Personal data of citizens has always enjoyed a certain level of protection. However, since the technological revolution began, more and more data is being collected and processed by various companies, which poses new threats to people's security.
It is not surprising that everyone wants their personal information to be used only where needed, and many companies have not been that good at protecting their clients. With the Data Protection Directive being a little too old for modern standards, the EU General Data Protection Regulation (GDPR) will be directly applicable from May 2018. Here is a complete guide to the protection of personal data in the company.
Who is responsible for data protection?
Compliance with the GDPR is obligatory for all companies collecting and processing the data of EU citizens. Under the GDPR there are two main parties that the rules apply to: the controllers and the processors. A controller, according to Article 4 of the EU GDPR, is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". A processor is then "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".
After making sure that the roles of controller and processor in the company have been established, it is time to implement all the rules that the EU GDPR sets for all companies to follow. First of all, companies must be aware that they must follow the rules of the EU GDPR whenever they are dealing with the personal data of EU citizens. This comes as news to companies that did not need to follow European regulations as long as their offices were not physically located within the EU.
One of the most discussed rules that the GDPR introduces is "Privacy by design". This means that it is now a legal requirement that security must be built into products and processes from day one. The GDPR also gives individuals the right to transmit their data from one controller to another.
This means that organizations and companies must be able to provide an individual's personal data in a commonly used and machine-readable format. This rule is also connected to the new "right to be forgotten". If a citizen requests that the company delete their personal data, the company must do so. The obligation does not end with deletion, however: the company can no longer share the data with third parties, and those parties are also obligated to stop processing it.
Are you interested in data protection in your company/organization? Try ins2outs and implement new standards.