Data Subject Rights And Requests According To The GDPR
Control over personal data is shifting back to data subjects, as the GDPR puts a great emphasis on data subject rights and requests.
The General Data Protection Regulation is the latest European data privacy law that aims at changing the way EU citizens’ personal data is collected, processed and stored, transferring the power over personal data from companies to data subjects.
A person’s identity is no longer just a set of randomly floating data; the new law provides power, control and consent over the shared data.
According to the GDPR, consent must be obtained from data subjects before companies can collect any personal identifying information. It also brings a new perspective on consent management, in which the liberty to withdraw consent must be granted at any moment.
The first step towards GDPR compliance is awareness and a thorough understanding of the changes the regulation has brought; acknowledging its impact on your organisation is the starting point.
| Issue | CCPA | GDPR |
|---|---|---|
| Who Does The Regulation Apply To? | For-profit entities that process personal data of California residents and either: (1) earn more than $25 million in annual revenues; (2) collect and process personal data of more than 50,000 consumers; or (3) derive at least 50% of their revenues from “selling” personal data | Any organization (for-profit, non-profit or governmental) that processes personal data of European citizens and residents, regardless of the organization’s location |
| Basis For Consent | Opt-out (data can be collected as long as a consumer can withdraw their consent) | Opt-in (no data can be collected without affirmative consent from a consumer) |
| Penalties | Up to $7,500 (or actual damages) for each violation if enforced by the Attorney General; up to $750 (or actual damages) for each violation if enforced by an individual | The greater of 4% of annual revenues or €20 million |
| Individual Rights Granted | Right to request information; right to data portability; right to opt out; right to access data; right of disclosure; right to deletion; right to restrict sale of personal information | Right to be informed; right of access; right to rectification; right to erasure; right to restrict processing; right to data portability; right to object to processing; rights in relation to automated decision making and profiling |
According to the GDPR, data subjects have the following rights:

- Right of access: data subjects have the right to obtain confirmation as to whether or not personal data concerning them is being processed and, where that is the case, the right to request and obtain access to that personal data.
- Right to erasure: officially called the “Right to Erasure”; in certain cases, data subjects have the right to obtain the erasure of their personal data.
- Right to data portability: data subjects have the right to receive their personal data from data controllers in a structured format, and the right to transmit, or have transmitted, such personal data to another controller.
- Right to restrict processing: under the GDPR, data subjects have the right to obtain the restriction of processing, applicable for a certain period and/or in certain situations.
- Right to object to processing: in certain cases, data subjects have the right to object to the processing of their personal data, including profiling. Where data has been collected for direct marketing purposes, they have the right to object to any further processing of it.
- Right to rectification: data subjects have the right to obtain the rectification of inaccurate personal data, and the right to provide additional personal data to complete any incomplete personal data.
- Rights in relation to automated decision making and profiling: data subjects have the right not to be subject to a decision based solely on automated processing.
This legislative shift puts customers in the driving seat, which has a range of implications for companies holding large banks of customer data. Today, companies need to be more transparent about the data they collect and must obtain explicit consent from the people they collect information from, or face large fines. The GDPR obliges companies to confirm where data is being held, whether they have deleted it, and what they will do with it. Previously, data was often held in unsecured places, and companies presumed it was fine to simply take it.
Additionally, the GDPR requires companies to correct or erase a customer’s personal data upon request, according to their rights. Individuals can also stop an organization from processing their data after a certain amount of time, or for certain situations. Furthermore, businesses must comply if an individual files a complaint about the way their data is being used, or if they object to having their personal data processed for any other purpose than those originally stated at the time of consent.
Under the GDPR, companies also have less time to respond to data subject requests – one month instead of 40 calendar days. Failure to do so could result in a hefty fine of up to 4% of annual global revenue, or €20 million, depending on which figure is higher.
Inform your users about any personal data collection activity you may perform and collect their consent for doing so in an unambiguous, informed and free way.
Let them know what categories of personal information you are collecting about them, why you are collecting it, how it will be used, for how long, and what other processors you are sharing this information with.
Don’t load any cookies or third-party content on the website before obtaining your users’ explicit consent.
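One way to implement the consent-before-loading rule described above, as an added example (not code from this page or from Clym): each third-party resource is tagged with a consent category, nothing loads by default, and a script is injected only after an affirmative opt-in for its category. The resource list, script URLs and consent-record shape are constructed for the example.

```javascript
// Added example (not from the original page): a minimal consent gate that
// defers third-party resources until the user has opted in for their category.
// Resource ids and URLs are constructed placeholders, not real vendors.
const THIRD_PARTY = [
  { id: 'analytics', category: 'analytics',  src: 'https://example.invalid/analytics.js' },
  { id: 'ads',       category: 'marketing',  src: 'https://example.invalid/ads.js' },
  { id: 'chat',      category: 'functional', src: 'https://example.invalid/chat.js' },
];

// Consent record kept by the site: every category starts as false (no consent is
// the GDPR default) and carries a timestamp so the grant or withdrawal can be evidenced.
function emptyConsent() {
  return { analytics: false, marketing: false, functional: false, updatedAt: null };
}

function setCategories(consent, categories, value, now) {
  const next = { ...consent, updatedAt: now };
  for (const c of categories) if (c in next && c !== 'updatedAt') next[c] = value;
  return next;
}

// Affirmative opt-in for the listed categories only; unknown names are ignored.
function grantConsent(consent, categories, now = Date.now()) {
  return setCategories(consent, categories, true, now);
}

// Withdrawal must be possible at any moment; it flips the categories back to false.
function withdrawConsent(consent, categories, now = Date.now()) {
  return setCategories(consent, categories, false, now);
}

// Pure decision: ids of the resources this consent record permits to load.
function permittedResources(consent, resources = THIRD_PARTY) {
  return resources.filter(r => consent[r.category] === true).map(r => r.id);
}

// Browser side: inject permitted scripts once each (idempotent); `doc` is the DOM
// document, or null when running outside a browser. Returns ids injected this call.
function loadPermitted(consent, doc = typeof document !== 'undefined' ? document : null) {
  const allowed = new Set(permittedResources(consent));
  const loaded = [];
  for (const r of THIRD_PARTY) {
    if (!doc || !allowed.has(r.id) || doc.getElementById('tp-' + r.id)) continue;
    const s = doc.createElement('script');
    s.id = 'tp-' + r.id; s.src = r.src; s.async = true;
    doc.head.appendChild(s);
    loaded.push(r.id);
  }
  return loaded;
}
```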
Under the General Data Protection Regulation, data subjects have seven fundamental rights.
As a data processor or controller, you have the obligation to inform them about these rights, set up a mechanism for allowing users to exercise their rights, as well as to address these requests in a serious and timely manner.
Under GDPR, companies are required to make the name and contact details of their Data Protection Officer as well as their company contact details publicly available to allow data subjects to easily contact them for inquiries.
Processing of personal data is only possible if you have a lawful basis, which means you must determine and document yours before collecting any personal data.
As a data controller and processor, you have the legal obligation to identify and map the personal information you collect, the legal basis and processing purpose for doing so, and which data processors have access to it.
Make sure you update your Terms, Policies, Agreements & Procedures to include information regarding all processes related to personal data, explaining the reason why it is processed, who else has access to it, and what measures you are taking for ensuring its security.