The GDPR regulation, which entered into force in 2018, has permanently changed data protection, the collection of user data and the use of cookies. GDPR, i.e. the General Data Protection Regulation, is a data protection law that regulates the processing of personal data as well as its collection.
In practice, the GDPR reform enables better protection of your personal data and broader opportunities to manage the processing of your own data. With the reform, companies' responsibility for keeping personal data confidential also increased significantly.
GDPR law and regulation
The new data protection regulation entered into force in May 2018. Since it is a regulation of the European Union, it applies to all companies operating in the EU region.
The goal of the GDPR reform is to reduce unnecessary collection of visitor data, make the use of user data transparent, address new data protection issues and promote the development of the digital market.
According to the regulation, every organization must be able to demonstrate that its website and its data collection are GDPR compliant.
Effects of the data protection reform
According to the GDPR, companies are obliged to inform more transparently about the collection of personal data. When you open a website, a small pop-up notice appears asking for permission to use cookies and collect data.
According to the regulation, data collection must be justified, and the individual must have the option to refuse data collection. Individuals also have the right to see what information the company has collected about them and, if they wish, to ask the company to correct or delete incorrect or redundant information.
Since an individual's data can pass through several organizations or companies, larger organizations must appoint a data protection officer who is responsible for the proper management and use of personal data.
A data protection officer must be appointed if the company uses large amounts of personal data continuously, or its business is based on information technology. If personal data is used only occasionally, it is not necessary to appoint a data protection officer.
Personal data subject to GDPR - What companies know about you
Within the framework of the GDPR, companies can collect various personal data from you, which they can use, among other things, for segmentation and marketing targeting.
All information relating to an identifiable person is considered personal data.
Personal data subject to the GDPR includes, among other things:
- The name of the person
- Contact information (phone number, address, e-mail address)
- Identity card number
- IP address
- Patient information and history
- Car registration number
- Location information
According to the GDPR, companies may not collect, among other things:
- Information related to ethnicity
- Political beliefs or opinions
- Religious affiliation
- Health or genetic information
- Criminal records
- Sexual orientation
Individual data protection rights
One of the main points of the data protection regulation is the improvement of an individual's data protection rights. According to the GDPR, every person has the right to see what information a company has collected about them. The regulation obliges companies to delete and correct collected data if the customer so requests.
An individual has the right to:
- Find out what information the company has collected about them
- Find out the purpose for which their personal data is used
- Demand deletion and correction of their personal data
- Have their information transferred to another organization
If you want to find out what a company knows about you, you can contact the company. The company is obliged either to confirm that you are not in its data register, or to send you the information it has collected about you in electronic form.
GDPR and cookies
The GDPR regulation also defines the exact framework for the use of cookies. Cookies are small pieces of code that companies can use to collect information about customers that can be used in marketing.
According to the GDPR, the company is obliged:
- To request strong consent for the use of cookies in accordance with the GDPR. According to the Data Protection Directive, consent must be individualized, informed and completely voluntary. According to the GDPR regulation, the person must clearly understand what they are agreeing to.
- To inform the customer of the purpose of using cookies and what the collected information is used for
- To let the customer allow the use of cookies or prohibit the processing of their data
- To make sure that refusing cookies does not cause the customer any harm
Although the use of cookies always requires strong consent, the use of mandatory cookies does not require a separate consent. Mandatory cookies are necessary for the functionality of the website. An example of a mandatory cookie is an online store's shopping cart, where the site remembers your choices even when you move from one page to another.
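The consent rules above translate into a simple server-side gate: a cookie that is strictly necessary (such as the shopping-cart cookie) may always be set, any other cookie may be set only if the visitor has actively opted in to its category, and the absence of a recorded choice counts as no consent. The following Python is an added illustration written for this page, not code from the author or from any library; the cookie names, the categories and the name and format of the consent-record cookie are assumptions chosen for the example.

```python
"""Consent-gated cookie handling (illustrative example, not a library).

A request's Cookie header is inspected for a consent record. Non-essential
cookies are only allowed when the visitor opted in to their category;
essential cookies are always allowed; unknown cookies are refused.
"""

ESSENTIAL = "essential"

# Which cookie belongs to which category is an assumption for this example.
# Every cookie the site sets should be classified here; anything missing is refused.
CATEGORY = {
    "session": ESSENTIAL,          # login session, strictly necessary
    "cart": ESSENTIAL,             # the shopping-cart cookie mentioned in the text
    "_analytics": "analytics",     # non-essential, needs opt-in
    "ad_tracking": "marketing",    # non-essential, needs opt-in
}

# Hypothetical cookie in which the visitor's choices are stored, e.g.
# cookie_consent=analytics:1,marketing:0  (1 = opted in, 0 = refused).
CONSENT_COOKIE = "cookie_consent"
CONSENT_MAX_AGE = 180 * 24 * 3600  # retention of the choice; an assumed value


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header ("a=1; b=2") into a name -> value dict."""
    cookies = {}
    for part in (header or "").split(";"):
        if "=" not in part:
            continue  # ignore malformed fragments rather than guessing
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def parse_consent(header: str) -> dict:
    """Return {category: bool} from the consent record.

    A missing or unreadable record yields {} so that nothing non-essential
    is allowed: consent must be an active opt-in, never a default.
    """
    record = parse_cookie_header(header).get(CONSENT_COOKIE)
    if not record:
        return {}
    consent = {}
    for item in record.split(","):
        if ":" not in item:
            continue
        category, flag = item.split(":", 1)
        consent[category.strip()] = flag.strip() == "1"
    return consent


def may_set(cookie_name: str, consent: dict) -> bool:
    """Decide whether a single cookie may be set for this visitor."""
    category = CATEGORY.get(cookie_name)
    if category is None:
        return False  # unclassified cookie: fail closed
    if category == ESSENTIAL:
        return True   # strictly necessary, no separate consent required
    return consent.get(category, False)


def filter_set_cookies(header: str, requested: list) -> list:
    """Keep only the cookies the application may set in its response."""
    consent = parse_consent(header)
    return [name for name in requested if may_set(name, consent)]


def build_consent_cookie(choices: dict) -> str:
    """Build the Set-Cookie header value that records the visitor's choices.

    The consent record itself is essential (it is how refusal is remembered),
    so it is set regardless of the choices it contains.
    """
    value = ",".join(f"{cat}:{1 if ok else 0}" for cat, ok in choices.items())
    return (f"{CONSENT_COOKIE}={value}; Path=/; Max-Age={CONSENT_MAX_AGE}; "
            "SameSite=Lax; Secure")


if __name__ == "__main__":
    wanted = ["session", "cart", "_analytics", "ad_tracking"]
    # First visit, no choice recorded: only the essential cookies survive.
    print(filter_set_cookies("", wanted))
    # Visitor accepted analytics but refused marketing.
    header = "session=abc; cookie_consent=analytics:1,marketing:0"
    print(filter_set_cookies(header, wanted))
    print(build_consent_cookie({"analytics": True, "marketing": False}))
```

The key design choice is the fail-closed default in both `parse_consent` and `may_set`: a visitor who never interacted with the banner, a corrupted consent record, or a cookie nobody classified all result in only the essential cookies being set, which is the behaviour the regulation's opt-in requirement calls for.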
GDPR violations
Violation of the European Union's data protection regulation can lead to significant sanctions. A gross violation of the GDPR can lead to fines of up to 20 million euros or 4 percent of the company's turnover. The data protection authority may also order the company to stop collecting and processing data.
If you are unsure whether your website complies with the GDPR regulation, it is worth consulting a lawyer. By doing the right thing and playing it safe, you will avoid GDPR violations that would be expensive for your company.
Author: Jere Rautiainen / Muutos Digital