Submitted by saurav on April 11, 2022


What is GDPR?

The General Data Protection Regulation (GDPR) is an EU data privacy and protection regulation that came into force on 25th May 2018. The regulation gives EU citizens more control over their personal data and imposes responsibilities on businesses that handle the data of these EU citizens.

Whom does it apply to?

GDPR applies to all businesses established in the EU, and to businesses operating outside the EU that provide products or services to EU customers or businesses.

Basic terms in GDPR

  • Personal Data - Any information that can be used to identify a person, such as a name, an identification number, location data, or an online identifier, as well as details of the person's physical, physiological, genetic, mental, economic, cultural, or social identity.
  • Data Subject - The identified or identifiable natural person to whom the personal data belongs.
  • Controller - A person or business that determines the purposes and means of the processing of personal data.
  • Processor - A person or business that processes personal data on behalf of the controller.


Data Subject Rights

GDPR Regulations provide data subjects with the following rights:

  • Right to data portability
  • Right of access to information
  • Right of correction (right to rectification)
  • Right to be forgotten
  • Right to restriction of processing
  • Right to be informed
  • Right to object
  • Right not to be subject to decisions based solely on automated processing

GDPR Principles

The GDPR sets out 7 principles in Article 5:

  1. Personal Data must be processed lawfully, fairly, and in a transparent manner.
  2. Personal Data must be collected for specified, explicit, and legitimate purposes.
  3. Personal data must be adequate, relevant, and limited to what is necessary for the purpose for which it is processed.
  4. Personal Data must be accurate and kept up to date. Any inaccuracies must be corrected or erased without delay.
  5. Personal data must be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  7. The controller is responsible for and must demonstrate compliance with GDPR Privacy Principles.


Personal Data Breach Notification

A personal data breach is a security incident affecting personal data that can lead to harm such as identity theft, fraud, and other financial loss. If a customer’s personal data is compromised, processors must report the breach to the controller without undue delay, as required by their contract with the controller. Controllers in turn must report the breach to the relevant supervisory authority within 72 hours of becoming aware of it, so that the harm or effects of the breach are limited.

Organizations must not only ensure that personal data is collected lawfully and under tight restrictions; the individuals who collect and handle it must also safeguard it and prevent any form of misuse, while respecting the rights of the data subjects.


Author:
Anita Jagasia
Senior Manager – Marketing & Operations
RiskPro India
(April 2022)