GDPR Summary
What exactly is the GDPR all about? What does it mean for data subjects and organizations? What do you need to do, and why should you?
Hopefully, this article helps make sense of the regulation and all the buzzwords you may have been hearing.
When the GDPR (General Data Protection Regulation) came into effect on 25 May 2018, it was the first major update to European data protection law in over 20 years. The regulation gives individuals, known as data subjects, much greater control over how organizations process, or control the processing of, their personal data. Personal data covers information such as names, location data, email addresses, health records and photos, to name a few.
Essentially, it is anything that could identify a living person. In the UK the GDPR is also supplemented by a new Data Protection Act, which fills in the sections of the regulation that were left to individual member states to interpret and implement, and which applies the GDPR's provisions to certain areas that are outside the regulation's scope. Failing to comply with the GDPR's requirements will leave organizations open to considerably higher penalties than they faced under the 1998 Data Protection Act, with maximum fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is greater. But it's not all about increased obligations and penalties: there are significant benefits to GDPR compliance. The new law promotes greater transparency and accountability, and aims to build public trust by giving people more control over their information.
Getting information security right means organizations will improve their reputation and build better trust with existing and potential customers. By implementing and maintaining the technical and organizational measures required by the GDPR, organizations will also benefit from greater levels of information governance and cyber resilience, which will help them mitigate the daily onslaught of cyber attacks. If your organization still falls short of compliance, it's by no means too late to take steps to ensure your compliance with the law. So what do you need to do?
First, it's important to understand some of the terminology the regulation uses.
“The GDPR defines personal data as any information relating to an identified or identifiable natural person, including names, identification numbers, location data, online identifiers, and one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.”
Processing is any operation or set of operations performed on personal data, whether by automated means or not. Data processors process personal data on behalf of data controllers, and data controllers determine the purposes and means of the processing.
Data controllers are responsible for, and must be able to demonstrate, compliance with six data processing principles. Personal data must be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in a manner that ensures appropriate security
There are also six lawful bases for processing (processing of special categories of personal data is prohibited except under certain circumstances). Personal data can only be processed if it's necessary:
- To fulfil contractual obligations entered into by the data subject
- To comply with the data controller's legal obligations
- For tasks in the public interest or the exercise of official authority vested in the data controller
- For the purposes of legitimate interests pursued by the data controller
- If the data subject gives their explicit consent
- To protect the data subject's vital interests
Many people focus on consent, but it's arguably the weakest lawful basis for processing because it can be withdrawn at any time. It has to be as easy for individuals to withdraw their consent as it was to give it, and they can withdraw it via any medium. When consent is withdrawn, your organization will be obliged to erase the individual's data if they request it, unless you can demonstrate a lawful reason to retain it; for instance, the legitimate interests basis may apply.
In many cases, organizations will be able to rely on legitimate interests. As the most flexible of the six lawful bases for processing, it could theoretically apply to any type of processing carried out for any reasonable purpose, although the onus will be on you to balance your legitimate interests against the interests, rights and freedoms of the data subjects. Whichever lawful basis for processing you deem appropriate for each processing activity, your organization must keep a record of it. This will also help you in writing privacy notices, which must be provided to data subjects as part of their right to be informed when their personal data is collected, whether it's collected directly or indirectly.
As well as the right to be informed, data subjects have a number of other rights which data controllers must be able to facilitate:
A. The right of access
B. The right to rectification
C. The right to erasure
D. The right to restrict processing
E. The right to data portability
F. The right to object
G. The rights in relation to automated decision making and profiling
Data security is an important part of GDPR compliance. Among other requirements, your organization must implement appropriate and proportionate technical and organizational measures to protect personal data, as must any third-party organization that processes data on your behalf, and if your organization suffers a data breach, reporting it is now mandatory. Data processors must report all breaches of personal data to the data controller, and data controllers are required to report breaches to the Information Commissioner's Office within 72 hours of discovering them if there is a risk to data subjects' rights and freedoms. Data subjects themselves must be notified without undue delay if there is a high risk to their rights and freedoms. If the data is anonymized or encrypted to the extent that it is no longer possible to identify data subjects, there is no such risk.
GDPR compliance is not just a matter of ticking a few boxes. Demonstrating compliance with the regulation's data processing principles involves taking a risk-based approach to data protection, ensuring suitable policies and systems are in place to deal with transparency, accountability and individuals' rights, and building a workplace culture of data privacy and security.
10 Tips you need to know
The new GDPR laws have come about because the last time data protection laws were created was in the nineties. Since then there has been a boom in technology, such as the internet, and people feel that they've lost control of how their information is being used and stored. So the GDPR laws are a positive thing, because they allow the everyday person to take back control of what data people hold on them. To make sure you're compliant with GDPR:
- Tip one: store all of the data you have on your employees, suppliers and customers in an organized fashion.
- Tip two: make sure that data is safely secured. What measures have you got in place to make sure that nobody could leak or hack it?
- Tip three: don't hold on to data unnecessarily. This is a big one coming in with the new laws: you can't hold on to data if you don't need it.
- Tip four: have a really clearly written fair processing policy. This is something you're likely to already have in the form of a privacy policy, so it may be familiar; all it is is a document that really clearly explains…
- Tip five: if somebody asks "what information do you have on me?", do you have a process so that you can easily give that to them? With the new law you have to be able to supply people with the information you hold on them.
- Tip six: have a process in place so that if someone asks you to delete all their data, you can. That's part of the new law, so make sure you know where all of the information you have on them is, so you can easily wipe it.
- Tip seven: allow people to positively opt in to you holding their data and using it for marketing purposes. What this means is that if you're going to use someone's data for marketing, they need to have positively opted in.
- Tip eight: try layered opt-in forms. This is something the GDPR is simplifying and something I really like. A layered opt-in form allows users to easily access and understand their information.
- Tip nine: if you're using people's information to send them marketing, make it really easy for them to opt out of it. If you're using emails, you need to make sure people can unsubscribe; the same goes for text messages and call services.
- Tip ten: make sure all your team know about the new GDPR laws. You should actually put this in an email, again just to show that you're very conscious of the laws, and train all of your employees on everything.
So, in short, you are going to contact everyone, and they are going to have to positively opt back in for you to keep their data secure. I hope you found these tips and GDPR summary useful; please comment your thoughts below if this was helpful.
Nice post you have shared here, thanks for sharing, keep posting and keep going. Here I have got to know about a company which is GDPR Consultants, where they are providing services for GDPR and Software Development.
online gdpr training: I'm going to read this. I'll be sure to come back. Thanks for sharing. And also, this article gives the light in which we can observe the reality. This is a very nice one and gives in-depth information. Thanks for this nice article...