GDPR stands for General Data Protection Regulation. It is a European Union regulation that gives people in the EU rights over the personal data collected about them, over how that data is protected and used, and over whether it may be moved outside of the EU.
The regulation gives specific rights to EU Subjects over the use, retention, and movement of their personal data. It was adopted in 2016 and has applied since May 25, 2018.
3 Important Terms Related to GDPR
EU Subject
Any natural person in the EU whose personal data is collected or used (the regulation itself says "data subject"). Citizenship does not matter: the protection covers anyone who is in the EU when their data is collected, whatever their nationality, and it stays attached to the data when the data is moved elsewhere.
Controller
The organization that decides why and how personal data is collected and what happens with it. The controller stays responsible for the data, including what its processors do with it.
Processor
The organization that stores, processes, moves, changes, merges, publishes, or in other ways handles the EU Subject's data on the controller's instructions. A processor may act only on those instructions and has its own security and breach-notification duties.
…and an important concept
Subject Data, which GDPR calls personal data and which overlaps with what US law calls Personally Identifiable Information (PII) or Protected Health Information (PHI), is any data that can be tied back to a specific individual, either on its own or when combined with other information. Some items on the list below (religion, health, union membership, sexual orientation, biometrics used to identify someone) are "special category" data that get extra protection. Examples include…
- Biometric
- Home address
- IP address
- Family name
- Photograph
- Phone number
- Credit card number
- Religion
- Date of birth
- Driver’s license number
- Salary
- Union membership
- Car (registration plate)
- National identity number
- Health information
- Place of birth
- Cookie or other online identifier
- Work email
- Place of work
- MAC address
- Home email
- Sexual orientation
- And more.
GDPR gives significant power to EU Subjects over the use of their data. GDPR gives EU Subjects
- The right to be forgotten (erasure)
- The right to know what data is being collected about them and to get a copy of it (access)
- The right to correct inaccurate data (rectification)
- The right to transfer their data elsewhere in a machine-readable electronic format (portability)
- The right to consent to how the data is used and, wherever consent is the basis for using it, the right to withdraw that consent as easily as it was given
GDPR obligates companies:
- To safeguard that data with security appropriate to the risk (the regulation calls this "appropriate technical and organisational measures")
- To protect Subject data with measures such as encryption and pseudonymisation. Encryption is not mandated in every case, but it is the expected control for data at rest and in transit, and a breach of properly encrypted data may not have to be communicated to the affected individuals
- To keep real Subject data out of test systems, by anonymising it (so the individual can no longer be identified) or at least pseudonymising it (replacing identifiers with tokens and keeping the key separate). Pseudonymised data is still personal data under GDPR
- To clearly and unambiguously explain to the Subject how and where their data will be used, before collecting it
- To respond to Subjects' requests promptly, normally within one month
- To keep a record of where all Subject data goes, including which processors and which countries it is sent to
- To transfer data outside of the EU only with a valid legal basis for the transfer (an adequacy decision for the destination country, standard contractual clauses, or binding corporate rules) or, as an exception, the Subject's explicit informed consent
- To report personal data breaches to the supervisory authority within 72 hours of becoming aware of them where the breach is likely to put individuals at risk, and to tell the affected individuals without undue delay when that risk is high. Processors must report breaches to their controller without undue delay.
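As an added illustration of the test-data and pseudonymisation obligations above (example code written for this page, not something the regulation or any vendor prescribes), the following Python sketch takes a constructed customer record and produces a copy fit for a test system: direct identifiers and special-category fields are dropped, the customer ID is replaced with a keyed pseudonym so rows can still be joined, and quasi-identifiers (date of birth, IP address, salary) are generalised into bands. The field names, the HMAC key, the reference date and every sample value are assumptions made for the example.

```python
import hmac
import hashlib
import ipaddress
from datetime import date

# Assumed field names. Direct identifiers are dropped outright from the test copy.
DIRECT_IDENTIFIERS = {
    "family_name", "home_email", "work_email", "phone", "home_address",
    "national_id", "drivers_license", "card_number", "mac_address", "photo",
}
# Special-category data (GDPR Art. 9) is never copied into a test system at all.
SPECIAL_CATEGORIES = {"religion", "health", "union_membership", "sexual_orientation"}
# Fields replaced with a keyed pseudonym so that rows from different tables still join.
PSEUDONYMIZE = {"customer_id"}
# Quasi-identifiers that are generalised rather than dropped.
QUASI_IDENTIFIERS = {"date_of_birth", "ip_address", "salary"}

# Fixed reference date so the age bands in this example are reproducible (assumption).
REFERENCE_DATE = date(2024, 1, 1)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the value, truncated. Stable under one key, unlinkable without it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(dob_iso: str, today: date) -> str:
    """Replace a date of birth with a 10-year age band such as '30-39'."""
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def truncate_ip(ip: str) -> str:
    """Keep only the network part of an address: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def salary_band(amount: int, width: int = 10000) -> str:
    """Round a salary down to a band of the given width, e.g. 43250 -> '40000-49999'."""
    low = (amount // width) * width
    return f"{low}-{low + width - 1}"


def sanitize_for_test(record: dict, key: bytes, today: date) -> dict:
    """Return a copy of the record with identifiers dropped, pseudonymised or generalised."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SPECIAL_CATEGORIES:
            continue  # dropped: a test system has no legitimate need for these
        if field in PSEUDONYMIZE:
            out[field] = pseudonym(str(value), key)
        elif field == "date_of_birth":
            out["age_band"] = age_band(value, today)
        elif field == "ip_address":
            out["ip_network"] = truncate_ip(value)
        elif field == "salary":
            out["salary_band"] = salary_band(int(value))
        else:
            out[field] = value  # fields the example treats as non-identifying
    return out


def leaked_identifiers(record: dict) -> set:
    """Gate to run before loading a dataset into a test system: which known
    identifier fields are still present?"""
    return (DIRECT_IDENTIFIERS | SPECIAL_CATEGORIES | QUASI_IDENTIFIERS) & set(record)


# Constructed sample record; every value is made up for the example.
SAMPLE_RECORD = {
    "customer_id": "C-10042",
    "family_name": "Example",
    "home_email": "someone@example.org",
    "phone": "+32 2 555 0100",
    "home_address": "1 Rue Example, Brussels",
    "national_id": "00.00.00-000.00",
    "date_of_birth": "1985-07-14",
    "ip_address": "203.0.113.57",
    "salary": 43250,
    "union_membership": True,
    "country": "BE",
    "plan": "premium",
}

if __name__ == "__main__":
    # Assumption: the key is a production secret and is never deployed to the test environment.
    key = b"per-environment-secret-kept-outside-test"
    clean = sanitize_for_test(SAMPLE_RECORD, key, REFERENCE_DATE)
    assert not leaked_identifiers(clean)
    print(clean)
```

A keyed HMAC pseudonym can be linked back to the individual by anyone who holds the key, so the key must live with the production secrets and never in the test environment; for as long as that key exists the output counts as pseudonymised personal data under GDPR, not anonymous data. Whether the remaining fields (country, plan, age band, salary band) still single out an individual depends on the rest of the dataset, which is why leaked_identifiers is only a first gate and not proof of anonymity.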
Violations of GDPR by companies
- Supervisory Authorities can issue significant fines. The law allows up to €20M or 4% of worldwide annual turnover, whichever is higher, for the most serious violations (a lower tier of €10M or 2% applies to others).
- Supervisory Authorities have broad powers to issue sanctions: audits, public warnings, reprimands, and orders to stop processing.
- The law makes it considerably easier to bring private claims. Individuals can claim compensation for non-material damage such as "distress" and "hurt feelings", not only for financial loss.
This can effectively end a business' operations.
How to comply with GDPR
- Protect PII/PHI. Follow your company's policies and procedures on safeguarding data.
- Don't move data. PII data should never be emailed, put into test systems, moved across international borders, or accessed from across international borders (remote access from outside the EU counts as a transfer too).
- Involve your IT with software purchases. That self-serve mailing list program or customer service response software may transfer data, or fail to store it, as GDPR requires.
- Report all issues. Lost laptops, accidentally emailed documents, thefts of anything holding data, suspected loss of passwords: all should be reported, because the 72-hour breach-notification clock starts when the company becomes aware of the problem.
- Don't assume data is not covered by GDPR because you know the customer or individual. Customers or individuals may have unknown EU Subject data. You can't prevent people from typing things into web forms and fields. GDPR is designed to cast a wide net.
Together, we can keep the Internet safe. If you have any questions about GDPR or compliance, please contact us today for help.