Pages

Friday, December 31, 2021

GDPR

GDPR stands for the General Data Protection Regulation.

It is a law designed to protect the privacy of the people that it covers.

GDPR calls a covered individual a data subject.

The European Union (EU) intends for the GDPR regulation to unify data protection across all member countries.

Note: EU countries cannot take away protections defined in the GDPR. But, they can add safeguards to the law for their own citizens.

The European Commission is working to bring other European laws that relate to data privacy into alignment with the GDPR.

This process will likely continue for some time. Don’t be surprised if the rules that govern your work continue to evolve.

The GDPR grants several new rights for the individuals it covers. These rights give data subjects:

Control over when, how, and why companies can collect and use a subject's personal data

Access to the personal data that companies and organizations collect from him or her.

The GDPR says a company is responsible for the personal data that it uses.

The law covers how companies collect, process, store, and share personal data.

Consequences

The GDPR carries serious penalties for any business that does not follow the law.

Consequences include:

Large fines and penalties

Loss of reputation and trust

Personal Data Can Be Anywhere

Use these examples to think about where a person's data might be stored in your organization.

Sales

Sales organizations might handle personal data from customers, potential customers, competitors, and fellow employees.

Data can be:

Collected from sources including other departments, social networks, and customer referrals

Processed as potential customers move through lead qualification and sales contracts

Stored in sales databases, either on premise or in a third-party cloud

Shared with other departments or third-party services that provide marketing, customer service, or even contract support

HR

HR has data for many types of people. These people can include employees, applicants, contractors, and sometimes vendors.

Here are a few examples of how personal data can be acquired and used in HR:

Collected through applications and resumes

Processed in background checks, benefits, and hiring

Stored in an internal or external HRIS (Human Resources Information System)

Shared with other departments, hiring managers, and possibly third parties that may handle things like payroll

Data about customers can be collected, processed, shared, and stored in a customer service department.

For example:

Collected through customer calls, emails, or chats

Processed when submitting requests

Stored in internal or external databases

Shared with other departments during problem solving or for analysis

Marketing can handle personal data from a variety of sources.

Here are a few examples of how a marketing department might handle personal data:

Collected through website visits, requests for information, social media, and lead lists

Processed when profiling and qualifying potential customers to send to sales

Stored in internal or external databases

Shared with other departments or external organizations when analyzing market trends

Who Is Affected?

Although the GDPR is an EU regulation, the impact will reach beyond the EU’s physical territory.

Assume coverage

If personal data comes from anyone who is in the EU, assume that data is covered by GDPR.

If you monitor, collect, process, or share personal data from a data subject in the EU, assume you will need to comply with GDPR.

What About Public Entities?

Public entities

Public entities, such as government agencies, need to follow the GDPR.

However, the GDPR provides special guidelines for some public entities or activities at a public entity.

Examples of specific guidelines include:

The criminal justice system

Matters of national security

An EU member state carrying out activities related to EU security or policy

Privacy by Design

GDPR defines personal data as any piece of information that might identify a specific individual.

The definition for personal data is very broad.

Rights granded by GDPR are - Transparency and consent, Data Access and Portability, Protection and notification. 

It covers information that includes:

  • Name
  • Address
  • Medical history
  • Financial information

Online identity

Unlike previous laws, GDPR covers types of data created from a person's online activity.

For example:

Tracking cookies

IP addresses

Social media posts

Differences in personal data

Some pieces of data identify an individual directly. This type of data typically needs a very high level of protection.

Some pieces of data can't identify an individual on their own. Data of this type would need to be combined with other data to identify an individual.

Direct and Indirect Identification

Personal data can identify a person in one of two ways.

Browse each card and read its contents to move on

The identity puzzle

Think about a jigsaw puzzle. It is hard to see the picture when only looking at a single puzzle piece. But once you combine the pieces, you can identify the picture.

The same is true with personal data that can indirectly identify a person.

A single puzzle piece

This piece of data will not identify an individual on its own.

For example, think about a job title: Procurement Manager.

Putting the pieces together

When combined with other pieces of personal data like a name and company, criminals will have all the context and clues they need to identify someone.

