Over a year after the GDPR's implementation, it has changed the way businesses conduct data practices. Although some are still skeptical of its effectiveness, others consider it to have pushed businesses to invest in better cybersecurity.
Companies must also tell customers clearly how their personal data is used, and consent can no longer be obtained through pre-ticked boxes or implied from inaction.
Definition
In 2018, the GDPR changed how companies handle personal data. It requires a lawful basis for collecting and storing personal data, transparency towards data subjects about how their data is used, and respect for the rights the Regulation grants them. Violations can be punished with administrative fines of up to 20 million euros or 4% of global annual turnover, whichever is higher.
Under the GDPR, "personal data" means any information relating to an identified or identifiable natural person. A name, age, banking details, social media posts and any other information that can be linked to an individual all qualify. The definition is not limited to commercial records: a message between old school friends is personal data too, although processing by a private individual in the course of a purely personal or household activity falls outside the Regulation's scope.
Which obligations apply to a company depends on whether it acts as a data controller or a data processor; both roles must comply. A data controller is the "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". A data processor is a natural or legal person that processes personal data on behalf of the controller.
A controller (or processor) must designate a Data Protection Officer (DPO) to supervise its GDPR compliance when it is a public authority, when its core activities involve regular and systematic monitoring of data subjects on a large scale, or when its core activities involve large-scale processing of special categories of data or of data relating to criminal convictions. Controllers are also required to have a plan for handling personal data breaches: a breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to individuals, and the affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them. A processor that detects a breach must notify the controller without undue delay.
Companies should also reduce the personal data they collect, retain and share with third parties. This principle, known as data minimisation, limits what can be exposed if systems are breached. A data minimisation programme could, for instance, ensure that employees do not share sensitive data with colleagues who have no need for it, or over social media.
The purpose
The goal of the GDPR is to give individuals control over their personal data. They can request access to it and have it erased if they object to how it is used, which lets them hold businesses accountable in ways that were not previously possible.
A person who exercises the right of access can find out why their data is being processed, with whom it has been shared, and whether it has been transferred outside the EU. They can also have inaccurate data corrected. The law also sets out principles businesses must follow when processing personal data, including lawfulness, fairness and transparency, and purpose limitation: data may only be collected for the specified, explicit purposes communicated to the data subject at the time of collection, and may not be further processed in a way incompatible with those purposes.
Every processing operation must be secured with measures appropriate to the risk: data needs protection both in transit and at rest. Controllers must also maintain records of their processing activities and make them available to the supervisory authority on request.
Where a DPO is required, the GDPR specifies that they be appointed on the basis of professional qualities and expert knowledge of data protection law and practice; a formal certification is not mandated. The DPO advises on the risks of processing personal data, monitors compliance, raises awareness and trains staff, and is consulted when the organisation drafts its privacy policies and carries out data protection impact assessments. Data subjects must be able to contact the DPO with questions about the use of their personal data.
Consent
Consent is only one of the six lawful bases on which personal data may be processed. Companies that rely on consent need to review their practices: anyone asking for consent must tell people specifically why their personal data is being used, what the consequences are, and how they can withdraw consent at any time.
Consent must be freely given, specific, informed and unambiguous, and expressed by a statement or a clear affirmative action, such as ticking a box or choosing technical settings. Silence, inactivity, pre-ticked boxes or acceptance of blanket contract terms do not amount to consent, because none of them is a clear indication of the data subject's wishes. For special categories of data, consent must additionally be explicit.
Consent must also be specific. As the Article 29 Working Party (WP29) guidelines on consent explain, the specificity requirement is intended to ensure a degree of user control and transparency for the data subject. Controllers must therefore clearly define the purpose(s) of processing when asking for consent, be as granular as possible where several purposes are involved, and keep the request for consent clearly separate from other matters.
Finally, a data subject must be able to withdraw consent at any time, and withdrawing consent must be as easy as giving it. Organisations should put in place a way to record and act on withdrawals and objections. Data subjects also have the right to data portability (receiving their data in a structured, machine-readable format so they can move it to another provider), the right to erasure in certain circumstances, and the right of access to the personal data an organisation holds about them. Information requested under these rights must normally be provided within one month, free of charge and in a clear, accessible form.
Data Erasure
One of the most powerful tools in the data subject's hands is the right to erasure, also known as the "right to be forgotten". Once a valid erasure request is received, the company must delete the individual's personal data from its business systems; the Regulation does not carve out backups, so the erasure process has to account for them as well.
A company has one month to respond to an erasure request (extendable by a further two months for complex or numerous requests, provided the individual is told why), but responding is only the start. If the data has been made public, the company must take reasonable steps to inform other controllers processing it that the individual has asked for links to and copies of the data to be erased, and it must tell the individual, with reasons, if it decides not to erase. Records of processing and the internal data map must be updated to reflect what was deleted.
Having systems capable of handling such requests is critical, especially for technology and marketing companies that gather and process consumer data at scale. Honouring data subjects' rights is a core requirement of the GDPR, and a firm without the infrastructure to do so risks significant fines if it is found wanting.
If a company decides to keep the data, it must explain why and inform the individual that they can complain to a supervisory authority or seek a judicial remedy. The GDPR allows retention where processing remains necessary for, among other things, freedom of expression, compliance with a legal obligation, public health, archiving in the public interest, scientific or historical research or statistics (where erasure would seriously impair those objectives), or the establishment, exercise or defence of legal claims. Requests are normally free of charge; a reasonable fee, or a refusal, is permitted only where a request is manifestly unfounded or excessive, for instance because it is repetitive.
Transfer of Data
The GDPR requires businesses that handle personal data to protect individuals' rights and give them control over how their data is collected and used, including the right to have it handed over in a portable form or erased on request. This places a heavy burden on technology firms that collect and exploit consumer data, as well as on the marketing firms and intermediaries that work with them. Every industry is affected, but businesses that depend on collecting and using large amounts of consumer data will feel it most: they are likely to be hit hardest by customers exercising their extended rights in large numbers, refusing consent to certain uses of their data, demanding to know which third parties their data is shared with, or having the data held about them deleted altogether.
For companies that process data globally, the rules pose further problems. Chapter V of the GDPR (Articles 44 to 50) governs international data transfers and requires appropriate safeguards whenever personal data is transferred to controllers or processors in countries outside the EU/EEA. The EDPB has issued guidelines clarifying what counts as a transfer. An international data transfer (IDT) takes place when all three of the following conditions are met:
First, the exporting controller or processor is subject to the GDPR for the processing in question. Second, that exporter discloses the data by transmission, or otherwise makes it available, to another controller or processor (the importer). Third, the importer is located in a third country or is an international organisation, whether or not it is itself subject to the GDPR. The guidelines note that it is not an IDT when employees of an EU-based controller or processor access data through their corporate systems while travelling abroad on business, because the employee is not a separate controller or processor.