The No. 1 Question Everyone Working as a GDPR Consultant Should Know How to Answer

If your business handles the personal data of EU citizens, you are required to be GDPR compliant. This includes businesses that sell to EU citizens or monitor the behavior of those living in the EU.

The purpose of this regulation is to enhance transparency in how companies handle personal data and to strengthen privacy. Additionally, it requires companies to report data breaches within 72 hours.

Processing of personal data

GDPR defines "personal data" as information that can be associated with an identified or identifiable natural person. This includes a person's name, address, email address and bank account information, as well as an IP address. Personal data may also include specific information about an individual's political opinions, beliefs and sexual orientation. Under GDPR, all processing of personal data must respect the individual's rights and freedoms. This includes making sure that personal data is processed lawfully, fairly and transparently, that it is not held longer than necessary, and that appropriate security measures are in place.

Personal data may only be processed on one of the six lawful bases set out in GDPR. The best-known basis is consent, but there are other legitimate grounds too. In particular, personal data may be collected where it is necessary for the performance of a task carried out in the public interest. This basis applies only if the processing does not override the rights of the data subject.

If you are unsure whether your processing activity is lawful, you can refer to the Explanatory Notes to the GDPR. These notes explain what constitutes processing and how you can demonstrate that your processing is lawful. For example, sharing individuals' personal information with other employees of your company could be considered processing. Likewise, logging an individual's IP address for analytics purposes is processing.

The EU regulation on data protection has a profound impact on the way companies store and collect consumer data. It grants rights such as the right to be informed, which means that users must be able to give their consent before their data is stored. The consumer's right to correct inaccurate data and to request that their personal data be deleted is also important.

Purpose limitation

Under the GDPR, data controllers may only process personal data that is needed for specific, explicit and legitimate purposes. This principle is a key element of the general requirements of lawfulness, fairness and transparency. It applies to data controllers as well as to any third party that handles personal data. They must establish the purposes for which they process data alongside their other functions. The GDPR strengthens data subjects' rights by requiring controllers to explain the nature of the data they hold and to give data subjects access to their data within one month. It also prohibits charging a fee for this unless the request is manifestly unfounded or excessive.

A purpose that is stated too broadly undermines the protection that the purpose limitation principle is meant to give. An online store that asks for a customer's date of birth violates the principle, because the stated purpose is neither precise nor clear. The business could instead ask for a general age range or date range, which would suffice for compliance with the law.

Another example is a physician who uses a patient's health information for a different purpose without the patient's consent. Using the data in this way is not lawful, as it is not compatible with the original purpose. Doctors must use the information only for treatment and not for any other purpose.

This is why it is important to clearly define the purpose of storing personal data before you start to collect it. The GDPR requires that the purpose be documented. It is also recommended to include the purpose in other documents and policies, such as information governance plans and business strategies, and to train your employees to clearly record the reasons for processing data.

Transparency

Transparency in the processing of individuals' personal data is crucial for adhering to GDPR. Under Articles 13 and 14, the GDPR states that individuals have the right to be told how their personal information is processed. This includes the purposes for which the data will be used and the third parties to which it will be provided. The regulation also requires this information to be supplied in a clear, concise and intelligible form, in plain and simple language. Transparency is especially important when communicating with vulnerable people or children, and the tone and language used must reflect this.

In addition to ensuring that privacy policies are easy to understand, organisations should share their policies in a variety of formats and media. Under the GDPR, privacy policies must be provided in writing, but other communication methods are also permitted, for example videos, voice messages, cartoons and infographics. The intent is that everyone can access the information, regardless of preferences or impairments. Furthermore, the GDPR states that an organisation must keep a record of the policy or provide someone to read out the policy when requested.

The IAB Tech Lab framework is a useful tool for helping publishers be transparent and GDPR compliant. It allows users to choose which third parties they want to allow and which data-processing purposes they consent to. This framework removes the "all or nothing" notion of consent and gives users greater control over the data they provide.

Data elements that were not considered personal information in the past may be considered personal information in the near future. The GDPR stipulates that businesses must apply privacy by design and by default when creating new services or products. This means that the design of an app must take into account the types of personal information it is going to gather and the ways in which that information will be secured.

Data portability

Data portability is a right that empowers individuals to take control of their personal data and transfer it to another controller. The right allows individuals to move their information between different platforms and services, and it encourages innovation. It is also a way to limit the influence of big platforms and services that might otherwise gain unfair advantages over smaller competitors. Transferring data to another controller is an essential element of the privacy protections that form part of the GDPR. It is crucial to remember that the right to data portability does not allow data to be transferred to a new controller that does not have an appropriate lawful basis for processing it (Article 20 in the UK GDPR).

Handling data portability requests can be time consuming and costly, particularly for organisations that have not already implemented privacy by design. To stay competitive, modern enterprises must be able to support this feature. In the near future, more users will move between different digital platforms and services, and data portability will become essential to the business.

Article 20 states that the data subject is entitled to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, without hindrance from the original controller, and to transmit that data to another controller. However, the term "personal data" can be broad and may include information about other individuals. This creates a dilemma for data portability, particularly for services that manage individuals' contact details or use them for specific purposes.

For example, streaming services like Netflix gather a lot of information about their users, such as the credit cards used and viewing preferences. Before GDPR, this information stayed with the company. Now these companies are required to make this detailed data available to other platforms and services. This increases competition between platforms and services while also encouraging innovation.

Consent

The GDPR lists consent as one of the most important legal bases for processing data. However, consent is only valid if it is freely given, specific, informed and unambiguous. This means individuals must be free to choose without being influenced or pressured, and must be able to withdraw their consent at any time. They must also be able to decline the use of their personal data for any purpose or service without detriment. Dark patterns, such as pre-ticked checkboxes or cookie walls, are not acceptable.

The request for explicit consent must use a format that is easy to comprehend, accessible and written in plain language. It must state the identity of the data controller, the purpose of the data processing, any transfers of personal data and the risks involved. It should also describe the kind of data being processed and the rights the individual has.

It should also be noted that consent is an affirmative, positive act: the individual must actively express their approval rather than merely giving passive assent. It is also crucial to be aware that consent must be given by a natural person, not by an organisation or institution. Therefore, it is not possible to obtain valid consent from someone by having them click a button or hyperlink.

When relying on consent as a legal basis, data controllers must be prepared to delete an individual's personal data once they withdraw their consent. The same applies if the data controller relies on legitimate interests. This is why it is often a good idea to rely on another legal basis instead of consent.