
What’s the Deal?

The EU has developed a comprehensive set of regulations, which come into force on May 25, 2018, dictating how personal data is to be managed. These regulations establish the rights that individuals have over their own personal data.

Anyone who interacts with EU citizens on the web must take the GDPR into account. If you are a publisher that accepts EU user registrations, EU reader subscriptions, or even EU-based web visits, this means you!

The processing of Personally Identifying Information (PII) should only be undertaken on a lawful basis, which typically means the consent of the participant. Where general PII is processed, unambiguous consent is sufficient (e.g., a statement regarding cookies). Where more sensitive PII is processed, explicit consent must be given. Consent may be revoked by the data subject at any time. The data subject may also exercise their other rights at any time, and those acting as Data Controllers and Data Processors must have a means to address those requests.

Finally, Data Controllers and Data Processors have an obligation to ensure the proper storage and security of any processed PII, and must also notify affected Data Subjects within established timeframes if a breach has been identified.

PKP advises four separate steps towards compliance:

  1. Understand what personal data you process: what it is, how it’s stored, and how it can be accessed, modified and erased;
  2. Develop adequate internal data storage and security procedures, including a security breach notification policy;
  3. Develop and provide adequate data policies, including a contact mechanism, for your audience;
  4. Configure your platforms to be secure, and to track the minimum amount of data possible.