GDPR General Queries – Questions and Answers – Part 1
Thursday, June 11, 2020
We’re getting lots of queries about GDPR (General Data Protection Regulation) and it seems that individuals and companies need more clarification on it. That’s why we’ve put together a GDPR FAQ – a list of frequently asked questions about the regulation and our responses to them.
If you’re not sure what GDPR really is, please go to our first post of GDPR – A complete Guide.
Refer to our FAQ – Part 2 for questions around GDPR technical discussions.
GDPR full form / What does GDPR stand for?
GDPR stands for General Data Protection Regulation.
What does GDPR mean?
The General Data Protection Regulation, or GDPR, is a regulation in EU law on data protection and privacy for European citizens, regardless of where the data is stored. It protects the privacy of European citizens all over the world and ensures that the privacy of their personal information is not compromised. It aims primarily to give individuals control over their personal data and to simplify the regulatory environment for international businesses by unifying the regulation.
Which act of parliament is GDPR?
GDPR is a regulation in EU law, also referred to as Regulation (EU) 2016/679. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 is a law on the protection of natural persons (citizens of the EU) with regard to the processing of personal data and on the free movement of such data, and it repeals Directive 95/46/EC (General Data Protection Regulation). It is the replacement and enhanced version of the Data Protection Directive, officially Directive 95/46/EC.
When did GDPR start?
The bill was prepared on 14 April 2016 and the law came into effect on 25 May 2018.
Where to start with GDPR?
You can leverage our primary GDPR article for your GDPR journey; it gives you a brief insight into GDPR, its key highlights, definitions, principles, impacts and penalties in detail.
The remaining details can be found here on the Article page, which covers all your GDPR queries and their answers. Most of your GDPR doubts will be cleared up here.
In case you want to deep dive further, you can download the GDPR pdf from here.
Why was GDPR introduced?
At the current moment, information is probably the most valuable resource, and everyone is collecting and processing information for business gain. How much data a company collects from you (via cookies, web forms, third-party sharing etc.) and how it processes or sells that data is completely hidden. Such data collection and processing should be regulated in order to prevent even the slightest possibility of abuse and misuse of personal information by any means – intentional or unintentional.
Users should know their rights and companies should know their responsibilities. So the EU took the initiative and introduced the data privacy law GDPR, which protects the rights of end users (data subjects) regarding the handling of their personal data (Personally Identifiable Information – PII) by other organizations and professionals.
GDPR for dummies
The European Parliament and the Council of the European Union took the joint initiative and prepared a very strong law to defend the personal rights of European citizens and to protect their Personally Identifiable Information (PII) from being sold, shared or used without their consent, anywhere in the world. It is the strictest privacy and security law in the world, protecting European citizens from misuse of their information by businesses and companies that hold their data or share or sell it on to third parties.
It focuses mainly on the definition of personal data, the rights of individuals to protect their personal data, the GDPR policies companies must follow, and compliance and regulations around data usage and sharing.
GDPR – Who does it apply to?
Any organisation that processes and holds the personal data of EU citizens is obliged to abide by the rules set out in GDPR. This applies to every organisation, regardless of whether or not it resides in one of the EU member states. Any company (irrespective of its country of origin or current location) that deals with EU citizen data in any form – collecting, storing, processing, sharing etc. – is bound by GDPR.
What is GDPR policy?
Under the GDPR, you are required to draft a comprehensive yet simple privacy policy and make it accessible to all your users. Your privacy policy must contain the following information:
- What personal information you collect
- How you collect it
- What you use it for
- How you keep it secure
- Whether you share it with third parties
- Any controls users have over any of this
- You must process data lawfully, fairly and transparently towards the data subject.
- Data must be processed only for a legitimate, defined purpose.
- Only the minimum data needed for that purpose should be collected and processed.
- Organizations must keep accurate data about an individual.
- You must only store a person’s personal data for as long as it is needed for that specific purpose.
- The CIA triad (Confidentiality, Integrity and Availability) should be maintained appropriately.
- Companies, as data controllers, are responsible for implementing the necessary compliance rules and demonstrating compliance whenever required.
How many GDPR principles are there?
In total there are seven principles for data handling. These principles should lie at the heart of your approach to storing, processing and sharing personal data.
- Principle (a) – lawfulness, fairness, and transparency
- Principle (b) – purpose limitation
- Principle (c) – data minimisation
- Principle (d) – accuracy
- Principle (e) – storage limitation
- Principle (f) – integrity and confidentiality
- Principle (g) – accountability
The principles lie at the heart of the GDPR. They are set out right at the start of the legislation and inform everything that follows.
How does GDPR work?
