You may have heard about the new General Data Protection Regulation (GDPR) that took effect May 25, 2018.
The GDPR imposes new rules on organizations in the European Union (EU) and European Economic Area (EEA), as well as on those that offer goods and services to people in the EU/EEA or that collect and analyze data tied to people in the EU/EEA, no matter where the organizations are located.
The regulation expands individuals’ rights over their data, extends the role and enforcement powers of data protection authorities, and creates a framework for data controllers to be transparent and accountable. GDPR aims to give individuals more control over their personal data and to simplify the regulations around data collection and privacy.
What is personal data?
- The GDPR applies to the processing of personal data that is:
  - wholly or partly by automated means; or
  - other than by automated means, where the personal data forms part of, or is intended to form part of, a filing system.
- Personal data only includes information relating to natural persons who:
  - can be identified or are identifiable directly from the information in question; or
  - can be indirectly identified from that information in combination with other information.
- Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
- Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
- If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.
- Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.
- Information about companies or public authorities is not personal data.
- However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.
What are identifiers and related factors?
- An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.
- A name is perhaps the most common means of identifying someone. However, whether any potential identifier actually identifies an individual depends on the context.
- A combination of identifiers may be needed to identify an individual.
- The GDPR provides a non-exhaustive list of identifiers, including:
  - an identification number;
  - location data; and
  - an online identifier.
- ‘Online identifiers’ include IP addresses and cookie identifiers, which may be personal data.
- Other factors can identify an individual.
What should I do for my website?
- Inform your visitors and get their consent. Whenever you need to collect data from a user, clearly state, among other things, why you need it, what you plan to use the data for, whether it may be shared and with whom, and the lawful basis on which you are relying to collect it. For example, if you have a newsletter or mailing list, make the purpose of your sign-up form very obvious so that visitors know what they are signing up for.
- Evaluate third-party apps and vendors for compliance. If you are using any third-party services to gather or process customer data, you will need to check with those companies to verify they are GDPR compliant and will assist you with, among other things, users’ data removal and portability requests.