GDPR meaning and role
GDPR (General Data Protection Regulation) is an institution whose role is to protect the Personal Data of EU citizens involved in any organization's activity.
According to GDPR, an individual's identity is considered protected if they cannot be identified from any information stored about them.
Any information that falls into one of the following categories can identify an individual and is considered Sensitive Data:
- Religious beliefs
- Genetic data
- Political opinions
- Trade union membership
- Biometric data
- Sexual orientation
A company is compliant with GDPR rules and regulations if it is:
- Accountable - which means that it knows what it is doing, and everything is done for a good reason.
- Completely responsible - the organization knows clearly what to do with the Personal Data of each individual
GDPR states that every member of an organization is responsible for how the data is collected, stored, processed and destroyed. Personal Data should be stored only if it is absolutely necessary and removed when no longer needed. To help with the decisions involved in all these procedures, a Data Protection Officer should exist in every organization.
GDPR was created to help reduce the risks generated by personal or sensitive information being used in fraudulent ways or without somebody's consent.
Risks of not following GDPR rules:
- Identity theft;
- financial breaches;
- blocked access and hacked accounts;
These risks are only a few of the reasons this organization for Data Protection was created.
When a Supervisory Authority or a Data Subject asks an organization to prove compliance for the Personal Data it processes, the organization must always be capable of producing and showing relevant documentation for that, such as:
- Formal documentation on how Personal Data is processed
- Organisational charts with people's positions and responsibilities
- Data Protection Impact Assessments
How GDPR protects users online
When Personal Data is collected from an individual, it is important for them to know where and how this data will be used and for how long.
Websites nowadays store a lot of data about the user or visitor.
When data is processed outside the EU, any organization must state what safeguards operating in that area have been put in place to protect the personal data, in the same way GDPR does in Europe.
This is the reason why every page on the internet has an Accept Cookies policy and a way to withdraw the consent given, and every subscription email must have an Unsubscribe link.
Both Amazon and eBay, for example, show products that you looked at before on your next visit to these platforms. For the same reason, Google will return ads on your laptop for products that you looked at on your smartphone.
According to GDPR, companies must make sure they receive user consent for all the information that represents Personal Data, such as:
- Interest in some products
- Profile picture
- Email address
- Phone Number
- Sexual orientation
- dress code, which can also help to identify a person
- and much more
Only with the individual's consent can this information be used to show other relevant products on the next visit to the same web application. To make things clear and transparent about what data is stored and processed, every website must have a Privacy and Cookies Policy page that must be accepted by any visitor.
GDPR and third-party implications for Personal Data processing
GDPR looks to protect against abusive use of Personal Data. An example of abuse is when someone registers for a service by completing personal data in a form, and the form is submitted (directly, or later as lists) to other companies too (third parties) for marketing or market research purposes. The chain of spamming becomes endless, making it very hard for someone's personal information to ever be extracted from this system.
If you have ever felt it is impossible to unsubscribe from an email list (the link is missing or the Unsubscribe link does nothing), a complaint to GDPR is the solution.
Data Protection has 7 key principles that must be followed by any organization:
- Any data processing must comply with the law and be fair and transparent, showing clearly how the Personal Data is taken and how it is used
- Purpose Limitation - says that an organization should not ask for any data that is not needed
- Data Minimisation - helps with deciding whether a desired processing purpose can be achieved without using personal data
- Accurate and up-to-date data - helps ensure somebody's Personal Data is always updated and correctly used
- Storage should be limited to a form that allows easy identification (as in the situation of a breach)
- Data must be Confidential and Securely stored and processed, with the help of passwords, biometrics, two-factor authentication and Virtual Private Networks (VPN)
- Accountability and liability - which means the capability of proving at any time that the appropriate steps have been taken to protect this data; it also says that if a person wants to know what data is processed about them, or wants this data to be removed, they have the capability to do so.
Organising, updating or removing all this information, or even sending it to a different organization, means Processing Personal Data.
For an organization to make sure that it is storing and processing the right data, it needs to:
- adopt Technical and Organisational Measures
- Carry out Data Privacy Impact Assessments
If an organization does not follow the rules related to Personal Data Protection imposed by GDPR, it risks big fines of up to 20 million Euros or 4% of annual turnover.