The EU General Data Protection Regulation (GDPR) was designed to blend data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy. The GDPR aims to give citizens and residents control over their personal data as well as to simplify the regulations for international business through unifying the regulation within the European Union. The GDPR states that business processes that handle personal data have to be built with data protection by design and by default. This means that personal data must be stored using pseudonymization or full anonymization as well as use the highest possible privacy settings by default to ensure that the data is not available publicly without informed consent.
It must be noted that any American company that operates a website and retrieves data from a European Citizen, is thereby subject to the jurisdiction of the GDPR. This means that currently there is a mad dash by American companies to update their website and privacy policies. Under this regulation, there is not to be any personal data processed unless it is done under a lawful basis specified within the regulation or if the data controller received an individualized affirmation of consent from the data control. The data subject may revoke this consent at any time.
How can a someone give consent? Ideally a consumer on a website will see a little dialog box pop up regarding privacy, and they will need to ‘check a box’ to provide their consent. Other notable aspects of the GDPR:
1. Consumers have ‘audit rights’, in that they can seek to inspect your servers or inquire as to where and how you store their personal data.
2. If audited, a company will have to prove they have procedures in place to protect data.
3. If company servers are hacked, this must be disclosed to authorities within 72 hours and a triage process must be in place.
For more information on the GDPR and/or how to become compliant – please contact us here at Bolimini International.