What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation on the “processing of personal data and on the free movement of such data”. The GDPR mandates can be grouped into four categories: Data Collection, Data Storage, Data Transfer, and Internal & External Oversight. Four main components impact your website(s):
- Consumer notification
- Collection and enforcement of consent
- Prevention of unauthorized data collection
- Collection of an audit trail for compliance
Who must comply?
- Businesses located in the EU
- Firms not located in the EU that offer free or paid goods or services to EU residents, or that monitor the behavior of EU residents
The General Data Protection Regulation (GDPR) Legislation
Notification, consent and enforcement
- Under the GDPR mandates, a business within the EU (European Union) must ensure that data is not collected until notification is given and explicit consent is received. Inaction cannot be considered consent. In addition, a website visitor must be provided with the ability to change or revoke their consent.
Unauthorized data collection
- A business is responsible for any data collection that occurs within its digital properties. Websites rely on third-party vendors to deliver critical functionality, but those vendors often invoke additional tags in a process called piggybacking. A business must be able to identify and block unauthorized data collection.
Compliance audit and analysis
- Organizations must be able to prove compliance when audited by a Supervisory Authority (SA); this includes an event-level audit log showing that consent was received for the information that was collected.
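The three requirements above (explicit consent before any tag fires, blocking of piggybacked tags, and an event-level audit trail) can be combined in one small consent gate. The following is an added illustration, not code from the original page or from any vendor; the allow-list, the host names and the banner/preferences event sources are constructed for the example, and tag loading is injected so the logic runs outside a browser.

```javascript
// Added example: a consent gate that refuses to load third-party tags until an
// explicit user action grants consent, honours revocation, blocks tags that are
// not on the site's allow-list (piggybacking), and writes an event-level audit log.
const ALLOWED_TAGS = { analytics: ['analytics.example'], ads: ['ads.example'] }; // constructed allow-list

class ConsentGate {
  constructor(loadTag) {
    this.loadTag = loadTag;   // function(host): actually loads the vendor script
    this.consent = {};        // purpose -> true/false, set only by explicit actions
    this.audit = [];          // event-level audit trail, one entry per decision
  }
  record(event, details) {
    this.audit.push({ ts: new Date().toISOString(), event, ...details });
  }
  // Inaction is not consent: a consent value is stored only with an explicit
  // boolean and the user action (source) that produced it.
  setConsent(purpose, granted, source) {
    if (typeof granted !== 'boolean' || !source) throw new Error('explicit user action required');
    this.consent[purpose] = granted;
    this.record(granted ? 'consent_granted' : 'consent_revoked', { purpose, source });
  }
  // A tag fires only if its host is allow-listed for the purpose AND the purpose
  // currently has consent; every outcome is logged so an auditor can replay it.
  requestTag(purpose, host) {
    if (!(ALLOWED_TAGS[purpose] || []).includes(host)) {
      this.record('tag_blocked', { purpose, host, reason: 'not_allowlisted' });
      return false;
    }
    if (!this.consent[purpose]) {
      this.record('tag_blocked', { purpose, host, reason: 'no_consent' });
      return false;
    }
    this.record('tag_loaded', { purpose, host });
    this.loadTag(host);
    return true;
  }
}

// Walk-through with a simulated vendor tag that piggybacks an unlisted partner.
function runDemo() {
  const loaded = [];
  const gate = new ConsentGate(host => {
    loaded.push(host);
    if (host === 'analytics.example') gate.requestTag('analytics', 'piggyback.example'); // piggybacking attempt
  });
  gate.requestTag('analytics', 'analytics.example');      // blocked: no consent yet
  gate.setConsent('analytics', true, 'banner_accept');    // explicit opt-in
  gate.requestTag('analytics', 'analytics.example');      // loaded; its piggybacked tag is blocked
  gate.setConsent('analytics', false, 'preferences_page'); // revocation
  gate.requestTag('analytics', 'analytics.example');      // blocked again after revocation
  return { loaded, audit: gate.audit };
}
```

Each `audit` entry records the purpose, host, user action and reason, which is the event-level evidence an SA audit asks for.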