Introduction to GDPR
European Union has introduced GDPR Regulation to protect the fundamental right to privacy for every EU citizen. In simple words, the data subject (EU citizen) will be made aware of on the 5 ‘W’s’ of When, Where, What, Who, Why and also the ‘H’ for ‘How’ their personal data is being used, processed, stored and disposed.
GDPR extends and transcends beyond the EU – meaning any collection / usage of anEU citizen’s personal data handled outside of the union by any entity has to adhere to GDPR. GDPR regulation has been in effect since 25th May 2018 and hence any organisation that works with EU citizen’s personal data in any manner, irrespective of location, is under the obligation to protect the personal data.
So that brings us to two basic words that covers the whole GDPR
- Personal Data
Inclusions in “Personal Data”
The ambit of ‘personal data’ now extends to physical, physiological, genetic, mental, economic, cultural or social identity of a person.
Besides confidentiality, the ambit of ‘Protection’ now extends to maintaining privacy of personal data.
The regulation outlines the various principles based on which personal data can be collected, stored, used and retained. The application of these principles provides for many things in relation to upholding a citizen’s right to privacy
- Protect from unlawful access
- Report breach
- Allows citizen to access what data about them has been collected and used.
- Allows citizen to correct the data about them
- Honour their request of not to use their data for marketing
- Honour their request to permanently delete data or transfer their data to another service provider
- And above all most importantly, obtain their consent to store, process or transmit or transfer their data
Important Questions that GDPR requires us to ANSWER
- Are we storing personal data?
- If Yes WHERE are we storing personal data?
- For WHAT is that data being used ?
- WHEN do we use it ?
- WHY do we need it?
- WHO all in the company internally/externally has access to the data?
- HOW long do we retain it?
- Did we get consent from the data subject for dealing with their personal data?
- Have we clearly communicated to Data Subjects that we are storing this data?
- Do we give them a clear choice to opt in or out at any time?
- Can any of it be eliminated?
- Do we audit access to this data?
- Do we encrypt/ mask any of the personal data
- Do users have an easy way to access, correct, copy or get it deleted ?