What Does GDPR Mean?
The EU General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. Approved in April 2016, the GDPR will be enforced starting May 25, 2018.
GDPR also addresses the export of personal data outside the EU. It is primarily intended to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Companies and organizations that fail to comply with the new EU GDPR rules by the enforcement date may face heavy fines.
Under the European regulations, personal data refers to any data relating to an identified or identifiable natural person. This can be almost anything: a single piece of data, or a number of data points combined to create a record about a person. In the EU, personal data includes a sub-category, sensitive personal data, which covers:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Health data.
- Sex life or sexual orientation, etc.
Sensitive personal data must be protected more strongly than regular personal data, because leakage of sensitive personal data has far greater consequences for the person concerned.
What does that mean for you?
Below are the 3 major areas where key changes to the GDPR have been
- Increased Territorial Scope (extra-territorial applicability)
As we begin working towards GDPR compliance, we are developing our foundational document, the Privacy Impact Assessment (PIA). This is a written document that must be made accessible to everyone involved in the project. It specifies the privacy risks inherent in the data that each website we develop will hold.
Together, these assessments record the regulations, terms, and requirements that apply in the event of a privacy concern.
The PIA should make it clear:
- What kind of personal data is processed and retained, and how?
- Where and how is the data stored?
- For how long is the personal data stored?
- Is the data collection and processing specified, explicit, and legitimate?
- What is the basis of the consent for the data processing?
- If not based on consent, what is the legal basis for the data processing?
- Is the data minimized to what is explicitly required?
- Is the data accurate and kept up to date?
- How are users informed about the data processing?
- What controls do users have over data collection and retention?
- Is the data:
  - encrypted?
  - anonymized or pseudonymized?
  - backed up?
- What are the technical and security measures at the host location?
- Who has access to the data?
- What data protection training have those individuals received?
- What security measures do those individuals work with?
- What data breach notification and alert procedures are in place?
- What procedures are in place for government requests?
- How does the data subject exercise their:
  - access rights?
  - right to data portability?
  - rights to erasure and the right to be forgotten?
  - right to restrict and object?
- Are the obligations of all data processors, including subcontractors, covered by a contract?
- If the data is transferred outside the European Union, what are the protective measures and safeguards?
- What are the risks to the data subjects if the data is:
  - misused, accessed without authorization, or breached?
  - modified?
  - lost?
- What are the main sources of risk?
- What steps have been taken to mitigate those risks?
Working towards GDPR compliance is not only about code and design. It also requires that everyone involved in a given project is aware of the legal background of their role and knows the applicable regional, local, and national privacy laws.
Current Clients and Compliance
- Unbundled Consent
- Active Opt-In
- Just in time Notifications
Our goal is to be more transparent with our clients. Both retroactively and going forward, we will build privacy by design and privacy testing into our digital projects.