GDPR (a law enforced by the EU) outlines the rules for gathering and using users’ information, regardless of where the data is stored and processed or where the collecting company is located. GDPR stresses the importance of accountability in building and maintaining trust between users and the company. It urges every company to follow its guidelines for proper and legitimate data handling and to demonstrate compliance with the updated regulation. GDPR introduced a system of rather harsh fines for violating the guidelines. Fines are imposed on a case-by-case basis and depend on the seriousness of the violation and the amount of damage it caused.
What is GDPR compliance?
The EU General Data Protection Regulation has fundamentally transformed how businesses handle personal data. Any company that does not follow these new norms faces severe fines, potentially up to €20 million or 4% of annual global revenue, depending on the severity and circumstances of the violation. So every company has to follow the GDPR guidelines as defined by the EU.
GDPR Compliance Checklist / checklist for GDPR compliance
- Conduct an information audit for EU personal data
- Inform your customers why you’re processing their data
- Assess your data processing activities and improve protection
- Make sure you have a data processing agreement with your vendors
- Appoint a data protection officer (if necessary)
- Designate a representative in the European Union (non-EU organizations)
- Know what to do if there is a data breach
- Comply with cross-border transfer laws (if applicable)
- Have a legal justification for your data processing activities
- Provide clear information about data collection, processing, and legal justification in privacy policy
- Follow a “data protection by design and by default” approach to secure user data.
- Make sure someone in your organization is accountable for GDPR compliance.
- Provide the rights granted by GDPR (i.e. the right to be informed, the right to erasure / right to be forgotten etc.) to end users in an easy way, so that they can exercise them whenever required.
Being compliant with GDPR
Make sure to follow all the rules and guidelines of GDPR (as mentioned in the checklist above) to become GDPR compliant. Non-compliant organisations may face severe fines, potentially up to €20 million or 4% of annual global revenue, depending on the severity and circumstances of the violation.
GDPR privacy rights in the constitution
The right to privacy is our right to keep a domain around us which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, secrets, and identity. The right to privacy gives us the ability to choose which parts of this domain can be accessed by others and to control the extent, manner, and timing of the use of those parts we choose to disclose.
As per GDPR, below is a rundown of data subjects’ privacy rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
No one can overrule these rights, and everyone, including governments, must obtain the data subject’s consent before taking any action on their personal data.
GDPR right to be forgotten
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.
- The right to erasure is also known as ‘the right to be forgotten’ and vice-versa.
- Individuals can make a request for erasure verbally or in writing.
- You/companies have one month to respond to a request.
- The right is not absolute and only applies in certain circumstances.
- This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose for which the company originally collected or processed it;
- Companies are relying on consent as their lawful basis for holding the data, and the individual withdraws their consent;
- Companies are relying on legitimate interests as their basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- Companies are processing the personal data for direct marketing purposes and the individual objects to that processing;
- Companies have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle);
- Companies have to do it to comply with a legal obligation; or
- Companies have processed the personal data to offer information society services to a child.
What does “privacy by design” mean?
The term “privacy by design” means nothing more than “data protection through technology design.” Behind this is the idea that data protection in data processing procedures is best adhered to when it is already integrated into the technology at the time it is created.
Privacy by design means developing every part of your solution in a way that ensures the highest level of data privacy at every stage. In other words, you have to think about protecting the privacy of your users/subscribers/customers at all times while planning the processing of their personal data.
GDPR – Who owns the data?
At its core, the GDPR rests on a relatively simple premise – that each person has the fundamental right to privacy and to control what happens to information about them. PII is information related to a natural person that identifies that person, including not just obvious data, but also information about location (including a user’s computer IP address) and any information related to their genetic, economic, health, or social identity that could identify them personally. Owning and controlling their data means that individuals have the right to determine what happens to that information, both immediately and over the course of time.
It subsequently goes on to affirm that “natural persons or data subjects should have control of their own personal data”. Under GDPR, the individual owns the rights to their data, with a few exceptions. Previously, once data was shared by individuals, the data controller (who collects and maintains the data) or data processor (who processes the data) had various rights to do what they wanted with the data, and the data subject (whose personal information is being processed) had no control over it afterwards. Data was shared across businesses and sold for profit, and the data subject could do nothing about it. With GDPR, the data subject has complete rights from collection to destruction of the data and can control how their data is used. So the data subject is now the actual owner of the data, whereas previously it was the company that collected it.
Refer to our FAQ – Part 2 for questions around GDPR technical discussions.
This Website/document does not constitute any professional advice. The information in this document has been obtained or derived from different sources believed by dataprivacyacts.com to be reliable but dataprivacyacts.com does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of Dataprivacyacts.com at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. Dataprivacyacts.com neither accepts or assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.
© dataprivacyacts.com. All rights reserved.