The new General Data Protection Regulation (GDPR) is going to affect any company that deals with customers in the European Union.
What will GDPR mean for you? This post gives a rundown of what GDPR means and how it affects your company, along with an overview of what the law actually says. Fomoco News has more information about GDPR, the next big thing for data protection.
The General Data Protection Regulation is a new European regulation that replaces the 1995 data protection directive and harmonizes data privacy laws across Europe, making it easier for companies to do business within EU member states. In essence, it gives citizens more control over their personal data.
GDPR gives consumers the right to know how their information is being used, to correct or delete information that is inaccurate, and to encrypt certain data. It also requires companies that handle data on behalf of others, such as banks and search engines, to abide by GDPR standards.
1. Who does it affect?
Any company that collects or processes personal data of anyone in the European Union will be affected by GDPR. That includes any public or private organization engaging someone outside of the EU. It also covers companies based outside of Europe if they interact with citizens in the EU via an online presence.
2. What is personal data?
According to GDPR, personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
3. What is a data controller?
A controller is a person or organization that determines the purposes and means of processing personal data.
As a business, you will most likely be the controller. However, depending on how you collect data from customers, you could also be a processor.
4. What is a data processor?
A processor is a person or organization that processes personal data at the behest of the controller. Processors are merely tools that carry out your instructions on their own servers or hardware.
As an example, if you buy personal data, such as the email addresses of potential customers, from another company, that company is most likely the processor and you are the controller.
5. What does it mean for businesses?
Imagine a customer wants to buy an item from your online shop, and you ask them to enter their phone number so you can send them information about the order. That data is now under GDPR protection, which means that:
Companies collecting data must be completely transparent with how they will use that data and they must obtain explicit consent from the person it belongs to before using that data. They must also allow customers to access and correct it at any time.
If several companies hold the same data, then the data cannot be sold or passed between them without explicit consent from each owner of the data.
Companies are no longer allowed to sell or transfer data without explicit consent from the customer. However, you are allowed to do this if there is a contract with the customer that states otherwise.
When companies collect personal data, they must inform customers what information is collected, where it is being collected from, why they are collecting it and for how long they will keep it. They must also explain all security measures in place to protect the personal data against unauthorized access by third parties.
As a business owner, you need to be very careful with data protection when using external IT service providers. The service provider may only access your data under a business contract between you and the provider.
6. What does it mean for customers?
As a customer, GDPR protects your personal information from being used improperly or abused in any way. This means that:
You have the right to know how personal data about you is being used. If a company is going to collect and process your data, they must be completely transparent with how they will use that data and they must obtain explicit consent from you before using that data.
You can find out what information is collected simply by navigating a website in the normal way, without any specific interaction on your part.
If companies use your personal data for marketing purposes, you have the right to stop this immediately. You can also request that they delete your personal data.
You have the right to prevent your personal data from being processed if it is no longer needed.
You have a right to access and correct any inaccurate information that a company has about you. However, a company may only deny you this right under very specific circumstances, such as national security, fraud prevention or other serious reasons.
In general, you can at any time make a correction or request not to be contacted at all if the information is incorrect, inaccurate or out of date.