You’ve probably seen plenty of cookie notices and consent emails since the General Data Protection Regulation (GDPR) went into effect in May 2018. While a simple code snippet may seem to do the trick, the true regulation is a lot more nuanced when it comes to handling personal data.
Let’s take a look at what the GDPR is, who needs to comply, how to comply, and how to test compliance.
What Is the GDPR?
The General Data Protection Regulation, or GDPR, is a law that’s designed to protect the data and the privacy of all individual citizens of the European Union. In particular, the regulations introduce technical and organizational requirements designed to ensure the proper disclosures of data collection and the proper protection of any personal data collected.
The goal of the regulation is to give individuals control over their personal data and to simplify regulatory requirements for businesses serving European users. In practice, you’ve probably noticed many websites have put up GDPR pop-up notices and sent emails to their existing subscribers notifying them of various data collection services.
In the event of a data breach, the law also requires companies to notify data protection authorities and affected individuals within 72 hours. The goal is to empower individuals to make any changes they need to make following a data breach to ensure the safety and security of their personal information elsewhere across the Internet.
Who Needs to Comply
The GDPR affects every business serving individuals in the EU — not just tech companies and data brokers. For example, an Austrian retailer was fined about US$6,000 for operating a video surveillance system that covered public streets and parking lots without adequate signage about CCTV recordings taking place.
Download our free GDPR compliance checklist to ensure that your business is on the right side of the law.
That said, the most obvious targets of the new law are technology firms, marketing firms, and the data brokers that connect them. For example, Facebook launched a number of tools designed to let users access their information, as well as download and delete specific data on the site. The company also required users to accept new terms of service.
The fine for non-compliance can be severe — up to €20 million or 4 percent of a company's annual turnover (whichever is more). While most fines levied to date have been much smaller, there’s no guarantee that these fines will not increase in the future. Businesses of all sizes should be sure that they are complying with GDPR best practices in order to avoid costly fines and penalties.
How to Be Compliant
The GDPR was written in intentionally vague terms that leave a lot open to interpretation, to give both regulators and businesses more flexibility. Following the rules too tightly could result in high implementation costs and customer churn, but following the rules too loosely could result in fines and penalties. Many companies have taken a middle ground that balances the potentially high costs with the intent of the law.
There are a few key points to consider:
Consent: Users must consent to their data being collected and/or processed by your company and its affiliates. This consent should be an active affirmative action rather than a passive acceptance of a disclaimer. You can’t hide it in the fine print!
Records: You must keep a record of how and when an individual gave consent and provide a way for them to access and withdraw their consent at any time. If you don’t have these capabilities, you should stop collecting data.
Portability: Users have the right to access their data at any time and move the data elsewhere within four weeks using common data formats, such as CSV files, so other service providers can easily read it.
Responsibility: Companies with over 250 employees must appoint a data protection officer to oversee these efforts. This person’s responsibility is to inform and advise the organization on meeting GDPR compliance and to monitor that compliance.
The easiest way for small to mid-sized businesses to get up to speed is to hire GDPR compliance consulting firms, which offer expertise without the cost of hiring dedicated staff. These consulting firms may provide a simple assessment for a fixed fee and/or provide ongoing consulting services to help your business actually move into compliance.
Testing GDPR Compliance
There are many different requirements for GDPR compliance, but one of the most challenging is that websites must obtain valid consent to collect data about visitors.
Don’t forget to download our free GDPR compliance checklist to ensure that your business is on the right side of the law.
Valid consent means describing the purpose of data processing in plain language to the visitor and getting their approval prior to processing any data. You can’t track the visitor with Google, Facebook, HubSpot or other tools and then request consent — you must request the consent beforehand. These requirements impose unique technical hurdles.
There are many free online tests, such as Cookiebot, that check for GDPR compliance by visiting your website and detecting any trackers and cookies. If there’s nothing in place to block them, your website is deemed non-compliant and may require some effort to block these cookies in advance.
Many companies also operate location-specific websites. For example, they may detect location at a DNS level — without ever collecting the IP address — and direct traffic to different servers depending on the location. You can test GDPR compliance on these global servers using proxy servers, like the ones available from WonderProxy, and testing automation tools.
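The check described above can be scripted. The following is an added example, not code from this post or from WonderProxy: it takes one pre-consent page load per vantage point (the response headers and HTML as they would be captured through a proxy in each region, before any banner is clicked) and reports cookies and scripts that appear before consent. The tracker domain list, the names treated as strictly necessary cookies, the site URL and the two captured responses are all constructed assumptions for the example; a real run would replace the captures with fetches through a proxy in each region, for which a small helper using the standard library's `urllib.request.ProxyHandler` is included.

```python
"""Pre-consent tracker audit across vantage points (added example)."""
from http.cookies import SimpleCookie
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request

# Assumptions for this example: a short list of tracker hosts and the cookie
# names this site treats as strictly necessary (allowed before consent).
TRACKER_DOMAINS = {"google-analytics.com", "googletagmanager.com",
                   "facebook.net", "hs-scripts.com"}
ESSENTIAL_COOKIES = {"sessionid", "csrftoken"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def host_of(url):
    """Hostname of a URL, lower-cased; '' for relative (first-party) paths."""
    return (urlparse(url).hostname or "").lower()


def same_site(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def is_tracker(host):
    return any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)


def audit_capture(site_url, headers, html):
    """Findings for one page load made before the visitor has given consent.

    headers: list of (name, value) pairs so repeated Set-Cookie headers survive;
    html: the response body. Anything found here ran without consent.
    """
    site_host = host_of(site_url)
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses "name=value; Path=/; Max-Age=..." etc.
        for cookie_name in jar:
            if cookie_name.lower() not in ESSENTIAL_COOKIES:
                findings.append(f"non-essential cookie set before consent: {cookie_name}")
    collector = ScriptSrcCollector()
    collector.feed(html)
    for src in collector.srcs:
        host = host_of(src)
        if not host:  # relative path, served first-party
            continue
        if is_tracker(host):
            findings.append(f"known tracker script loaded before consent: {host}")
        elif not same_site(host, site_host):
            findings.append(f"third-party script loaded before consent: {host}")
    return findings


def audit_regions(site_url, captures):
    """captures: region -> (headers, html); returns region -> findings."""
    return {region: audit_capture(site_url, h, b) for region, (h, b) in captures.items()}


def fetch_capture(site_url, proxy_url):
    """Fetch a page through an HTTP(S) proxy for a real run (not used offline)."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}))
    with opener.open(site_url, timeout=30) as resp:
        return list(resp.headers.items()), resp.read().decode("utf-8", "replace")


# Constructed sample captures: the German-language build is clean, the French
# build of the same hypothetical shop leaks analytics before the banner.
SITE = "https://shop.example.com/"
CAPTURES = {
    "eu-de": (
        [("Content-Type", "text/html"),
         ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly")],
        '<html><head><script src="/static/app.js"></script></head><body>Hallo</body></html>',
    ),
    "eu-fr": (
        [("Content-Type", "text/html"),
         ("Set-Cookie", "sessionid=def456; Path=/; Secure; HttpOnly"),
         ("Set-Cookie", "_ga=GA1.2.111.222; Path=/; Max-Age=63072000")],
        '<html><head><script src="//www.googletagmanager.com/gtag/js?id=G-XXXX"></script>'
        '<script src="https://cdn.example-widgets.net/chat.js"></script></head>'
        '<body>Bonjour</body></html>',
    ),
}

if __name__ == "__main__":
    for region, findings in audit_regions(SITE, CAPTURES).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{region}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The point of keying the audit by region is the one the paragraph makes: a site that routes by location can be clean from one vantage point and leak from another, so the same pre-consent load has to be captured through a proxy in each region you serve. Only what is set or loaded before any interaction with the banner is examined; a follow-up load after consent would need a separate capture.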
The Bottom Line
GDPR compliance is necessary for most online businesses — especially those that collect and process personal data. With the right tools, you can ensure that you’re compliant with the regulations without breaking the bank. Automated tests can help ensure that this compliance is always-on and you’re not at risk of accidental violations at any point in time.
Sign up for WonderProxy today to ensure that your GDPR compliance is working properly around the world using automated testing and a global network of proxy servers.