The GDPR applies if you manage a business or handle personal information belonging to EU residents. Companies that manage data about EU residents or sell to them, as well as those who do business with such companies, fall into the same category.
The law is intended to increase transparency in both privacy and business practice. It also mandates that companies report data breaches within 72 hours.
Processing of personal data
The GDPR defines personal data as data that can be connected to an identified or identifiable natural person. This includes a person's name, phone number, address, email, bank account details and even the IP address of their computer. Details about an individual's religious views, political beliefs or sexual orientation can also constitute personal information. The GDPR mandates that all processing of personal data be carried out in a way that respects the rights and freedoms of each individual. This means the personal information must be handled lawfully, fairly and transparently. It also requires that personal information is not stored longer than necessary and that appropriate cybersecurity measures are in place.
Processing of personal information is permitted only if it rests on one of the six lawful grounds set out in the GDPR. Consent is the most common justification, but other grounds are also considered. Processing can also be justified when it serves the public interest, but only when the processing is not disproportionate to the interests of the person whose data is being processed.
If you are uncertain whether your processing activity is lawful, consult the Explanatory Notes to the GDPR. These notes explain what counts as processing and how you can demonstrate that the activity is lawful. For example, sharing individuals' personal information with other employees of your organization counts as processing, as does logging their IP addresses for analytics purposes.
The EU data protection regulations have profound implications for how businesses collect and store data about consumers. These include the right to be informed, which requires that customers consent before their data is collected. Customers also have the right to have inaccurate information corrected and to have their information erased if they wish.
Purpose limitation
Under the GDPR, data controllers may process only personal data that is necessary for legitimate, specific and clearly stated purposes. This principle is a core part of the law's overall principles of fairness, transparency and lawfulness. It applies both to data controllers and to any third party that handles personal information on their behalf. These entities must identify and record their purposes for processing and the other operations they perform. Data subjects' rights are further strengthened by the GDPR, which requires that they be told the nature of the data held about them and be given access to it within one month. The regulation also prohibits charging for this unless the request is excessive or manifestly unfounded.
Broadly defined purposes undermine the protection that the purpose limitation principle is meant to provide. For example, an online business that stores customers' exact birth dates violates the purpose limitation principle, because the exact date is more detail than the stated purpose requires. Instead, the business could ask for a customer's age category or a general date range, which would suffice to meet the regulations.
A doctor using patients' medical records without their consent is another example. It is not an acceptable use of the data, because it is incompatible with the purpose for which the data was originally collected. Doctors should use the information for treatment and not for a secondary purpose.
It is essential to establish the primary purpose of processing data about individuals before you begin collecting it. The GDPR requires that the reason for processing be clearly documented. It is also good practice to incorporate the purpose into other documents and policies, including information governance policies and business strategies, and to run training sessions for employees on how to document the purpose of processing personal information.
Transparency
Transparency in the processing of personal data is essential to GDPR compliance. In Articles 13 and 14, the GDPR states that people have the right to learn how their personal data is processed. The regulation requires that this information be provided in a concise, transparent and easily understood form, that it be easily accessible, and that it be written in plain and simple language. Transparency is particularly relevant for children and vulnerable persons, where both the language and the manner of communication must be adapted accordingly.
Organizations should not stop at making privacy policies easy to understand; they should also communicate them in various formats and through different media. The GDPR requires that policies be available in writing, but other forms of communication can be used as well, such as videos, voice alerts, cartoons and infographics. The aim is to ensure that every person can access the policy regardless of preferences or impairments. The GDPR further states that organisations must keep a record of the policy, or have it available to be read aloud at the customer's request.
The IAB Tech Lab's framework is a useful tool for publishers who want to be more open with their customers and meet the GDPR's requirements. Users can select which third parties, and which data-processing purposes, they wish to consent to. This framework removes the "all or nothing" model of consent and gives users greater control over the data they provide.
Elements that were not considered personal information in the past may be considered so in future. This is why the GDPR states that businesses should build in the security of personal data by design and by default when developing new services or products. The design of an app has to take into account the types of data that will be collected and the security features that protect it.
Data portability
The right to data portability allows individuals to control their own personal data and to transfer that data to another controller. It lets users move their data between platforms and services and encourages innovation. It also aims to reduce the influence of large platforms and services that could otherwise gain an unfair advantage over smaller competitors. Transferring data to another controller is an essential element of privacy that was included in the GDPR. The right to data portability does not, however, permit the transfer of personal data from one entity (which relies on its own legal basis for processing) to a different controller.
Handling data portability requests can be time-consuming and costly, especially for organizations that have not already adopted privacy by design. But implementing this right is vital for digital companies that want to remain competitive. Over time, more people will move between digital platforms and services, and the ability to transfer data will become more important for businesses.
Article 20 states that the data subject has the right to receive their personal data from the controller in a structured, commonly used and machine-readable format, and to transmit it to a new data controller without hindrance from the controller that originally held it. Personal information is broad and can also include details about other individuals. This makes data portability a challenge for services that manage contacts or use data for specific purposes.
Netflix, for example, collects a lot of information about its users, such as credit card numbers and viewing preferences. Before the GDPR, these details were retained by the service. Companies are now obliged to make this information available to other services and platforms. Competition between platforms and service providers will increase, which in turn encourages innovation.
Consent
Under the GDPR, consent is one of the principal legal bases for data processing. Consent must be freely given, clear, concise and informed. That means the individual must be able to make an informed decision without pressure or influence, and must be able to revoke consent at any time. They must also be able to decline the use of their personal data for any purpose without suffering any detriment. Dark patterns such as pre-ticked check boxes and cookie walls are unacceptable.
Controllers must seek explicit consent using a form that is easy to understand, accessible and written in plain language. The form must state in simple terms the controller's name, what data is involved, the purpose of the processing, any transfers of personal information and the risks involved. It must also explain the nature of the data being processed and any rights the person may have.
A GDPR expert would regard consent as a positive, affirmative action: the user must give consent actively rather than passively. It is also important to remember that consent must be given by a real person, not by a company or organization. This makes it difficult to obtain legally valid consent simply by asking someone to tick a box or click an image.
Consent is a valid legal basis for data collection, but when relying on it, data controllers should be ready to delete a person's personal information once they withdraw their consent. The same applies where the data controller has legitimate interests. In such a case, it is better to rely on another legal basis rather than consent.