Running a business can be extremely daunting, especially when dealing with legal aspects and accompanying legislation such as the GDPR. However, thanks to technological advancements such as the internet, help is never more than a few clicks away.
Here are all the need-to-knows about this piece of European legislation and how it may affect you, even if you don't operate within the Union.
Personal data
The first thing worth noting is that the GDPR only applies to personal data. Personal data here refers to any data relating to an identified or identifiable natural person, such as a name, ID number, home address, or email address (Article 4(1)). If your company does not store or make use of any of its clients' personal information or data, the GDPR will not apply to you.
Transparency
This is a major concern of the GDPR. There must be transparency about data processing (which covers almost any handling or use of the data), the collection of data (how and why the company collects it), access (who has access and why), rectification and erasure, restrictions on the processing of certain special categories of personal data (such as medical information or ethnic origin), and potential changes to the product and their effects on the data subject's privacy.
Erasure
Data subjects have the right to request that specific items, or all, of their personal data be erased (Article 17). Such a request must be complied with to avoid intervention by the supervisory authority (an independent public authority established by a Member State pursuant to Article 51). Where personal data is no longer being used by the company for the purpose(s) for which it was collected, it should be erased.
Third countries or international organizations
Where there is a transfer of data to such an organization (operating outside of the Union), data subjects should be informed about all appropriate safeguards related to the transfer (Article 46). If the company is itself established in a third country or is an international organization, a representative of the organization should be designated in the Union (Article 27), unless certain exceptions apply (see below).
Judicial precedent and legislation
The GDPR recognizes and makes provisions for using and applying these under Article 45. They will be especially important for third-country organizations. Pay attention to them within your own country, as they act as extensions of the GDPR and are equally binding.
The right to object
Data subjects always have the right to object to the processing of certain personal data (Article 21) and to withdraw their consent to the use of all or some of their personal data. This may occur at any time and must be complied with.
Exceptions
These are found under Article 27, concern the appointment and establishment of a representative in the Union, and apply if the data processing:
Is occasional.
Does not include, on a large scale, the processing of special categories of data like racial or ethnic origin, political opinions, religious or philosophical beliefs, or processing of personal data relating to criminal convictions and offenses.
Is unlikely to pose a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing.
The controller or processor must meet all of the criteria described above to be exempt from the obligation to appoint a representative.
Beyond that, I hope you have found some clarification here and that it has put some of your concerns about the GDPR to rest.
This was written by my brilliant colleague, Seana.
Disclaimer - Seana is not a legal professional. This blog merely contains suggestions based on her interpretation and understanding of the GDPR as well as research that she has done. I urge you to do your own research and to possibly even consult a legal professional if you have any pressing concerns related to the GDPR.