In May of 2018 there was a significant change to net privacy law in the European Union. The GDPR was approved by the EU Parliament in April 2016 and the regulation is now being enforced. Organizations to be found in non-compliance, both inside and outside of the EU, may face heavy fines – enterprises found to be in violation of the provisions of the GDPR can be fined up to 4% of annual global revenue or 20 Million Euros, whichever is greater.

The GDPR regulates the gathering and storage of personally identifiable information (PII). PII is broadly defined as any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. Examples of PII include, but are not limited to:

• • ID / Passport details: names, postal addresses, race, origin, biometric data;
  • Contact information: email addresses, telephone numbers;
  • Digital media data: photographs and videos;
  • Fiscal data: financial and payment information;
  • HR records: current and former employee details, trade/union memberships;
  • Tech/background data: IP Address, Mobile device ID;
  • Demographic data: Race, political opinions, religion, sexual orientation

Consent to gather PII must now be given in an intelligible, unambiguous, and easily accessible form, using plain language free of ‘fine print’ or legalese. The intent of the information gathering must also be clearly declared. Consent must be as easy to revoke as it was to give and consent must be explicit “Opt In” when related to sensitive PII – including most or all of the above examples.

Who is Affected?

The GDPR not only applies to organizations located within the EU but it also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. Collecting any regulated data from any EU data subject will invoke the GDPR, regardless of your enterprise’s country of origin or size. Fundamentally, if you or your company has a presence on the internet in the form of a website and if your company acquires personal data from individuals who reside or visit the EU (either physically or virtually though the use of EU servers) while or after accessing your website, then your company is subject to the provisions of the GDPR.

As a hedge against liability, this essentially means the GDPR applies to every publicly available website. The GDPR Requires strict compliance across broad areas, including:

• • Consent – acquisition & maintenance
  • Breach Notification
  • Right to Access
  • Right to be Forgotten
  • Data Portability
  • Privacy by Design
  • Data Protection Officer Implementation

For full details of GDPR visit the official GDPR website.

GDPR Audits

As an integral part of our clients’ digital marketing and web teams, Shore Digital provides an auditing service designed to determine an organization’s level of compliance in this key area of its website. While the GDPR is a broad and overreaching regulation that covers all aspects of your business operations, our audit will provide your compliance officer with actionable information focused on your website compliance.

In our Audit, we examine several key areas of Compliance, including:

• Consent – Processing personal data is generally forbidden if it is not expressly allowed by law, or the impacted persons have not consented to processing these data. The basic requirements for the effectiveness of valid legal consent are defined in Art. 7 of the GDPR and specified further in recital 32.
• Privacy by Design – The term “Privacy by Design” means nothing more than “data protection through technology design.” Behind this is the thought that data protection in data processing procedures is best adhered to when it is already integrated in the technology when created.
• Order Processing – Order processing is the gathering, processing or use of personal data by an order processor in accordance with the instructions of those responsible for the data processing based on a contract.

Tangible items we check, include:

• Google Analytics
• Website Forms and Data Gathering Modalities
• Website Privacy & Terms of Service Statements
• CMS Compliance

Contact Shore Digital today for a complimentary consultation.