Since 2018, the General Data Protection Regulation (GDPR) is being enforced.
The GDPR protects the data and privacy of all citizens living in the European Union (EU) and the European Economic Area (EEA). In addition, the GDPR protects the transfer of data to a region outside of the EU/EEA. The GDPR protects all the data that can be used to identify a person, both directly and indirectly. Protected examples include photos, names, people’s religious status, (e-)mail addresses, birth dates, medical or financial information, employment records, and even social media posts.
The GDPR is put in place to give people control over their own data. Consequently, you now have to give consent before an organization can use your data. The GDPR also gives you the right to revoke your consent whenever you want. Finally, because of the GDPR you can request a transferrable copy of the data that an organization has collected about you and, in some cases, you even have the right to have your data erased.
The GDPR states that organizations that process personal data must explicitly notify their data subjects, state the duration that they retain the data for, specify whether the data is shared with third parties and whether the data will remain within the EU/EEA, and declare the purpose and the lawful basis of their data collection. In addition, they must employ both organizational and technical measures to ensure that the personal data is protected. For example, an organization could use “anonymization” or “pseudonymization” across their personal dataset to hide people’s real identities. Consequently, it must be impossible to use this data to identify someone without complementary information (which may not be stored in the same place).
Also, the GDPR states that an organization’s privacy settings must be put on the highest possible standards by default to ensure that personal data is not available to the public without a person’s consent. Furthermore, if a data breach affects people’s privacy, the organization has 72 hours to report this publically. Finally, if an organization processes personal data regularly or systematically as part of its core activities, it must hire a data protection officer to guarantee the organization’s GDPR compliance.
When does my organization need to be GDPR-compliant?
The unification of EU regulations pertaining to personal data through the GDPR universalizes the regulations for all organizations. Consequently, your organization has to abide by the GDPR if it does business in the EU/EEA or if it possess, processes, or controls (e.g. a cloud service) data of an EU/EEA citizen, regardless of the location of its headquarters. However, for a “purely personal or household activity, and thus with no connection to a professional or commercial activity,” you don’t have to abide by the GDPR.
Data protection outside of the EU/EEA
Although the GDPR is not an entirely new or European idea per se, it is the most comprehensive regulation of this moment. With the GDPR, the EU/EEA takes a step forward to protect people’s privacy and guarantee personal data control. It is not surprising, then, that many international companies have adopted the GDPR’s privacy standards as well. Also the United Kingdom’s Data Protection Act 2018 is similar to the GDPR, which means that when the UK leaves the EU, their organizations will still have to abide by the UK’s act and thus ensure that people’s data and privacy remains secured. However, when data is transferred to the UK after it leaves the EU, the UK will be regarded as a “third country,” which organizations must then state explicitly to their data subjects.
Besides the UK, the EU considers the following countries’ data protection to be adequate as well: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, the U.S.A., and Uruguay.
Your own GDPR-proof website or application
Are you still not entirely sure how to approach the GDPR for your own website or application? At Rocket Minds we can help you. We have gathered the expertise to judge whether your website or app actually needs to be GDPR-compliant, and how to achieve this in the development of our products. In addition, we also offer checks for old websites and applications to see if they are already GDPR-compliant, or whether they need any changes to comply with the current laws revolving around privacy and data control. Thus, if you have any questions regarding this topic, simply contact us for a free introduction meeting so we can discuss the privacy issues pertaining to your digital product together.
Do you have a question or do you want a quote for your own GDPR-compliant website or application? Contact us via:
Rotterdamsedijk 417A, 3112AP, Schiedam
+31 (0)6 156 447 86
ma-vr: 09:00 uur tot 17:00 uur