What is GDPR?

New EU regulations governing the collection and use of the personal data of EU citizens come into effect on May 25, 2018.

The regulation seeks to give individuals greater control over the data that organizations collect and process about them. It empowers EU citizens with the right to know when personal data is being collected and for what purpose, and the right to have that data purged upon request.

Read on for an overview of the new regulations.

Impact and Scope of the GDPR

Increased Territorial Scope

The GDPR applies to any website or organization that handles the personal data of any EU citizen. This means such a website must comply no matter where in the world its servers or administrators are physically located.

Penalties and Fines

Penalization for noncompliance comes in the form of tiered fines that scale to the severity of the violation. Fines are capped at 4% of global annual turnover or €20 million, whichever is greater.

Data Subject Rights

In plain English, a data subject is any EU citizen from whom you are collecting personal data. GDPR compliance requires that data subjects be granted certain rights:

  • Right to Access. Data subjects must be able to request and obtain confirmation of whether or not data is being collected on them and, if so, exactly what data is being collected, how, where, and for what purpose. That data must also be provided to them in an electronic format, free of charge, on request.
  • Right to Be Forgotten. Data subjects must be provided a quick and painless way to withdraw consent and have collected data purged.
  • Data Portability. Similar to the Right to Access, Data Portability requires that data subjects are able to request, obtain, and/or transfer possession of collected data at any time.
  • Breach Notification. If a breach/unauthorized access of personal data takes place that is likely to “result in a risk for the rights and freedoms of individuals”, notification must be made within 72 hours of becoming aware of the breach.

Explicit Consent Requirement for Data Collection

Strengthened consent requirements are the core of the new regulation. If you collect or manage any EU citizen’s data, you must:

  • Request the explicit consent of every user before any data collection takes place. Requests must be in clear, plain, easily understandable language free of legalese. The request must also stand alone from other matters or requests and not be buried in other text.
  • Have a clear and accessible privacy policy that informs users how collected data will be stored and used.
  • Have a means for users to request access and view the data you have collected on them.
  • Provide users with a way to withdraw consent and purge personal data collected on them; i.e. the “Right to Be Forgotten”.

The measures Zaui Software has taken to be compliant with GDPR:

Safeguarding your personal data, and helping you safeguard your users’ data, is extremely important to us. Here we outline the steps we have taken to ensure we are compliant with these new regulations.

How do I ensure my Business is compliant with GDPR?

We’ve got your GDPR bases covered as far as your use of Zaui goes. However, you need to think about GDPR in the context of your entire operation. Here we provide a GDPR readiness checklist for tour, activity and transportation operators.