In order to ensure your business is GDPR compliant, it’s important to understand what rights you, and every data subject, have under the new regulation. The biggest development is the transfer of control to the data subject where their data is concerned: collection, storage, usage, changes, and deletion.
Privacy by Design
Data protection by design means that measures are put in place to ensure privacy at the design stage (or the moment that the means of data processing are decided upon).
Data protection by design tips the scale in favour of the rights of the citizen. It means simply that your data is collected, stored, and used in such a way that privacy is a given: it is the default setting and embedded into the design. Proactive measures are put into place, rather than reactive measures taken after an event (such as a data breach or data leakage).
It also implies that the security of your data receives attention as a matter of course. Transparency and visibility will become the norm and not the exception.
Privacy by Default
Data protection by default means that technical and organisational measures need to be taken to ensure that, by default, only personal data that is necessary for a specific purpose is processed. This obligation covers the amount of data collected, the extent of processing, the storage period and accessibility. In short: by default, the less personal data processed, the better. This obligation also means that, by default, personal data is not made accessible to others without the data subject’s intervention.
Did you give sufficient and clear permission for your data to be collected, collated and used for the purposes that were declared to you? Under the new GDPR, it must be as easy to withdraw your consent as to give it.
Consent is valid only if you are over 16 years of age. Individual Member States may lower this age to 13 (Article 8 GDPR).
What is your right to privacy?
The GDPR will increase the individual rights of each natural person (that is, an EU citizen) so that they have the right to be forgotten, the right to object, the right to rectification, the right of access, and the right to portability of their data (the information stored about them).
You must ensure that you can accommodate these rights if you are processing the personal data of EU citizens. This means that NO guide or tips on the GDPR can replace your full understanding of the complete GDPR documentation.
Data Subject rights
What is a data subject? A natural person, i.e. you!
Right of access – allows you access to personal data being stored about you and also to know if that data is being processed.
Right to rectification – allows you to rectify, without any undue delay, your inaccurate personal data.
Right to object – allows you to prevent controllers from further processing your personal data (as long as there are no compelling legitimate grounds for continuing it).
Right to the restriction of processing – allows you to prevent controllers from processing your personal data while information about you is being corrected or updated. They are still permitted to store your data.
Right to erasure – simply put, this is the right to be forgotten. You can request that your data be removed immediately and that further distribution of your data cease (so third parties must halt processing of the data). There are exceptions to this covered under Article 17 GDPR.
Right to data portability – allows you to move your personal data from one controller to another for your own purposes. It allows you to move, copy or transfer your data easily from one environment to another in a safe and secure way, without hindrance to usability. There are exceptions to this covered under Article 20 GDPR.
Right in relation to automated decision making and profiling – there are safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention, whether through profiling alone or through automated decision making that involves profiling.
Every natural person has the right to lodge a complaint with a supervisory authority and to seek compensation from a Data Controller or Processor (a Processor is liable only if it has acted outside or contrary to the lawful instructions of a Controller). Compensation is considered if you have suffered material or non-material damage as a result of an infringement of the GDPR.
GDPR and personal data
Personal data refers to any information about a natural person. This can include “name, gender, occupation, social security number, physical address, email address, IP address, behavioural data, location data, biometric data, financial information and other types of data that is available in different forms; including alphabetical, numerical and graphical and is kept on paper or stored in computers or in any other manner.”
Quite a mouthful! It can also refer to an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR and special or sensitive personal data
In addition to personal data, special or sensitive data refers specifically to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify natural persons, health data, and data concerning an individual’s sex life or sexual orientation.
GDPR and your business
Your data (as a natural person)
If you sign up for a newsletter or buy a product or service as a business owner, you may need to share personal data about yourself. This data is covered under the new GDPR because you, as an individual, are a natural person.
Your company data (as a legal person)
The new Regulation does not deal with the rights and freedoms of legal persons, such as companies. This means any data you share about your company is not protected by the GDPR in the way your own personal data is. This could affect the type of transactions you do for your business, especially if you are a sole trader (a one-person business). As sole traders, we often use personal information (phone number, address, etc.) for our business.
If you would like further in-depth information on the GDPR please feel free to download my comprehensive Guide to GDPR. You will also receive limited follow-up support and gain access to a DATA AUDIT WORKBOOK, a CONSENT CHECKLIST and a GDPR CHECKLIST.
Please note: the GDPR series of articles on this blog does not promise to be either a full synopsis or a full interpretation of the GDPR. I have simply taken the aspects of the GDPR I feel are most relevant to the small business owner. Everything you read online about the GDPR will be some kind of interpretation, synopsis or summary of the GDPR. Unless, of course, you read the full text itself.