Explained for you: what is GDPR?
Did you notice? Meta, the mother company responsible for Facebook and Instagram, among others, has been fined billions for years of violating GDPR rules. Just the proof that you need to be very careful when it comes to the privacy of who visits your website(s). But then, of course, you first need to know what GDPR means.
What does the initials GDPR stand for?
Let's start at the beginning. On the European Commission's website, we read that the GDPR acronym stands for the General Data Protection Regulation. More specifically, it is a European privacy law that has been in force since May 25, 2018. The main purpose of the GDPR is to protect the privacy and personal data of individuals within the European Union.
After all, that is one of our fundamental rights. The EU Charter of Fundamental Rights states that EU citizens have the right to protection of their personal data.
GDPR according to the European Commission:
"The GDPR strengthens the fundamental rights of citizens in the digital age and facilitates trade by clarifying the rules for businesses in the digital single market. This common set of rules has eliminated the fragmentation that resulted from divergent national systems, and avoids red tape."
GDPR and AVG
GDPR (General Data Protection Regulation) and AVG (Algemene Verordening Gegevensbescherming) are actually the same law, but the terms are often used interchangeably because the law is used at both the European and national levels. GDPR is merely the English-language abbreviation for the same law. You hear this term more often in English-speaking countries and in an international context. In Dutch-speaking countries, they use the term AVG, although GDPR is also widely used as a term there.
DPA and AP
More abbreviations? True! We can't even promise they will be the last in the context of privacy policies. The Data Protection Authority (DPA) is responsible for monitoring and enforcing the GDPR in Belgium. The DPA is an independent authority established to protect the privacy rights of individuals and ensure compliance with privacy laws. Thus, if necessary, this authority also hands out fines. You can read more about how the DPA works on its official website.
The Personal Data Authority (PDA) is its counterpart from the Netherlands. So AP takes care of the supervision of the GDPR at our northern neighbors. This authority also has its own website full of useful information.
Like the Belgian Data Protection Authority, the Personal Data Authority has specific duties and powers.
European privacy regulators are responsible for:
- handling complaints.
- investigating possible violations of privacy laws.
- imposing fines on those who effectively violate the (new) GDPR rules.
- publishing guidelines and opinions on the General Data Protection Regulation.
Key GDPR terms in a nutshell
- Personal data: information that can be used directly or indirectly to identify an individual, such as names, addresses, e-mail addresses, phone numbers, ID numbers ...
- Processing personal data: any act or action you take to collect, store, modify, access, share and/or delete personal data.
- Controller: an organization or entity that makes decisions about the purpose and means of processing personal data, and bears responsibility for compliance with privacy laws. In other words, you as the business owner or owner of an application that processes person data.
- Processor: a company or organization that processes personal information on behalf of another company or organization, the processing controller. Think of a Payment Service Provider (PSP). The processor has the responsibility to process the data securely and according to the controller's instructions.
- Consent: agreeing to have your personal data used for a specific purpose. It is important that the individual is well informed and can decide to withdraw that consent at any time. A cookie banner for example is designed to do this.
GDPR meaning of this strict law
The GDPR applies to all organizations, both inside and outside the EU, that process personal data of EU citizens. It is a legal framework that establishes rules and regulations for the collection, processing and storage of personal data.
Do you leave your personal data at the bakery to participate in the annual lottery? If so, that processing is subject to the rules of the General Data Protection Regulation. Although of course you hear a lot more about AVG or GDPR when it comes to websites and webshops. After all, in the online world you very often have to leave your personal data.
Why is GDPR important?
This law is very important because it gives ordinary mortals more control and protection over their personal data. This was not the case at all before. The GDPR requires organizations to be transparent about how they collect and use personal data, and that they can only process personal data if they have a valid reason to do so.
Are you an entrepreneur, do you have your own website? Then the law requires you to take adequate security measures to protect personal data from loss, theft or unauthorized access.
Install an SSL certificate on your website. This gives users the assurance that all communication between your website and their connection is in encrypted form. That secure HTTPS connection keeps data out of the hands of Internet fraudsters. Note: GDPR requires the SSL certificate if you process customer data!
Key objectives GDPR
This European privacy law has some key objectives. University of Antwerp (UA) talks about basic principles (foundations GDPR). These basic principles contain the rights and responsibilities of the controller, the processor and the individual concerned.
The objectives or basic principles of the GDPR regulation focus mainly on transparency, correctness, right of access, correction and deletion of personal data, security and responsibility.
Beware of GDPR fines and penalties
You better follow the GDPR regulations strictly. If not, you risk hefty fines. If you think that only Mark Zuckerberg has to pay heavy fines in faraway America, you are wrong. Closer to home, NMBS and DPG Media have also already been fined. After all, GDPR is a legal obligation.
Simply to give you an idea: on average, GDPR fines in Belgium run to 25,000 euros. They all have to do with violation of the General Data Protection Regulation (GDPR). On a European level, we are talking about over 1.5 billion euros in GDPR fines!
The responsible data protection authority in each country can issue two levels of effective fines. That level is determined based on the specific violation.
Under level one come violations such as processing personal data of minors without parental consent, failing to report a data breach, cooperating with a processor that does not provide sufficient guarantees in terms of required data security ...
Here, fines can be as high as 10 million euros or, in the case of a firm, up to 2% of your total annual worldwide turnover for the previous fiscal year.
Level two applies if you commit fundamental violations. For example, not complying with data processing principles or if an organization cannot prove that the data subject (e.g. your customer) has actually given consent for the data processing.
If you get caught, you risk a maximum fine of - wow - 20 million euros. Or up to 4% of your company's worldwide turnover.
In addition to fines, the national data protection authority can also impose other sanctions. These can range from warnings and reprimands to the temporary (and sometimes even permanent) cessation of data processing.
