The General Data Protection Regulation delivers a uniform data protection framework for natural persons in the European Economic Area. The territorial scope of the Regulation, as described in Article 3, explains that the regulation applies to the processing of personal data in the context of activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Processing of personal data includes the offering of goods or services and the monitoring of behavior of data subjects as far as their behavior takes place within the Union. The latter in particular is important for webmasters since cookies and pixels may identify the applicable natural persons on a website. Furthermore, webmasters may use their online platforms for lead generation, marketing, or direct sales. In such events, the GDPR always applies.
Webmasters who maintain multiple websites often see the benefits of a properly functioning internal market. Visitors to their websites utilize the borderless and virtual society and may come from different countries. Without a uniform legal framework for data protection, webmasters could be subject to a variety of rules in different countries. Since the GDPR provides for a strong and consistent level of protection, most jurisdictions outside the EEA may have only small additional requirements. However, responsible webmasters should always seek professional advice when they enter different territories, even when virtual entrance happens unintentionally. This is because data protection of natural persons prevails and the location of the webmaster or website is irrelevant.
Understanding GDPR for Webmasters starts with the roles of the persons collecting, controlling and processing the personal information of individuals. These are named the data controller and data processor and are designated by the Regulation as the controlling persons for data protection. Controllers are partly responsible for processing of personal data in accordance with the Regulation. The controller determines the purpose of the processing activities, and ensures that processors abide by the rules set forth in the Regulation. The controller also has a duty to protect personal data by implementing appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. The responsibility of the controller includes the implementation of controls and Data Protection Impact Assessments. The data processor is contracted by the controller and processes personal data on behalf of the controller. Since the objective of the Regulation is to protect the personal data of individuals within the EEA, controllers and processors located or established outside the European Union are not exempt from the Regulation.
When does the GDPR Apply to Webmasters?
Online activities of natural persons in the EEA are subject to the GDPR and the ePrivacy Directive. As such, there must be lawful grounds for data processing and these lawful grounds must be demonstrated by the controller.
Webmasters may operate their own online environment or work for third parties. When the processing or collection of personal data is involved, a webmaster may be subject to the GDPR. As covered in Article 2 of the Regulation, the material scope comprises personal data processing by automated means that involves or is intended to involve a filing system. Marketing, advertising and sales promotion that may identify individuals in the EEA are therefore subject to the GDPR.
Online media and web 2.0 platforms allow users and members to create accounts. To maintain the platform, advertisers are allowed to promote their business, generate leads and sell their products. As such, controllers and processors can also be jointly responsible. This shows that data protection is no mean feat and should be treated accordingly.
GDPR Compliance as a Competitive Advantage
Appropriate compliance with the GDPR saves time and headaches. It further reassures visitors of a website that their personal data is protected and that violations of data protection regulation can be punished. But that’s not all. When a data breach is established, or a supervisory authority starts an investigation, negative publicity could harm a brand severely.
The GDPR defines lawful grounds for data processing in Article 5 of the Regulation. The principles are lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. Marketing activities rely on consent and legitimate interest. Not all webmasters comply with these lawful grounds, and therefore those who do can focus on building and growing their online platform, instead of repairing the damage resulting from non-compliance and potential data breaches.
Prevent Data Breaches and Regulatory Intervention
Data protection regulation provides clarity, both for the data subject, who has control over his personal information, and for the enterprise controlling and processing this personal information, by providing a regulatory framework and environment for compliance and handling violations.
Protection against data breaches is first achieved by following the six data protection principles. A risk assessment (Article 35) identifies potential high-risk areas and allows the controlling enterprise to act accordingly. GDPR Software Solutions are there to help webmasters and make their work easier. Still, in the current era, cybercrime and hacks are realistic dangers. Therefore, handling an incident the way suggested by the Regulation is recommended. See below for how you can be assisted with an incident.
GDPR Tools for Webmasters…
Regulatory compliance is difficult and time-consuming for those who build up an environment from scratch. GDPR software can help webmasters who want to save time and money. As such, we deliver the following services to fulfil the needs of GDPR for Webmasters:
- Info Center: with a selection of 66 skillfully drafted documents that will give you all reports, templates, policies and guides you need to get the GDPR compliance job done;
- Mission Control: the 12-step approach guiding you on your path to GDPR compliance;
- Toolbox: A selection of 23 expertly designed and programmed tools to assist you on your implementation journey;
- Data Breach Support: Professional assistance is recommended and mostly needed when things go wrong. This breach support service is 24hrs worth of 1-2-1 support after you have identified a data breach. Once you have purchased this package and notified us that there has been a breach, we will kick into action to protect your customers, information and your reputation. We will investigate and reconcile your data breach, inform your customers and develop a strategy with you, to prevent and protect against further breaches. Most importantly, we will deal with the supervisory authority so you don’t have to.