
General Data Protection Regulation (GDPR)


The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It came into effect on May 25th, 2018, replacing the 1995 Data Protection Directive. GDPR strengthens and updates EU data protection law and applies to any company processing the personal data of EU citizens, regardless of where the company is based.

GDPR sets out rules for how personal data must be collected, stored, and processed. It also gives individuals more control over their personal data and how it is used. Some of the key provisions of GDPR include:

  1. The right to be informed: Individuals have the right to be informed about the collection and use of their personal data.
  2. The right of access: Individuals have the right to access their personal data and to know how it is being used.
  3. The right to rectification: Individuals have the right to have inaccurate personal data corrected.
  4. The right to erasure: Individuals have the right to have their personal data deleted in certain circumstances.
  5. The right to restrict processing: Individuals have the right to limit the way their personal data is used.
  6. The right to data portability: Individuals have the right to receive their personal data in a format that allows them to easily transfer it to another organization.
  7. The right to object: Individuals have the right to object to the processing of their personal data in certain circumstances.
  8. The right to be informed in case of data breaches: Individuals have the right to be informed if their personal data has been compromised in a data breach.
  9. Appointment of a Data Protection Officer: For certain organizations, it is mandatory to appoint a Data Protection Officer (DPO).
  10. Organizations that fail to comply with GDPR can face significant fines and penalties, so it is important for companies to ensure that they are compliant with the regulation.

How can a software application be GDPR compliant?

To be GDPR compliant, a software application should have the following functional requirements:

  • Data Minimization: The software should only collect and process the minimum amount of personal data necessary for the specific purpose it is being used for.
  • Data Anonymization: The software should have the capability to anonymize personal data so that it cannot be traced back to an individual.
  • Data Security: The software should implement appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, and destruction.
  • Data Retention: The software should have the capability to delete personal data when it is no longer needed for the specific purpose it was collected for.
  • Data Access: The software should provide the data subject with the ability to access their personal data and to request that it be corrected or deleted.
  • Data Portability: The software should provide the data subject with the ability to obtain a copy of their personal data in a structured, commonly used, and machine-readable format.
  • Data Breaches: The software should have the capability to detect, report and investigate a personal data breach.
  • Consent management: The software should be able to obtain and manage explicit consent for the processing of personal data.
  • Right to be Forgotten: The software should allow the data subject to request that their personal data be deleted.
  • Auditing and reporting: The software should have auditing capability to track and report on personal data processing activities.
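As an added illustration (not code from the original post or from Simplified Solution), the following small in-memory Python store shows how several of the requirements above fit together: consent is checked before collection, only the fields allowed for the stated purpose are kept (data minimization), records past their retention period are purged, a subject can export a JSON copy (portability) or be erased, and every processing activity is audited under a keyed pseudonym rather than the raw identifier. The purposes, field lists, HMAC-based pseudonym and epoch-second timestamps are assumptions made for this example.

```python
import hmac
import hashlib
import json

# Fields each processing purpose may hold (hypothetical purposes, used for data minimization).
ALLOWED_FIELDS = {"newsletter": {"email"}, "shipping": {"name", "address", "email"}}
DAY = 86400  # seconds; timestamps below are Unix epoch seconds


class PersonalDataStore:
    """In-memory personal data store with consent, minimization, retention, export and erasure."""

    def __init__(self, pseudonym_key: bytes, retention_days: int):
        self._key = pseudonym_key             # secret for keyed pseudonyms used in the audit log
        self._retention = retention_days * DAY
        self._records = {}                    # subject_id -> {"data", "purpose", "collected"}
        self.audit_log = []                   # processing activities, keyed by pseudonym only

    def pseudonymize(self, subject_id: str) -> str:
        # HMAC-SHA256: stable for auditing and joins, not reversible without the secret key.
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def _audit(self, action: str, subject_id: str, now: int) -> None:
        self.audit_log.append({"ts": now, "action": action, "subject": self.pseudonymize(subject_id)})

    def collect(self, subject_id: str, data: dict, purpose: str, consent: bool, now: int) -> dict:
        if not consent:                       # consent management: refuse processing without it
            raise PermissionError(f"no consent recorded for purpose {purpose!r}")
        minimal = {k: v for k, v in data.items() if k in ALLOWED_FIELDS[purpose]}  # minimization
        self._records[subject_id] = {"data": minimal, "purpose": purpose, "collected": now}
        self._audit("collect", subject_id, now)
        return minimal

    def export(self, subject_id: str, now: int) -> str:
        # Data portability: structured, machine-readable (JSON) copy of what is held.
        rec = self._records[subject_id]
        self._audit("export", subject_id, now)
        return json.dumps({"purpose": rec["purpose"], "data": rec["data"]}, sort_keys=True)

    def erase(self, subject_id: str, now: int) -> bool:
        # Right to erasure: drop the record; the audit entry retains only the pseudonym.
        removed = self._records.pop(subject_id, None) is not None
        self._audit("erase", subject_id, now)
        return removed

    def purge_expired(self, now: int) -> int:
        # Data retention: delete records held longer than the retention period.
        expired = [s for s, r in self._records.items() if now - r["collected"] > self._retention]
        for subject_id in expired:
            self.erase(subject_id, now)
        return len(expired)
```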

Steps involved in a GDPR compliance process

  1. Appoint a Data Protection Officer (DPO) if required.
  2. Conduct a data protection impact assessment (DPIA) if necessary.
  3. Ensure all data processing activities are covered by a legal basis.
  4. Implement technical and organizational measures to ensure a level of security appropriate to the risk of the processing.
  5. Implement procedures for data breaches.
  6. Implement procedures for handling subject access requests.
  7. Provide transparent and easily accessible information to data subjects about the processing of their data.
  8. Obtain explicit and informed consent for any processing of sensitive personal data.
  9. Implement mechanisms for data subjects to exercise their rights under GDPR.
  10. Regularly review and update the above measures to ensure ongoing compliance.

Personally Identifiable Information (PII)

PII stands for Personally Identifiable Information: any information that can be used to identify a specific individual. Examples of PII data include:

  1. Name: first and last name, middle name, or initials.
  2. Contact Information: address, phone number, email address.
  3. Identifiers: Social Security number, passport number, driver’s license number, or national identification number.
  4. Demographic Information: age, gender, race, or ethnicity.
  5. Financial Information: bank account or credit card numbers, salary information.
  6. Biometric Information: fingerprints, facial recognition, or DNA data.
  7. Online Identifiers: IP address, cookie data, or device identifiers.
  8. Medical Information: health records, prescription information, or medical history.
  9. Employment Information: job title, company name, or employment history.
  10. Educational Information: school name, diploma, or academic records.

How to Protect PII data?

Ways to protect PII data include, but are not limited to:

  • Data Encryption: Encrypting PII data makes it unreadable to unauthorized parties, even if the data is intercepted or stolen.
  • Access controls: Implementing access controls, such as usernames and passwords, to limit access to PII data to authorized individuals.
  • Network security: Implementing firewalls, intrusion detection and prevention systems, and other network security measures to protect PII data from cyber threats.
  • Physical security: Implementing physical security measures to protect PII data stored on servers or other physical devices from unauthorized access.
  • Data backup: Regularly backing up PII data to protect against data loss or corruption.
  • Data retention: Implementing policies to retain PII data only as long as it is needed and dispose of it securely when it is no longer needed.
  • Third-party security: Ensuring that third-party service providers who may have access to PII data, such as cloud storage providers, have appropriate security measures in place.
  • Employee training: Training employees on how to handle and protect PII data, and implementing policies to ensure they understand their responsibilities.
  • Incident response plan: Having an incident response plan in place to quickly detect and respond to data breaches.
  • Regular security assessments: Regularly assess and audit the organization’s security measures to identify and address vulnerabilities.

Simplified Solution helps organisations develop GDPR-compliant applications. Contact us for an initial consultation.