In this case, you may temporarily or permanently stop processing personal data through your organization. For example, because you have repeatedly committed criminal offenses. Another possible GDPR sanction is the payment of damages to users who filed a justified complaint.
Does your site or shop comply with GDPR rules? Do the test!
Do the iubenda compliance scan and find out immediately if your website complies with the right GDPR rules.
Be aware of your users rights
So let's do everything, but really everything, to avoid those penalties. That's why it's important to be aware of your customers and users rights. Moreover, those rules also apply to you, dear reader. This knowledge is useful anyway. So we'll go into it in more detail.
The thing is, the GDPR introduced a number of important rights for individuals. Such as the right to access their personal data, the right to have data corrected or deleted, and the right to object to the processing of their data.
What does the GDPR law mean in terms of data subjects rights?
- The right of access
The right of access means that you have the right to view and access personal data processed about you.
- The right to rectification
Rectification is a synonym for correction. Thus, the right to rectification gives you the right to make changes and additions to the personal data that an organization processes about you to ensure that it is processed correctly.
- The right to oblivion
"Don't you forget about me" ... We sure do! The right to oblivion is the right to be "forgotten". An organization is then obliged to erase personal data. If there are legal obligations involved, you cannot invoke this right.
- The right to restriction of processing
This right allows you, as a data subject, to limit the processing of your personal data, meaning that you may ask for less data to be processed.
- The right to data portability
Also known as data portability. This right means that you have the right to transfer your personal data to another organization.
- The right to object
The right to object means that you have the right to object to the processing of your personal data, for example when your data is used for marketing purposes. You can exercise this right because of specific personal reasons.
- The right not to be subject to automated decision making
You have the right not to be subjected to fully automated decision-making that could have significant effects on you or legal consequences, without human intervention. An example of automated processing is a credit rating system that will fully automatically determine your eligibility for a loan.
Also read: the right not to be subjected to automated decision-making explained in detail.
- The right to information.
This means that an organization must give you clear information about the collection and processing of your personal data. An organization must be able to state what data they process and why (GDPR bases).
How to comply with GDPR?
True, there is quite a bit involved in complying with the GDPR rules. As such, it is a complex piece of legislation. Fortunately, there are several steps you can follow to make sure you're complying with the rules. We recommend taking these 12 steps:
1. Make online privacy a top priority
As a business owner, familiarize yourself with the GDRP rules or seek advice from legal experts. That way, you'll find out what rules your company needs to comply with. Fortunately, the Belgian and Dutch authorities are helping you on your way. For example, the GBA (responsible for General Data Protection Regulation Belgium) developed a toolbox (in Dutch) with tools related to GDPR.
2. Identify which personal data you process
Create a processing register in which you list which data you keep, where they come from and with which parties you share this information. Also take into account the storage periods. GDPR states that you must be transparent about this as well.
4. Check the rights of the data subject
Check whether the current procedures in your organization respect all the rights a data subject can invoke. Check carefully how personal data can be deleted or how data will be communicated electronically.
5. Identify the legal basis for processing personal data
6. Work out the process around consent
Don't have a cookie banner or policy? Get to work on it! While you're at it, evaluate the current way you request, obtain and record consent.
7. Ask permission for data processing of minors
For example, is your webshop focused on children? Then implement a tool that verifies the age of the data subject and asks the parent(s) or guardian(s) for permission to process children's data. Several companies tend to forget this.
8. Be prepared for data breaches
Work out watertight procedures to prevent, detect, report and investigate data breaches. Don't forget: you are required to report a data breach to the appropriate authority.
9. Check the international picture
Check which supervisory authority you fall under if your company or organization operates internationally.
10. Review existing contracts
Remember we talked about a "processor"? A company or organization that processes personal information on your behalf. Take a close look at your current partnerships and check whether they comply with the privacy rules that you and the GDPR require!
11. Work out the process for access requests
Does someone want to see their data or have it changed? Don't fall out of the sky and work out in advance a procedure for dealing with such requests. In most cases, you have to inform the person concerned about their access request, free of charge and within 30 days.
12. If necessary, designate a Data Protection Officer (FG)
A Data Protection Officer (DPO) oversees compliance with the GDPR within your organization. A DPO is mandatory in some cases. For example, for governments and public organizations and if you process "special personal data" on a large scale. Your DPO can, for example, advise on a Data Protection Impact Assessment. The European Commission provides additional information about this.
This really handy tool will make your site GDPR compliant
It should be obvious that GDPR involves a lot of laws and regulations. Drafting all those documents and conditions yourself is no walk in the park. In fact, chances are you'll get lost in it. Maybe you are considering outsourcing that (digital) paper mill. That's not a bad idea! Several specialized lawyers or law firms are at your service. That costs quite a bit, of course.Consider using online compliance software such as iubenda. The tool might be just what you need!
This is how iubenda makes your website GDPR-proof:
- iubenda generates for you all the necessary documents and tools, and they automatically stay in line with everything GDPR related.
- With iubenda you can create a cookie banner (mandatory under GDPR rules) in your own style to ask your visitors' permission.
- With iubenda you store and manage your consents in your own kind of processing register. Thanks to the integration with your forms, synchronization with your legal documents and a handy dashboard with a complete overview of the various consents.
- The iubenda legal team ensures that your documents remain in line with (GDPR) law changes.
Iubenda is part of our hosting group. Combell ensures flawless integration with the rest of your services. This means that you can count on the same service.
You can start small and expand later to useful extras. Thanks to the handy plugins, you can install iubenda on your website in minutes. We have plugins for WordPress, Joomla and Magento. You can also easily add it to SiteBuilder, by easily embedding a simple code (found in the iuebenda tool) into the website.