The General Data Protection Regulation (GDPR) took effect on 25 May 2018. This new law applies to all companies that collect and process data belonging to European Union (EU) citizens, including companies with operations in the EU and/or a website or app that collects and processes EU citizen data.
It expands the rights of individuals to control how their personal data is collected and processed and places a range of new obligations on organizations to be more accountable for data protection.
The GDPR applies to personal data. This is any information that can directly or indirectly identify a natural person and can be in any format. The Regulation places much stronger controls on the processing of special categories of personal data. The inclusion of genetic and biometric data is new.
Examples: name, address, email address, photo, IP address, location data, online behaviour (cookies), profiling and analytics data, race, religion, political opinions, trade union membership, sexual orientation, health information, biometric data, genetic data.
An awareness of GDPR is the first requirement, and no progress toward compliance will be made if the decision-makers in your company are not aware of the new laws.
Conduct regular training to ensure that employees remain aware of their responsibilities with regard to the protection of personal data and identification of personal data.
Under GDPR, if your business shares inaccurate personal data with another organization, you must notify the other organization of the inaccuracy.
You should document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit across the organization or within particular business areas. The GDPR requires you to maintain records of your processing activities. By doing this you are complying with the GDPR’s accountability principle.
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Privacy notices must be provided in a concise, transparent and easily accessible form, using clear and plain language.
Under GDPR, all companies dealing with information of European citizens will need to provide more information to customers. You’ll need to clearly explain:
The ICO’s Privacy notices code of practice reflects the new requirements of the GDPR.
When GDPR is introduced, individuals (your customers) will have more rights, and your data protection procedures must reflect that.
The GDPR includes the following rights for individuals:
You’ll need to provide this data in a commonly used structure and machine-readable form. It must also be provided free of charge.
Under GDPR, individuals have the right to receive a copy of the personal information held about them by a company. This is known as a subject access request.
In most cases, you will not be able to charge for complying with a request.
You must do this without undue delay and at the latest, within one month.
If your organization handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly.
You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.
You must identify and document the lawful basis for any processing of personal data. People will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.
You will also have to explain your lawful basis for processing personal data in your privacy notice and when you answer a subject access request. The lawful bases in the GDPR are broadly the same as the conditions for processing in the DPA.
It should be possible to review the types of processing activities you carry out and to identify your lawful basis for doing so. You should document your lawful bases in order to help you comply with the GDPR’s ‘accountability’ requirements.
The lawful bases are:
GDPR sets a high standard for consent and could mean a major overhaul of how you obtain consent from your customers. GDPR is clear that an indication of consent must be clear and involve an affirmative action. Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want.
There are stricter rules for obtaining consent:
GDPR will introduce special protection for children’s personal data. Businesses must start implementing systems to verify ages or obtain guardian consent for any data processing.
If your organization offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully.
The GDPR sets the age when a child can give their own consent to this processing at 16. If a child is younger then you will need to get consent from a person holding ‘parental responsibility’. Remember that consent has to be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.
GDPR introduces a requirement for all organizations to report certain types of data breaches to the relevant governing body and your customers.
You must notify the relevant stakeholders if your data breach will result in discrimination, damage to reputation, financial loss or loss of confidentiality of individuals.
Data breaches must be reported to the data protection authority within 72 hours of discovery. Individuals impacted should be told where there exists a high risk to their rights and freedoms, e.g. identity theft, personal safety.
Personal data needs to be secured against unauthorized processing and against accidental loss, destruction or damage. You will need to track the types of data you hold and document when you would be required to notify the ICO.
If you fail to report a breach, even by accident, you’ll be hit with a fine – 2 percent of global turnover or $11 million, whichever is higher. This is in addition to the fine you’ll pay for the breach itself.
There is a requirement to build effective data protection practices and safeguards from the very beginning of all processing:
If a DPIA indicates that the data processing is high risk, and you cannot sufficiently address those risks, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
Data protection officer (DPO) – The appointment of a DPO is mandatory for public authorities, organisations involved in high-risk processing, and organisations processing special categories of data.
A DPO has set tasks:
To prepare for GDPR, organizations can use this six-step process:
1. Know your obligations under GDPR as they relate to collecting, processing and storing data, including the legislation’s many special categories.
2. Perform data discovery and document everything: research, findings, decisions, actions and the risks to data.
3. First, determine if data falls under a GDPR special category. Then, classify who has access to different types of data, who shares the data, and what applications process that data.
4. Assess the risks to all private data, and review policies and procedures. Apply security measures to production data containing core assets, and then extend those measures to back-ups and other repositories.
5. Investigate any other risks to data not included in previous assessments.
6. Repeat steps four to six, and adjust findings where necessary.
GDPR definitely sets the bar high for data privacy laws worldwide. Looking forward to seeing what other laws mimic GDPR in the next few years.