What is the GDPR?
Digital privacy has always been important, but lately it has become more of a concern. The vision of 1984 is looking more and more realistic. Users no longer enter their email addresses and phone numbers without thinking; they want to know why a company needs their information and what it plans to do with it.
The General Data Protection Regulation (GDPR) seeks to inform users about those processes. Starting May 25th, companies that collect personal data from citizens in European Union (EU) countries must be in compliance with the GDPR. This regulation will require companies to protect the personal data of EU citizens. The GDPR protects everything from your political opinion to your social security number. If a company does not comply with the GDPR, they could be subject to fines.
The GDPR is quite lengthy, and your Data Protection Officer should know all of the requirements front and back. Here are some of the key requirements that we picked out and translated into plain English.
Processing Personal Information
The GDPR asks that companies process data lawfully, fairly, and in a transparent manner. This means that data should be accurate, kept up to date, and relevant to the purpose for which it is processed. Companies must be upfront about their processing activities.
Collect Only the Necessary Data
Companies should limit their processing to collecting only the necessary data. There should be no reason to keep that personal data once the purpose of processing is fulfilled.
Data Subjects Have Rights
Data subjects, or the site’s users, have a right to ask you why you’re collecting their information, exactly what information you have about them, and what you plan to do with that information. The subject has the right to correct any information, delete information, or opt out of processing entirely.
Data Subjects Must Give Companies Consent
Before processing any personal data, companies must obtain the data subject's permission to use their information. If consent is given, it must be documented. This consent can be withdrawn at any time. The consent must be freely given, specific to the purpose of processing, and informed, meaning the subject understands the company's methods.
Personal Data Breach
A personal data breach is a breach of security leading to the accidental or unlawful loss, alteration, or unauthorized disclosure of personal information. In the case of a breach, companies must let data subjects know within 72 hours that their information has been compromised.
Data Protection by Default
To avoid such personal data breaches, you should build technical and organizational safeguards into a new system from the design stage, rather than adding them afterward.
Data Protection Impact Assessment (DPIA)
The DPIA is a process that lets your data subjects know when there are any changes made to your data processing methods. The assessment should inform subjects about the systematic description of processing methods, the purpose of processing data, the risks to their rights and freedoms, and the safeguards in place to protect their personal information.
Data Protection Officer (DPO)
To organize the process of collecting data, the GDPR requires that the company assign a Data Protection Officer. The DPO is responsible for using data protection best practices and advising the company about compliance issues or updates.
Not only is digital privacy important, it’s expected. With each new technological development and the rise of digital communications, users want a layer of security and they want to be informed. Users are asking why, and companies now have a responsibility to answer that question.
Sevaa Group has many clients that must comply with the GDPR, and we’ve been scouring documents about the regulation to learn everything we can. Ensuring our clients’ and their users’ privacy is our top goal. We’re happy to answer any questions about the GDPR or other security options, like SSL certificates.
*This is not official legal advice about the GDPR. Please seek counsel from a lawyer to discuss legal direction involving GDPR.