The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR came into force on 25 May 2018.
Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of individuals (formally called data subjects in the GDPR) inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.
In order to be GDPR-compliant, a website or application must ensure the privacy and security of customer (end user) data. Personal data may be collected only after obtaining explicit consent from users, with a clear explanation of the purpose behind such data collection. There should also be options for end users to review the data collected by the website or application and to delete it permanently if they choose to. Most popular CMS platforms, such as WordPress and Joomla, have already become GDPR-compliant with their latest releases or offer plugins to ensure compliance. Websites or applications that are not built on top of a CMS need to ensure GDPR compliance by building the required GDPR functionality in at the time of design and development. Care must also be taken to ensure the security of data storage facilities and data transmission mechanisms.