Becoming GDPR Compliant running Koken CMS

Now that the hype around GDPR compliance has settled a bit, it seems fair to share some tips that help site owners running the Koken CMS become GDPR compliant without any hassle.

The abbreviation “GDPR” is used more and more often in offices around the world. “GDPR” stands for General Data Protection Regulation, a new piece of legislation adopted by the European Parliament that became applicable on 25 May 2018. As that date approached, the question of how to achieve GDPR compliance became one of the hottest topics on the net.

To help you start becoming GDPR compliant without much effort, I developed the GDPR Cookie Consent plugin for Koken, together with some more "hands-on" tips below.

Generally speaking, the main goal of the GDPR is the protection of the rights and freedoms of all individuals located in the territory of the European Union, regardless of their citizenship. It builds on earlier data protection laws and takes a more thorough approach to the subject. The GDPR takes the accelerating world of international e-commerce into account and offers a more detailed and up-to-date set of rules for handling the personal data of a company’s client base.

GDPR Cookie Consent for Koken is written in JavaScript and prevents third-party scripts, such as ad or analytics snippets, from setting cookies until explicit consent has been given.

With GDPR Cookie Consent, a visitor who declines can browse your portfolio completely "cookie free".

GDPR Cookie Consent is a Koken plugin that lets you seamlessly integrate a cookie manager into your portfolio, one of the building blocks of making your site GDPR compliant.
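To show concretely what "not setting cookies until consent is given" means in the browser, here is an added example of a default-deny consent gate. It is written for this page and is not the plugin's own source; the category names, the storage key and the policy version are assumptions. Third-party snippets are placed in the page as inert placeholders (`<script type="text/plain" data-consent="analytics" data-src="...">`), which browsers never execute, and are only swapped for real script elements once the visitor has granted the matching category. The stored record also carries a timestamp and policy version, so the site can show when and for what consent was given and can re-ask after the purposes change.

```javascript
// Added example (not the plugin's source): a default-deny consent gate for
// third-party scripts. Snippets are written into the page as inert
// placeholders, e.g.
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://example.invalid/analytics.js"></script>
// Browsers do not execute scripts with an unknown type, so nothing runs and
// no cookie is set until the placeholder is swapped for a real <script>.
// Category names, storage key and policy version below are assumptions.

const CATEGORIES = ["analytics", "marketing"]; // hypothetical consent categories
const STORAGE_KEY = "gdpr_consent";            // hypothetical first-party storage key
const POLICY_VERSION = 1;                      // bump when purposes change to re-ask

// Build a consent record from the visitor's explicit choices. Anything not
// ticked is recorded as false: there is no implicit or pre-ticked consent.
function makeConsentRecord(choices, now = Date.now()) {
  const record = { version: POLICY_VERSION, given_at: new Date(now).toISOString() };
  for (const c of CATEGORIES) record[c] = choices[c] === true;
  return record;
}

// Parse a stored record. Missing, malformed or outdated input means "no consent".
function parseConsentRecord(raw) {
  const none = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (typeof raw !== "string") return none;
  let obj;
  try { obj = JSON.parse(raw); } catch (e) { return none; }
  if (!obj || obj.version !== POLICY_VERSION) return none; // re-ask after a policy change
  const state = { ...none };
  for (const c of CATEGORIES) if (obj[c] === true) state[c] = true;
  return state;
}

// Select the placeholders that may be activated. Default deny: a placeholder
// with a missing or unknown category never loads.
function selectAllowed(placeholders, consent) {
  return placeholders.filter(
    (p) => CATEGORIES.includes(p.category) && consent[p.category] === true
  );
}

// Browser only: swap allowed placeholders for real script elements.
// Returns the number of scripts activated (0 when there is no DOM).
function activatePlaceholders(consent) {
  if (typeof document === "undefined") return 0;
  const nodes = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-consent]')
  );
  const placeholders = nodes.map((n) => ({
    node: n,
    category: n.getAttribute("data-consent"),
    src: n.getAttribute("data-src"),
    inline: n.textContent,
  }));
  const allowed = selectAllowed(placeholders, consent);
  for (const p of allowed) {
    const s = document.createElement("script");
    if (p.src) s.src = p.src; else s.textContent = p.inline;
    p.node.replaceWith(s); // only now does the third-party code run
  }
  return allowed.length;
}

// Persist the record in a first-party store (e.g. window.localStorage, passed
// in by the caller) and activate what was allowed. Withdrawal is the same call
// with every category false; scripts already running cannot be unloaded, so a
// page reload should follow a withdrawal.
function applyConsent(choices, store) {
  const record = makeConsentRecord(choices);
  if (store) store.setItem(STORAGE_KEY, JSON.stringify(record));
  return activatePlaceholders(parseConsentRecord(JSON.stringify(record)));
}
```

Two practical points follow from this design. Keeping the visitor's choice in first-party storage rather than in a cookie preserves the "cookie free" promise for those who decline, and the record with its timestamp and version is what lets the site demonstrate that consent was given, which the Regulation requires of the controller. Blocking `<script>` tags alone is not enough, however: embedded iframes and tracking images (maps, videos, social widgets) can set third-party cookies just as well and need the same placeholder treatment.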

Some tips that can help you to become GDPR compliant

Learn terminology

The General Data Protection Regulation is a legal document, which means it is written in specific terminology that most of us do not use on a day-to-day basis. The body of the legislation consists of 11 chapters, 99 articles and 173 recitals. Needless to say, it is fairly lengthy, complicated and demands some preparation from the reader. To make it easier to understand, here are some of the main terms used in the Regulation.

The term “personal data” refers to any information relating to an identified or identifiable person. An individual can be identified by a name, an identification number, location data, an online identifier (such as a cookie ID or IP address) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

The term “controller” describes any actor that, alone or jointly with others, determines the purposes and means of the processing of personal data.

The term “processor” describes a third party (a vendor) that processes personal data on behalf of the controller and only in the ways the controller has approved, under a written data processing agreement. It is the controller’s responsibility to ensure that the vendors it works with follow the rules of the Regulation; if a vendor fails to meet GDPR standards, the company remains responsible for having engaged it.

The term “data subject” refers to an individual whose personal information is being processed by controllers and processors. The GDPR aims to protect the rights of data subjects located in the European Union.

Ask for consent

The General Data Protection Regulation places great weight on how well informed your customers (data subjects) are about what their information will be used for. Companies are required to state clearly the purposes of data collection, when and how the data will be used, and when it will be deleted. The intention to collect and process data must be stated explicitly: it cannot be buried in the fine print of a privacy policy, and data must not be recorded by default.

To make the processing lawful, data subjects are asked to give consent to the use of their personal information, unless another legal basis applies: the processing is necessary to comply with a legal obligation, to protect the vital interests of the data subject, to perform a contract with the data subject, to carry out a task in the public interest, or to pursue the legitimate interests of the controller or a third party.

Know their rights

The new Regulation introduces some new rights for data subjects and strengthens already known ones. From now on, individuals have significantly more knowledge of, and power over, the personal information they share with companies.

For instance, data subjects have the Right to Rectification and the Right to be Forgotten (erasure). In practice this means that at any point in time an individual may contact the company and ask it to correct or delete their information. According to the legislation, the request must be acted on without undue delay and in any event within one month (extendable by two further months for complex requests, provided the individual is told why). However, the Right to be Forgotten does not apply where the processing is still required, for example to comply with a legal obligation under EU or member-state law.

Individuals have the power not only to withdraw consent to the use of their data but also to move it elsewhere. The Right to Data Portability lets customers request that their data be transferred to a different controller. Put simply, a customer can ask your company to hand their data over to another (possibly rival) company.

Some changes are introduced to the rules on notification. A personal data breach is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Under the GDPR the controller must notify the supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the affected individuals must be notified without undue delay as well.

Do it smart

It is always better to start the journey to GDPR compliance with something simple. It is a better idea to transform and improve your current data protection policies than to invent new ones from scratch. So begin by auditing your current data collection process and reviewing it against the new Regulation.

Install the GDPR Cookie Consent plugin for Koken

Baldurs Photography on Instagram
Bjarne Varöystrand