It followed a raft of complaints from Max Schrems’ privacy group, NOYB, which is targeting organisations that make it difficult for people to opt out of tracking cookies.
NOYB has already launched hundreds of formal complaints, and says it plans to file up to 10,000 further complaints this year.
The taskforce is expected to help supervisory authorities exchange views on the legal analysis of cookie compliance practices and on possible violations of the GDPR.
As such, we expect to see greater enforcement of the rules in the future and possibly an increase in the number of fines being levied.
What can you do to avoid the prospect of penalties? In this blog, we look at four things you can do to create a GDPR-compliant website.
1. Decide whether the information you’re collecting is necessary
The GDPR’s philosophy is essentially that the less personal data an organisation collects, the less chance there is of it being misused.
Gone are the days of amassing as much information as possible and putting it into a database for future use. Instead, you must have a specific plan for how you intend to use personal data, and justify it using one of six lawful grounds.
Consent is currently the most common lawful ground, but the GDPR toughens the rules for getting and keeping it, so organisations should only use it if no other grounds apply.
There are detailed rules for how to seek consent, which vary depending on what kind of information you want and who you are seeking it from.
Policies should be written in clear language, explaining how you are collecting data, where it is being stored, how long you intend to keep it (the GDPR states that information can only be kept for “as long as necessary”) and how individuals can exercise their data subject rights.
These rights include:
- The right of access: Individuals must be allowed to submit subject access requests, which require organisations to provide a copy of any personal data pertaining to them.
- The right to rectification: If the information an organisation holds is inaccurate or incomplete, individuals can request that it be updated.
- The right to erasure (also known as ‘the right to be forgotten’): In some circumstances, individuals can request that the organisation deletes their personal data.
- The right to restrict processing: As an alternative to erasing data, there are times when individuals might prefer to simply restrict processing (such as when they contest the personal data’s accuracy).
Individuals have eight rights in total, which you can read about in more detail on our blog.
Cookies are only subject to the GDPR if they contain personal data. This is the case for those used in analytics, advertising and functional services (e.g. survey and chat tools).
Organisations must account for all cookies that contain personal data and decide whether there is a legitimate, specific reason for using them.
If there is no justifiable reason, the offending cookies should stop being used. If there is a reason, the website should make this clear.
Cookie Law recommends that organisations do this via soft opt-in consent: “This means giving an opportunity to act before cookies are set on a first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.”
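As an added illustration of the soft opt-in flow described above (not code from the original post or from Cookie Law), the gate below keeps a documented inventory of every cookie the site sets, allows only strictly necessary cookies before consent, shows the notice on the first visit, and releases the personal-data cookies only after an affirmative action that follows that notice. The class, the cookie names and the inventory are all constructed for this example; what counts as an "affirmative action" is left to the caller.

```javascript
// Constructed cookie inventory: every cookie the site sets, with its category and
// a documented purpose. Only "necessary" cookies may be set before consent; the
// analytics, advertising and functional ones carry personal data and must wait.
const COOKIE_INVENTORY = {
  session_id:   { category: "necessary",   purpose: "keep the visitor signed in" },
  analytics_id: { category: "analytics",   purpose: "page-view statistics" },
  ad_profile:   { category: "advertising", purpose: "ad targeting" },
  chat_uid:     { category: "functional",  purpose: "live-chat widget identity" },
};

// Hypothetical consent gate (not a real consent-management product).
class CookieGate {
  constructor(inventory) {
    this.inventory = inventory;
    this.state = "first_visit";   // first_visit -> notice_shown -> consented
    this.log = [];                // audit trail: what was set or blocked, and why
  }

  // Called when the page renders the fair notice on the visitor's first visit.
  showNotice() {
    if (this.state === "first_visit") this.state = "notice_shown";
  }

  // Called on the visitor's affirmative action. Consent only counts if the
  // notice has actually been displayed first; returns whether it was recorded.
  recordAffirmativeAction(action) {
    if (this.state !== "notice_shown") return false;
    this.state = "consented";
    this.log.push({ event: "consent", action });
    return true;
  }

  // Decide whether a cookie may be set right now. Cookies missing from the
  // inventory are refused because they have no documented purpose.
  canSet(name) {
    const entry = this.inventory[name];
    if (!entry) {
      this.log.push({ event: "blocked", name, reason: "not in inventory" });
      return false;
    }
    const allowed = entry.category === "necessary" || this.state === "consented";
    this.log.push({ event: allowed ? "set" : "blocked", name, category: entry.category });
    return allowed;
  }

  // Names of documented cookies still being withheld pending consent.
  blockedPendingConsent() {
    return Object.keys(this.inventory).filter((n) => !this.canSet(n));
  }
}
```

The `log` array doubles as the written evidence that non-essential cookies were withheld until consent, which is the kind of record a supervisory authority would ask for.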
4. Document your compliance
At the core of each of these concerns – as well as many other requirements of the GDPR – is documentation.
Organisations need to have written evidence to justify their data collection practices. This is essential both internally, helping staff stay on top of data protection and meet individuals’ rights, and externally.
In the event of a breach, an organisation’s supervisory authority will conduct an investigation. If it finds that the organisation is compliant with the GDPR’s requirements, disciplinary action probably won’t follow.
For help creating that documentation, take a look at our GDPR Toolkit.
This toolkit contains easy-to-use templates, customisable worksheets, policies and expert guidance.
It will help you:
- Identify risks to personal data and put in place the necessary controls to resolve those issues;
- Embed the documentation in your organisation quickly and easily; and
- Integrate GDPR documentation alongside ISO 27001.