Date : April 03, 2018

Category : Gdpr

Basically, GDPR protects user data in just about every conceivable way. The GDPR operates with an understanding that data collection and processing provides the basic engine that most businesses run on, but it unapologetically strives to protect that data every step of the way while giving the consumer ultimate control over what happens to it.

In order to be GDPR-compliant, a company must not only handle consumer data carefully but also provide consumers with myriad ways to control, monitor, check and, if desired, delete any information pertaining to them that they want.

Companies that wish to stay in compliance must implement processes (and in many cases, add personnel) to ensure that when data is handled, it remains protected. To comply with this requirement, GDPR promotes pseudonymization, anonymization and encryption.

Anonymization is the encryption or removal of identifiable information so that it can never be tied back to a user. Pseudonymization is somewhere between identified and anonymous. With pseudonymization, the data components are anonymized and separated but can be put back together. For example, a system might assign a user one identifier for location and another for browser that can only be tied back to the user if it is put together with their date of birth, which is kept separately. The regulation promotes pseudonymization over anonymization.

According to GDPR, companies must ensure that customers have control over their data by including safeguards to protect their rights. At its core, the protections have to do with processes and communications that are clear and concise and are done with the explicit and affirmative consent of the data subjects.

How do the regulations seek to protect consumers?
Broad jurisdiction. The GDPR applies to all companies that process personal data of EU citizens, regardless of where the EU citizen resides.

Strong penalties. Breaches can cost companies up 20 million Euros or up to 4 percent of their annual global turnover. Some infractions are less expensive but still represent a significant penalty.

Simplified and strengthened consent from data subjects. Consent must be given in an easy-to-understand, accessible form, with a clear written purpose for the user to sign off on, and there must be an easy way for the user to reverse consent.

Mandatory breach notification. Any data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported within 72 hours of its discovery. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.

A reiteration of important consumer rights. This includes the data subject’s right to get copies of their data and information on how it’s being used and the right to be forgotten, also known as Data Erasure. Additionally, it will also allow customers to move their data from one service provider to another.

Better systems. In order to comply with the core foundation of “privacy by design,” GDPR requires processes to be built with data protection in mind, rather than treated as an afterthought.

Specific protection for children. Since kids are generally more vulnerable and less aware of risks, GDPR includes guidance that includes parental consent for children up to age 16.