GDPR consultant: It's Not as Difficult as You Think

8 Basic Rights Enshrined in the GDPR

The GDPR (Regulation (EU) 2016/679) replaced the EU Data Protection Directive of 1995 and has applied since 25 May 2018. It brings the rules on collecting and using personal data into line with how data is handled today. It gives individuals eight basic rights (to be informed, of access, to rectification, to erasure, to restrict processing, to data portability, to object, and rights in relation to automated decision-making and profiling) and places strict requirements on public authorities, companies and any other organisation that handles personal data.

These requirements include a lawful basis for every processing activity (consent being one of them) and clear, transparent information for the people whose data is processed. Non-compliance can attract severe penalties: administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Legal basis of processing

The GDPR requires that organisations have a lawful basis for collecting and using personal data. Article 6 lists six: the consent of the individual, performance of a contract, a legal obligation, protection of someone's vital interests, a task carried out in the public interest, and legitimate interests. Evaluate carefully which basis fits your purpose, and document the decision. If circumstances or the purpose change so that the original basis no longer applies, inform the individuals concerned and record the new basis; do not quietly switch to a different basis (for example from consent to legitimate interests after consent is withdrawn) to rescue processing that is already under way.

Consent is the basis many organisations reach for first, but it is only valid if it is freely given, specific, informed and unambiguous (Article 4(11)). It must also be recorded in a way that lets you demonstrate later who consented, to what, when and how. The mere presence of a checkbox on a website does not by itself constitute valid consent, and a pre-ticked box never does. A clear verbal statement, or a signature on a form, can be valid provided it is recorded. Consent covers only the purposes for which it was given; using it for a different purpose is not permitted.

Personal data may also be processed on the basis of a contract between you and the individual. This covers processing necessary to perform the contract (such as delivering goods) and steps taken at the individual's request before entering into it (such as providing a quote). A further basis is "vital interests": processing necessary to protect someone's life or prevent serious harm, which is intended for genuine emergencies.

Personal data may also be processed on the basis of "legitimate interests", but only after you have assessed that the processing falls within people's reasonable expectations and would not have an undue impact on their privacy. This assessment (commonly called a legitimate interests assessment) must be documented and must weigh your interests against those of the people whose data you are processing; if theirs outweigh yours, the basis is not available. Public authorities cannot rely on it for tasks performed in that capacity.

Transparency

The GDPR treats transparency as a key part of accountability. Organisations must disclose how they handle personal data, whether it was obtained from the individual directly or from a third party. The disclosure must describe what data is processed and for what purposes. The law also requires organisations to keep only the data needed for those purposes and to take appropriate security measures. Personal data breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them (Article 33), and the affected individuals must be informed when the breach is likely to result in a high risk to them (Article 34).

Transparency obligations apply to both data controllers and data processors, and the regulation applies to any organisation established in the EU as well as to organisations outside it that offer goods or services to, or monitor the behaviour of, people in the EU. A controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"; a processor is a body "which processes personal data on behalf of the controller" (Article 4).

Being transparent is not trivial, but the law offers guidance on what to provide. Transparency means making clear to everyone whose data is processed what that processing involves and why. It also means collecting and keeping only the data needed for your stated purposes, and not retaining it for longer than necessary or than the law allows.

Privacy policies must be concise, understandable and written in plain language (Article 12). They should state the identity and contact details of the organisation processing the data, the purposes and lawful basis of the processing, the types of data collected, the recipients or categories of recipients, any transfers outside the EU and the safeguards applied, the retention period, and the rights individuals have over their personal data. The policy should be easy to find and available in one place rather than scattered across several documents.

Consent

Consent is one of the lawful bases organisations rely on to process personal data under the GDPR, and getting it wrong can lead to significant penalties and reputational damage. The UK Information Commissioner's Office illustrated the penalty regime when it announced intended fines against British Airways (£183 million, about $230 million) and Marriott (£99 million, about $125 million) over security failings that led to data breaches; the final penalties were later reduced to £20 million and £18.4 million respectively.

The GDPR requires that consent be informed and specific. The request must be clear, easy to understand, and cover the whole scope of the processing you intend to carry out. It must also be presented separately from other terms and conditions (Article 7(2)), so that people understand what they are agreeing to, and withdrawing consent must be as easy as giving it (Article 7(3)).

Consent requirements are stricter under the GDPR than under the 1995 Data Protection Directive. Organisations cannot rely on browsewrap terms or pre-checked boxes to opt people in to marketing messages. They must obtain a clear affirmative action, such as ticking an unticked box or clicking a clearly labelled button; merely entering an email address to use a service does not by itself signal consent to marketing. Marketing and sales teams need to review their procedures, forms and applications accordingly.

Consent that is clearly stated, specific and unambiguous is acceptable. Pre-ticked boxes, silence and inactivity are not consent under the GDPR. Consent must also be freely given: it cannot be made a condition of a service that does not need the data, and offering a reward for agreeing to a privacy policy (for instance a cash-back voucher for joining a loyalty scheme) does not in itself create a lawful basis for processing; if the reward makes refusal unrealistic, the consent is not freely given.

The GDPR defines personal data as any information relating to an identified or identifiable natural person (Article 4(1)), whether publicly available or private. Businesses typically collect customer data to understand their customers' needs and improve their products and services, while public authorities collect certain data about people to protect the public interest.

Privacy by design

Privacy by design is one of the guiding principles of the GDPR: Article 25 requires organisations to build data protection into their collection and processing systems and procedures from the outset rather than bolting it on afterwards. This is a significant shift in mindset and culture within an organisation, but building privacy into your processes saves time and money in the long run, reduces the likelihood of data breaches and increases your customers' confidence.

Two provisions in the GDPR underpin privacy by design: the data minimisation principle (Article 5(1)(c)) and data protection by default (Article 25(2)). Together they require organisations to collect and store only the personal data necessary for their stated purposes, to use it only for those purposes, and to apply the most privacy-protective settings by default. Organisations must also give people clear information about how their data will be used and for what purpose, and must let them actively choose whether to take part in any further use of their data.

To comply with the GDPR your organisation needs a complete accountability programme. It should include vetting, monitoring and internal controls for every data partner and processor you work with. Employees must be able to recognise security incidents and escalate them quickly and accurately. Personal data breaches must be reported internally without delay and, where required, to the supervisory authority within 72 hours of becoming aware of them, and to the people affected where the risk to them is high. Doing this well can save you from costly penalties.

Embedding privacy requirements into your software, rather than leaving them in a policy document, is the most effective way to be GDPR compliant and protect your customers' privacy. It saves engineering and legal teams time and effort, and it means you are not constantly scrambling to react to the latest threats to data security. Your team can then concentrate on delivering code and building trust.

Data portability

Data portability is a right guaranteed by the GDPR (Article 20) that lets individuals receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and have it transmitted to another controller. Individuals can thus reuse their personal data across different IT environments, service providers and even business processes. The right is designed to reduce vendor lock-in and make it easier to switch between online services.

The right covers personal data that individuals have provided to the controller, including data the controller has observed through their use of a service (for example location data from wearables, smart meter readings or other connected devices, and activity logs such as website visits and browsing history). It does not cover data the controller has derived or inferred from that information, such as a health assessment or a credit score.

Where technically feasible, a controller must comply with a request to transmit the individual's data directly to another controller. Exercising the right to portability does not prevent the individual from also exercising their other rights, such as erasure, and the data must be provided in a way that does not adversely affect the rights and freedoms of others.

Usually the controller needs to prepare the data before it can be transferred to another system, environment or business process. The data must be in a suitable format, but this need not involve significant cost or technical effort. A structured, commonly used format such as CSV, JSON or XML is sufficient; a PDF export, by contrast, is generally not considered machine-readable enough to satisfy the right, even though it is easy for a person to read.
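The practical work in a portability export is deciding, field by field, what leaves with the person (provided and observed data) and what stays (derived and inferred data), then emitting the result in a structured format. The Python below is an added example for this page, not code from the original article; the field classification, the record layout and the sample values are constructed for illustration and stand in for the output of a real data inventory.

```python
import csv
import io
import json

# Constructed classification for one hypothetical service (an assumption, not
# something the article defines). In a real system this comes from your data map.
PROVIDED = {"email", "display_name", "postal_address"}        # given by the person
OBSERVED = {"login_history", "smart_meter_readings"}          # captured from their activity or devices
DERIVED = {"credit_score", "churn_risk", "health_risk_band"}  # inferred by the controller; out of scope
IDENTIFIER = "subject_id"

# Constructed sample record used by the example and its checks.
SAMPLE_RECORD = {
    "subject_id": "u-1042",
    "email": "alice@example.com",
    "display_name": "Alice",
    "login_history": [{"at": "2024-03-01T08:12:00Z", "ip": "203.0.113.7"}],
    "smart_meter_readings": [{"at": "2024-03-01T00:00:00Z", "kwh": 12.4}],
    "credit_score": 712,
    "churn_risk": 0.31,
}


def portable_subset(record: dict) -> dict:
    """Keep provided and observed fields, drop derived ones, and fail closed on
    anything unclassified so a new column cannot silently leak or go missing."""
    out = {}
    for field, value in record.items():
        if field == IDENTIFIER or field in PROVIDED or field in OBSERVED:
            out[field] = value
        elif field in DERIVED:
            continue  # stays with the controller
        else:
            raise KeyError(f"field {field!r} is not classified as provided, observed or derived")
    return out


def to_json(record: dict) -> str:
    """Structured, machine-readable export; nested lists survive intact."""
    return json.dumps(portable_subset(record), indent=2, sort_keys=True, ensure_ascii=False)


def to_csv(record: dict) -> str:
    """Long-format CSV (one row per top-level field). Nested values are embedded
    as JSON strings so flattening loses nothing; an importer can parse them back."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["field", "value"])
    for field, value in sorted(portable_subset(record).items()):
        cell = value if isinstance(value, (str, int, float)) else json.dumps(value)
        writer.writerow([field, cell])
    return buf.getvalue()


def exported_fields(record: dict) -> set:
    """Names of the fields that would leave in an export, for review before sending."""
    return set(portable_subset(record))


if __name__ == "__main__":
    print(to_json(SAMPLE_RECORD))
    print(to_csv(SAMPLE_RECORD))
```

Before shipping an export like this, review the observed fields for other people's data (for example, a shared account's login history) so the transfer does not trample on their rights, and record the request and the delivered file alongside your other rights-request evidence.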