Example:

Job Title: Procurement Manager

Name: John Smith

+ Company: XYZ corporation

a unique John Smith

Sensitive Personal Data

Extra protection needed

GDPR also created a sub-category of personal data called sensitive data.

Sensitive data requires extra protection. If misused, it can lead to prejudice, violence, or other extreme outcomes.

Examples of sensitive data include:

  • Trade union membership status
  • Political party membership
  • Philosophical or religious views
  • Race
  • Sexual orientation

Anonymous Data

What if I work with anonymous data?

The GDPR is concerned with data that can be used to identify an individual.

So, anonymous data is not subject to the regulation. Data is considered anonymous if there is no way to identify a specific individual from it.

For example, a research project may receive a large file filled with anonymous personal data to analyze for statistical purposes. The data would not be subject to GDPR.

Rights Granted by GDPR

GDPR gives new or strengthened rights to covered individuals.

These rights fall into three broad categories:

What an individual knows about how and when their personal data is being collected, used, or shared

How an individual can access and manage the personal data a company keeps about him or her

How a company must communicate about data protection and data breaches

Right to be informed

Individuals have the right to know if, how, and when a company uses their personal data.

Companies are responsible for providing information about the processing of personal data.

Communication from companies must be:

Clear, concise, and easy-to-access

Written in plain, easy to understand language

Free, at no cost to the individual

Explicit consent

When a business interacts with a consumer, the consumer must freely give consent before a company can use their personal information.

There should be no question about whether the individual has provided consent or refused to provide consent.

For example:

Think about a user who visits a website. The user needs to actively opt-in to data collection before a company can begin collecting data from him or her.

Also, if an individual denies consent, a company must still provide access to their website without tracking the user's data.

Right to withdraw consent

It should be as easy for a covered individual to withdraw consent as it is for him or her to give it.

Keep in mind: In some cases, there is a legitimate reason to keep collecting data or storing data in a database.

The archives of a newspaper are a good example. A government collecting relevant data for tax purposes is another.

Data requests

Covered individuals can request to see the personal data a company has about him or her.

They can also request that a company fix any errors in that personal data.

Companies are expected to reply to these requests in a timely manner.

Data portability

What does data portability mean? Let's look at one potential example:

Hal consented to have personal data collected by perchaseonline.com.

This personal data included things like shopping lists, shipping addresses, billing addresses, and contact information.

Hal can request a portable copy of that data so that he can use it to do business with another shopping site.

Data storage and security

GDPR may require companies who collect a lot of personal data to document the steps they take to ensure data security.

This can include:

A privacy risk assessment

A data back-up and disaster recovery plan

A report to the regulators on data security methods

Data breach notification

Covered individuals might also have the right to be notified of a data breach that involves their personal data.

Companies might also need to give notice of the breach within 72 hours of the breach’s discovery.

The notification must also be in an easy-to-understand format.

Building a Foundation for Compliance

Compliance Basics

Start with the fundamentals

GDPR interpretation will continue to evolve.

But there are fundamental things that you can do to promote compliance in your company.

Minimize risk

Only collect, use, and keep data you really need.

Whenever possible, use data that is anonymous and in aggregate.

Follow all company guidelines when handling personal data.

Justification

Be able to provide justification for why you do what you do with personal data.

If your company obtains consent to handle personal data, make sure that consent is:

Clear and easy to understand

Documented

Know your data

Knowing where your data is and how to access it is critical under GDPR.

You will need to know these things for:

  • Reporting to regulators
  • Communicating to covered individuals
  • Responding to requests for information, correction, or erasure from covered individuals

Work as a team

Listen to those who lead GDPR compliance efforts in your company.

Immediately communicate potential breaches to the proper authorities in your organization.

Offer assistance, as needed, to fulfil a covered individual's requests involving their personal data.

If you manage a team, make sure everyone understands how to comply with company policies.



No comments:

Post a Comment

Appreciate and enjoy your comments! Always wonderful to get feedback! The interaction with you is the most rewarding thing! Please do write your name too..

Thank you!

Happiness Always!