Describes general guidelines on GDPR and what to think about when collecting PII, deleting data, and so on.
This section contains general information and recommendations on General Data Protection Regulation (GDPR). It is NOT legal advice nor comprehensive. You should always confer with your own legal experts based on your own website, market, needs, and internal requirements. The complete regulation can be found on GDPR's website.
General Data Protection Regulation (GDPR) is a regulation in the European Union that is immediately applicable and binding for all member states. It took effect on 25 May 2018.
The purpose of GDPR is to protect the privacy and personal data for the individual. To do this, the regulation gives more power to the data protection authorities in the member states to take action against businesses who do not follow the new laws. The penalties for not following GDPR can be quite severe, up to €20 million or 4% of the company's annual global turnover, whichever is the greater.
GDPR does not mean that you cannot keep personal data in the future, but it does mean that you will have to think carefully before storing any personal data, and that you will have to have a clear motivation to do so and have a strict plan on how to handle this data.
GDPR in short
The GDPR "rule of thumb" is that you must be able to account for the user data that you store, including why and how.
Roles and responsibilities
Data subject – The individual that is protected according to GDPR. The data subject has the right to their own personally identifiable information (PII) data; that is, they must consent to the storage of their data and they have the right to recall their consent, view their data, and to ask for their data to be updated or deleted.
Data controller – The company asking for and owning the private data; for example, a website owner or you as an Optimizely partner. The data controller is responsible for making sure that the data subject gives his or her consent for storing PII and also that the data subject is aware of the purpose of the PII data collection. This purpose might be that the data controller has a legal contract with the data subject, or to comply with legal obligations, or for a legitimate reason. Note that even if the data controller has a legitimate reason, it is still not allowed to override the data subject's interest.
The data controller is only allowed to collect data, with consent, for a specific purpose and for a specific time period. It is not allowed to store more PII data than necessary.
Data processor – The company/database/tool controlling the data, such as the Optimizely Digital Experience Platform. In Optimizely's case, Optimizely has only process data on the instructions from the data controller. Optimizely makes sure that it has the appropriate technical and physical levels of security to protect the collected data. As data processor, Optimizely is also legally responsible to help the data controller with procedures for managing the collected data.
Regulators – Each EU member state has a data protection authority which oversees data protection in each member state and coordinates the work across all member states.
Personally Identifiable Information (PII) – PII is any type of data that can, directly or indirectly, identify a data subject; that is, an individual (data related to organizations are not PII). This is data such as name, address, and phone number, but it can also be job title, IP address and sensitive data such as race, religion or political orientation. Encrypted or pseudonymized data is also viewed as PII, since it could be decrypted or de-pseudonymized. See Collecting data.
Anonymized data is not PII.
The right to consent – You are not allowed to collect PII data without the data subject's clear, unambiguous and affirmative consent. See Asking for consent.
Processing of data – You can process data only in the manner and to the extent and purpose you stated when receiving the consent. See Using data.
The right to access data – The data subject has a non-negotiable right to their own data. If you collect PII data, you must be able to extract that data and present that to the data subject within 30 days. See Fetching & updating data.
The right to be forgotten – The data subject has a right to ask you to delete their PII data. See Deleting data.
Data portability – The data subject has the right to ask you for all their PII data in a format that can be transferred to another company, vendor, system, and so on, such as if an insurance customer wants to move their insurance policies to another company. GDPR does not specify the format for this. See Fetching & updating data.
Data rectification – A data subject has the right to ask you to update their PII data and you have to comply within 30 days.
The right to object – The data subject has, at any point in time, the right to withdraw their previously given consent.
How does GDPR affect you?
If you run or work for an EU-based company, GDPR is directly applicable to your business and you must follow it. Even if your company is not based in the EU, GDPR may affect your company. If you process any kind of personal data related to individuals based in the EU, GDPR is also applicable to your company.
What do you have to do?
With a GDPR expert, perform a GDPR audit of your organization, internal IT systems, your products, and your websites. It is crucial that you have your entire organization onboard for this work. The audit should result in an action plan with the steps needed to be GDPR-compliant because all departments are affected by GDPR. You should have procedures in place and that everyone knows how their work is affected, what the GDPR procedures are and how breaches are handled.
If you work for company that processes large amount of PII data, you must have a dedicated Data Protection Officer (DPO). You should also have an Information Security Officer.
If the data protection authorities want to perform an audit at your company, you must be able to show them your GDPR guidelines, which should include the following information:
- What type of data is collected? Is it PII data?
- Who is collecting and using it?
- Where is the data collected, used, stored, and transmitted?
- For how long is the data collected, used, stored, and transmitted?
- When is the data collected, used, stored, and transmitted?
- How is the data collected, used, stored, and transmitted?
- Why is the data collected, used, stored, and transmitted?
- And how do you handle requests from data subjects that want to view, update or delete their PII data?
GDPR compliance is not something you set up once and then it is all set for the future. GDPR compliance is something that you need to keep in mind and work with every day in the future. You need to fine-tune and update procedures, align and adhere tp the procedures, and train employees, partners, and suppliers.
What you should have in place
- Data protection officer (at least if you process large amount of PII data)
- Consent notification process and template
- Process for accessing PII data; also known as Subject Access Request (SAR) procedure
- Process for updating PII data
- Process for porting PII data
- Process for deleting PII data
- Process for cooperating with third-party companies, partners and vendors around GDPR issues
- Data breach policy
The following topics contain product-specific guidelines to consider when working with Optimizely:
- Collecting data
- Asking for consent
- Storing data
- Using data
- Fetching & updating data
- Deleting data
- Data breaches
For more product-specific guidelines, see Product-specific guidelines and its subsections.
Updated 12 days ago