General Data Protection Regulation or GDPR is basically a regulation that businesses will need to follow to protect personal data and privacy of European-Union (EU) citizens for transactions that occur within the EU states and for those businesses also who are outside but have the EU citizens data with them. Non-compliance would lead to hefty fines and loss of business for the organizations. GDPR will definitely set standards for all organizations to abide and they will have to put their systems and processes in place for compliance standards. Though the interpretation of GDPR leaves much to be sought, it says that companies must provide a reasonable level of protection for the confidential data and following are the key elements included in the GDPR; which include 1) the right to be forgotten, 2) obtaining valid consent and 3) access to data.
First GDPR Concept Is about the Right to be Forgotten
This concept implies that a person can exercise his right of request for his personal data to be erased. This applies to all data controllers and to companies that has made the personal data public through online forums or social media community but there are some exceptions though. It means that it cannot supersede certain laws requiring that certain data can be maintained by some organizations like the HIPAA-required records for the US companies. As the GDPR compliance becomes mandatory, it is required that the IT companies take the following steps:
- Design a data inventory to know where the personal data of its customers reside
- Determine if the data erasure requests can be performed or if exemptions are required and if so, the reasons
- Design a data erasure request process
- Provide training for personnel to handle data erasure requests
Second Concept Talks about Obtaining Valid Consent
Data processing is the key element for organizations and this can include everything from using an employee’s data to process the payroll to using a customer’s information for targeted advertising. But now, under GDPR, the ambit of data processing has become structured and the users have to process the personal information by meeting the definition of legitimate interest. GDPR defines lawful grounds for data processing, which are as follows:
- Consent needed for every specific purpose
- To deliver on either a current project or before entering into another
- Due to legal obligation
- To protect the interests of the all the customers
GDPR focuses on transparency and some points to be kept in mind are as follows:
- Consent must be free and not to be clubbed with terms and conditions. The consent should not be a condition signing up for a service until it is precisely so.
- Consent must be used only for the specified purpose and must be easy to understand with no hidden contradictions.
- Consent must be segregated by type such as for advertising or analytics and not all inclusive.
- The user should have the option of opting in and it should not be compulsory as in pre-checked boxes.
- Companies have to retain all materials regarding the consent as a proof.
- Users should have the option to be able to easily withdraw from the consent
Third Concept Is of Access to Data or Portability of Data
GDPR has introduced data portability, wherein, it means that the customers can demand that their personal data be ported to them from the data controller. When the customers provided data to the controller, provided consent to use their data or were in a contract where the controller was automatically processing their data then such customers can port their data and reuse it for their own purposes and across different services. So, here there are some requirements to be followed by the data controllers to deliver back the data to the customers. Online data has to be in a machine-readable format and has to be such that it can be read, copied and transferred easily. How this task is to be done is not specified by the GDPR. Since the privacy rights are with the customers, then the organizations should make it simple for the customer to port their data. Like for example it can allow the data subject to determine which fields can be exported. Data security while exporting it should be provided by the organizations and sometimes it may have to be directly exported to its competitor. Examples of data include a list of media such as songs and photos though the inferred data like the behavioral data determined from analysis would be out of scope for data porting.
These are some of the key concepts included in GDPR and organizations need to comply with these for better transparency and trust in business transactions.