Data Protection Law Deconstructed: A Complete GDPR Summary
GDPR is not old wine in a new bottle. It is a revolutionary new law that requires organisations to do more than tick and untick some boxes. It needs them to make enterprise-wide changes and ultimately transform their business operations. Also, the cost of negligence can be very high, so organisations need to make sure that they are on the right side of GDPR. Here is a quick GDPR audit summary to understand the workings of this new regulation and discover whether your organisation is GDPR compliant or not.
The Need of the Hour
Data protection is a critical concern for everyone from governments to corporations to individuals today. And rightly so. As the use and misuse of data become more prevalent, the gaping holes in the existing data protection laws have come to the fore. Governments across the world are going back to the drawing board to make amends and create laws that address modern data privacy concerns rather than those of a decade ago. The European Union’s General Data Protection Regulation (GDPR) is a milestone in that direction. It replaces previous data protection laws in the EU states, such as the UK’s 20-year-old Data Protection Act (DPA).
GDPR 2018 is a unified data protection law for all the people living within the European Union, which also extends oversight to data that is exported outside the EU. This GDPR summary will cover the fundamentals and then build upwards.
Which Data Is Covered Under GDPR?
Under GDPR, any data that explicitly identifies a natural person is classified as personal data. It doesn’t matter whether that data is collected directly or indirectly; it can be in any format and processed in any way.
What does that mean?
Companies should be ready for more stringent controls over personal data. Personal data includes the name, address, email address, photograph, IP address, GPS data, cookies, and analytics data. Beyond that, there are special categories of data such as race, religion, political views, membership of labour unions, sexual orientation, and health information. In light of modern developments, biometric data and genetic data have now been added to the special categories of personal data.
Consumers Get a Lot of Power
Consumer data protection is the primary goal of GDPR, and under this law the consumer becomes significantly more empowered. GDPR eliminates a large number of loopholes in the previous set of rules. Consequently, organisations find it much more difficult to obtain and process data without the consumer’s knowledge. This GDPR summary covers what rights consumers have under GDPR.
Stricter Rules for Consent
The rules for consent have become stricter. Organisations need to be more careful when crafting their consent forms. For GDPR compliance, they need to show evidence of consent to collect and use the personal data of any individual. This quick GDPR summary covers what kind of consent forms are acceptable.
✓ Clarity of Purpose
GDPR is very particular about the type of consent that organisations ask their employees, customers, and other partners to give. It demands that consent forms be written in plain language that makes sense to the individuals signing them. The signatory should be informed about the extent of the consent they are granting. There should be no ambiguity. The purpose of the data collection and processing should be explicitly stated, and the consent should be freely given.
✓ Active Consent
Up until now, the silence of the individual was treated as consent. Not anymore. Under GDPR, pre-ticked boxes, the inability to say no, or any other form of inactivity does not qualify as consent. The data subject has to give active consent before an organisation can use and process the information they provide.
Also, children under the age of 13 years do not have the power to give their consent. Their consent is valid only if parental consent accompanies it.
✓ Power to Withdraw
GDPR gives data subjects the right to withdraw their consent at any time. Without that consent, organisations cannot use the data of such individuals for any processing.
Better Control over How Data Is Processed
Residents of the EU states are going to enjoy a lot more control over who collects their data and how it is processed. This GDPR summary indicates how the rights of EU residents are set to receive a significant boost after May.
✓ Improved Access
Under GDPR, data subjects can submit a request to the controller to learn why their data is being processed and how it is being processed. They can also ask the data controller for a copy of the data being processed. However, the controller does have the right to charge a fee to cover the administrative costs incurred in this process.
✓ Exercising Objection
EU residents also have the right to object to the processing of their data and to report it to the supervisory authority. They can also have any inaccurate data corrected.
GDPR goes one step further and gives EU residents the right to have their data erased by the data collector and processor. The data controller has to comply with such a request for deletion of personal data. This is termed the ‘right to be forgotten’ in Article 15 of GDPR. The controller may receive an erasure request for data that has already been made public. In such a case, the controller has to take all necessary measures, including technical ones, to inform the other data processors about the erasure request.
✓ Data Portability
GDPR wants to make EU residents masters of their own privacy. Under GDPR, they decide which service provider gets to collect their data and who gets to store it. They can even request that their data be moved from one service provider to another.
Which Organisations Come Under Its Purview?
One of the most profound impacts of GDPR is the breadth of what falls under its purview. Of course, all organisations that operate within the EU are required to comply with the new regulation. Whether it is a profit-making business, a non-profit charity, or a public authority, if it collects the personal data of people residing in the EU, it is covered under GDPR. So it is not just citizens: GDPR safeguards the data of everyone residing in the EU.
Organisations that do not operate within the EU but do collect, store, or process the data of EU residents also come under GDPR. Even third-party organisations that work for companies offering goods and services to EU residents come under its purview. That is a large group of industries and businesses affected by GDPR, and that is why it has created so many ripples across the business world.
What Principles Do These Organisations Have to Follow?
GDPR lists 6 data protection principles in Article 5. All organisations within the EU, and those outside the EU that deal with the personal data of EU residents, are required to process personal data according to these 6 GDPR data protection