Why do most companies consider GDPR a top data protection priority?

Ethan
3 min read · Mar 28, 2021

What is GDPR?

GDPR is seen as one of the most stringent current privacy laws, and it treats personal data as a human right. Its purpose is to keep customers' personal data secure and to penalise companies that violate the protection of EU citizens' personal data.

Why does GDPR matter to you?

GDPR specifies the rights of consumers. Under GDPR, consumers have the right to be informed, the right of access to their personal data, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights around automated decision making.

With GDPR, you can make a Subject Access Request (SAR) to a company that processes your personal data; the company is obliged to answer within one month and reveal what information it holds about you.

You have the power to have your personal data erased when it is no longer necessary for the purpose for which it was first collected.

Who needs to comply?

Companies that collect, process, and store personal data about EU citizens are legally bound. This includes any company, regardless of whether it has a presence in the EU. If a company has no presence in the EU but processes the personal data of EU residents, it still needs to be in compliance.

What types of personal data does the GDPR protect?

  • Identity information (name, address, ID numbers, etc.)
  • Web data (location, IP address, cookie data, RFID tags, etc.)
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

If violated, what are the penalties?

Organisations must notify supervisory authorities within 72 hours if they experience a serious data breach.

Lower level:

  • up to €10M or 2% of worldwide annual revenue

Upper level:

  • up to €20M or 4% of worldwide annual revenue

The biggest GDPR fine in 2020 was Google's, at $56.6 million, confirmed by France's top court. Google had not provided enough information to users in its consent policies and had not given them enough control over how their personal data is processed.

What actions should companies take to achieve compliance?

— — Actions to achieve compliance:

  • Conduct an information audit.
  • Establish a legal justification for processing personal data.
  • State the requirements above in the company's privacy policy.

— — Actions to protect data:

  • Cover the whole data lifecycle, from privacy by design to data destruction.
  • Encrypt data.
  • Create an internal security policy and build awareness.
  • Assess the data protection impact if needed.
  • Establish a channel to notify authorities and customers in the event of a data breach.

— — Company governance:

  • Designate personnel responsible for GDPR compliance.
  • Have a data processing agreement with third parties when outsourcing data processing activities.
  • Appoint a representative to communicate with the authorities in the EU member state if the company processes large amounts of EU citizens' data and has no office in the corresponding member state.
  • Appoint a Data Protection Officer (DPO) if the organisation is a public authority or a company that processes large amounts of EU citizens' data.

— — Protect customers' data rights:

  • If requested by a customer, send the customer their information.
  • Allow customers to correct or update inaccurate or incomplete information about themselves.
  • If requested, delete the customer's data.
  • If requested, stop processing the customer's data.
  • If requested, transfer the customer's data to a third party.
  • If requested, remove the customer from telemarketing lists.
  • If data is processed automatically, have a procedure in place for human intervention on request.
  • Keep evidence of customer consent, recording who consented, when, how, and for how long the data will be kept and used.


Ethan

Information security practitioner interested in data security compliance and cloud computing solutions.