As you have probably heard, the EU commission signed the General Data Protection Regulation (GDPR) back in April 2016. The legislation is designed to help companies handle the data challenges of the 21st century efficiently and gives strict guidelines on how to work with massive flows of digital information. It is set to protect web users (data subjects) from malicious use and loss of their personal information and, also, to give people greater control over how their records are processed.
GDPR is to take effect on May 25, 2018.
Company owners still have enough time to modify organizational processes to comply fully with the new security rules, and today we will explain how they should start.
First off, it outlines how companies that work with EU personal data should obtain clients’ consent. It gives instructions on how they should collect, store and process personal information, and urges firms to report any data breaches resulting from a hack or system failure.
It also puts an obligation on companies to prove accountability – every business should be able to demonstrate clearly that it is compliant with the GDPR and that it grants extensive rights (concerning data) to both its customers and employees.
This piece of legislation is to be enforced upon every firm that works with the personal data of EU citizens, not just businesses that reside in the EU.
Secondly, it affords data subjects:
- A right to be informed as to the purpose of the collection of their personal data
- A right to get a copy of that information in its entirety and in a portable format
- A right to have the personal records corrected
- A right to restrict data processing
- A right to have personal information erased from a company’s database (not an absolute right; if there’s a legal ground for a company to keep your data, it might, lawfully, reject such a request)
- A right to object to automated personal data processing
The currently active Data Protection Directive also outlined a comprehensive system for securing personal information. But, adopted in 1995, it lacks regulatory policies for handling the vast data flows of the digital world.
Also, it is merely a directive. The EU member states themselves (not the EU parliament) decide how to translate the guidance and integrate it into their national laws. Therefore, the security framework a European country ends up with often varies greatly from that in a neighboring state.
The 1995 Data Protection Act does require companies in countries outside the EU, be they data controllers or processors, to provide a satisfactory level of security. However, since there has been no enforcement, many businesses have chosen to neglect it.
The post What GDPR is and How to Comply with It: A Brief Guide appeared first on Software Development Company Perfectial.