FAQ: your GDPR questions answered
What is the GDPR?
The General Data Protection Regulation (GDPR) is a set of European laws that govern how the user data of a company is collected and used. These laws prevent businesses from accidentally or intentionally misusing the data of their users (cue the Mark Zuckerberg case where millions of Facebook users in the US had their data stolen by political consultancy firm, Cambridge Analytica — awkward).
What is user data?
User data is information collected about a user of a website, application or service. It can be gathered in a number of ways, including through cookies, web beacons, log files and other tracking technologies, and it can be used to personalise a user’s experience, track their behaviour, or record which advertisements they have interacted with.
GDPR and cookies
One of the key changes the GDPR brings is the requirement for businesses to obtain explicit consent from individuals before collecting, using or sharing their personal data. This means that companies must now provide greater transparency about how they use cookies and other tracking technologies to collect user data.
Under the GDPR, cookies can be classified as either “session” or “persistent” cookies. Session cookies are temporary and only exist for the duration of a user’s browsing session. Persistent cookies, on the other hand, remain on a user’s device for a set period of time after the browsing session has ended.
This requirement applies to businesses regardless of size.
Who wants access to user data?
User data can get personal, really personal. Especially when it involves your bank details, medical information or computer IP address. The worst part? Once data is leaked, there is no way to get it back. Now you are probably asking yourself, “who could benefit from such data?”. Valuable user data can be sold on the dark web for a large price. Usually a “broker” will purchase this data and sell it on to a “carder”. The “carder” then uses the credentials to buy gift cards for stores like Amazon.com — essentially anything that cannot be traced. These gift cards are then used to purchase items such as electronics, which are resold on eBay or the dark web.
Who is affected by the GDPR?
We’ve heard it out of the mouths of various business owners: “the GDPR doesn’t affect me because I don’t work in Europe”. There’s something these business owners should know, though. If you have an office in the EU, offer goods and services to people in the EU, or monitor the behaviour of individuals in the EU, you’ll need to update your privacy policy. It’s no surprise that the country most affected by the GDPR is the US. If you think about it, some of the world’s largest data organisations were founded in the US — Facebook, Google, Snapchat, Twitter and LinkedIn, just to name a few. With large corporations like these being affected, it’s safe to assume that similar laws could be introduced here in the near future. If you want your business to remain ahead of the curve, it’s important to be mindful of any GDPR-related issues.
Is GDPR applicable in Australia?
If your Australian business has clients in Europe, then yes, GDPR may apply to you. There are also similarities between the GDPR and the Australian Privacy Principles (APPs), which regulate how personal information must be handled by organisations operating in Australia. Check out our privacy deep dive, Understanding data privacy for your business website, to get to grips with the legal and ethical obligations for your business.
Why should businesses comply with the GDPR?
Non-compliance with the GDPR can result in hefty fines for large corporations. The kind of fines that can send a company bankrupt. GDPR fines can go up to 20 million Euros or 4% of your annual global turnover, whichever is higher. Small businesses are no exception and will receive the same fines for any type of data breach.
How do I protect my company from GDPR fines?
- Cookie consent: you need to let each individual make their own privacy decisions and consent to any data collection. That means adding a cookie consent banner that lets users choose which data they allow you to collect.
- Use privacy-focused analytics to avoid collecting user data via your analytics software.
- Audit your systems to be sure you aren’t unintentionally collecting user data.
- Get some website help to update your systems in favor of privacy-friendly tech.
- Ensure anything added to your site does not introduce third-party tracking of your user data.
- Get legal advice specific to your business to be sure you are protected.
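To make the cookie-consent point above concrete, here is a small added example of a consent gate written for this FAQ; it is not code from the original post or from any consent product. It keeps the user's choices in a cookie, treats a missing or malformed cookie as “no consent”, and only starts trackers whose category the user has explicitly opted in to. It also shows the difference between a session cookie and a persistent cookie discussed earlier: the consent cookie is written with a Max-Age (persistent) or without one (session). The category names “analytics” and “marketing”, the cookie name “site_consent” and the sample trackers are all constructed for the example.

```javascript
// Added example (not from the original page): a dependency-free consent gate.
// The cookie name and category names below are hypothetical placeholders.
const CONSENT_COOKIE = "site_consent";
const CATEGORIES = ["analytics", "marketing"]; // non-essential, opt-in only

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(raw);
    } catch {
      // Malformed percent-encoding: keep the raw value rather than crashing.
      out[name] = raw;
    }
  }
  return out;
}

// Read stored consent. Anything missing or malformed means every
// non-essential category is denied, which is the safe default under an
// explicit-consent regime.
function readConsent(cookieString) {
  const denied = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return denied;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return denied;
  }
  const consent = { ...denied };
  for (const c of CATEGORIES) {
    consent[c] = parsed[c] === true; // only an explicit boolean true counts
  }
  return consent;
}

// Build the cookie string that records the user's choices.
// maxAgeDays = number  -> persistent cookie (survives the browser session)
// maxAgeDays = null    -> session cookie (removed when the session ends)
function buildConsentCookie(choices, maxAgeDays = 180) {
  const normalised = Object.fromEntries(
    CATEGORIES.map((c) => [c, choices[c] === true])
  );
  const value = encodeURIComponent(JSON.stringify(normalised));
  let cookie = `${CONSENT_COOKIE}=${value}; Path=/; SameSite=Lax; Secure`;
  if (maxAgeDays !== null) cookie += `; Max-Age=${maxAgeDays * 24 * 60 * 60}`;
  return cookie;
}

// Return only the trackers whose category has been consented to.
// A tracker with an unknown category never runs.
function allowedTrackers(consent, trackers) {
  return trackers.filter((t) => consent[t.category] === true);
}

// Constructed sample trackers; on a real page each init() would load the
// third-party script instead of returning a string.
const trackers = [
  { name: "page-analytics", category: "analytics", init: () => "analytics started" },
  { name: "ad-pixel", category: "marketing", init: () => "ad pixel fired" },
];

// Entry point a page would call on load with document.cookie: reads consent
// first, then starts only what is allowed.
function runAllowed(cookieString) {
  const consent = readConsent(cookieString);
  return allowedTrackers(consent, trackers).map((t) => t.init());
}
```

On a live page you would call `runAllowed(document.cookie)` on load and assign the string from `buildConsentCookie(...)` to `document.cookie` when the user saves their choices in the banner. The important design choice is the default: with no cookie, a malformed cookie, or a value that is not exactly `true`, nothing non-essential runs, so a bug in the banner fails closed rather than quietly tracking users who never opted in.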
So, what data is your website collecting?
So that’s the GDPR in a nutshell. To read more about privacy and what to include in your privacy policy, we highly recommend this website: https://www.oaic.gov.au/privacy/privacy-for-organisations
The GDPR is not a law to be taken lightly, and a data breach is serious stuff. Make sure you update your privacy policy if you plan on doing business with the EU — but even if you don’t, your users deserve to know where their data can potentially end up.
The 2022 Google privacy violations further underline the increasing importance of protecting the data of your website visitors. Learn more in our Privacy Deep Dive.