What is GDPR
The General Data Protection Regulation (AVG, its Dutch abbreviation) has been applicable since 25 May 2018. This means that the same privacy legislation applies throughout the European Union (EU). The Dutch Personal Data Protection Act (WBP) no longer applies.
The AVG is also known under its English name: General Data Protection Regulation (GDPR). A number of things have changed since 25 May 2018. Among other things, the AVG has ensured:
- Strengthening and extending privacy rights
- More responsibility for organizations
Strengthening and extending privacy rights
Under the GDPR, everyone can stand up for their rights when their data is processed. Organizations must obtain valid consent from people before processing their personal data, and they must be able to clearly demonstrate how that consent was obtained. In addition, you must be able to easily withdraw consent you have given before.
More responsibilities for organizations
With the advent of the GDPR, organizations have been given more obligations, in particular when processing personal data. The GDPR places more responsibility on organizations to demonstrate that they actually comply with the legislation.
What does this mean for your website
Every website must be GDPR-proof, especially if your website contains forms or allows people to log in. In that case you collect personal data that is stored in your website's database. Below are 10 steps that every organization must go through to comply with the GDPR:
1. Indicate what will happen with personal data.
Make a list of the personal data that you collect for your website and company: personal data of website visitors, business relations and employees. Note that data about companies or organizations does not count as personal data. In addition, you must map what you do with the personal data, including how it is processed. Examples of processing data are:
- sending e-mails with the name of customers in it;
- backup of IP data from website visitors;
- remove registered people from the newsletter list.
If you have a WordPress website, you may have collected the following personal data:
- Newsletters; name and e-mail address are collected
- Website statistics; by tools such as Google Analytics
- Google Maps; visitor geolocation
- E-commerce shops; credit card details and customer addresses
- Social media pixels; visitor tracking on social media
- Contact forms; data is stored in a database
- Backup plugins; data stored on your server, important to think about how long this will be stored
- Photos; photos of people on the website. Photos are also personal data. It must be indicated that these people are voluntarily on your website. If it is about stock photos, then it’s a different story.
2. Processing register.
In the processing register you write down what you do with the personal data. This serves as documentation to demonstrate that you comply with the GDPR, and it is your accountability as an organization. These are documents that you keep internally. If the government requests this document, you can share it. This information does not have to be published online.
Describe in a Word document:
- What is the purpose of the processing
- Which personal data are processed
- Why is it necessary to collect this personal data
- Describe the third parties who have access to this data
- How long this personal data is stored
- How this personal data is protected (SSL certificate on your website)
3. Provide a clear privacy statement.
After creating a processing register, the next step is to state transparently in the privacy statement which personal data you collect and process. In short, this is the information that you gathered in the processing register. You use the privacy statement to inform the visitors of your website. You publish it on the website and can link to it in the header (top) and/or footer (bottom) of your website.
If you have a WordPress website, there is already an existing privacy statement template. You can find this in your WordPress Dashboard at settings and then privacy. You can read this document and supplement it to your situation.
The moment you place cookies on your website, you need explicit consent from the visitor before you collect the visitor's data. A standard cookie banner that merely states that cookies are being set and that the visitor must accept to continue is no longer sufficient.
The visitor must be able to choose in the cookie settings which cookies they do or do not want. There must also be a list that indicates
- which cookies are collected
- which category the cookie falls into
- which cookie belongs to which platform
- the validity of cookie
The visitor can then save the settings and click accept.
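The cookie settings described above (a per-category choice, a list with category, platform and validity, and the ability to withdraw consent later) can be modelled as a consent register that gates which cookies and scripts are allowed. This is an added example, not code from the original article; the cookie names, platforms and lifetimes are constructed sample values, and it assumes that strictly necessary cookies are exempt from consent.

```javascript
// Added example: a consent register and gating logic for cookie settings.
// The cookie entries below are constructed samples, not from any real site.
const COOKIE_REGISTER = [
  { name: "session_id", category: "necessary",  platform: "this website",     validity: "session" },
  { name: "_ga",        category: "statistics", platform: "Google Analytics", validity: "2 years" },
  { name: "_fbp",       category: "marketing",  platform: "Facebook Pixel",   validity: "3 months" },
];

const OPTIONAL_CATEGORIES = ["statistics", "marketing"];

// Default state: nothing beyond strictly necessary cookies is allowed.
// Assumption: "necessary" cookies do not require consent.
function defaultConsent() {
  return { necessary: true, statistics: false, marketing: false, decidedAt: null };
}

// Record the visitor's choice. Only an explicit `true` counts as consent;
// anything else (undefined, "yes", 1) is treated as not consented.
function saveConsent(previous, choices) {
  const next = { ...previous, decidedAt: new Date().toISOString() };
  for (const cat of OPTIONAL_CATEGORIES) {
    next[cat] = choices[cat] === true;
  }
  next.necessary = true;
  return next;
}

// Withdrawing consent resets the visitor to the default state.
function withdrawConsent() {
  return defaultConsent();
}

// Names of the cookies that may be set under the given consent state.
function allowedCookies(register, consent) {
  return register.filter((c) => consent[c.category] === true).map((c) => c.name);
}

// Guard used before injecting a third-party script for a category.
function shouldLoad(category, consent) {
  return consent[category] === true;
}

// Rows for the cookie list shown to the visitor: name, category, platform, validity.
function consentTable(register) {
  return register.map((c) => `${c.name} | ${c.category} | ${c.platform} | ${c.validity}`);
}
```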
4. Ensure that people can view, modify and delete their data.
Visitors to your website must be able to view the personal data that you store about them. As stated earlier, this can be an IP address, e-mail address or login information. In addition to viewing this data, they must also be able to modify, download, transfer or delete it if they wish.
5. Provide security.
Make sure that not everyone can access your website and that it is well protected. For example, use two-factor authentication to ensure that only you can log in to your website.
6. Processor agreements.
If you work with third parties that process or store personal data, you must conclude processor agreements with them. Large companies, including Google for Google Analytics, have partially automated this process; all you have to do is tick a checkbox.
Companies that operate outside Europe, including Google and Facebook, fall under the Privacy Shield. This is an agreement with Europe that they comply with the legislation and handle the data with care. You then record this in the privacy statement.
7. Report data leaks and stay up-to-date.
Keep checking whether you are collecting any new personal data that must be recorded in the processing register. If you have a data leak, it must be reported to the supervisory authority.
What happens if I do not comply with the AVG legislation?
The GDPR is fairly simple: everyone must comply with it. If you have not complied with these points since 25 May 2018, you are liable to penalties. When the GDPR was introduced, companies that did not comply were rapped on the knuckles and received a warning. Nowadays, in 2019, companies receive fines.
Two categories are used in the event of a violation:
- Violation of fundamental obligations
- Violation of administratively oriented obligations
Violations in the first category can lead to a fine of up to € 20,000,000 or 4% of worldwide annual turnover (whichever is higher). Violations in the second category can lead to a fine of up to € 10,000,000 or 2% of worldwide annual turnover (whichever is higher).