GDPR: The Future of Data Privacy

Aviv Lazar & Co.
Even if you live or operate your business outside of the EU, you should become familiar with the General Data Protection Regulation (the GDPR) for its universal implications. In a world that’s increasingly technologically and data oriented, the GDPR aims to give individuals knowledge and control over their own information -- how and when it’s used, stored, and organized.

The GDPR has imposed strict regulations on businesses regarding data collection and use. It’s important to ensure your company is GDPR compliant, even if you work or operate outside of the EU, because it sets forth a new standard of conduct and expectations for companies and it signals what will eventually come universally. According to an SAS survey, 73% of Americans surveyed claim their concern over their personal data privacy has increased in the past few years. Further, 66% of respondents have independently taken steps to control and secure their data against corporations, such as changing settings, deleting an app, or removing an account, and 83% want the right to block an organization from sharing or selling their information . The public is clearly ready for more stringent privacy controls; contact Aviv Lazar & Co. for assistance in becoming GDPR compliant today.

What is the GDPR?
The General Data Protection Regulation is an European Union regulation adopted on 14 April 2016 and enforceable as of 25 May 2018. It is a directly binding regulation with eleven chapters detailing the rights of individuals with personal data (formally, data subjects), duties of data controllers, and remedies, liabilities, and penalties for a breach of these newly delineated rights.

What rights does the new GDPR give an individual?
Chapter 3 of the GDPR gives data subjects eight basic rights:

(1). The right to be informed
Data controllers must inform subjects who is collecting their information, for what purpose, what type of information you’re processing, who it will be shared with, how long you’ll be storing their data, and what the user’s rights are over their data. Finally, data controllers must provide a lawful basis for holding and processing data -- one or more of the six following bases:

If the subject has given informed consent (not tacit)
To fulfill contractual obligations to the individual
To comply with the data controller’s or business’s legal obligations
To perform a public interest undertaking
To further a legitimate interest of the controller or a third party, if those interests are not inconsistent with the data subject’s rights
In protection of the vital interests of an individual, including the data subject
This information must be provided in clear and plain language so that every individual can easily understand; the best way to do so is by having a Privacy Policy.

(2). The right of access
Users are given the right to request and receive any information related to the use of their personal data. Controllers must provide an electronic copy of the used data if requested.

(3). The right to data portability
To avoid being locked in with one provider, data controllers must provide an individual’s information in a portable, easily transferable, commonly used format.

(4). The right to be forgotten
Users may withdraw their consent at any time, for any reason, and request that their data be erased from all users.

(5). The right to restrict
Users have the right to consent to controllers using their data in only certain ways, or to request their data be no longer processed but remain in place.

(6). The right to object
Data subjects have an absolute right to reject data use for direct marketing and other non-service related purposes. This right must be clearly delineated to subjects.

(7). The right to be notified
If the data controllers experience a security breach, they must let their subjects know within 72 hours of their learning of the breach.

(8). The right to rectification
Users retain the right to accurate data and to correct or update any inaccurate data.

This list is non-exhaustive; there are other rights the GDPR grants the individual -- right to anonymization, for example -- not listed here. There are also some exceptions to these general principles: if the matter concerns national security, law enforcement, or personal and household activities, for example.

Corona Corner