The General Data Protection Regulation (GDPR) has set the EU market abuzz recently. It affects every company that welcomes EU visitors, no matter where that company is based. So the IO Technologies team wants to make its specific aspects clear. In fact, the situation is not as catastrophic as it may seem.
Let’s shed some light on this serious question with a short guide to GDPR, beginning with general information about the topic and finishing with the obligatory GDPR principles you must keep in mind.
What is GDPR?
The new data protection act is drawn up by the EU to guarantee people’s data rights and keep their privacy safe. Now, nearly everyone can access your personal info. No one wants their personal information to leak or be known by everyone around. What’s more, privacy is one of the constitutional rights of every EEA resident.
The new European data protection act gives people a greater level of digital rights protection. According to the official website, GDPR’s goal is to increase the value of personal data in the digital economy.
Consequently, it does not mean only problems for business. Taking measures to become GDPR compliant may be a challenge for companies worldwide; however, this process is the next step of the whole digital evolution. Leaving your comfort zone is always followed by significant changes.
We want to remind you what types of personal data the GDPR will protect:
- Identity data (name, IDs, address);
- Web data (IP, cookies, location, RFID tags);
- Biometric data (fingerprints, verification data, etc);
- Health data including genetic information;
- Racial and ethnic data;
- Sexual orientation;
- Political and religious opinions.
Note: if you are already aware of the GDPR basics, you may skip to the end to read a list of possible benefits of being GDPR compliant.
6 Principles of GDPR
The general approach to personal data protection can be summed up by 6 main GDPR principles:
- All personal data must be processed transparently, in adherence to EU legislation. This should be communicated to clients in a simple and understandable way.
- The collection of personal data should be limited to the specific goals of a specific company. Collecting data for statistical or scientific research, or for public interest purposes (when the collected data may positively affect society), is an exception.
- Inaccurate personal data must be corrected or deleted.
- Companies are not allowed to collect more data than they actually need.
- Personal data may be stored only as long as is required for processing for the specific goals it was collected for.
- Companies have to guarantee a high level of data protection to prevent unauthorized processing or data damage.
What are the rights of a data subject?
According to GDPR, companies must remember that their clients have specific rights that must be protected.
They should care about the rights of visitors who provide companies with their personal data. Here is the full list of their rights:
- The right to information. A client has to be clearly informed about what data will be processed.
- The right to subject access. A data subject may request all his/her personal information your company stores.
- The right to rectification. This means that people can correct wrong information about them.
- The right to erasure (or the right to be forgotten). A person can demand the erasure of all the data about them. This claim has to be fulfilled and not ignored under any circumstances. For example, media websites must delete all the information they hold about a specific data subject if they receive such a request.
- Time limits. Data subjects must receive an answer to their requests within a month or even quicker.
- The right to restrict processing. If a data subject doesn’t want to erase the information about them, they may limit the purposes of data processing.
- The obligation to notify relevant third parties. If a data subject wants their data to be erased and that data was provided to third parties, you must ask those third parties to erase it as well. A data subject may also ask what data is stored by third parties.
- The right to data portability. A data subject may request to transfer their personal data from one controller to another. For instance, a client will be able to migrate from one service to another without creating a new account.
- The right to object. If a data subject objects, the data controller must either legally prove that further processing is necessary or halt all related activity.
- The right not to be evaluated on the basis of automated processing.
- The right to bring class actions. Data subjects are allowed to send their complaints to the regulatory authorities or even sue companies.
What Does it Mean for SMEs?
GDPR applies to every company that processes the personal data of EU citizens, regardless of its geographic location. The size of a company doesn’t matter. If you own a small or medium-sized enterprise that processes clients’ data, you should care about compliance with GDPR. Small companies won’t have to hire a Data Protection Officer (DPO); however, the rules are the same for everyone.
Firms will have to protect digital data such as cookies and IP addresses the same way they already protect people’s personal data.
If your company or media resource collects sensitive data, you’ll need to get explicit consent from every client. By ‘sensitive data,’ we mean religious views, sexual orientation, and so on. You can find more details in our checklist for being GDPR compliant.
To receive more information on implementing GDPR, check out our detailed GDPR FAQ.
What are the Main Benefits of the GDPR?
GDPR should increase consumers’ confidence and help to grow business.
Just imagine what people will think when they see the line on your website saying that their personal data is protected by the GDPR. Trust comes with guarantees, and it is one of the main things that helps to build healthy B2C relationships.
Hopefully, you will be ready for May 25, 2018, the day when GDPR comes into effect.