Magnifying glass analysing the CMP banners from a GDPR point of view on mobile and desktop

Why was the GDPR created?

To give people control over how their data is used and to protect the “fundamental rights and freedoms of natural persons”. The regulation sets out strict requirements on data handling procedures, transparency, documentation and user consent for organizations processing personal data in the European Union.

Organizations must have a valid legal basis for, keep records of, and monitor personal data processing activities.

As the data controller, any organization must have a legal basis for, keep record of, and monitor personal data processing activities. This includes personal data handled within the organization, but also by data processors, third parties processing personal data for the data controller.

Data processors can be any entity from Software-as-a-Service (SaaS) providers to embedded third-party services that track and profile visitors on the organization’s website.

Both data controllers and processors must be able to account for what kind of data is being processed, the purpose of the processing, and to which countries and third parties the data is transmitted.

If personal data is being sent to organizations or regions beyond the jurisdiction of the GDPR or that are not deemed ‘adequate’ for data privacy by the GDPR, users must be specifically informed about this and any risks involved.   

All consents must be recorded and securely stored as evidence that consent has been given.

On May 4, 2020, the European Data Protection Board (EDPB) adopted guidelines on valid consent under GDPR.

Valid consent from an individual must be a freely given, specific, informed and unambiguous indication of the user’s wishes, i.e. a clear and affirmative action by the user.

The EDPB guidelines make it clear that scrolling or continued browsing on a website does not constitute valid consent and that cookie banners are not allowed to have pre-ticked checkboxes.

Cookie walls (forced consent) have also been ruled noncompliant.

The EDPB is the highest supervisory authority in the application of the GDPR across the EU. It’s comprised of representatives from the data protection authorities of each EU member state. Their guidelines and decisions form the bases of enforcement of the GDPR at national levels.

Learn more about EDPB guidelines for valid consent

Individuals have a number of rights under the GDPR, including rights to data portability, data access, and the “right to be forgotten, among others. They can withdraw their consent whenever they want, and it must be as easy to do as to grant consent in the first place.. In such cases, the data controller must stop processing personal data once the request is received, and delete the individual’s personal data if it’s no longer necessary to the purpose for which it was collected.

In case of a data breach, an organization must notify data protection authorities and affected individuals within 72 hours.

The GDPR also obligates public authorities, organizations with more than 250 employees, and companies processing sensitive personal data at a large scale to employ or train a data protection officer (DPO). The DPO must take measures to ensure and maintain GDPR compliance throughout the organization.

How to be GDPR-compliant?

If your website has visitors or customers from the EU and you — or embedded third-party services like Google and Facebook — are processing any kind of personal data, you need to obtain prior consent from the visitor.

To obtain valid consent, you need to explain the extent and purpose of your data processing in plain language, prior to processing any personal data.

This information must be available to the visitor at all times, e.g. as part of your privacy policy. You must also make it easy for visitors to change or withdraw consent.

All consents must be logged and securely stored, and all tracking of personal data, including by embedded third-party services, must be documented, including to which countries data is transmitted.

Data Protection - Better rules for small business

European Union stars inside a black shield shape surrounded by icons related to GDPR compliance

How Cookiebot CMP helps

Using Cookiebot Consent Management Platform (CMP), you can automate GDPR compliance for your website for cookie and tracker consent requirements.

Cookiebot CMP enables you to monitor and document cookies and other tracking technologies in use on your website, display the relevant information to your website visitors, and automatically obtain and securely log all user consents.

What is personal data?

The GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Online identifiers such as IP addresses also now qualify as personal data, unless anonymized.

Pseudonymized personal data is also subject to the GDPR if it is possible to re-identify it by reverse engineering.

Lady sitting at the desk, surrounded by icons related to

GDPR enforcement date: May 25, 2018

The EU data protection reform was adopted by the European Parliament and the European Council on April 27, 2016. The General Data Protection Regulation has been publicly in effect since May 25, 2018, replacing the Data Protection Directive.

GDPR Fines and Penalties

Organizations that do not comply with the GDPR risk heavy fines up to €20 million, or 4% of the organization’s global yearly turnover, whichever is higher, for severe or repeated violations.

GDPR checklist: 6 things you need to do

1. Prepare your organization

Introduce stakeholders across your organization to the requirements of GDPR. Conduct employee training in Cybersecurity, Privacy by Design and Privacy by Default principles. Assign a Data Protection Officer (DPO) if required, e.g. if you employ more than 250 people.

2. Audit your data

Make sure you know where all your data lives, who has access and on what devices. Identify where personal data is processed, including by third party processors. Document the grounds for lawful processing and update current privacy policies.

3. Audit service partners

Make sure that service partners, e.g. embedded third-party services on your website, or Software-as-a-Service providers, are also compliant with the GDPR, or in an officially sanctioned “adequate” jurisdiction. Review and map their international data flows.

Implement methods for requesting, obtaining and securely recording consent to achieve and maintain privacy compliance. Keep a clear record of what each individual data subject consented to and provide options for the data subject to revoke or change consent at any time.

5. Respond to data subject rights requests

Implement procedures that enable your organization to respond to data subject rights requests, i.e. data access, rectification and erasure, in a timely manner. Document how they will be exercised in both customer and employee contexts.

6. Prepare for data breaches

Ensure that there are procedures in place to protect against a data breach, but also to detect, investigate and report on any breach affecting personal data to meet the GDPR’s 72-hour deadline for notification.

Resources

UK Information Commissioner’s Office (ICO): The UK data protection reform

Privacy by Design - The 7 Foundational Principles (PDF)

Infographic: Better rules for small business