7 things Cloud Analogy needs to take care of under the GDPR
Consumers have long wondered what personal data technology giants such as Facebook and Google hold about them. Until recently they heard very little back from these companies, even on a question as simple as “Why do I see this ad?”.
Europe has been a trailblazer on privacy and data protection. On May 25, 2018, the picture changed decisively when the European Union’s new privacy law, the General Data Protection Regulation (GDPR), came into force, restricting how personal data may be collected and handled.
In this post, we provide some insights on how Cloud Analogy takes care of its overseas clients in terms of GDPR.
First, let us answer “What is GDPR?”.
- What is GDPR?
It is a regulation that protects the personal data of individuals in the EU, with a particular focus on data collected and processed online.
It is a package of new legislative rules. It is a regulation, not an EU directive, so it does not require further action by the member states to enact it: it became directly binding in every member state from May 25, 2018.
Second, we need to answer “Why was the General Data Protection Regulation required?”.
- Why Require GDPR?
If your business collects, stores or uses personal information, its processes are certain to be affected by GDPR. But why was GDPR needed? Technology has advanced rapidly and a massive amount of data is now collected; the EU set out to keep privacy law relevant to that world.
Moreover, the EU wanted a single uniform law applying across all 28 member states (as of 2018) in place of differing national laws. GDPR not only expands the privacy rights of individuals but also places new obligations on the organizations that handle their information.
Third, “What kind of data is covered under GDPR?”.
- What kind of Data is Covered under GDPR?
Any data relating to an identified or identifiable individual falls under GDPR. Examples are uniquely identifying numbers such as the equivalents of U.S. Social Security numbers or Canadian Social Insurance numbers, as well as the routine data collected by websites: IP addresses, home addresses, dates of birth, and physical device information such as the MAC address of your computer.
Online financial transaction histories and medical records are covered as well. So are social media posts such as tweets and Facebook updates, and even personal images uploaded to any website. A piece of data need not be sensitive to be personal data; anything that can be linked back to a person counts.
Next, we come to non-compliance with GDPR.
- What happens for non-compliance with GDPR?
Non-compliance carries heavy consequences. Supervisory authorities have a range of corrective powers (Article 58): they can issue warnings and reprimands, order a company to bring its processing into compliance, temporarily or permanently ban processing, and impose administrative fines. There is no fixed escalation from warning to fine, and ignorance of the law is no defence.
Authorities also have investigative powers, including the power to carry out data protection audits and to obtain access to the personal data, premises and equipment of a company under investigation. A company found in violation can therefore expect to open its systems and records to an auditor.
Fines come in two tiers. Less serious infringements can cost up to EUR 10 million or 2% of worldwide annual turnover; the most serious ones (for example, violations of the basic processing principles, of data subjects’ rights, or of the rules on international transfers) up to EUR 20 million (approximately $23.5 million USD at the time) or 4% of worldwide annual turnover for the preceding financial year, whichever is greater.
Fifth is affirmative consent as handled by GDPR.
- What is Affirmative Consent for GDPR?
Affirmative consent lets an individual give a company permission, for example to be added to its email list. GDPR strengthens this opt-in process: consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give. Pre-ticked boxes and silence do not count. Where consent is the lawful basis, it must be obtained before the company stores, processes or uses the data, and the request must be presented in clear, easily understood language. Consent is only one of several lawful bases (performance of a contract or a legitimate interest can be another), and the rights apply to anyone in the EU, not just EU nationals. For children, parental consent is required for online services offered directly to a child under 16; member states may lower that age, but not below 13.
Sixth, do we need to hire a Data Protection Officer for GDPR?
- Do we need to hire a Data Protection Officer to comply with GDPR?
GDPR is strictly enforced, but appointing a Data Protection Officer (DPO) is not mandatory for every organization. It is required (Article 37) for public authorities, for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those processing special categories of data (such as health data) or criminal-conviction data on a large scale. An organization outside these cases may still appoint one voluntarily. Either way, any company that collects, stores or processes the data of individuals in the EU must comply with the regulation, DPO or not.
Seventh, we come to pseudonymised data in GDPR.
- What is “Pseudonymised Data” in GDPR?
Personal data under GDPR covers more than identification numbers; it includes special categories such as racial or ethnic origin, religious, political and philosophical beliefs, and biometric and genetic data (fingerprints, DNA), which receive extra protection. Companies are encouraged to pseudonymise data: replace the directly identifying fields with tokens so that the records can no longer be attributed to a specific person without additional information, such as a key or lookup table, that is kept separately and protected (Article 4(5)). Pseudonymisation does not take the data out of GDPR’s scope and does not delete the data points; it limits the damage of a breach, because a leaked pseudonymised data set is of little use to an attacker who does not also obtain the separately held key.
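As an added example (not code from the original post or from Cloud Analogy’s own tooling), here is a small Python pseudonymiser that replaces the email and IP fields of customer records with keyed HMAC tokens, keeps the re-identification table separate from the pseudonymised data, and shows why a plain unkeyed hash is not enough. The records, addresses and key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample records; the people and addresses are fictional.
RECORDS = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "purchase": 42.50},
    {"email": "bob@example.com", "ip": "198.51.100.9", "purchase": 13.00},
    {"email": "alice@example.com", "ip": "203.0.113.7", "purchase": 7.25},
]

# Fields that directly identify a person and must be replaced by tokens.
DIRECT_IDENTIFIERS = ("email", "ip")


def naive_token(field: str, value: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can rebuild it from guesses."""
    return hashlib.sha256(f"{field}:{value}".encode()).hexdigest()


def keyed_token(field: str, value: str, key: bytes) -> str:
    """HMAC-SHA256 keyed by a secret that is held outside the data set.

    The field name is mixed in so the same string appearing in two different
    fields (say an email used as a username) does not yield the same token.
    """
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Pseudonymiser:
    """Replaces direct identifiers with keyed tokens and keeps the
    re-identification table separate from the pseudonymised records."""

    def __init__(self, key: Optional[bytes] = None):
        # In production the key lives in a KMS/HSM, not next to the data.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: dict = {}  # (field, token) -> original value

    def pseudonymise(self, records):
        out = []
        for rec in records:
            copy = dict(rec)
            for field in DIRECT_IDENTIFIERS:
                tok = keyed_token(field, rec[field], self.key)
                self._lookup[(field, tok)] = rec[field]
                copy[field] = tok
            out.append(copy)
        return out

    def reidentify(self, field: str, token: str) -> str:
        """Only the party holding the lookup table (or the key) can do this."""
        return self._lookup[(field, token)]


def spend_per_customer(pseudonymised):
    """Analytics still work on tokens: group purchases by the email token."""
    totals = defaultdict(float)
    for rec in pseudonymised:
        totals[rec["email"]] += rec["purchase"]
    return dict(totals)


def dictionary_attack(tokens, guesses, token_fn):
    """An attacker holding leaked tokens tries to reverse them from a guess list
    of likely email addresses; returns whatever they manage to recover."""
    table = {token_fn("email", g): g for g in guesses}
    return {t: table[t] for t in tokens if t in table}


if __name__ == "__main__":
    p = Pseudonymiser()
    data = p.pseudonymise(RECORDS)
    for rec in data:
        print(rec)
    print("spend per token:", spend_per_customer(data))
    guesses = ["alice@example.com", "carol@example.com"]
    print("naive hash recovered:",
          dictionary_attack([naive_token("email", r["email"]) for r in RECORDS], guesses, naive_token))
    print("keyed token recovered:",
          dictionary_attack([r["email"] for r in data], guesses, naive_token))
```

The point of the dictionary attack at the end is the caveat practitioners most often miss: hashing an email address without a key is not pseudonymisation in any useful sense, because email addresses are cheap to enumerate. The keyed version is only as strong as the secrecy of the key, which is exactly the “additional information kept separately” that Article 4(5) describes.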
Article 22 of GDPR gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects for them, such as the algorithmic decisions made by companies like Google. Where such decisions are permitted (for instance with the individual’s explicit consent), the individual can demand human intervention, express their point of view and contest the decision. The intent is to keep human oversight over algorithmically generated decisions.
In case of a data breach, the responsibility lies with the data controller (the DPO advises, but does not carry the liability). The controller must notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; a processor must notify its controller without undue delay. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected individuals without undue delay.