The General Data Protection Regulation (GDPR) is a regulation that businesses must follow to protect the personal data and privacy of European Union (EU) citizens, both for transactions that occur within EU member states and for businesses outside the EU that hold EU citizens' data. Non-compliance can lead to hefty fines and loss of business for organizations. GDPR sets standards that all organizations must abide by, and they will have to put systems and processes in place to meet those standards. Though the interpretation of GDPR leaves much open, it says that companies must provide a reasonable level of protection for personal data. The key elements included in the GDPR are 1) the right to be forgotten, 2) obtaining valid consent and 3) access to data.
The right to be forgotten implies that a person can exercise the right to request that their personal data be erased. This applies to all data controllers, including companies that have made personal data public through online forums or social media communities, though there are some exceptions. It cannot supersede laws that require certain organizations to retain certain data, such as the HIPAA-required records kept by US companies. As GDPR compliance becomes mandatory, IT companies are required to take the following steps:
Data processing is a key activity for organizations and can include everything from using an employee's data to process payroll to using a customer's information for targeted advertising. Under GDPR, data processing has become structured, and organizations must process personal information in a way that meets the definition of legitimate interest. GDPR defines the lawful grounds for data processing, which are as follows:
GDPR focuses on transparency, and some points to be kept in mind are as follows:
GDPR has introduced data portability, which means that customers can demand that their personal data be ported to them from the data controller. Where customers provided data to the controller, gave consent for its use, or were in a contract under which the controller automatically processed their data, they can port that data and reuse it for their own purposes and across different services. Data controllers must therefore meet some requirements when delivering data back to customers. Online data has to be in a machine-readable format that can be read, copied and transferred easily. How this is to be done is not specified by the GDPR. Since the privacy rights lie with the customers, organizations should make it simple for customers to port their data; for example, they can allow the data subject to determine which fields are exported. Organizations must secure the data while it is being exported, and sometimes it may have to be exported directly to a competitor. Examples of portable data include lists of media such as songs and photos, whereas inferred data, such as behavioral data determined from analysis, is out of scope for data porting.
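As an added illustration, not part of the original text, the Python routine below shows one way a controller could meet the portability points above: the data subject chooses which fields to export, only subject-provided data is eligible, requests for inferred behavioral data are refused rather than silently dropped, and the output is machine-readable JSON with a digest the recipient can use to check that the file arrived unaltered. The sample record, the field catalogue and every function name are constructed assumptions for this example.

```python
import json
import hashlib
from datetime import datetime, timezone

# Constructed sample record for one data subject (hypothetical, not from the text).
# "provided" fields were supplied by the subject; "inferred" fields were derived
# by analysis and are out of scope for a portability export.
SUBJECT_RECORD = {
    "provided": {
        "email": "user@example.com",
        "display_name": "Example User",
        "playlists": [{"name": "Road trip", "tracks": ["Song A", "Song B"]}],
        "photos": ["photo_001.jpg", "photo_002.jpg"],
    },
    "inferred": {
        "churn_risk_score": 0.82,
        "predicted_interests": ["hiking", "jazz"],
    },
}

# Catalogue of fields the subject may select for export (assumption: maintained by
# the controller; only subject-provided data is listed, never inferred data).
EXPORTABLE_FIELDS = {"email", "display_name", "playlists", "photos"}


def build_portability_export(record, requested_fields):
    """Return a JSON-serialisable export containing only the subject-provided
    fields the subject asked for. Any requested field outside the catalogue
    (which includes all inferred data) raises instead of being quietly omitted,
    so the subject gets a clear answer about what is and is not portable."""
    requested = set(requested_fields)
    disallowed = requested - EXPORTABLE_FIELDS
    if disallowed:
        raise ValueError(
            f"fields not eligible for portability export: {sorted(disallowed)}"
        )
    provided = record["provided"]
    return {
        "format": "application/json",
        "exported_at": datetime.now(timezone.utc).isoformat(),
        "fields": sorted(requested),
        "data": {name: provided[name] for name in sorted(requested)},
    }


def serialise_export(export):
    """Serialise the export deterministically and return (json_bytes, sha256_hex).
    The digest lets the subject or a receiving controller verify the file was not
    altered in transit; it complements, and does not replace, transport encryption."""
    payload = json.dumps(export, sort_keys=True, indent=2).encode("utf-8")
    return payload, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    export = build_portability_export(SUBJECT_RECORD, ["playlists", "photos"])
    payload, digest = serialise_export(export)
    print(payload.decode("utf-8"))
    print("sha256:", digest)
```

The field catalogue is the control that keeps inferred data out of the export: because it is an allow-list of subject-provided fields, a request for a derived score fails closed, and the JSON output can be handed to the subject or to another controller without further transformation.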
These are some of the key concepts included in GDPR, and organizations need to comply with them for better transparency and trust in business transactions.