What exactly is GDPR?
It is a regulation passed by the EU which applies to handling the data of all EU citizens, irrespective of where the data is stored or sent. Even if we pass data from India to Europe, we have to respect GDPR. GDPR was brought into effect to protect the right of every EU citizen to privacy and to the security of their personal data. Even if we operate entirely on EU user data outside the EU, we have to follow the legislation.
So for whom is GDPR applicable?
GDPR is applicable to any business located within or outside Europe. It applies to any business which collects data, organises and stores it, and performs operations on it. Companies have to be responsible and accountable for user data, and this is where GDPR applies.
How software should be GDPR compliant
Following are the principles of GDPR that any company should deal with when it handles the personal data of EU citizens:
Data must be processed lawfully and very transparently. (Lawfulness and transparency)
All data about the user must be correct and kept up to date. (Accuracy)
No unwanted or additional data beyond what the stated purpose requires should be collected from the user. (Purpose limitation)
Collected data must always be relevant to what is needed for processing. (Data minimisation)
Collected data must be processed safely, without any security breach. (Data integrity and confidentiality)
Data must be maintained in such a state that it is no longer available once it is no longer needed. (Storage limitation)
User rights over personal data
Below are the rights that users have over their personal data:
Access and update their personal data
Request deletion of their personal data whenever they need
Be informed about what data the business is collecting
Download their personal data in a format such as JSON or XML whenever they need it
Restrict processing of their data whenever they need
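The rights listed above, together with the storage-limitation principle from the previous section, translate into a small set of operations that a backend has to expose. The following is an added example, not code from the original article or from any particular product: a hypothetical in-memory `PersonalDataStore` that implements access, rectification (update), export as JSON or XML, restriction of processing, erasure, and a retention purge. The record layout, the `demo()` walkthrough and the sample users are all constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed reference time so the retention logic can be exercised offline.
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)


def days_after(n):
    """Return a timestamp n days after EPOCH (test helper, constructed)."""
    return EPOCH + timedelta(days=n)


class PersonalDataStore:
    """Hypothetical store of per-user personal data exposing the
    data-subject operations described above plus a retention purge."""

    def __init__(self, retention_days=365):
        self.retention = timedelta(days=retention_days)
        self._records = {}  # user_id -> {"data", "restricted", "last_used"}

    def create(self, user_id, data, now):
        self._records[user_id] = {"data": dict(data), "restricted": False, "last_used": now}

    def access(self, user_id):
        """Right of access: a copy of everything held about the user, or None."""
        rec = self._records.get(user_id)
        return None if rec is None else dict(rec["data"])

    def update(self, user_id, field, value):
        """Rectification: keep the record accurate and up to date."""
        self._records[user_id]["data"][field] = value

    def restrict(self, user_id, restricted=True):
        """Restriction of processing: flag the record; data is kept but not used."""
        self._records[user_id]["restricted"] = restricted

    def process(self, user_id, fn, now):
        """Run a business operation over the data unless the subject restricted it."""
        rec = self._records[user_id]
        if rec["restricted"]:
            raise PermissionError("processing restricted by data subject")
        rec["last_used"] = now  # activity timestamp drives storage limitation
        return fn(rec["data"])

    def export(self, user_id, fmt):
        """Data portability: serialise the record as JSON or XML."""
        data = self.access(user_id)
        if data is None:
            raise KeyError(user_id)
        if fmt == "json":
            return json.dumps(data, sort_keys=True)
        if fmt == "xml":
            root = ET.Element("personal_data", user=user_id)
            for key, value in sorted(data.items()):
                ET.SubElement(root, key).text = str(value)
            return ET.tostring(root, encoding="unicode")
        raise ValueError("unsupported export format: %s" % fmt)

    def erase(self, user_id):
        """Right to erasure: remove the record entirely; True if it existed."""
        return self._records.pop(user_id, None) is not None

    def purge_expired(self, now):
        """Storage limitation: drop records unused for longer than the retention period."""
        expired = [uid for uid, rec in self._records.items()
                   if now - rec["last_used"] > self.retention]
        for uid in expired:
            del self._records[uid]
        return expired


def demo():
    """Walk two constructed users through every operation; returns the outcomes."""
    store = PersonalDataStore(retention_days=365)
    store.create("u1", {"email": "alice@example.test", "name": "Alice"}, days_after(0))
    store.create("u2", {"email": "bob@example.test"}, days_after(0))
    results = {"access": store.access("u1")}
    store.update("u1", "name", "Alice Smith")
    results["json"] = store.export("u1", "json")
    results["xml"] = store.export("u1", "xml")
    store.restrict("u1")
    try:
        store.process("u1", lambda d: d["email"].upper(), days_after(1))
        results["restricted_blocked"] = False
    except PermissionError:
        results["restricted_blocked"] = True
    store.restrict("u1", restricted=False)
    results["processed"] = store.process("u1", lambda d: d["email"].upper(), days_after(1))
    results["erased"] = store.erase("u1")
    results["after_erase"] = store.access("u1")
    results["purged"] = store.purge_expired(days_after(400))  # u2 idle for 400 days
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The restriction flag is deliberately checked inside `process()` rather than trusted to callers, and the purge keys off the last time a record was actually used, which is the behaviour the storage-limitation principle asks for.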
Please follow this link for a checklist for making a SaaS product GDPR compliant: https://www.cloudways.com/blog/saas-gdpr-checklist/
Top comments (2)
Very nice article, a succinct covering of the topic, but one correction must be made as it is a far too common myth:
If you don't have a physical presence in the EU, then you are not subject to the GDPR or any other EU laws and regulations. It doesn't matter if the visitor to your site is an EU citizen, the site isn't going to them, they are coming to the site. As the operator of the site, you are only subject to the laws and regulations of where you reside and where your site is physically hosted. If neither of those are inside the EU, then the EU has exactly zero authority over anything you do, digital or otherwise.
Of course you should respect the privacy of your users, but don't be fooled by the overly grandiose wording of the GDPR and other recent regulations; no nation can make laws that apply to people outside their borders.
Thanks for the update, it should be meaningful.