None of this is considered legal advice. I strongly advise you to speak to your legal representation to understand how this affects you.
In 2016, the EU adopted the General Data Protection Regulation (GDPR), which applies from May 25, 2018 and protects anyone whose personal data is processed in the European Union, not only EU citizens. What does this mean?
The law takes the protections of the previous Data Protection Directive (95/46/EC) and replaces them with a regulation that applies directly in every member state, setting rules for how personal data may be handled and stored by data Processors and Controllers.
A central idea of the GDPR is that individuals control their personal data, including the right to have it erased (the "right to be forgotten"). Much of it can be met by following proper user experience practices.
Example - Use affirmative opt-in for email list signup.
The above means that a person must explicitly choose to be placed on each specific email newsletter, with a separate choice for any 3rd party offerings. Boxes must not be pre-ticked, silence or inactivity does not count as consent, and your wording needs to be clear and distinct about what the person is agreeing to.
Some key points to the GDPR include:
- Breach Notification
- Right to Access
- Right to be Forgotten
- Data Portability
- Privacy by Design
- Data Protection Officers
Breach Notification
Within 72 hours of becoming aware of a personal data breach, the data controller must notify the supervisory authority. When the breach is likely to put people at high risk, the affected users must also be told without undue delay so they can take proactive care of their personal information.
Right to Access
Data subjects can request confirmation from the data controller as to whether or not personal data concerning them is processed, where and for what purpose, and obtain a copy of that data. The first copy must be provided free of charge, and in a commonly used electronic format when the request was made electronically.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, for example when the data is no longer necessary for its original purpose or when the subject withdraws the consent the processing was based on.
Data Portability
Data Portability means the data subject can request their data in a structured, machine-readable format so it can be transferred to another data controller.
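The opt-in, access, erasure and portability points above translate into a few concrete behaviours of the system that stores the data. The following is an added illustration, not code from the original post: a minimal in-memory consent ledger that records consent per purpose (the "partner_offers" purpose stands in for the 3rd party offerings mentioned earlier), treats anything the person did not explicitly tick as no consent, exports everything held about a subject in a machine-readable form, and erases a subject on request. The purpose names, the wording-version field and the sample sign-ups are constructed for the example.

```python
"""Added example: a minimal consent ledger (not from the original post).

Demonstrates affirmative per-purpose opt-in, subject access / portability
export, and erasure. Purpose names and sample data are constructed.
"""
import json
from datetime import datetime, timezone

# Each purpose is consented to separately; "partner_offers" stands in for the
# 3rd party newsletters mentioned in the post. (Assumed names.)
PURPOSES = ("newsletter", "partner_offers")


class ConsentStore:
    def __init__(self):
        # email -> {"created_at": iso timestamp, "consents": {purpose: record}}
        self._subjects = {}

    def signup(self, email, form):
        """Register a subject from a signup form (a dict of field -> value).

        Affirmative opt-in: a purpose counts as granted only if the form
        carries the literal boolean True for it. A missing field, a bundled
        "agree to everything" flag or any other value is recorded as False.
        The wording version is kept so you can later show what the person
        actually agreed to.
        """
        now = datetime.now(timezone.utc).isoformat()
        consents = {}
        for purpose in PURPOSES:
            consents[purpose] = {
                "granted": form.get(purpose) is True,
                "wording_version": form.get("wording_version", "unknown"),
                "recorded_at": now,
            }
        self._subjects[email] = {"created_at": now, "consents": consents}

    def may_send(self, email, purpose):
        """Default deny: unknown subject or unrecorded purpose -> False."""
        subject = self._subjects.get(email)
        if subject is None:
            return False
        return subject["consents"].get(purpose, {}).get("granted", False)

    def export(self, email):
        """Right to access / portability: everything held, or None if nothing."""
        subject = self._subjects.get(email)
        if subject is None:
            return None
        return {"email": email, **subject}

    def export_json(self, email):
        """Same data as a machine-readable JSON document (None if nothing held)."""
        record = self.export(email)
        return None if record is None else json.dumps(record, indent=2, sort_keys=True)

    def erase(self, email):
        """Right to be forgotten. Returns True if a record was actually removed."""
        return self._subjects.pop(email, None) is not None


def demo():
    """Run the ledger through the four rights and return what happened."""
    store = ConsentStore()
    # Constructed sign-ups: alice ticked only the newsletter box; bob's form
    # carried a bundled flag the UI should never offer, which is ignored.
    store.signup("alice@example.com", {"newsletter": True, "wording_version": "v2"})
    store.signup("bob@example.com", {"agree_to_all": True, "wording_version": "v2"})
    result = {
        "alice_newsletter": store.may_send("alice@example.com", "newsletter"),
        "alice_partners": store.may_send("alice@example.com", "partner_offers"),
        "bob_newsletter": store.may_send("bob@example.com", "newsletter"),
        "alice_export": store.export_json("alice@example.com"),
        "alice_erased": store.erase("alice@example.com"),
    }
    result["alice_after_erase"] = store.export("alice@example.com")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The important design choice is the default-deny in both `signup` and `may_send`: the mailing code never has to guess, and a bundled or pre-filled value can never turn into consent for the 3rd party purpose. Storing the wording version and timestamp with each consent gives you the evidence of consent the regulation expects you to be able to produce.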
Privacy by Design
Privacy by design calls for the inclusion of data protection from the beginning of designing systems, not later as an afterthought.
Data Protection Officers
Controllers and processors must keep internal records of their processing activities. Appointing a Data Protection Officer is mandatory for public authorities and for controllers and processors whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data (such as health or criminal data); other organisations may appoint one voluntarily.
Is there a simple way to break this down?
I have found two resources helpful for learning whether you are compliant and what that means.
www.eugdpr.org This site provides an overview of the GDPR legislation.
gdprchecklist.io This site provides a checklist that might help you learn about your compliance.
Contact your legal counsel
I cannot stress enough the importance of using legal counsel to ensure your protection. The fines can be quite steep (up to 20 million euros or 4% of worldwide annual turnover, whichever is higher) and are particularly significant if you handle the personal data of anyone in the European Union in any manner.
I am not providing legal advice in any matter - only bringing awareness of the GDPR.