The General Data Protection Regulation (GDPR) became applicable on May 25, 2018. Since that date, every company that processes personal data within its scope has been subject to its obligations.
What Is The GDPR?
The GDPR is a European Union regulation, not a directive: it applies directly in every member state, without needing to be transposed into national law, and it obliges all companies and public bodies to follow a common set of rules when processing personal data.
In other words, since May 25, 2018, every company that processes personal data has been required to comply with the GDPR.
The peculiarity of this regulation is its territorial reach. It protects people who are in the EU, whatever their nationality, and it binds any organisation established in the EU as well as any organisation established elsewhere that offers goods or services to people in the EU or monitors their behaviour there.
Not just in France or in Europe.
An organisation cannot escape the regulation simply because it, or its servers, are located outside the EU: what matters is whose data is processed and why.
The same text applies uniformly in all EU member states, so there is no national variant to pick and choose from.
What Are The Objectives Of The GDPR?
But why such a regulation?
The purpose of the regulation is to protect people in the EU against the misuse of their personal data.
Those people are me, you and every member of your family.
Do you know how many companies hold your personal data?
Do you know what they do with it?
The GDPR is therefore there for us, our generation and the ones that follow, to protect everyone against organisations, large or small, that would misuse that data.
That is why it is needed.
In Which Case Does The GDPR Apply?
The GDPR applies to all processing of the personal data of people in the EU, whether automated or kept in a structured paper filing system.
The only exception that concerns an individual is processing carried out for purely personal or household activities, your private address book for instance.
Every other handling of such personal data is subject to it.
It is therefore necessary to take stock of all the data processing you carry out in the course of your business activity.
What Are The Obligations Imposed By The GDPR?
- Build data protection into every processing operation from the moment it is designed. This is known as data protection by design.
- Apply data protection by default: out of the box, process only the personal data that is necessary for each specific purpose, and back this up with a data protection culture, a code of ethics and training for your employees and collaborators.
- Keep an internal register of processing activities that lists every processing operation currently carried out or planned for the future. This register must be produced to the supervisory authority (the CNIL in France) in the event of an inspection.
- Carry out a data protection impact assessment (DPIA) for processing that is likely to present a high risk to the people concerned.
- If you process so-called sensitive personal data on a large scale (for example health, biometric or political data), you are required to carry out this impact assessment before the processing begins.
- Keep the impact assessment with the mandatory register so that it can be presented to the inspector from the supervisory authority.
- Consult the supervisory authority before starting the processing whenever the impact assessment shows that a high risk remains despite the measures you plan to take.
- Check the compliance of your processors (subcontractors who handle personal data on your behalf) and bind them by contract.
- Appoint a Data Protection Officer (DPO) where the regulation requires one: public authorities, organisations whose core activity involves large-scale regular and systematic monitoring of people, and organisations that process sensitive data on a large scale. The DPO replaces the former French "IT and liberties correspondent" (CIL).
What Are My Other Obligations Under The GDPR?
Collect Data Intelligently:
- When you rely on consent, it must be freely given, specific, informed and unambiguous.
- This means that any collection of personal data must be accompanied by a clear and precise explanation of the purposes of the collection.
- You can no longer ask people for blanket permission to share their personal data with your partners without naming those partners and stating the purpose of the sharing. Consent must be an active choice by the person: this is called opt-in.
Limit The Data Retention Period:
- In the interest of the people concerned and to limit the impact of a breach, the regulation requires you not to keep personal data for longer than is necessary for the purpose of the processing (the storage limitation principle).
- Every planned processing operation must therefore define a retention period for the personal data it uses, after which the data is deleted or anonymised.
- This is also a matter of data security: data that has been deleted can no longer be exposed in a breach.
Respect The Exercise Of The Rights Of Objection, Rectification, Access, Portability And Erasure
Any person whose personal data you hold has the right to ask you, at any time and by whatever means they prefer:
- To provide them with a copy of all the data you hold about them, together with the purposes of the processing and the recipients of the data.
- To rectify data that is inaccurate or incomplete in your database.
- To exercise their right to data portability by receiving their data in a structured, commonly used, machine-readable format, for example if they decide to change service provider.
- To object to the processing, in particular where it is carried out for direct marketing.
- To have all the information concerning them permanently deleted from your database. You must comply unless one of the exceptions in the regulation applies, for example a legal obligation that requires you to retain the data.