As of 25 May 2018, the General Data Protection Regulation (GDPR) applies to organisations established in the EU, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3). The regulation governs how personal data is collected, processed, stored, shared, and otherwise handled. If you have been collecting information from people in the EU, you need to know what GDPR requires of you.
Consent is one of six lawful bases for processing personal data (Article 6); it is not the only one, but if you rely on it, the bar is high. Consent must be freely given, specific, informed, and unambiguous, and it must be given by a clear affirmative action of the user. Consent you obtained before GDPR only remains valid if it already met this standard; otherwise it must be refreshed. Explicit consent, a stricter form, is required for special categories of data such as health, genetic, or biometric data (Article 9). In every case, users have to be told what you are going to collect, why and how the data will be used, and who it will be shared with.
The regulation also requires that a request for consent be presented in clear and plain language, clearly distinguishable from other matters (Article 7(2)). Terms of service overflowing with legal jargon, which the average person cannot understand, do not produce valid consent. There are other aspects of consent you need to be aware of.
Consent requires a positive opt-in: pre-ticked boxes are not allowed, and silence or inaction cannot be treated as consent (Recital 32). The consent request must be separate from your other terms and conditions, and it must be as easy to withdraw consent as it was to give it (Article 7(3)). You must also be able to demonstrate that consent was obtained (Article 7(1)), so keep a record of what was consented to, when, and how.
Rights To Data
GDPR gives individuals greater control over how their personal data is collected, stored, and used. Every data subject has the right to know whether, where, why, and how their data is being processed. This includes the right of access (Article 15): an individual can request a copy of the personal data you hold about them, and you must normally respond within one month (Article 12(3)).
Additionally, every data subject has the right to erasure, also known as the right to be forgotten (Article 17). On request, you must delete the person's data where one of the grounds in Article 17 applies, for example when the data is no longer needed for the purpose it was collected, when the person withdraws the consent on which the processing was based and no other lawful basis exists, or when the person objects to the processing. The right is not absolute: you may retain data you are legally obliged to keep or need for legal claims, but you must tell the requester why.
GDPR also requires controllers to report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it (Article 33). The only exception is a breach that is unlikely to result in a risk to the rights and freedoms of individuals, and even then you must document the breach internally, including its effects and the remedial action taken (Article 33(5)). Where the breach is likely to result in a high risk to individuals, you must also inform the affected individuals without undue delay (Article 34). Processors must notify the controller of any breach without undue delay (Article 33(2)), so contracts with processors should spell out how and how fast that happens.
Appointment Of Data Protection Officers
Certain organisations must appoint a data protection officer (DPO) to comply with GDPR (Article 37). These are organisations whose core activities consist of regular and systematic monitoring of individuals on a large scale, organisations whose core activities consist of large-scale processing of special categories of data (such as health, genetic, biometric, or ethnic-origin data) or of criminal conviction data, and all public authorities. A group of companies may appoint a single DPO, provided the DPO is easily accessible from each establishment (Article 37(2)). The DPO must be able to operate independently and report to the highest level of management (Article 38).
To comply with GDPR, there are several things you will need to do: identify the lawful basis for each processing activity, make sure any consent you rely on meets the standard above, set up a process for access and erasure requests, put a breach-detection and notification procedure in place that can meet the 72-hour deadline, and appoint a DPO if you fall within the categories described. You must understand what is required of you under GDPR and what steps you have to take.