The General Data Protection Regulation (GDPR) protects individuals within the European Union (EU) against the unlawful collection of personal data. Concern for data privacy is at an all-time high, as people want control over their information. Under GDPR, anything that is personally identifiable can only be collected with the full consent of a user, and such data may only be used for legitimate purposes that comply with GDPR.
At its core, GDPR protects the individual and gives users control over their personal information. Gone are the smokescreens of big data collection: GDPR demands that companies remain transparent about data usage. Consent forms and clear privacy policies are the new standard.
The 7 Key Principles
Seven key principles define the lawful processing of personal data under GDPR:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Each principle represents best practice for protecting data privacy. Every organization must comply with these principles if it wishes to lawfully process personal data.
For a full breakdown of these principles, see the GDPR informative webpage.
Who Needs To Comply With GDPR Regulations?
GDPR applies to all businesses, whether operating inside or outside the EU, that have customers and/or employees within the EU.
When a business operates in a country outside the EU, the privacy rights of an EU-based customer or employee remain protected under GDPR.
Furthermore, data processing regulations may vary by country, as some nations choose to add laws on top of GDPR. Such additional regulation is at the discretion of each country, but it must always remain compatible with GDPR.
As a result, organizations have rewritten their data processing procedures across the board to meet the requirements set by GDPR and by individual nations. To monitor their own compliance, organizations need a Data Officer. The Data Officer is responsible for maintaining an organization's privacy programme and ensuring that rules and regulations are enforced appropriately.
Who Does GDPR Protect?
GDPR protects all persons within the EU who interact with websites and services that collect data. GDPR formally identifies these individuals as Data Subjects.
Practical Law UK defines a data subject as “A natural person about whom a controller holds personal data and who can be identified, directly or indirectly, by reference to that personal data.” This is the average individual who uses the internet and has their data stored across various sites.
How Does It Work?
Your data is processed whenever you browse a website or download a new application. Before GDPR, companies farmed data without asking for consent. This information includes locations, names, email addresses, bank details and much more.
Under GDPR, the terms and conditions must outline every data point being collected, and users must be made aware of how their information is being used. Once the conditions are outlined, users must consent before an organization can begin storing data.
Additionally, users should be able to deny access and/or have their data wiped whenever they wish, and there need to be settings in place that allow users to withdraw consent.
There is a legal obligation under GDPR to ensure the safety of every user's data. Any business, software, or service that collects personal user data is subject to GDPR rules.
GDPR requires a legitimate purpose for holding personal information. Data must be limited to what is relevant and necessary for your site, application, and/or company.
The University of the Highlands and Islands defines data processing as “the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.”
Personal data may include:
- Your name
- Home address
- Phone number
- Social Security Number
- Credit card information
- Financial/banking information
- Location data
- Uploaded photos of yourself
Regulating Data Processing
GDPR's 7 Key Principles are the guidelines for data collection.
Important attributes include:
- Data processing may begin only after gaining a user's permission
- Data processing must be secure
- Information must be accurate and up to date
- Data may be kept only for as long as it is needed
- Users must have the option to withdraw consent
If an end-user consents, an organization can legally collect data. But why would it need the data in the first place?
GDPR requires a business to outline legitimate reasons that warrant collection. Examples of such reasons include:
- Ensuring a user does not break company policies
- Keeping users away from dangerous websites that could create issues within your network and possibly affect other users
- Understanding what users are accessing
- Refining the user experience
- Preventing users from using malicious sites or software
Data collection is not limited to businesses or corporate enterprises. Many public institutions and organizations working in government, healthcare, and science also collect personal information.
- Scientific, historic, and archival purposes
  - Institutions such as museums and scientific research facilities may log user data for various social and scientific reasons
- Government organizations
  - Need data for public security or legal purposes, such as addresses to send mail, phone numbers to maintain contact, and names for proper identification
- Health institutions
  - Require certain data to maintain your health records, update prescriptions, and track medical conditions. They may need your address to know which clinic or pharmacy is closest to you, and doctors may have a legal obligation to contact someone.
GDPR gives further detail on what counts as a legitimate purpose in its second key principle, "purpose limitation":
“(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)”
GDPR in the Enterprise
GDPR's guidelines are typically user-focused, with an emphasis on protecting the public. However, GDPR also works to prevent the misuse of employee data. For enterprises that rely on shared devices and networks, GDPR helps ensure employee information is safeguarded.
The restrictions and rules outlined in GDPR are exactly the same for employees and customers.
There are countless examples of large corporations being breached and exposing data on thousands of people. Over the years these incidents have increased, and they are a main reason why GDPR is so important. While consumer data is usually the focus, employee data is just as sensitive.
Organizations store employees' bank account details, addresses, social security numbers and much more. When an enterprise is targeted, or misuses employee data, employees' privacy is at risk.
At BlueFletch we adjusted our products to include prompts for consent and an option to turn off the saving of personal information. Therefore, organizations don't really need to worry about consent; they can just capture some peripheral data, such as device data, instead of user data.
In countries where GDPR is in effect, having configurations that allow organizations to disable the collection of personally identifiable information can make employees feel safe.
When an Employee Leaves the Company
When an employee leaves a company, there must be a process to purge and erase their data. Data erasure is critical to maintaining the privacy of an employee beyond their time at your organization. Employees want to feel comfortable knowing their company will not hoard or continue to collect personal data after they leave. As stated in GDPR's key principles, data must be up to date and necessary for legitimate reasons. If an employee is no longer employed by an organization, their data should be purged.
Understanding GDPR begins with a business knowing why it needs to store user data in the first place. Companies need to outline the legitimate reasons why that data would benefit their customers and business processes. GDPR highlights the importance of legitimate use cases for data, because when individual privacy is threatened our livelihoods are at risk.
Secondly, organizations should build tool sets that grant full control over collected data. With the implementation of GDPR, many companies had to change the way they process data. This means including safety features such as the ability to securely store, export, and erase data when necessary. Tools need to be in place to protect users, clients, and employees alike.
GDPR provides a foundation for safety and security in an age of growing concern for privacy. The key principles and guidelines of GDPR are a safeguard against data corruption, misuse, and theft. It is important to familiarize yourself with these tools and maintain a sense of urgency when handling sensitive data.