The General Data Protection Regulation is the latest European data privacy law. It aims to change the way EU citizens’ personal data is collected, processed and stored, transferring the power over personal data from companies to data subjects.
A person’s identity is no longer just a set of randomly floating data; the new law provides power, control and consent over the shared data.
According to the GDPR, consent must be obtained from data subjects before companies can collect any personal identifying information. It also brings a new perspective on consent management, in which the liberty to withdraw consent must be granted at any moment.
The first step towards GDPR compliance is awareness and a thorough understanding of the changes the regulation has brought; assessing its impact on your organisation is the starting point towards compliance.
The GDPR applies to data processors and controllers that:
The GDPR applies to the processing of personal data:
The GDPR does not apply to the processing of personal data:
The following types of personal information are exceptions from the GDPR’s requirements:
Right of access
Data subjects have the right to receive confirmation on whether their personal information is processed and if that is the case, be granted access to it.
Right to erasure (right to be forgotten)
According to the GDPR, in certain cases data subjects have the right to have all their personal data erased.
Right to data portability
Data subjects have the right to obtain their personal data from data controllers in a structured format, and the right to transfer this data to another data controller.
Right to restriction of processing
Under the regulation, data subjects have the right to obtain the restriction of processing of their personal data, in certain situations and/or for a certain period.
Right to object
In certain cases, data subjects have the right to object to the processing of their personal data, including for profiling or if such data has been collected for direct marketing purposes.
Right to rectification
The GDPR grants data subjects the right to rectification of their inaccurate personal data and to provide additional data to complete any incomplete personal data.
Right to reject automated individual decision-making
Data subjects have the right not to be subject to a decision based solely on automated processing.
Under GDPR, companies are required to make the name and contact details of their Data Protection Officer as well as their company contact details publicly available to allow data subjects to easily contact them for inquiries.
Processing of personal data is only possible if you have a lawful basis, which means that you must determine and document yours before collecting any personal data.
As a data controller and processor, you have the legal obligation to identify and map the personal information you collect, the legal basis and processing purpose for doing so, and which data processors have access to it.
Make sure you update your Terms, Policies, Agreements & Procedures to include information regarding all processes related to personal data, explaining the reason why it is processed, who else has access to it, and what measures you are taking for ensuring its security.
Under the General Data Protection Regulation, data subjects have seven fundamental rights.
As a data processor or controller, you have the obligation to inform them about these rights, to set up a mechanism that allows users to exercise their rights, and to address these requests in a serious and timely manner.
Inform your users about any personal data collection activity you may perform and collect their consent for doing so in an unambiguous, informed and free way.
Let them know what categories of personal information you are collecting about them, why you are collecting it, how it will be used, for how long and what other processors you are sharing this information with.
Don't load any cookies or third party content on the website before obtaining your users' explicit consent.
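One way to enforce the rule above in the browser, as an added example that is not Clym's code: third-party scripts and cookies are tagged with the consent category they need, nothing loads unless that category has been explicitly granted, and withdrawal clears what was set. The storage key, category names, asset URLs and cookie names are assumptions made for the example.

```javascript
// Assumed key under which the site stores the consent record (constructed).
const CONSENT_KEY = "consent_v1";

// Third-party assets and the consent category each one requires (constructed).
const THIRD_PARTY = [
  { category: "analytics", src: "https://analytics.example/tag.js", cookies: ["_an_id"] },
  { category: "marketing", src: "https://ads.example/pixel.js", cookies: ["_ad_id"] },
];

// Opt-in by default: only an explicit boolean true counts as consent.
// A missing record, a missing category, or any truthy non-boolean value is "no".
function hasConsent(record, category) {
  return Boolean(record) && record[category] === true;
}

// Sources that may be loaded under the given consent record.
function allowedSources(record, assets = THIRD_PARTY) {
  return assets.filter((a) => hasConsent(record, a.category)).map((a) => a.src);
}

// Withdrawal uses the same record the consent was given through: the category is
// set to false and the cookie names to expire are returned so the caller can clear them.
function withdraw(record, category, assets = THIRD_PARTY) {
  const updated = { ...(record || {}), [category]: false };
  const expire = assets.filter((a) => a.category === category).flatMap((a) => a.cookies);
  return { record: updated, expire };
}

// Browser-only wiring: read the stored record and inject only the permitted script tags.
function loadPermittedScripts() {
  if (typeof document === "undefined" || typeof localStorage === "undefined") return [];
  let record = null;
  try { record = JSON.parse(localStorage.getItem(CONSENT_KEY)); } catch (e) { record = null; }
  const sources = allowedSources(record);
  for (const src of sources) {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
  return sources;
}
```

Cookies set by a withdrawn category are expired by writing each name in `expire` back with a past `expires` date; the rest of the page stays free of third-party requests until consent exists.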
Clym allows detailed consent and cookie management, consent expiry dates and automatic consent deletion. It lets you manage legal bases for all processing activities and manage specific consent.
Another requirement for GDPR compliance is that you must empower data subjects to withdraw consent at any moment, through the same mechanism they gave it in the first place.
Make sure you provide them with an easy method of doing so.
Proving compliance is as important as being compliant. You need to be able to prove that you respected data subjects’ rights, addressed their requests and collected consent before performing any processing activity governed by consent.
All the information requiring data subject consent that you display to the user must be easily accessible, concise, and most importantly, available in the data subject's preferred language.
The General Data Protection Regulation places a strong emphasis on securing data subjects' personal information, encouraging security by design and by default.
This means that organisations should build systems with security deeply integrated from the beginning, rather than adding it on top at a later stage.
Encryption and pseudonymisation are listed as good ways of ensuring adequate levels of protection for personally identifiable information (PII).