15 Weird Hobbies That'll Make You Better at GDPR compliance services

If your business handles the data of EU citizens, you need to be GDPR-compliant. Businesses that sell to or monitor EU citizens, as well as those that deal with them, are all included.

The law aims to make companies more transparent and expands privacy rights. It also requires companies to report data breaches within 72 hours.

Processing personal data

The GDPR defines personal information as information that can be tied to an identified or specific natural individual. Names, email addresses, account details, IP addresses and so on constitute personal data. It can also include information about a person's political views, religious beliefs or sexual orientation. The GDPR mandates that all processing of personal data be carried out in a manner consistent with the rights and freedoms of individuals. This includes making sure that personal data is processed lawfully, fairly and transparently. It also means that personal data shouldn't be retained for longer than is needed, and that adequate security measures must be put in place.

Processing personal information is only allowed when it rests on one of the six legal bases outlined in the GDPR. The most common is consent, but there are others as well. Processing can also be justified if the task is considered to be in the public interest. This only applies when the processing does not violate the rights of the individual.

If you're not sure whether your processing activity is legal, you can consult the Explanatory Notes of the GDPR. These notes outline what is considered "processing" and how you can demonstrate that the activity is legal. For example, sharing personal information with members of your organisation can be considered processing. So can recording IP addresses for analysis.

The new EU data protection regulations have profound implications for how businesses collect and store data about consumers. Consent is one of them. Consumers must also have the option of having inaccurate data corrected, and of demanding that their data be deleted should they choose.

Purpose limitation

The concept of "purpose limitation" in the GDPR allows data controllers to use personal information for specific, explicit and legitimate purposes. It's a crucial element of the general principles of lawfulness, fairness and openness. The law's principles apply to those who control data, as well as to third parties that handle personal information. The GDPR demands that these organisations define their purposes and document them, along with their other processing activities. The GDPR also enhances data subject rights: individuals are entitled to understand the organization's purposes and to access their personal information within a month. Furthermore, it bans charging for this service, unless it's unjustifiably high or manifestly insubstantial.

A broad definition of purpose could threaten the safeguards that the purpose limitation principle attempts to protect. An online shop that asks for customers' birth dates violates the principle because it is not precise and explicit. A business could instead ask for the customer's general age or a date range. That is enough to meet the regulations.

A doctor using his patients' medical records without their consent is another example. This is not considered a valid use of the patient's data because it is not compatible with the initial purpose. Doctors should use the data for treatment purposes and not for any other reason.

This is why it's important to establish the primary purpose of storing personal data before you start collecting it. In fact, a clear statement of purpose is required under Articles 12 and 30 of the GDPR. However, it is advisable to incorporate these purposes into other policies and documents as well, including information governance policies, business strategies and marketing policies. You should also train your employees to document clearly the reason for which they process information.

Transparency

Transparency when processing personal information is vital to GDPR compliance. In Articles 13 and 14, the GDPR states that individuals have the right to be aware of how their personal information is processed. Regulations also require that the data be presented in a clear, concise and understandable format. The information must be clear and written in easy-to-understand English. The principle of transparency is especially important when dealing with young children or vulnerable people, where the language used and the manner of communicating should be adjusted to suit.

Organizations must not only ensure that their privacy policies are readily understood; they should also be able to communicate these policies in different forms and formats. According to the GDPR, privacy policies must be written down, but other communication techniques are acceptable, such as videos, voice notifications, animations, infographics and cartoons. The goal is to make certain that all people have access to the information regardless of their preferences or disabilities. It also states that organisations must keep a record of the policy, or make the policy available to someone who can read it out loud on demand.

The IAB Tech Lab framework is an effective tool to help publishers remain transparent and in line with the GDPR. It allows users to select which third parties and which data processing purposes they agree to. This framework removes the "all or nothing" concept of consent and gives users more control over their data.

The authors of the GDPR realized that technology changes quickly and that elements that do not yet qualify as personal information could be identified as such in the future. The GDPR stipulates that businesses should consider the security of personal data by design and from the outset when creating new products or services. That means the design of any new application should consider the kinds of personal information it is going to gather and the ways in which that information can be secured.

Data portability

Data portability is a privilege that empowers individuals to take control of their personal data and to transfer it to another controller. The ability to transfer their information from one system or service to another encourages innovation. It is a way to counterbalance the dominance of big platforms and services, which may have unfair advantages over smaller rivals. The right to transfer data is a feature of the GDPR and a crucial element of the privacy system. Data portability is not a right to transfer of personal data to one data controller (who can be legally processed on base) to another controller.

It can take a lot of time and money to fulfill a data portability request, particularly for those who aren't yet implementing privacy by design. To stay competitive, digital enterprises must be able to implement this feature. In the future, increasing numbers of people will switch between multiple digital platforms and applications. The ability to transfer data is increasingly important to business.

Article 20 states that a user has the right to receive the personal data provided by the controller in a structured, frequently used and machine-readable format, and then to transfer it to a new data controller without being hindered by the controller that originally provided it. However, the definition of "personal information" is expansive and can include information about other people. This presents a challenge to data portability, particularly for services that manage contact information or leverage the data for a specific purpose.

In particular, streaming providers like Netflix gather a lot of data on their customers. This could include credit card numbers, viewing preferences, etc. Prior to the GDPR, this information remained with the company providing the service. These companies are now required to provide this information to other services and platforms. This will lead to more competition between services and platforms, and should also encourage the development of new technologies.

Consent

In the GDPR, consent is one of the principal legal bases for data processing. However, it is only legally valid if it is freely given, specific, well-informed and clearly defined. That means individuals should be able to make a genuine choice without any restrictions or pressure, and should be able to revoke their consent at any point. It also means they should be able to refuse the use of their personal data for whatever purpose or service. This makes dark patterns like pre-selected check boxes and cookie walls unacceptable.

Consent must be requested clearly, in an easily accessible format and in plain language. The form must state in plain language the name of the data controller, the reason for the processing, any transfer of personal information and the risk involved. It should also describe the nature of the data that is processed, and any future rights the individual might have.

It must also be made clear that consent is an affirmative action that requires individuals to signify their acceptance, rather than simply consenting in a passive manner. It must be provided by an individual, not by a company or an organization. Therefore, it's impossible to get legal consent by simply asking a person to tick a box or click an image.

If consent is used as the legal basis for processing personal information, controllers must be prepared to delete the data after individuals withdraw their consent, even if they have legitimate interests. It is therefore a good decision to have a second legal ground rather than consent.