ones:

Personal data – Any information relating to an individual can be directly or indirectly identified as personal information. Names and email addresses are, for example, personal information. Information concerning one’s location, ethnicity, gender, biometric information, religious beliefs, web cookies, and political views may also be considered personal data. Pseudonymous information is also considered personal information if it can reasonably be used to identify someone from it.

Data processing – This includes any action performed on data, automated or manual. Examples cited in the text include gathering, recording, organizing, structuring, storing, using, erasing.. essentially anything involving data.

Data subject – The person whose data is processed. These are your customers or site visitors.

Data controller – The individual or organization with ultimate responsibility for determining why and how personal data will be processed. If you are an owner or employee of your organization that handles data, you are the ‘data controller’.

Data processor – A third-party company that processes personal data on behalf of a data controller. This third-party company is subject to special GDPR rules, which may include cloud servers like Tresorit or email service providers like Proton Mail.

How to be Compliant

By offering a range of services and solutions, Gigya enables you to establish your organization as a reliable and compliant organization. As part of their new Privacy by Design Program, they are preparing your organization for the GDPR. The Privacy by Design Program, for example, provides organizations with an understanding of how user data is processed and stored. Some of the items that Privacy by Design addresses include:

Consent Management

• Verifying that the consent of the user is recorded for specific versions of the Terms of Service (TOS)
• Ability to re-grant consent if TOS is changed
• Detecting the age of the customer for legal age of consent compliance, including parental consent

Customer Data Control

Providing complete control to consumers over their personal data, by allowing them to view, freeze, download or delete their information at their convenience.

Data Localization

Data Localization laws, such as the Russian Federation’s Personal Data Protection Act, require that businesses that collect personal data from that country process and store the data there. With data centers in North America, Europe, Russia, China, and Australia, Gigya makes it easy to address these issues.

Social Compliance

• Gigya manages TOS for over 25 social networks
• Real-time synchronization of personal data between profiles and social networks
• The deletion of non-public data is based on the permissions of the customer

Data Privacy Regulations

Anti-Spam

• Allows businesses to provide default support for Registration-as-a-Service (RaaS) for easy and quick opt-in and opt-out functionality.
• Allows businesses to develop and modify custom rules that are specific to the laws and regulations of a particular country

Children’s Privacy

The ability to specify age restrictions and legal consent age options specific to each country while eliminating records of individuals under the age of consent automatically

Accessibility Compliance

In addition to providing solutions that are out-of-the-box to those that are visually impaired, Gigya provides accessibility tools that enable users to navigate online properties using their keyboards. The software complies with WCAG standards and the Americans with Disabilities Act (ADA).

Disclaimer: Please note that this information is not intended as legal advice for your organization. Instead, this information is intended to provide a basic understanding of the regulations for your organization. You should consult your legal representation on specific compliance requirements for your organization.