The GDPR is a piece of legislation that came into effect on the 25th of May, 2018. It affects all companies that gather information on citizens from the EU, and its impact is considerable. In the simplest terms, any information that can be used to identify a person, whether by itself or in combination with other pieces of information, may only be gathered with the explicit consent of the EU citizen. On top of that, EU citizens must have expedient access to any information gathered on them, and that information must be removed upon the citizen's request. Below are some of the more important topics in the GDPR.

Data Controller and Data Processor

The data controller and the data processor are the two main entities within the legislation. The data controller is the entity which determines how personal data is used and for what purposes. The data processor is the entity which stores and manages the data on behalf of the controller. In other words, the data controller would be the marketing firm, and the data processor would be the cloud storage service which stores all user data (this could be a service such as AWS).

Data Protection Officer

In the wake of the GDPR, small businesses are left wondering whether they need to hire a Data Protection Officer (DPO) in order to be compliant with the GDPR. The answer is no. Only companies or entities that process personal data on a large scale are required by the legislation to hire a DPO.

Consent

Within the GDPR framework, users from the EU must give explicit consent before a company is allowed to gather and manage their personal data. This means that if you plan to use cookies on your website, you have to use localization technology to offer specialized options to citizens of the EU, where they can consent to any tracking initiative before it begins.

Pseudonymization

In cases where personal data is processed in a manner that it can no longer be attributed to a specific user within the EU, the controller is allowed to manage and store said data freely. This is known as pseudonymization. However, this practice is still in its infancy, and it may come with certain risks.

Rights under the GDPR

Under the GDPR, existing rights such as the right to information, the right of access, the right to rectification, the right to cancellation and the right to object are reinforced. You also have new rights such as the right to be forgotten, the right to data portability, and the right to restriction of processing. Basically, with these new rights in place, users have complete control over all personal data pertaining to them. They may request that you reveal the personal data you have gathered, delete it, modify it, or transmit it to a different entity.

The GDPR has two cornerstones: personal data and explicit user consent. If you are not a big data controller, all you need in order to be compliant is explicit consent from users before you handle any of their information. However, big companies will have to hire DPOs and restructure their backend so that they are better able to respond to any user's request regarding his or her personal information.

Siddharth Chattopadhyay
