GDPR: General Data Protection Regulation

The GDPR was approved by the EU Parliament on the 14th of Abril 2016 and is taking action next 25th of May 2018. The GDPR is a mandatory law, not just a directive, as it was defined as an EU regulation. The effect of the regulation not only applies to companies that are located within the EU but also to those based outside the EU but with access to users inside the European zone.

The goal of this regulation is to unify data protection across all countries in the European Union and to ensure companies and corporations meet the criteria when dealing with personal information about a digital user from Europe.

Personal data and the involved information about a user

Personal data is understood as any information which defines an online user and that helps to identify or categorize a certain subject. Name, e-mail, identifier, personal preferences, IP address or current location are examples of basic personal information.

Companies operating from outside the EU must also compliance with the new legislation if they have access to data of subjects within EU. There is a penalisation for those organisations who do not meet the new data regulation and the amounts could reach up to 20€ millions in case of serious infringements.

The regulation defines that users should give explicit consent for any use of their personal data. All digital websites and platforms must update their privacy policy to display a single and human readable text. A clear description of the purpose should be delivered without the use of any technical terms or legalese.

All these is required before accessing and processing any personal information.

Similarities and difference between a data controller and a data processor

They both are involved in the process of manipulating data and information. A controller is the one who defines the purpose of the information that is been gathered whereas the processor is the party that processes the technical requirements of the data collection on behalf of the controller.

It is common for large scale companies to externalise their data management and use a provided service from a data processor company. An example of the difference between them could be seen in a payroll company which offers payroll services to other companies. In this case, the payroll company itself is a data controller as it controls the personal data about its own staff. However, it is also a data processor as it processes the personal data of their clients.

Data controllers and data processors have responsibilities and are required to meet certain criteria when dealing with personal data. Data controllers are the ones with more responsibilities as they decided the final use of the information. They are required to comply with legislations such as the GDPR in order to make transparent their data practices to the final user.

Data processors, in the other hand, have less restrictions. They are usually requested to provide information about their security implementation, encryption procedures and backup processes of the data they manage. Additionally, data processors can be required to register with the Data Protection Commissioner as data processor entities.

User rights and access privileges

The new regulation also stablished a right for all users to have access to their personal data stored and processed by any digital platform. In case of a request, the controller should provide a digital copy in electronic format of the stored data for a particular user. This should be delivered free of charge and without any cost to the user.

According to the GDPR, companies should immediately notify their users in case of a data breach if their personal data has been compromised.

Another right that is been reflected on the GDPR is the right to be forgotten. This allows a user to request a removal of all its personal data stored in a digital platform. The company receiving the request should proceed to erase all data without undue delay.

Updates on the privacy policy

What are the key aspects that should be listed on a privacy policy page that is compliant with the new GDPR? Here is a basic list of items to cover under the privacy policy page:

• What personal information do you collect about a user.
• How and why you collect it. You should provide an explanation about the use of that data.
• How does your system manage the security of the data involved.
• Do you grant access or allow third parties to get information about your users.
• What cookies do you use.
• How users can manage, control or request details about their data in your system.
• If you are using the services of a data controller, provide details about it together with their contact information.
• You should inform whether your data system will use personal data based on automated decisions and algorithms.
• Provide information about the rights that the user has under the GDPR regulation.
• Whether your platform transfers data internationally.

References

• https://www.eugdpr.org/key-changes.html
• https://gdpr-info.eu/art-17-gdpr/
• https://termsfeed.com/blog/gdpr-privacy-policy/
• https://www.dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm
• http://www.alpconsulting.in/blog/payroll-processing-company/