The Internet changes every day, and so do the ways we use it. The biggest change the internet has seen in the past 20 years with regard to data protection is GDPR.
The General Data Protection Regulation, usually abbreviated to GDPR, came into force on May 25th, 2018. It is a set of rules that applies to websites and organizations and governs how the personal data of data subjects must be handled.
GDPR applies to citizens who reside in the European Union and to organizations that control, process or transfer the data of EU data subjects. It imposes stricter rules on how organizations handle user data.
GDPR gives us a clearer picture of the different types of data that count as personal data: data such as name, address and email that can directly identify an individual; data such as IP address and location that can indirectly relate to an individual; and sensitive data such as medical records and genetic information. Under GDPR all of this data must be safeguarded by the organization, which will otherwise be held accountable.
When users are providing their personal information to the websites, they need to be aware of their rights. GDPR intends to make sure all websites honor these rights of the user, which are as follows:
The Right To Be Informed
Under this right, the website must let its users know what type of data is processed, why the website needs that data, how long it will be stored, whether the data will be shared with anyone and what the data subject's rights are.
The Right To Access
GDPR allows users to ask for access to their personal information shared on any website. The users should know the purpose of their data being processed and of any third parties with whom the data may be shared by the website.
The Right To Rectification
The website must allow users to change the data they submitted if it is incomplete or has changed. The data collected must be kept up to date, and data subjects must be able to rectify it when needed.
The Right To Erasure
This right is also called the right to be forgotten. When a user no longer wants to be part of a website, the website must comply with their wishes, erase all of their data and stop any processing of it with immediate effect.
However, depending on certain circumstances the website has the power to decline the request of the user.
The Right To Restrict Processing
Users can restrict the processing and use of their data if they choose to. The data may remain on record but must not be used.
The Right To Data Portability
Under this right, users can transfer their data from one service to another. The website must honor this right and let users do so if they wish.
The Right To Object
Similar to the right to restrict processing, users can object to the use of their personal information in various circumstances, especially direct marketing. As soon as such a request is received, any ongoing processing must be halted and the user's data must not be used anywhere. This right must be made clear to users before any data is collected.
The Right To Object To Automated Decision Making
Automated processing of users' data may be carried out only when required by law. In any other case, the user must be informed immediately and told of simple ways to challenge the decision.
Read the rights of data subjects in GDPR to know more about each right.
Legal Basis for Processing of Data in GDPR
The processing of data is lawful only under the following conditions:
- The data subject has given their consent for the processing of their data for one or more specific purposes.
- The processing is necessary for the performance of a contract to which the data subject is party.
- The processing of the data subject's personal data is necessary for compliance with a legal obligation to which the controller is subject.
- The processing of the data subject's data is necessary to protect the vital interests of the data subject or of another person.
- The processing of the data subject's personal data is necessary for the performance of a task carried out in the public interest.
- The processing of the data subject's data is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the fundamental rights of the data subject that require protection, in particular where the data subject is a child.
How to Know Whether Your Website Is GDPR Compliant
We have discussed the rights that data subjects have. Every website should honor these rights and make sure the following points are taken care of:
The terms and conditions specified on the website must be clear and written in simple words. Users must be able to understand what is written and must explicitly give their consent, with the choice to freely withdraw it at any time.
Notifications in Case of Data Breach
Users must be notified within 72 hours of a data loss or breach; failing to do so can lead to fines.
Providing Users Their Data
Users have the right to request their data. The website must provide them with a complete, free electronic copy of it and must also explain how their data is being used.
The users can request to delete their data from the website as per their rights if they wish to no longer be a part of the website.
Privacy by Design
The website must be designed to be secure, with appropriate security controls in place. The privacy of all its users should be the top priority of the design.
If your website does not comply with GDPR rules and fails to give users their privacy, you can be penalized. Failure to comply with GDPR can result in fines of up to €20 million or 4 percent of the offending organization's annual revenue, whichever is greater. You can learn more about the fines on What are the Fines for Not Complying with GDPR.
Hence we can see that GDPR brings a new level of data transparency. All websites need to be less secretive and more open about how they process data. GDPR may be a complex topic, but it is certainly an important one. It protects not only users but also organizations from overstepping their boundaries.