EU GDPR –
GDPR stands for General Data Protection Regulation. GDPR is a data privacy requirement that every company storing, processing or transferring data of EU citizens has to follow. It covers any data relating to PII, PHI or financial information about individuals.
GDPR also applies to all organizations outside the EU that do business with, or offer products or services to, EU citizens.
GDPR strengthens data subjects' rights and governs how a company processes their data.
So, quickly coming to some requirements that a company should follow to remain GDPR compliant:
1. Companies need to inform end users about their fair data use policy (the nature and purpose of data usage).
2. Companies can't hold information about data subjects for too long without their proper consent.
3. End users can ask at any time for the information a company holds about them to be deleted.
4. End users can ask a company to show the type of data it has stored about them.
5. GDPR also provides data protection for children under the age of 13. Their parents have to give consent to a company that is going to hold/store information about the children.
6. A DPIA (Data Protection Impact Assessment) needs to be conducted by an organization that is going to store PII (direct or indirect information that can identify an individual) or PHI (health records) about any individual residing in the EU.
7. Organizations have to minimize data collection and retention and gain consent from consumers when processing data; in other words, they must minimize the collection of consumer data, minimize with whom they share the data, and minimize how long they keep it. The goal is for organizations to collect or store only the information they need for the intended purpose, particularly with regard to personal data.
8. Companies need to inform end users of any data breach within a time period of 72 hours.
9. There are two roles defined in the GDPR regulation, i.e., Data Controller and Data Processor.
Data Controller: Any business that determines the purposes and means of processing personal data is considered a "controller."
Data Processor: Any business that processes personal data on behalf of the controller is considered a "processor."
Nice blog, it is very impressive.