GDPR is the EU General Data Protection Regulation. This regulation can be a lot to read and understand, especially if you haven’t yet. We’ve jotted down a few highlights from conversations on our quest to be GDPR ready.
We all have a list of things that come to mind when we hear the phrase “personal data.” Under the EU GDPR, this list may include more than you think.
The EU GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
So, in other words, personal data is any piece of information that identifies a person. Your name, age, IP address and more. All these pieces of data are what the GDPR is setting out to protect for EU citizens.
The GDPR provides enhanced rights for EU citizens to control their personal data. This law provides protection of personal data of any EU citizen whether that data is stored and processed within or outside of the European Union.
Controller vs Processor
Article 4 of the GDPR defines data controllers and data processors. These two roles play a significant part in GDPR compliance.
The data controller is the person or entity that receives and controls your personal data. They “control” the data and are therefore the primary party responsible for the data security and responding to requests from people regarding their personal data.
Often, there are additional parties that actually process the data for the controller. For example, a data processor may be the company used to send emails out to clients for ExaVault. This data processor would take email addresses from ExaVault and use that data to send the emails through their system as well as track emails that are received, opened or send back due to an invalid address.
Under the GDPR, both data controllers and data processors are held responsible and liable for being compliant with the terms of the regulation. A data processor must provide the same assurances that they are GDPR compliant as the controller does. They can do this by taking data security measures such as encryption, security testing, and only processing the information needed for the job required by the data controller. A data controller is responsible for making sure they choose processors who are GDPR compliant.
All information that a company provides should be plainly written and easy to understand and to locate whether electronically or in hard copy.
As an individual, it is your right under GDPR to know what personal data is being collected and why.
If a company does not have a legitimate reason to collect specific data, then it should not be asking for it. Transparency such as this is a large part of the EU GDPR. There must be a valid reason to ask for someone’s birthday and for many companies there is not a valid reason for needing that information. Even stating the reason you want to track an IP address can make a huge difference in establishing trust with customers and with being GDPR compliant.
Along with transparency, consent is another critical piece of the GDPR. To be compliant with GDPR you must be aware of how you are getting consent from individuals.
Here are the highlights of consent under the new regulation:
- Consent must be given freely.
- Affirmative consent is required – the individual must take an action to give consent.
- Opt-in required for everything.
- No pre-checked boxes or auto opting in for newsletters, emails, and other communications or data processing.
Giving consent provides an individual with more control over their personal data. Which, is part of the point of GDPR.
What highlights came out of your quest for GDPR compliance? Do you feel confident that the new laws regarding consent and transparency will improve the security of your personal data?
Learn more about what ExaVault has done to be GDPR ready here.