Fundamentals of GDPR Compliance
In this blog post we will be touching upon the basics of GDPR compliance and the rights of data subjects.

What is GDPR? The General Data Protection Regulation is a primary piece of legislation that protects the personal data of EU citizens. It replaced the Data Protection Directive 95/46/EC in 2018. All companies that were compliant with the earlier legislation were expected to comply with GDPR by May 2018. These regulations apply to all EU citizens, to companies run in any member state of the European Union, to businesses that have clients in the EU, and vice versa. This means that this set of regulations has a global impact. GDPR was introduced in order to create more reliable and consistent data protection laws across the EU. Even though the UK is planning on leaving the EU in the near future, GDPR will still be applicable to the UK; Brexit will not have any impact on this situation. This legislation provides several rights to data subjects, the individuals whose data organisations possess.
A few of the rights of data subjects (individuals) set out in Articles 12 to 23 are:
- The right to access
Data subjects have the right to access the information held by the data controller. The data controller should respond to the individual within 30 days of the request being made.
- The right to be informed
Data subjects must be clearly informed about how their information is being used and processed. They shall be notified about changes made to their information and also about their rights.
- The right to have this information erased
Every data subject has the right to erasure, which lets them stop their data from being processed and used. This is also known as the right to be forgotten.
- The right to make corrections
Data subjects have the right to rectify data that is being stored and processed by data processors if their details change.
- Data Portability
A data subject can request that their file or information be sent to a third party electronically in a machine-readable and commonly used format, as long as it is technologically feasible.
Apart from these basic rights, data subjects also have the right to object to their data being processed, the right to refuse automated decision-making, and so on. GDPR also demands that certain organisations appoint a Data Protection Officer (DPO) to supervise and manage data processing and ensure that they are compliant with GDPR. Most companies appoint a privacy professional or expert as their DPO for this purpose.
Some of the requisites for GDPR compliance include the following:
- Obtaining consent for processing data.
- Giving data breach notifications.
- Keeping the procured data private and anonymous.
- Processing data safely while transferring it to different channels or jurisdictions.
- Keeping a record of the steps taken to process data, for accountability.
Data is definitely one of the most important assets in today's day and age and must be protected at all costs in order to run a smooth and successful business with happy consumers. Non-compliance with GDPR not only creates a bad reputation for your business, but also exposes it to two levels of penalties. The first level is €10 million or 2% of your company's annual turnover, whichever is the higher amount, and the second level is 4% of the annual turnover or €20 million. Complying with these regulations will only help you gain more satisfied customers in the future. We will be discussing these rights and duties in detail in our future posts.
Feel free to reach out to us at anjali@complystreet.com if you have any questions.