GDPR Compliance

GDPR Compliance and Data Room

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force after a seven-year preparation process. The regulation has already influenced many areas of life and business, from technology and medicine to advertising and banking. At the same time, its provisions concern not only citizens and companies resident in the EU.

Scope of the GDPR

The GDPR has an extraterritorial effect, which means that the regulation applies to all companies that process the personal data of EU residents and citizens, regardless of the companies’ location. Therefore, representative offices of foreign companies in the EU are also required to follow the rules.

Organizations that store and process large amounts of consumer data need to monitor compliance with the new rules closely, and for many companies these processes are at the heart of the business model. Accordingly, such organizations need to appoint a Data Protection Officer (DPO) to monitor compliance with GDPR requirements and report on it to the regulator. This officer’s responsibilities include, among other things, notifying regulators (and, in some cases, data subjects) of any personal data breach within 72 hours of the incident being identified.

GDPR non-compliance

Non-compliance with the act’s provisions carries fines of up to 20 million euros or 4% of the company’s annual income, whichever is greater.

Consider a well-known case. Almost immediately after the GDPR entered into force, two associations of legal activists filed complaints against Google. As a result of the proceedings, the French supervisory authority fined the American company for the way the page for creating a Google account on the Android operating system was set up. The authority identified a violation of the obligation to provide information transparently, as well as a violation of the obligation to have a legal basis for processing data for advertising personalization. The fine amounted to 50 million euros, the largest fine under the GDPR.

Virtual data rooms

Developers are now obliged to take users’ consent to the processing of personal data into account. That is why ready-made GDPR consent solutions appeared: Usercentrics, Consent Management Provider, ccm19, Borlabs Cookie, OneTrust, and others.

The general principle of the services is the same: a script embedded in the web application’s code shows, once per session, a pop-up dialog in which the visitor accepts or declines the site’s cookie policy. Each service can handle cookies automatically and also lets you configure the cookie types for a particular case: functional cookies cannot be disabled without affecting the operation of the site, whereas cookies that collect user information for analytics can be. Different types of cookies must therefore be configurable independently.
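As an added illustration of the gating logic such a script implements (example code written for this page, not taken from any of the products named above), the block below keeps a per-session consent decision, forces the functional category on, and runs a category’s loader only when consent for it exists. The `storage` object standing in for the browser’s sessionStorage, the category names, and the `loaders` standing in for the tags a site would embed are assumptions of the example.

```javascript
// Example consent gate for this page (not code from any named product).
// Assumption: `storage` is a sessionStorage-like object (getItem/setItem);
// `loaders` are functions standing in for the scripts that set each cookie type.
const CATEGORIES = {
  functional: { required: true },  // cannot be disabled: the site would break
  analytics:  { required: false }, // collects user information; may be declined
  marketing:  { required: false },
};
const CONSENT_KEY = "cookieConsent";
// Required categories are always on; optional ones are off unless explicitly
// accepted, so an absent or malformed decision never enables a cookie.
function normalizeChoices(choices) {
  const out = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    out[name] = meta.required ? true : Boolean(choices && choices[name]);
  }
  return out;
}
// Shown once per session: only while no decision has been stored.
function shouldShowDialog(storage) {
  return storage.getItem(CONSENT_KEY) === null;
}
function saveConsent(storage, choices) {
  const normalized = normalizeChoices(choices);
  storage.setItem(CONSENT_KEY, JSON.stringify({ ...normalized, ts: Date.now() }));
  return normalized;
}
function loadConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return normalizeChoices({});
  try { return normalizeChoices(JSON.parse(raw)); } catch (e) { return normalizeChoices({}); }
}
// Run a category's loader only when consent for that category exists.
// A category not in CATEGORIES is never consented, so a new tag cannot bypass the dialog.
function applyConsent(storage, loaders) {
  const consent = loadConsent(storage), loaded = [], skipped = [];
  for (const [category, loader] of Object.entries(loaders)) {
    if (consent[category]) { loader(); loaded.push(category); }
    else skipped.push(category);
  }
  return { loaded, skipped };
}
// In-memory stand-in for sessionStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

In a browser, `applyConsent` would be called on every page load with the real `sessionStorage`, and the dialog rendered only when `shouldShowDialog` returns true.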

Services differ mainly in subscription price, the number of supported sessions and languages, features, and appearance.

Each service has tools for customizing the appearance: the color and style of the pop-up dialog. The button for changing user settings (if the user decides to change their choices while using the site) also differs between services. Still, the services allow you to disable the default button and set up your own link to the settings dialog.