Page 53 - Payout Magazine Online Volume 8.7
Key Points Covered in the GDPR

1. Data Portability

All clients and customers have the right to download their data and transfer it to another provider should they wish to do so. The GDPR states that your business must be able and willing to fulfil any request of this kind.

2. Privacy by Design

The GDPR requires that all applications and systems be built from the ground up with privacy in mind, rather than applying band-aid solutions to existing systems. The GDPR further clarifies this concept in Article 25 (data protection by design and by default), which requires that data controllers hold only the information that is necessary for the purpose they are carrying out and that, by default, only the personnel who need that data should have access to it.

3. Notification of Breaches

In the past, many companies have waited weeks before notifying customers about data breaches that gave unauthorized access to their personal and security information. The GDPR makes notification to the supervisory authority mandatory within 72 hours of a business becoming aware of a breach, and the affected individuals must be told without undue delay when the breach is likely to result in a high risk to them.

However, the regulation stipulates that this applies when the breach is likely to "result in a risk to the rights and freedoms of individuals." Simply put, if the leaked data is anonymized, or was protected so that it cannot be read (for example, encrypted with a key that was not exposed), notifying the affected individuals may not be required; the business still has to document the incident and assess the risk.

4. Consent

Businesses are not allowed to ask for consent in long, drawn-out legalese that may be easy to misinterpret or difficult to understand. Permission must be requested in easy-to-understand language. If your business requires the data to be used in a specific way, then the consent must address that situation using clear and specific terms.

5. The Right to Be Forgotten, or the Right to Erasure

The right to be forgotten sounds simple, but it is more complicated than it appears. Article 17 of the GDPR states that individuals have the right to request removal of their personal data from the systems of data controllers and processors. Subjects can request that the data be removed by withdrawing their consent for a business to use it, and if the data has been made public, then the controller is obligated to take all reasonable steps to have other controllers and processors remove it. An example would be an untrue story that has been published and appears in numerous locations.

There are a few exceptions where data may not have to be erased, which include a bank's legal requirement to keep data for seven years, reasons of public interest in the area of public health, historical research, scientific significance, or public interest for archiving purposes.

6. Scope

The GDPR covers all companies processing the personal data of individuals in the EU, whether that company resides in the EU or not. The concept of personal data covers anything which can identify an individual directly or indirectly, such as pictures on Instagram, Facebook posts, and personal addresses. It also includes business material such as documents, files, resumes, and contracts.

7. The Right to Information

A business collecting information in compliance with the GDPR will need to inform its customers not just about how their data is collected, but also about how it is being used and how it is being kept secure. In most instances, this information will be relayed when asking for consent at the start of the relationship.

However, your customers also have the right to be kept in the loop, so your business should be ready to divulge the information in a concise and easy-to-understand format whenever it is requested.

While the GDPR is not a U.S. law, its far-reaching effects can undoubtedly impact any business with ties to the EU, which will include almost every company with an online presence.

GDPR compliance may also provide compelling business advantages, as complying will help your business adopt best practices for improving control and security of your company's information and enhance the integrity of the data you maintain.