The General Data Protection Regulation (GDPR) is one of the strictest privacy and security laws in the world. Its goal is to protect personal data, meaning any information that relates to an identified or identifiable natural person. The regulation has applied since May 25, 2018. GDPR provides for heavy fines against organizations that violate its privacy and security requirements: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Here are 10 short takeaways from the law as it stands in 2020:
The Right to be Forgotten. GDPR gives individuals the right to ask organizations to delete their personal data "without undue delay". In practice this means responding within one month of receiving the request, extendable by a further two months for complex or numerous requests, provided the individual is told about the extension. The right is not absolute: data may be retained where another legal obligation or an overriding legal basis applies. You must also take reasonable steps to verify that the person requesting erasure is actually the data subject before deleting anything, since an unverified erasure request is itself a way to damage someone's data.
Transparency and Communication: You must tell users how you are going to process their data in a concise, transparent and easy-to-understand way, using clear and plain language. The information must cover what data is collected, why, on what legal basis, for how long it is kept, and with whom it is shared, so that people can understand how their data is collected and used.
Right to Object: Data subjects have the right to object to you processing their data. For processing based on legitimate interests or a public task you must stop unless you can show compelling legitimate grounds that override the individual's interests; for direct marketing the objection is absolute and processing must stop.
Data protection. The protection and processing of personal data must adhere to the data protection principles, and the controller must implement security appropriate to the risk. Technical measures include encryption, pseudonymization, access control and the ability to restore data after an incident; organizational measures include limiting the amount of personal data you collect, deleting data you no longer need, and defining who may access what.
The right to a Private life. The right to one's private life is laid down in the European Convention on Human Rights (ECHR). Article 8 provides for a right to respect for one's private and family life, one's home and one's correspondence. Typical personal data are a person's personal identity number, name and address.
The Data Controller. Data controllers determine the purposes and means of the processing of personal data. Controllers make decisions about processing activities. Based on the privacy risks that exist in connection with the processing, the controller has a general responsibility to take appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the General Data Protection Regulation.
The Data Processor. A data processor is an entity that processes personal data on behalf of a data controller, for example by storing and retrieving data, running the payroll, carrying out marketing activities, or providing security services for the data. A processor is always a separate legal entity from the controller; the controller's own employees acting under its authority are not processors. Processing by a processor must be governed by a written contract, and the processor may not engage another processor (a sub-processor) without first obtaining the controller's written authorization.
Data Protection Audits. To be compliant with the GDPR you need to know your data. This usually means mapping all of your personal data and using that map to gain visibility over your information flows: what is collected, where it is stored, who can access it, and where it is sent. Under the accountability principle, a company must be able to demonstrate that it follows the GDPR's data protection principles: lawfulness, fairness and transparency; purpose limitation (data is used only for the specific purposes it was collected for); data minimization; accuracy; storage limitation (data is not kept longer than needed); and integrity and confidentiality.
1st, 2nd and 3rd party data. In marketing terminology, a 1st party collected the data from the user directly; a 2nd party has bought a list of emails (for example) or a list of customers from a 1st party collector; and a 3rd party has bought it from the 2nd party. GDPR does not use these terms. Each party that decides for itself what to do with the acquired data is a controller in its own right, needs its own lawful basis for the processing, and must inform the data subjects that it holds their data and where it came from. Buying a list does not transfer the seller's consent or legal basis to the buyer.
The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY; known as Datainspektionen until 2021). This is the data protection authority (DPA) responsible for enforcing GDPR in Sweden. Its task is to protect the individual's privacy in the information society without unnecessarily preventing or complicating the use of new technology.