What is GDPR (General Data Protection Regulation)? GDPR sets out several key concepts that enterprises must comply with in order to achieve greater transparency and trust when handling customer data in business transactions.
What Is GDPR?
The General Data Protection Regulation (GDPR) is a regulation that protects the personal data and privacy of citizens of the European Union (EU). It applies to businesses that carry out transactions within the EU and also to businesses outside the EU that hold the personal data of EU citizens. An enterprise that becomes non-compliant faces hefty fines and may lose the ability to do business that involves customer data. GDPR requires enterprises to have their security standards and processes in place so that they can meet the compliance rules and keep abiding by them. The key elements of GDPR are as follows:
- The right to be forgotten
- Obtaining valid consent from the customers
- Access to data
The Concept of the Right to be Forgotten
This rule states that a customer can demand that any company holding their personal data erase it whenever they require. There are, however, some exceptions. Certain laws require enterprises in the US to maintain records in order to comply with HIPAA-like security standards, so the right to be forgotten cannot supersede such laws for some data controllers and companies. The steps enterprises have to take are:
- Enterprises need to build a data inventory so that they know where each customer's personal data is held.
- They need to determine whether personal data can be erased on request and, if not, document the reasons why it cannot be.
- A proper process for handling data erasure requests has to be in place.
- Staff have to be trained to handle erasure requests from customers.
Obtain Valid Consent from the Customers
Previously, the data that enterprises collected from their customers could be used for anything and everything. Under GDPR, enterprises need to maintain structured data processing, and personal information can be used only for matters of legitimate interest. Data processing has to rest on lawful grounds such as the ones given below:
- Any specific purpose needs to have prior consent
- To deliver on a current project before another one is undertaken
- Legal obligation
- Interests of the customers have to be protected
Transparency is the Core of GDPR
The following points show this:
- Terms and conditions must not be bundled into the consent form. Consent has to be freely given and must never be made a condition of service.
- Consent should be clear, with no hidden contradictions.
- Consent should be separated by purpose, for example advertising or analytics, and data consented to for one purpose can be used only for that purpose.
- The user cannot be compelled to tick every consent box.
- Enterprises must retain records of the consent given as proof.
- Users can withdraw their consent at any time of their choosing without any obligation.
Access/Portability to Data
GDPR provides for data portability, which means that personal data can be transferred from the data controller back to the customer. The customer has given their personal information to the controller and has consented to its use by the enterprise. Even though the controller has been processing that personal data, the customer retains the right to ask for the data back and reuse it for their own purposes, or to have it moved to other services. Data controllers therefore have to follow defined procedures when returning the data. Processed data that is held online has to be provided in a readable format so that it can easily be read, copied or transferred. Customers are at an advantage here, since the privacy rights rest solely with them.

The catch is that data such as media files (songs and photos) can be ported back, but not the behavioral data derived from the enterprise's own analysis; such data falls outside the scope of portability. Enterprises also have to ensure the security of the data while it is being exported. Enterprises can adopt CASB solutions, which make GDPR compliance easier by enforcing security policies once the solutions are deployed.