GDPR Regulations that apply to AACS 2.1:
“One of its important traits is that it will impact every entity that holds or uses European personal data, whether they operate inside or outside of Europe. In short, no matter where you are in the world, if you sell goods to European citizens or process their personal data, you have to comply with the GDPR. This means the regulation will affect many more businesses than the current Directive, a positive aspect especially for EU citizens, who are now more protected, but a less positive change for those businesses outside of the EU who find themselves having to comply with a new set of rules. This also answers the question many people in the UK have been asking: ‘does Brexit affect them and their business?’ The short answer is that it all comes down to the individuals they work with. As it is unlikely, at least at first, that organizations in the UK will cut all ties to EU individuals, they should comply with the GDPR in order to be sure they will avoid unnecessary fines.”
"Obtaining consent to process someone’s personal data has always been required. However, the GDPR makes it harder for data controllers to obtain it and easier for data subjects to retract it. As stated in the regulation, approval must be given freely, and it must be specific, informed and unambiguous. It will not be valid if bundled with other matters, such as in the general terms; it has to be distinguishable from all other matters. Parental consent will be needed in order to process children’s data. At the moment the age limit is set at 16, though there are ongoing discussions about a lower age limit, but not below 13.
So, how exactly does this work?
Data subjects have to be provided with a clear explanation of the processing to which they are consenting.
Under the GDPR, data subjects are permitted to withdraw their consent easily. It should be noted that silence or inactivity cannot be considered consent. As such, pre-ticked boxes, for instance, are not considered valid consent.
Consent has to be specific and informed. The controller has to explain the scope and the consequences of the data processing.
Consent cannot be applied to an open-ended set of activities; instead it must be limited to a specific context.
The language used to explain the nature of the data processing activities should be natural and in an easily accessible form."
“A much discussed topic is the IP address. The GDPR states that IP addresses should be considered personal data, as they fall within the scope of ‘online identifiers’. Of course, in the case of a dynamic IP address – which is changed every time a person connects to a network – there has been some legitimate debate as to whether it can truly lead to the identification of a person or not. The conclusion is that the GDPR does consider it as such. The logic behind this decision is relatively simple. The internet service provider (ISP) has a record of the temporary dynamic IP address and knows to whom it has been assigned. A website provider has a record of the web pages accessed by a dynamic IP address (but no other data that would lead to the identification of the person). If the two pieces of information were combined, the website provider could find the identity of the person behind a certain dynamic IP address. However, the chances of this happening are small, as the ISP has to meet certain legal obligations before it can hand the data to a website provider. The conclusion is that all IP addresses should be treated as personal data in order to be GDPR compliant.”