If you hold or process personal data of EU citizens, the GDPR requires your business to protect that personal data and the privacy of the people it describes. The business advantage of the regulation is significant: you have a clear legal environment in which to conduct business, and making data protection law identical throughout the EU market should improve trust in the digital economy.
So, what exactly is personal data? The GDPR defines it as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer’s IP address.”
The data subject must perform an affirmative action, such as ticking a box or selecting certain settings, to give consent for their personal data to be processed. The controller should keep a record of that consent.
Data subjects can ask the controller for clarification of their rights regarding the processing of their personal data.
Your business will now be required to provide in-depth information on the processing of data, including:
- Controller’s contact information
- Reason for processing
- Proof of its lawfulness
- Period of processing
- Possibility of withdrawing consent
- Possibility of complaining to a supervisory authority
- Indication of whether the processing is part of profiling the data subject
Data subjects have the right to have their information deleted. On request, controllers are obliged to delete the personal data and to make sure that other parties processing the data do the same.
Data subjects also have the right to have their information handed over to them by the controller (data portability). The data must be provided in a structured, machine-readable format, which gives data subjects an easy overview of their information and lets them transfer it to another service provider if they wish.
Data subjects have the right to object to profiling, so they cannot be profiled for purposes such as e-recruiting or credit ratings without their consent. With their consent, profiling is permitted for marketing and other purposes.
GDPR fines aren’t insignificant. Noncompliance with controller or processor duties can result in a penalty of 2 percent of the company’s global annual turnover or €10 million, whichever is higher. A penalty of 4 percent of global annual turnover or €20 million, whichever is higher, applies to noncompliance with the principles or with the rights of data subjects, to data transfers to countries outside the EU without a legal basis, and to failure to comply with orders from the supervisory authority.