5 Killer Quora Answers on GDPR consultancy

The GDPR is a regulation that seeks to rebuild confidence in data sharing by raising data protection standards and ensuring that organisations comply with them. It applies to all companies that collect personal information about EU citizens.

The GDPR builds on the existing European Data Protection Directive of 1995. Its aim was to put a single law in force across the whole EU.

Conditions for Consent

The GDPR requires companies to seek permission from individuals for how they will use their personal data. This is called consent, and it is one of six legal bases for processing personal information. Consent can be withdrawn at any time, and the means to withdraw it should be readily available.

In contrast to the previous directive, which only required that consent be freely given, the GDPR stipulates that consent must be clear and specific: it must be unambiguous that the data subject agrees to the processing of the data they provide. Consent can be given in many ways: by a verbal statement, in writing, on a web page, or through two-factor verification.

It is vital to understand that consent may cover only part of the data that is collected, and that the data must not be used for purposes beyond those consented to. If you ask for permission to collect personal information for research purposes, it is often not possible to pinpoint in advance what the research will involve. It is recommended to offer specific options for particular research areas where you can, and to provide further information about the other conditions.

Additionally, if someone withdraws consent, the data in question must be deleted unless another legal basis is identified. You cannot simply switch the legal basis for data you have collected from consent to legitimate interest, because that will not be sufficient justification.

Penneo Sign helps businesses meet the requirements for consent. Our online consent forms let you explain your purposes and then ask data subjects for explicit consent by requiring them to choose either "Yes" or "No." You can then generate a PDF document containing the required fields and send the form to the person whose information is needed. This ensures you have the records necessary to prove that consent was lawfully obtained, and makes it easy to comply with requests from people who want to withdraw their consent at a later date.

The requirements for transparency

Companies must explain how they collect and process individuals' personal data. They must also ensure that users can access and review this information. It is crucial to remember that the 'right to information' as set out in the law is part of this.

A data protection authority can impose fines on companies that fail to comply with the GDPR's transparency requirements. This applies not only to big international businesses but also to smaller companies that target EU citizens and operate in the EU. The penalties can reach thousands of euros.

The EU's Article 29 Working Party (WP29) has released guidance to help businesses meet their transparency obligations. It says that privacy policies must be simple to understand and should describe what data is processed, why it is processed, with whom it is shared, and how long it is kept. Users must be informed of these matters before they consent to an organisation's policies or accept its terms.

WP29 specifies that the privacy policy has to be put in writing; however, non-written methods such as videos, animations, voice messages and even cartoons can be used provided they are easily understood. The policy must be readily available on request. It is also recommended that the policy can be read out loud. The policy should be available on the company's website and in its app, and hard copies should be available if required.

Remember that transparency is not only about what happens to personal data but also about how this affects individuals. This is especially important when processing takes place without the individual's prior consent, as is the case when data comes from various sources. For example, a company may buy data from another source to gain insight into its clients. The data can be used to improve the quality of a product, but the user may not have known that the information held by the initial supplier would be used for this purpose.

In such cases, transparency can be a problem. Despite the GDPR's increased importance, very few studies have been conducted on the subject, and much of the US-based research on the outcomes of transparency may not be relevant to the European situation.

The requirement for accountability

Accountability has always been part of European data protection legislation, but the GDPR brings it into sharper focus. It demands that an organisation has a clear understanding of what data it uses and why, along with a range of technical and organisational measures that ensure it understands how the data is being processed.

A GDPR compliance plan has to include documentation of what personal information an organisation gathers, how it is collected in the first place, how and by whom it is stored, who is responsible for it, and much more. It should also include the internal processes and procedures that ensure this knowledge is kept current and regularly maintained, and it should ensure that any changes required to the processing system are outlined and planned.

A data protection impact assessment (DPIA), where necessary, is a further element of accountability. It is an important part of the concept of "Data Protection by Design and by Default", under which privacy must be taken into consideration from the outset when developing a product or a new activity.

A DPIA is required whenever processing is deemed to pose a risk to the rights and freedoms of individuals. The regulation defines three types of operations that must be accompanied by a DPIA: extensive and systematic profiling that has a major impact on individuals, large-scale public surveillance, and the processing of genetic and biometric information.

A DPIA helps an organisation discover and mitigate potential risks. It must explain how the information is securely stored and protected, and it must be carried out before processing begins. Likewise, any modifications to the processing system also need to be vetted through a DPIA.

It is also essential for an organisation to record the outcome of a DPIA, along with the relevant conclusions and reasoning. Where there are joint controllers, it is a good idea to sign written agreements that clarify the roles and responsibilities of each party.

A commitment to accountability is the primary requirement for GDPR compliance, and it will require a fundamental change in thinking for many companies. The strategies organisations adopt range from burying their heads in the sand, through focusing on reducing a first fine, to treating compliance as a fundamental part of their day-to-day activities.

The Data Portability Requirements

The right to data portability under the GDPR is an important innovation that gives individuals more control over the information they share with others. It poses a risk for companies, but also offers a strategic advantage if properly implemented.

Individuals have the right to obtain from a data controller all of the personal data they have provided, in a structured, commonly used and machine-readable format. This applies to any personal data processed on the basis of consent or for the fulfilment of a contractual obligation. It also applies to any personal data processed by automated means.

What does this mean in practice? A simple example is taking music files downloaded from one streaming platform and moving them to another, but the scope can be much broader. It also covers data on books bought through an online bookshop, energy usage data (with the electricity company as the data controller) used to determine carbon footprints, and so on.

This right does not extend to other data the controller may have created from the original personal information, such as derived or pseudonymised data. Nor does it apply to personal data processed on the basis of legitimate interests or in the public interest, although in certain circumstances the right may still be considered to apply.

A company will need to show that it has complied with the request. This means it must demonstrate precisely how the personal information was collected and why it was processed, and then provide the data in an appropriate format, i.e. one that can easily be reused.

This will prevent the vendor lock-in that has been an issue for many services, including cloud storage and social media. The EU co-legislators of the regulation hoped to allow users to transfer their data from one service provider to another without falling victim to 'controller lock-in'. The guidelines on the GDPR published by WP29 address this issue as a continuing concern in the digital age.