General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR), which came into effect in May 2018, has given European citizens the power to control their personal information that companies store and process, without compromise.
Definition
The GDPR applies to organizations based in the European Union (EU) as well as those located outside the EU but selling goods/services to the EU or processing and/or holding personal information of EU citizens. It is a step forward for individuals towards greater transparency and better control of their personal data, and for businesses towards greater accountability.
The GDPR law applies to “personal data,” which refers to any information that can be used directly or indirectly to identify the identity of a person. This can include a name, photograph, IP address, phone number, computer login identifier, postal address, fingerprint, voice recording, social security number, email, etc.
Certain data is considered sensitive as they involve information that can lead to discrimination or prejudice:
Political opinions, religious beliefs, trade union membership, ethnic origin, sexual orientation, medical condition, or philosophical ideas are sensitive data. They have a specific framework that prohibits prior collection without clear and explicit written consent, for specific cases validated by the CNIL (French Data Protection Authority) and with proven public interest.
How to comply with the General Data Protection Regulation (GDPR)?
To ensure that your company is GDPR compliant, there are 5 major rules to follow:
- Real data protection, Privacy by design principle
- Consumer consent
- True right to be forgotten or “right to erasure”
- User access to their data
- Data Protection Officer (DPO)
In other words:
- Implement privacy by design principle from the inception of your service.
- Ensure that customers can easily update their information.
- Establish procedures for data portability and management.
- Delete data that is no longer necessary from customers who have stopped using your services.
- Ensure sufficient awareness about GDPR is created in your company, especially among key decision-making personnel.
- Include in your privacy policy:
- A legal basis explaining why your company needs to process personal information.
- A list of the personal data you store.
- An overview of the data-related processes accessible to the public.
- A list of subcontractors to whom you transmit all or part of your customers’ personal data.
- Ensure that your technical security meets international compliance standards.
- Maintain documentation on all personal data to which you have access, including its source and use.
- …