GDPR is an EU privacy law that regulates the collection and processing of personal data. It gives users control over their data and requires organizations to obtain explicit consent to collect data and be transparent in how data is used. Non-compliance can result in fines of up to 4% of annual global turnover or €20 million. The key principles for organizations are to only collect necessary data, be transparent in data collection and use, store data securely and limit storage duration, and honor user rights to access or delete their data. Proper consent and privacy policies are required under GDPR.

1. A Quick Look at GDPR
And how to Make Websites Comply

2. What is GDPR?
GDPR is a privacy law that regulates the data collected of the EU citizens by
organizations around the world.
The law gives the users much control over their personal data.
The law makes it mandatory that the users be aware of what data are collected
and get the explicit consent for collecting them.
The users have many rights over the data that has been collected, and the
organizations are required to honor them within a set period or time.

3. What is GDPR (contd.)
Even if an organization is not located in the EU, they have an obligation to
comply with the law, if they have users in the EU
Not complying with the law may lead to hefty fines. The fines could potentially
be up to €20 million or 4% of the annual turnover of the previous year.

4. Some Important Terms in GDPR
1. Data subject - The term data subject refers to a natural person whose data
is collected, held, or processed.
2. Personal Data - This refers to the information that can directly or indirectly
identify a data subject.
3. Data controller - Data controller is an entity that determines the purposes
and means of processing the personal data.
4. Data processor - It is the entity that processes the data on behalf of the
data controller.

5. Some Important Term in GDPR (contd.)
1. Processing - It refers to any operation or set of operation performed on the
personal data.
2. Profiling - Any means of automated processing of personal data.
3. Third-party - is an entity other than the data subject, data controller, or the
data processor that is authorized to process personal data.
4. Consent - A consent is a freely given, informed, and unambiguous
agreement expressed by the data subject, given by a statement or an
affirmative action, to the processing of his/her personal data.

6. Principles of GDPR
There are 6 Principles of the GDPR that the organizations should abide by.
● Lawfulness, Fairness, and Transparency - The data collected should be
processed lawfully, fairly, and with complete transparency.
● Purpose Limitation - Data should only be used for specific purposes.
● Data Minimization - Only the data that is requires for a process should be
collected
● Accuracy - The data collected should be always accurate

7. Principles of GDPR (contd.)
● Storage limitation - The data collected should not be stored a period
longer than that is required.
● Integrity and Confidentiality (security) - This principle states that the data
controller should be held responsible for, and be able to show compliance
with all the above 6 principles of GDPR.

8. Right of the Data Subjects
GDPR gives multiple rights to the users that the organizations are expected to
respond to in the specified period of time.
● Right to be Informed - The data subjects should be informed all the details
about their personal data that are collected.
● Right of access - The individuals have the right of access to the personal
data.
● Right to rectification - The data subjects have the right ot have their data
rectified.

9. Rights of the Data Subjects (contd.)
● Right to erasure - The data subjects have the right to have their data
erased in certain circumstances.
● Right to restrict processing - This gives the individuals the right to restrict
or suppress the processing of their data.
● Right to data portability - This allows the data subjects to obtain and reuse
their personal data for their own purposes.
● Right to object - The data subjects have the right to object to the
processing their data in certain circumstances.
● Rights related to automated decision making including profiling

10. How to Get Started
The first step is an internal audit of all the data that are collected, how and why
they are collected and processed, for how long. Determine the point of each
and every data collection.
Next step is to inform the users at every point of where the data are collected.
Inform the users all about the data that is collected, in a clear and easily
understandable manner.
Craft a privacy policy for the website informing the users about every activities
done by the organization.

11. How to Get Started (contd.)
Get the consent of the users, existing and new, at every point the data is
collected and keep a record of the consent to be provided as proof if and when
required.
Proper infrastructure in place to identify and honor every user request
regarding their rights.
It is important to inform the users of a data breach when it occurs. Always keep
proper security measures in place regarding the personal data and inform the
users as soon as possible in case of a data breach.

12. How the Law Applies to Cookies
Cookies are one of the ways that the website collect user information.
The law does not apply to the cookies that are necessary for the website to
function.
For the rest of the cookies that collect user information that can be used to
directly or indirectly collect data, should only be stored on the users’ website
when they have given their explicit consent.

13. How the Law Applies to Cookies (contd.)
When giving consent, the users should be informed as and their consent should
be explicit and given by affirmative action like clicking on a button.
Most website inform the users of their cookie usage on the website with the
help of a small banner. A link to a cookie policy page is given to the users with
details about what cookies, used and the purpose of using and other related
information.
To be compliant with the law, it is important to get the users’ consent before
the website places a cookie on the users browser.

14. Consequences of not Complying
Not complying with the law can potentially result in hefty fines. And this is
applied to every organizations that serves the citizen of the EU.
There are two different maximum amounts of the fine imposed. These are €10
million or 2% of the annual turnover or whichever is higher and €20 million or
4% of the annual turnover.
The penalty of non-compliance may also vary depending on multiple criteria as
per the guidelines to the supervisory authority.

15. Thank you...
Slides prepared by Cookie Law Info