GDPR: Data Consent is Like Romantic Consent

GDPR Is Now In Effect

Last Friday, May 25, was the deadline for the European Union’s General Data Protection Regulation (GDPR). This regulation is what's behind all those privacy  and "terms of service" updates you've been getting from apps and online businesses.  Companies who don't comply are risking fines which can be at least 4% of their worldwide annual revenue.  Facebook has already received a 4.5 billion dollar lawsuit.

GDPR presents complex problems for companies around the world. Companies could face fines running into tens of millions of Euros if they breach the new directive. Companies that aren’t in Europe, but hold data belonging to anyone living or working within the EU must comply with the GDPR.

So, do you want to know more about how GDPR works?

Free Seminar in Frederick, MD

Amira Armond, CISSP, is giving a free GDPR seminar in Frederick, Maryland on June 19^th.  

Join her at 10 am at 539 Metropolitan Court, FITCI, Frederick, MD 21703. 

Can't make it?  We offer an affordable online GDPR course for all hands. It's been getting rave reviews.
 

With GDPR as with Romance, Consent Is Important

GDPR aims to give internet users in the European Union control over their data.  Think of data consent as similar to romantic consent. Before GDPR, social media and big tech companies were the unwanted attention at the bar that didn’t understand personal space. Now, before they can make a move on your personal data, they have to make sure that you’re okay with that.

To comply with GDPR, a digital data partner must tell you exactly what data it wants, give you an option to walk away at any time, and update you (within 72 hours) if it loses your private information.  

Individual Rights 

Under GDPR, a data subject (someone whose personal information has been collected) has the right to request these actions:

•    Information:  Information about whether their personal data has been collected, what processing was done with it, who has access to it, how long it will be retained, and the purpose of processing. If the data has been transferred to a non-EU country, information about how their data is safeguarded.

•    Access: A full copy of their personal data will be provided upon request.

•    Rectification:  The ability to fix incorrect data, or to add data that is missing.

•    Be forgotten:  The ability to have their personal data erased.  

•    Restrict processing:  The ability to withdraw consent just for processing, without erasing data. 

•    Objection: The ability to restrict specific types of processing (such as direct marketing) while allowing other types (such as a credit score calculation).

•    Appropriate decision making: The ability to protest decisions, get an explanation, and have a human review if processing significantly affects their life (such as a mortgage application).

In some cases, organizations are allowed to keep or process data despite subject’s objection. For example, keeping data used to prosecute criminal wrongdoing. 

GDPR requires that organizations accommodate each of these rights within one month.  If a request is particularly hard to respond to (such as a large number of requests are filed at the same time), the organization can notify the requester of the delay and respond within three months.  It’s vital that requests be addressed in a timely manner.  If a request is ignored, the organization may face huge fines and penalties. 

For more information, or to see a demo of our GDPR course, please contact us.