How to Outsmart Your Peers on GDPR compliance services

The GDPR applies if you operate a business that handles the personal data of EU residents. Businesses that monitor or sell to EU residents, as well as those that do business with them, are all included.

The law aims to make businesses more transparent and expands individuals' privacy rights. It also requires that businesses report breaches of personal data within 72 hours.

Processing personal data

The GDPR defines personal data as data that can be connected to an identified or identifiable natural person. This includes a person's name and address, email addresses, bank account details and IP address. Information about a person's political views, religion or sexual orientation is also personal data. The GDPR stipulates that any processing of personal data must be carried out in a way that respects the rights and freedoms of the individual. This includes ensuring that personal data is handled lawfully, fairly and transparently. It also means that personal data must not be retained for longer than necessary, and that adequate security measures must be in place.

The processing of personal data must rest on one of the six lawful bases set out in the GDPR. The most common is consent, but there are others. In particular, the collection of personal data is permitted where it is necessary for the performance of a task carried out in the public interest. However, this is only valid if the processing is not excessive in relation to the interests of the individual concerned.

If you are unsure whether your processing is lawful, consult the Explanatory Notes to the GDPR. These notes explain what constitutes "processing" and how you can demonstrate that an activity qualifies. For example, sharing a person's details with other members of your organisation could be considered processing, as could recording their IP address for analysis.

The new EU data protection rules have profound implications for how firms collect and keep consumer data. They include the right to be informed, which means that consumers must consent before their data is obtained. Consumers must also be able to have inaccurate information corrected and to request the deletion of their personal data if they wish.

Purpose limitation

Under the GDPR, data controllers may process only personal data that is necessary for specific, explicit and legitimate purposes. This principle is a key element of the general principles of lawfulness, fairness and transparency in data processing. The principles apply to those who control data as well as to those who process personal data on their behalf. The GDPR requires organisations to define their purposes and document them alongside their other processing activities. The GDPR also strengthens the rights of data subjects, who must be informed of the reasons for processing and must be given access to their own personal data within one month. Additionally, the regulation prohibits charging for this service unless the request is unjustifiably excessive or manifestly insubstantial.

An overly broad range of purposes undermines the protection that the purpose limitation principle is designed to offer. For example, an online shop that collects customers' exact birth dates violates the purpose limitation principle if no precise and specific purpose requires that level of detail. The company could instead ask for a general age or an age range, which is enough to meet the regulation.

A doctor using patients' medical records without their consent is another example. This is not a valid use of the data because it is incompatible with the original purpose. The physician should use these records only for treatment and not for any other reason.

You should be clear about the reasons for processing personal data before you obtain it. Documenting the purpose is an obligation under Articles 12 and 29 of the GDPR, but it is also good practice to record the reasons for processing in other documents and policies, such as information governance plans, business strategies and marketing policies. It is also a good idea to train employees on how to document the purpose of processing personal data.

Transparency

Transparency regarding the processing of personal data is essential to GDPR compliance. Under Articles 13 and 14, the GDPR stipulates that people have the right to learn how their personal data will be processed, the purposes for which it is collected and the parties to whom it will be disclosed. The regulation also requires that this information be provided in a concise, transparent and intelligible form, easily accessible and written in plain language. Transparency is especially important when communicating with vulnerable people or children, and the language and style used must reflect this.

Alongside ensuring privacy policies are easy to understand, companies must communicate their policies in a variety of media and formats. The GDPR stipulates that policies should be available in writing, but other types of communication are permissible, including videos, voice alerts, cartoons and infographics. This ensures that everyone can access the policy regardless of preference or disability. The GDPR also stipulates that the company must record the policy or make available someone who can read it aloud at the customer's request.

The IAB Tech Lab framework is a useful tool for helping publishers be more transparent and GDPR compliant. The framework enables users to decide which third parties and processing purposes they consent to. It removes the "all or nothing" approach to consent and gives users greater control over their data.

The authors of the GDPR recognised that technology changes rapidly and that data which does not currently qualify as personal information may become identifiable in the future. Under the GDPR, companies are required to develop new products and services with data protection in mind. When designing an application, you must consider what kind of data is collected and which security measures are used.

Data portability

The right to data portability allows individuals to manage their own personal data and transfer it to another controller. Users can move their personal information from one platform or service to another, which encourages innovation. It is a way to counterbalance the dominance of large platforms and services, which may have unfair advantages over smaller rivals. Data portability was included in the GDPR and forms a crucial element of its privacy framework. Data portability is not a right to transfer personal data from one controller (who relies on a legal processing basis) to a different controller.

Handling data portability requests can cost a lot of time and money, particularly for companies that have not yet implemented privacy by design. To stay competitive, digital enterprises must be able to provide this feature. In the future, many more individuals will move between digital platforms and applications, so data transfer will become increasingly vital for business.

Article 20 provides that the data subject is entitled to receive their personal data from the controller in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance from the initial controller. However, the term "personal data" can be broad and may include information about other individuals. The transferability of data is therefore an issue, particularly for services that manage contacts or use data for specific purposes.

Netflix, for instance, is a prime example. The company collects a variety of information about its subscribers, including credit card details, viewing habits and more. Before the GDPR, this information remained with the company providing the service. Now it must be shared with other platforms and services on request. This could lead to increased interplay between platforms and services and encourage the development of new technologies.

Consent

Under the GDPR, consent is one of the most important legal bases for data processing. However, it is only valid when it is explicitly given, clear, informed and specific. The person must be able to decide freely, without being influenced or subjected to any kind of pressure, and must be able to withdraw consent at any time. They must also be able to refuse the use of their personal data in any way, for any reason, or as part of a service. Dark patterns such as tick boxes with preselected options and cookie walls are not acceptable.

The consent request must be explicit, presented in a clear and accessible format and written in plain language. It must clearly explain the identity of the controller, the purpose of processing, any transfer of personal data and its risks, the nature of the data being processed, the possibility of withdrawing consent in the future, and any other rights the individual may have.

Consent should be understood as an affirmative act that requires the individual to confirm their decision proactively rather than passively. It is crucial to be aware that consent must be given by a natural person, not by an organisation or institution. This means that it is impossible to obtain valid consent simply by having someone check a box or click on a link.

If consent is used as the legal basis for processing personal data, controllers must be prepared to stop using that data if the person withdraws consent. This applies even if the controller has a legitimate interest. It is therefore often a smart option to rely on a different legal basis in lieu of consent.