GDPR Compliancy

Comply with European Union GDPR requirements.

 

The GDPR (General Data Protection Regulation) is a Europe-wide regulation that came into effect on 25 May 2018.

The GDPR implements regulation that protects the rights of EU citizens to control their personal data. It protects “natural persons” who are citizens of the EU. It regulates data processors and controllers, businesses either based in or with an establishment in the EU, and businesses based outside the EU that track the actions of EU citizens. It does not apply to online operations that are of a personal, non-commercial nature.

GDPR provides protection for personal data that is:

  • Identity information, e.g., name, address and IDs
  • Web data, e.g., location, IP address and cookie data
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

What does this mean for website owners?

The areas that matter are:

  1. The analytics, where web data is collected
  2. Contact forms/webshop purchases, where visitor identity information is collected

Google Analytics has updated its systems to conform to the GDPR by providing functionality that allows time limits to be set on the retention of data collected on website visits.

On every website Blensis will implement a data consent button as well as a Privacy Policy page that conforms to GDPR requirements. This includes functionality that allows visitors to access and delete any identity information that you may be holding on them within the website.

Important aspects of the GDPR are:

  • Consent
    • “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
  • Right of access
    • “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
  • Right to be forgotten (Right of erasure)
    • “A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation.”
  • Record keeping
    • Record keeping of personal data must include the purpose, the categories and the time limits of retention of such data.

There are many more articles to the GDPR that you can read here.

 
