The General Data Protection Regulation is an EU data protection law, effective from the 25th of May 2018, that by replacing the 1995 Data Protection Directive brings in new rights for individuals and new responsibilities for organizations processing personal information. This set of rules are valid in 28 EU countries and are also applied to organizations processing personal data outside of the EU if EU data subjects are included.
The main principles of GDPR are that they provide guidelines for EU citizens to control their data more efficiently with more personal data protection and rules that are unified across all the European Union.
Personal data is any kind of data that is or can be assigned to a person in any kind of way, such as:
-Identification information: name, surname, address, passport number…
– Web data: IP address, cookies…
– Healthcare documentation
– Biometric data
– Racial and ethnic data
– Religious and personal beliefs
The 6 main data processing principles according to GDPR are:
TRANSPARENCY AND LEGITIMACY- All personal data should be processed in a lawful and fair manner. All information regarding the purpose, methods, and scope of data processing should be easily accessible.
LIMITATION BY PURPOSE- All data should be collected and used solely for the purposes that were previously declared by the company.
DATA MINIMIZATION- Only data needed for processing with previous consent can be collected.
ACCURACY- Only accurate and valid data can be used. Any inaccurate personal information should be deleted or corrected depending on the user’s demand.
LIMITATION OF STORAGE TERM- All personal information should be stored during the period of processing only.
CONFIDENTIALITY- Personal data should be protected by the companies processing users’ data from unauthorized and illegal processing and damage according to GDPR security rules.
Business types that are affected by GDPR
GDPR rules apply to any company that uses and processes the personal information of EU citizens, regardless of the location of the company.
Some of the businesses that need to comply with the GDPR regulations necessarily are listed below:
There are some crucial steps one should undertake to get a business prepared to avoid penalties and violations. Here are some useful tips on how to make your business compliant with the EU data protection directive:
It is desirable to create a scheme indicating the scope of personal information, where it comes from and where it goes, what is done with it, and how it’s used. Full information about the route and destination of personal data should be transparently displayed in a company’s document, including its location, who has access to it, and any personal data storage-related risks.
In compliance with GDPR, only necessary personal information should be kept. Any outdated or incorrect information should be deleted. Prioritize data and handle it properly.
All data should be provided with proper protection in order to prevent possible data breaches. Modern data protection technologies in the company’s infrastructure are highly recommended to keep all data safe. Also, possible measures taken in case of a data breach should be in place. If engaged in outsourcing, comply all security issues with suppliers.
According to the GDPR EU directive, personal data of the customers/users can be processed by the one whom the consent has been given, implied consent is not an option anymore. Company owners are advised to go through their documents, such as agreements and statements, analyze them and adjust accordingly to provide their users with valid security and privacy information.
According to the GDPR, one has the following rights regarding their personal information
PARTIAL RESTRICTIONS- The right to prohibit the direct marketing use of their information if they wish so
THE RIGHT OF BEING INFORMED- In case of a personal data breach, the customer should be notified within 72h
PROCESSING PROHIBITION- If claimed, the customer’s data should not be processed, but should not necessarily be deleted either
CORRECTION OF PERSONAL INFORMATION- In case of inconsistencies or outdated information, the customer has the right to request their correction
DELETION OF INFORMATION- If the customer chooses to dissolve an agreement their data should be immediately deleted
DATA HANDOVER- On customer’s request data should be handed over to a new service provider
DATA ACCESS- Every customer has the right to know how their data is used and should be granted access to that data if requested. All necessary information should be provided
INFORMATION- One should be informed upon data collection and give explicit consent for the company to use the provided information
Regarding the importance of data protection, companies that perform regular wide-scale surveys, process special personal data (medical records, criminal records…) should have a person/people handling the protection of the provided personal information.
CONSEQUENCES OF NON-COMPLIANCE WITH THE GDPR
The fine for GDPR rules violation is up to 4% of annual turnover or 20 million EUR, depending on which amount is higher.
In order to meet GDPR requirements, it is important to create internal company policies of data protection, verify data activity processing, maintain and keep documentation up to date concerning processing procedures, train staff and appoint a manager who will be responsible for personal data collection, processing, and storage safety.
Regardless of the type of business, a company is dealing with, as well as the location of the company, if personal information of EU citizens is used in any matter, GDPR regulations apply and should be complied with.
Additionally, some of the benefits of complying with the GDPR:
Finally, GDPR is a highly important legislative document that increases the level of personal data protection across the EU and beyond. Complying to it leads to a higher level of customer trust and also may open some doors to EU cooperation for non-EU companies. Carefully select, manage and process the provided data, store it properly and look out for leakage!
Coreware can help you with all your GDPR questions and requirements. Feel free to fill out our contact form and reach out!
Need us to sign a non-disclosure agreement first?
Please email us at firstname.lastname@example.org or call us at (+1) 559-362-3813