The General Data Protection Regulation (GDPR) is one such legal framework that sets guidelines for the collection and processing of personal information from people residing in the European Union (EU).
The regulation applies regardless of where the website is based. It must therefore be complied with by every site that receives European visitors, even one that does not market or promote its products and services to EU residents.
Under the GDPR, EU visitors must receive a number of disclosures about their data. The site must also take steps to facilitate EU consumer rights, including periodic notification in case of any breach of personal data. The GDPR was adopted in April 2016 but came into full effect in May 2018.
Under the GDPR, visitors must be notified of the data that the website collects from them. They must also consent to the use of that data, by clicking an Agree button or performing another action the website provides.
This requirement explains the universal presence of disclosures that websites collect “cookies”, the small files that hold visitors' personal information, such as their preferences and site settings.
Websites must also notify visitors periodically if the personal data held on the site has been breached. These EU requirements may be more stringent than those of the jurisdiction in which the website is located.
The GDPR also mandates an assessment of data security and of whether a dedicated Data Protection Officer (DPO) must be hired or whether the website's existing staff can handle this function.
Websites must also include information on how visitors can contact the DPO or other staff, so that visitors can easily exercise their EU data rights, which include the ability to completely erase their presence on the website.
Furthermore, to protect visitors and consumers, the GDPR calls for the Personally Identifiable Information (PII) that a website collects to be either pseudonymized (replacing the customer's identity with a pseudonym) or anonymized (keeping the identity anonymous).