GDPR stands for the General Data Protection Regulation.
It is a law designed to protect the privacy of the people that it covers.
GDPR calls a covered individual a data subject.
The European Union (EU) intends the GDPR to unify data protection law across all member states.
Note: EU member states cannot remove protections defined in the GDPR, but they can add safeguards of their own on top of it.
The European Commission is working to bring other European laws that relate to data privacy into alignment with the GDPR.
This process will likely continue for some time. Don’t be surprised if the rules that govern your work continue to evolve.
The GDPR grants several new rights for the individuals it covers. These rights give data subjects:
Control over when, how, and why companies can collect and use their personal data
Access to the personal data that companies and organizations collect about them
The GDPR says a company is responsible for the personal data that it uses.
The law covers how companies collect, process, store, and share personal data.
Consequences
The GDPR carries serious penalties for any business that does not follow the law.
Consequences include:
Large fines and penalties
Loss of reputation and trust
Personal Data Can Be Anywhere
Use these examples to think about where a person's data might be stored in your organization.
Sales
Sales organizations might handle personal data from customers, potential customers, competitors, and fellow employees.
Data can be:
Collected from sources including other departments, social networks, and customer referrals
Processed as potential customers move through lead qualification and sales contracts
Stored in sales databases, either on premises or in a third-party cloud
Shared with other departments or third-party services that provide marketing, customer service, or even contract support
HR
HR has data for many types of people. These people can include employees, applicants, contractors, and sometimes vendors.
Here are a few examples of how personal data can be acquired and used in HR:
Collected through applications and resumes
Processed in background checks, benefits, and hiring
Stored in an internal or external HRIS (Human Resources Information System)
Shared with other departments, hiring managers, and possibly third parties that may handle things like payroll
Customer Service
Data about customers can be collected, processed, shared, and stored in a customer service department.
For example:
Collected through customer calls, emails, or chats
Processed when submitting requests
Stored in internal or external databases
Shared with other departments during problem solving or for analysis
Marketing
Marketing can handle personal data from a variety of sources.
Here are a few examples of how a marketing department might handle personal data:
Collected through website visits, requests for information, social media, and lead lists
Processed when profiling and qualifying potential customers to send to sales
Stored in internal or external databases
Shared with other departments or external organizations when analyzing market trends
Who Is Affected?
Although the GDPR is an EU regulation, the impact will reach beyond the EU’s physical territory.
Assume coverage
If personal data comes from anyone who is in the EU, assume that data is covered by GDPR.
If you monitor, collect, process, or share personal data from a data subject in the EU, assume you will need to comply with GDPR.
What About Public Entities?
Public entities
Public entities, such as government agencies, must follow the GDPR.
However, the GDPR excludes, or treats differently, some activities carried out by public entities.
Examples include:
Processing by police and criminal justice authorities for law enforcement purposes, which is covered by a separate EU directive
Matters of national security
Activities of a member state that fall outside the scope of EU law, such as the common foreign and security policy
Privacy by Design
GDPR defines personal data as any information relating to an identified or identifiable natural person.
The definition of personal data is very broad.
The rights GDPR grants to data subjects fall into three groups, covered later on this page: transparency and consent, data access and portability, and protection and notification.
Personal data includes information such as:
- Name
- Address
- Medical history
- Financial information
Online identity
GDPR explicitly covers identifiers generated by a person's online activity.
For example:
Tracking cookies
IP addresses
Social media posts
Differences in personal data
Some pieces of data identify an individual directly. This type of data typically needs a very high level of protection.
Some pieces of data can't identify an individual on their own. Data of this type would need to be combined with other data to identify an individual.
Direct and Indirect Identification
Personal data can identify a person in one of two ways.
The identity puzzle
Think about a jigsaw puzzle. It is hard to see the picture when only looking at a single puzzle piece. But once you combine the pieces, you can identify the picture.
The same is true with personal data that can indirectly identify a person.
A single puzzle piece
This piece of data will not identify an individual on its own.
For example, think about a job title: Procurement Manager.
Putting the pieces together
Combined with other pieces of personal data, such as a name and a company, it gives anyone who holds the pieces (a criminal, but also a curious colleague or a data broker) enough context to single out one person.
Example:
Job title: Procurement Manager
+ Name: John Smith
+ Company: XYZ corporation
= a unique John Smith
Sensitive Personal Data
Extra protection needed
GDPR also defines a sub-category of personal data, the "special categories" of personal data, commonly called sensitive data.
Sensitive data requires extra protection. If misused, it can lead to discrimination, violence, or other extreme outcomes.
Examples of sensitive data include:
- Trade union membership status
- Political opinions or party membership
- Philosophical or religious beliefs
- Racial or ethnic origin
- Sexual orientation
- Health, genetic, and biometric data
Anonymous Data
What if I work with anonymous data?
The GDPR is concerned with data that can be used to identify an individual.
So, truly anonymous data is not subject to the regulation. Data is anonymous only if an individual cannot be identified from it, even when it is combined with other data a recipient could reasonably obtain. Merely removing names does not make data anonymous: data that can still be linked back to a person (for example, through a key or through a combination of remaining fields) is pseudonymous and remains personal data.
For example, a research project may receive a large file of anonymised data to analyze for statistical purposes. As long as no individual can be re-identified from it, the data is not subject to GDPR.
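The identity puzzle above and the note on anonymous data describe the same mechanism from two sides: fields that are harmless on their own become identifying in combination, and data is only anonymous if that combination cannot be made. The following added example (not code from the original page) shows a linkage attack over a constructed, fictional "de-identified" HR extract and a constructed set of public profiles, and a k-anonymity check that flags the records that can be singled out. The field names, the datasets, and the suppression step are assumptions made for illustration.

```python
"""Re-identification by linking quasi-identifiers.

Added example for this page, not code from the original. Both datasets are
constructed and fictional; the field names and the suppression step are
assumptions chosen for illustration.
"""
from collections import Counter

# Constructed "de-identified" HR extract: name and e-mail removed, but the
# job title, company and postcode district kept, alongside a sensitive field.
DEIDENTIFIED_RECORDS = [
    {"job_title": "Procurement Manager", "company": "XYZ corporation",
     "postcode_district": "SW1", "salary_band": "C"},
    {"job_title": "Software Engineer", "company": "XYZ corporation",
     "postcode_district": "SW1", "salary_band": "B"},
    {"job_title": "Software Engineer", "company": "XYZ corporation",
     "postcode_district": "SW1", "salary_band": "B"},
    {"job_title": "Software Engineer", "company": "XYZ corporation",
     "postcode_district": "E2", "salary_band": "A"},
]

# Constructed public profiles (the kind of data a professional networking
# site exposes to anyone).
PUBLIC_PROFILES = [
    {"name": "John Smith", "job_title": "Procurement Manager",
     "company": "XYZ corporation", "postcode_district": "SW1"},
    {"name": "Jane Doe", "job_title": "Software Engineer",
     "company": "XYZ corporation", "postcode_district": "SW1"},
    {"name": "Ann Lee", "job_title": "Software Engineer",
     "company": "XYZ corporation", "postcode_district": "SW1"},
]

# Fields that identify nobody on their own but do so in combination.
QUASI_IDENTIFIERS = ("job_title", "company", "postcode_district")


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The combination of quasi-identifier values for one record."""
    return tuple(record[f] for f in fields)


def equivalence_classes(records, fields=QUASI_IDENTIFIERS):
    """How many records share each quasi-identifier combination."""
    return Counter(qi_key(r, fields) for r in records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class. k == 1 means at least one
    record is unique on its quasi-identifiers and can be singled out."""
    classes = equivalence_classes(records, fields)
    return min(classes.values()) if classes else 0


def link_records(deidentified, public, fields=QUASI_IDENTIFIERS):
    """Linkage attack: every de-identified record whose quasi-identifier
    combination is unique in both datasets is joined to the public name,
    exposing the sensitive attribute of a named person."""
    deid_classes = equivalence_classes(deidentified, fields)
    public_by_key = {}
    for profile in public:
        public_by_key.setdefault(qi_key(profile, fields), []).append(profile)
    hits = []
    for record in deidentified:
        key = qi_key(record, fields)
        candidates = public_by_key.get(key, [])
        if deid_classes[key] == 1 and len(candidates) == 1:
            hits.append({"name": candidates[0]["name"],
                         "salary_band": record["salary_band"]})
    return hits


def suppress(records, fields):
    """Replace the named quasi-identifier values with '*' so that records
    fall into larger equivalence classes (a crude form of generalisation)."""
    return [{**r, **{f: "*" for f in fields}} for r in records]


if __name__ == "__main__":
    print("k before suppression:", k_anonymity(DEIDENTIFIED_RECORDS))
    print("re-identified:", link_records(DEIDENTIFIED_RECORDS, PUBLIC_PROFILES))
    safer = suppress(DEIDENTIFIED_RECORDS, ("job_title", "postcode_district"))
    print("k after suppression:", k_anonymity(safer))
    print("re-identified:", link_records(safer, PUBLIC_PROFILES))
```

A result of k == 1 means at least one quasi-identifier combination occurs exactly once, so the record it belongs to is one public profile away from a name, which is exactly what happens to the Procurement Manager here. Suppressing job title and postcode pushes every record into a single class of four and defeats the linkage, at the cost of most of the extract's usefulness; that trade-off is the real work behind calling a dataset anonymous.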
Rights Granted by GDPR
GDPR gives new or strengthened rights to covered individuals.
These rights fall into three broad categories:
What an individual knows about how and when their personal data is being collected, used, or shared
How an individual can access and manage the personal data a company keeps about them
How a company must communicate about data protection and data breaches
Right to be informed
Individuals have the right to know if, how, and when a company uses their personal data.
Companies are responsible for providing information about the processing of personal data.
Communication from companies must be:
Clear, concise, and easy-to-access
Written in plain, easy to understand language
Free, at no cost to the individual
Explicit consent
Where a company relies on consent as its basis for using a consumer's personal data, the consumer must freely give that consent before the data is used. (Consent is one of several lawful bases GDPR recognises; performing a contract with the individual or meeting a legal obligation are others.)
There should be no question about whether the individual has provided consent or refused it: it must be a clear, affirmative action, and a pre-ticked box or silence does not count.
For example:
Think about a user who visits a website. The user needs to actively opt in to data collection before a company can begin collecting data from them.
Also, if an individual denies consent, a company must still provide access to its website without tracking the user's data.
Right to withdraw consent
It should be as easy for a covered individual to withdraw consent as it is for him or her to give it.
Keep in mind: In some cases, there is a legitimate reason to keep collecting data or storing data in a database.
The archives of a newspaper are a good example. A government collecting relevant data for tax purposes is another.
Data requests
Covered individuals can request to see the personal data a company has about them.
They can also request that a company fix any errors in that personal data.
Companies must reply without undue delay, and in any case within one month of the request; that period can be extended for complex or numerous requests, but the individual must be told about the extension.
Data portability
What does data portability mean? Let's look at one potential example:
Hal consented to have personal data collected by perchaseonline.com.
This personal data included things like shopping lists, shipping addresses, billing addresses, and contact information.
Hal can request a copy of that data in a structured, commonly used, machine-readable format so that he can use it to do business with another shopping site.
Data storage and security
GDPR may require companies that process personal data at scale or in risky ways to document the steps they take to ensure data security.
This can include:
A data protection impact assessment (privacy risk assessment) for high-risk processing
A data backup and disaster recovery plan
Records of processing activities and security measures that can be shown to regulators on request
Data breach notification
Companies must notify the supervisory authority within 72 hours of becoming aware of a breach involving personal data, unless the breach is unlikely to result in a risk to individuals.
Where the breach is likely to result in a high risk to the individuals concerned, they must also be told, without undue delay.
The notification must be in an easy-to-understand format, describing the nature of the breach, its likely consequences, and the measures taken in response.
Building a Foundation for Compliance
Compliance Basics
Start with the fundamentals
GDPR interpretation will continue to evolve.
But there are fundamental things that you can do to promote compliance in your company.
Minimize risk
Only collect, use, and keep data you really need.
Whenever possible, use data that is anonymous and in aggregate.
Follow all company guidelines when handling personal data.
Justification
Be able to provide justification for why you do what you do with personal data.
If your company obtains consent to handle personal data, make sure that consent is:
Clear and easy to understand
Documented
Know your data
Knowing where your data is and how to access it is critical under GDPR.
You will need to know these things for:
- Reporting to regulators
- Communicating to covered individuals
- Responding to requests for information, correction, or erasure from covered individuals
Work as a team
Listen to those who lead GDPR compliance efforts in your company.
Immediately communicate potential breaches to the proper authorities in your organization.
Offer assistance, as needed, to fulfil a covered individual's requests involving their personal data.
If you manage a team, make sure everyone understands how to comply with company policies.