Introduction to GDPR
GDPR, the General Data Protection Regulation, was adopted by the European Parliament in June 2016 and came into force on 25 May 2018. GDPR applies to everyone involved, directly or indirectly, in processing data about individuals in the EU, regardless of whether the organization itself is located within the EU. The main purpose of the GDPR is to protect EU citizens from privacy leakage and data breaches. GDPR replaces the 1995 Data Protection Directive, which was adopted at a time when the internet was in an early stage of development. Let's have a look at the GDPR requirements.
GDPR Requirements
1. Consent
Under the GDPR, the conditions for consent have been strengthened. Companies will no longer be able to bury consent in terms and conditions full of legalese: consent must be requested in an easily accessible form that states the purpose for which the data will be processed. The request must be easy to understand, written in plain language, and clearly distinguishable from other matters. Companies cannot use personal data without the user's consent, and withdrawing consent must be as easy as giving it.
2. Breach Notification
Under the GDPR, notification of a data breach is mandatory. Any data breach must be notified to the affected individuals and to the data protection authority within 72 hours of first becoming aware of it.
3. Right to Access
Data subjects have the right to know whether their personal data is being processed by the data controller, and if so, where, how, and for what purpose. The data controller must provide an electronic copy of the personal data to the data subject free of charge.
4. Right to be Forgotten
The right to be forgotten is also known as the right to "data erasure". Article 17 sets out the conditions for erasure. When the data is no longer relevant to its original purpose, data subjects can ask the data controller to erase their personal data and to stop disseminating (circulating) it.
5. Data Portability
Data portability is the right of a data subject to receive the personal data they have provided in a "machine-readable and commonly used format". It allows individuals to obtain and reuse their personal data for their own purposes by transferring it from one controller to another.
6. Privacy by Design
The newest legal requirement in the GDPR is "Privacy by Design", a concept that has existed as a principle for years. It specifically requires the controller to implement technical and organizational measures that meet the regulation's requirements and protect the rights of data subjects. Article 23 of the GDPR addresses data minimization and limiting access to personal data to what is needed.
7. Data Protection Officers
Qualified officers must be appointed in organizations with more than 250 employees that systematically monitor and process personal data.