Technical solutions regarding the new GDPR Regulation for your website and business


The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, entered into force on 24 May 2016 and has applied since 25 May 2018. It binds every organization established in the European Union, whatever its size, and also organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. As the name suggests, its subject is the protection of personal data: any information relating to an identified or identifiable natural person, such as name, postal address, e-mail address, phone number, date of birth, IP address, political opinions, religious beliefs, and so on.

Transparency is a fundamental principle of the regulation: anyone processing personal data must do so lawfully, fairly and in a way the person concerned can understand, and must protect that data with appropriate measures. Another important principle concerns consent: where consent is the legal basis for processing (it is one of several possible bases, not the only one), it must be freely given, specific, informed and unambiguous, which in practice means an active opt-in rather than a pre-ticked box. This is what rules out unsolicited commercial communications.

Fines for non-compliance with GDPR may reach 20 million euros or 4% of the worldwide annual turnover of the preceding financial year, whichever is higher.

The General Data Protection Regulation (GDPR) gives individuals a set of rights over the processing of their personal data, such as:
  • the right of access to the data;
  • the right to rectification of the data;
  • the right to erasure (the right to be forgotten);
  • the right to restriction of processing;
  • the right to data portability;
  • the right to object;
  • the right not to be subject to a decision based solely on automated processing, including profiling;
  • the right to lodge a complaint with the supervisory authority (the National Supervisory Authority for Personal Data Processing) and to seek a judicial remedy.

What does GDPR mean for your website?

The vast majority of websites collect personal data directly (account registration and login, personalized product listings, contact forms, etc.) or indirectly, through cookies set for statistics and analytics. In the latter case site owners often overlook the fact that these statistics are personal data too. The most common example is Google Analytics, which receives the visitor's IP address (used to derive an approximate location) and, where demographic reporting is enabled, inferred age, gender and interests, and which sets identifier cookies on the visitor's device. Analytics systems can be configured to limit this: Google Analytics, for instance, can truncate IP addresses before they are stored (the anonymize_ip setting), and loading the analytics script only after the visitor has consented avoids setting its cookies at all.

The main obligations for website owners processing personal data are to:
  • inform users of the identity and contact details of the controller (and of the data protection officer, where one is appointed);
  • inform users what types of personal data are collected;
  • inform users how the personal data is collected;
  • inform users of the purpose of, and the legal basis for, collecting personal data;
  • inform users how long personal data is stored;
  • inform users about transfers of personal data to third parties;
  • inform users in which countries personal data is stored or to which it is transferred;
  • inform users how their data is secured;
  • inform visitors / customers of the rights they have;
  • inform users of any security breach that compromises the protection of their personal data;
  • obtain consent before sending commercial communications by e-mail, phone, text message, etc.

Specifically, website owners must publish on their website a Privacy Policy, a Cookie and Similar Technologies Policy and, in many cases, Terms and Conditions. They must also install a module / script / plug-in / web application that asks for consent before placing non-essential cookies on the visitor's / user's device (strictly necessary cookies, such as the session cookie and the cookie that remembers the consent choice itself, need no consent), and that lets the visitor / user change that choice at any time. Consent must be an active opt-in: pre-ticked boxes do not count. Where personal data is submitted, add separate, unticked checkboxes for accepting commercial communications and for acknowledging the Privacy Policy.

The visitor / user must be able to download their personal data in a structured, commonly used, machine-readable format (CSV, JSON or XML; spreadsheet exports such as .xls or .xlsx are a convenience on top of that), to have all their personal data deleted, and to have it transmitted to another provider. We recommend a centralized inventory of where personal data lives (accounts, orders, CRM, analytics, backups) together with an audit log of every access, export and deletion: a request to delete data that is scattered across systems is otherwise hard to honour and harder to prove.

In terms of security, site owners must serve the whole site over HTTPS with TLS 1.2 or later and redirect plain HTTP to HTTPS (protecting only the login or checkout pages is not enough, because the session cookie travels with every request), and must notify users / visitors in the event of a security breach that is likely to put them at high risk.
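As an added example covering the analytics and cookie-consent points above (this is illustrative code, not code from the original article or from Google), the script below gates Google Analytics behind the visitor's choice: nothing from Google is loaded until the visitor opts in, IP addresses are truncated with the gtag.js anonymize_ip parameter, the choice is kept in a first-party cookie so it can be changed later, and a change in the policy version re-asks. The cookie name site_consent and the property ID UA-XXXXXXX-1 are placeholders, and the banner markup itself is left to the site.

```javascript
// Added example, not from the original article: consent-gated Google Analytics.
// Assumptions: the cookie name "site_consent" and the property ID "UA-XXXXXXX-1"
// are placeholders; the banner listens for the "consent:ask" event and calls saveConsent().

const CONSENT_COOKIE = 'site_consent';
const CONSENT_VERSION = 1;            // bump when the cookie policy changes: old choices are re-asked
const ONE_YEAR = 365 * 24 * 60 * 60;  // Max-Age in seconds
const GA_ID = 'UA-XXXXXXX-1';         // placeholder property ID

// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }  // tolerate bad escapes
  }
  return out;
}

// Returns null when the visitor has not decided yet (or decided under an older
// policy version, or the cookie is corrupt); otherwise {analytics, marketing}.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    if (c.v !== CONSENT_VERSION) return null;
    return { analytics: c.analytics === true, marketing: c.marketing === true };
  } catch (e) {
    return null;
  }
}

// The consent cookie holds only the choice. It is strictly necessary, so it may be
// set before consent; Secure and SameSite=Lax keep it off plain HTTP and cross-site POSTs.
function consentCookieHeader(choices) {
  const value = encodeURIComponent(JSON.stringify({
    v: CONSENT_VERSION,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
  }));
  return CONSENT_COOKIE + '=' + value + '; Max-Age=' + ONE_YEAR + '; Path=/; SameSite=Lax; Secure';
}

// gtag.js config for the current consent, or null when GA must not load at all.
// anonymize_ip drops the last octet of IPv4 / last 80 bits of IPv6 before storage;
// allow_google_signals controls the advertising and cross-device features.
function analyticsConfig(consent) {
  if (!consent || !consent.analytics) return null;
  return { anonymize_ip: true, allow_google_signals: consent.marketing === true };
}

// Browser-only: inject gtag.js only when analyticsConfig() permits it.
// Returns true if analytics was loaded.
function applyConsent(consent) {
  const cfg = analyticsConfig(consent);
  if (!cfg || typeof document === 'undefined') return false;
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(GA_ID);
  document.head.appendChild(s);
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', GA_ID, cfg);
  return true;
}

// Called by the banner's "Save" button and by the "cookie settings" page, so the
// visitor can change the choice at any time. Withdrawing analytics consent takes
// effect on the next page load, when GA is simply no longer injected.
function saveConsent(choices) {
  const normalized = { analytics: choices.analytics === true, marketing: choices.marketing === true };
  if (typeof document !== 'undefined') {
    document.cookie = consentCookieHeader(normalized);
    applyConsent(normalized);
  }
  return normalized;
}

// Page start-up: load nothing non-essential until a choice exists.
if (typeof document !== 'undefined') {
  const existing = readConsent(document.cookie);
  if (existing === null) {
    document.dispatchEvent(new CustomEvent('consent:ask'));  // the banner listens for this
  } else {
    applyConsent(existing);
  }
}
```

anonymize_ip is honoured by Universal Analytics properties; GA4 properties discard the IP address by default and ignore the parameter. Note also that the consent cookie should never hold more than the choice itself, since it is set before any consent exists.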

What does GDPR mean for your company?

GDPR requires every company to implement technical and organizational measures that meet its requirements: "data protection by design" and "data protection by default" (Article 25). Data protection must be considered from the earliest phase of any new technology, product or service that processes personal data, and the default settings must process only the data needed for each specific purpose. The regulation names measures that help achieve this: minimizing the personal data processed, pseudonymization and encryption, transparency about the functions and processing involved, and letting data subjects monitor how their data is handled. These measures must be reviewed and kept up to date.

The regulation requires organizations of all sizes to adopt processes and policies that give individuals greater control over their personal data. Much of this involves writing new procedures and manuals, training staff and updating systems to follow them. Other steps are practical, such as encrypting data wherever it is exposed to risk. A lost or stolen laptop or USB stick whose contents were encrypted with a validated product need not be reported to the affected individuals, because the data stays unintelligible to whoever holds the device (Article 34(3)(a)); the loss must still be recorded internally and its risk assessed. One of the key principles of GDPR, in Article 5, is to ensure appropriate security of personal data, and Article 32 (Security of Processing) names encryption as a suitable technical measure. If encryption is used, the keys must be managed so that the data can be restored in a timely manner after a physical or technical incident (a lost key is a lost dataset), the measures must be tested regularly, and records must be kept to show that systems are secure and recoverable. Finally, GDPR requires organizations to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned; when the breach is likely to result in a high risk to them, the affected individuals must be informed as well, without undue delay.

Objectives for companies:
  • Data at rest within the organization: encrypt files, folders and removable storage media in a standard way so that data is protected at endpoint and server level;
  • Data in transit: full encryption of removable drives, USB sticks and optical media, so that data stays protected while it moves;
  • Mobile data and home working: portable encryption on any USB storage device;
  • Data transfer between locations: an Outlook plug-in, clipboard encryption that works with any mail client including webmail, and attachment-level encryption for any system; encryption of optical media allows safe transfer of data stored on CDs or DVDs;
  • Restricting access to specific data: implementing and managing encryption for teams and complex workgroups;
  • Allowing access to protected data when needed: remote management of users over a secure internet connection;
  • Secure storage of personal data: industry-standard, trusted and approved encryption methods.

For any questions or quotes regarding the technical implementation of the General Data Protection Regulation (GDPR), please contact us using the contact form.

Last modified on Saturday, 11 April 2020 18:11