For organizations that process the personal data of European Union (EU) citizens, compliance with the General Data Protection Regulation (GDPR) must be taken seriously. Failing to comply with the law can lead to fines of up to 4% of total global revenue or up to €20 million, whichever is higher. Damage to a company’s reputation and the loss of consumer trust can have an even bigger financial impact.
The GDPR is a complex set of regulations that can overwhelm organizations. At CompliancePoint, we understand the GDPR and the impact it can have on your business. We have a team of privacy experts, backed by industry-leading technology, that will work with you to develop a privacy program you can trust will keep your organization GDPR-compliant. Our services are customizable, so you can craft a package that focuses on your pain points and high-priority tasks while staying within your budget.
Our engagements often include a combination of the following services:
Identify
Assess + Audit
Our assessment and audit services assist you with anything from a roadmap for GDPR compliance to testing the controls you built to comply. Rest easy knowing that your program has been reviewed by experts.
Mitigate
Program Design + Implementation
Our consulting services assist you with designing and implementing a custom GDPR privacy program that fits your business’s budget, appetite for risk, and industry risk.
Manage
Program Management
Our consultants maintain the accuracy and relevance of your GDPR privacy program and perform regular audits to ensure it is performing as designed.
Our Focus
Our GDPR services are focused on helping organizations achieve and maintain compliance with the law. CompliancePoint will work with you to design and implement a privacy program that satisfies the privacy principles of the GDPR.
Transparency
Purpose Limitation
Data Minimization
Accuracy
Storage Limitation
Information Security
Accountability
Data Subject Rights
Breach Notification
Confidentiality
Lawful Data Processing
Privacy by Design
Our Benefits
Objective & knowledgeable assessments
Proven techniques and strategies
Cost savings
Target high-priority tasks
Access to cutting-edge tools & technology
No turnover
Education & awareness
Program benchmarking
Learn More About the GDPR
The GDPR is built on these privacy principles:
Lawfulness, Fairness, and Transparency: Businesses must disclose the intended use of data so consumers can clearly understand how their data is being collected and processed.
Purpose Limitation: Organizations shall only use data for the original intent the subject consented to.
Data Minimization: Only collect, process, and retain the data necessary to fulfill its original purpose.
Accuracy: Data must be accurate and kept up to date.
Storage Limitation: Organizations must disclose how long they will retain data. The data must be destroyed after it has been used for its intended purpose.
Integrity and Confidentiality: Organizations are responsible for protecting data integrity, including only giving access to those who need it.
Accountability: Organizations must demonstrate they are protecting consumer privacy and complying with GDPR regulations.
Data Subject Rights: The GDPR gives people the following rights regarding their data:
• The right to access information on the existence, use, and disclosure of their personal information
• The right to request their data be deleted
• The right to have their data transferred
• The right to fix any inaccuracies in the personal data held about them
• The right to restrict specific processing of their data
• The right to restrict or object to the processing of their data
• The right to object to automated decision making
Lawful Basis of Processing: Organizations must have one of the following to process personal data.
• Consent: Clear consent was given by the individual for you to process their data for a specific purpose
• Contract: Data processing is necessary due to a contract you have with the individual, or they have requested specific steps be taken before entering into a contract
• Legal obligation: Data processing is necessary to comply with legal requirements
• Vital interests: When data processing could protect someone’s life
• Public task: The data processing is in the public interest and the task or function has a clear basis in law
• Legitimate interests: Data processing is necessary for the organization’s or a third party’s legitimate interests unless there is a good reason to protect the individual’s data which overrides those legitimate interests
Privacy and Protection by Design and Default: The GDPR emphasizes privacy and protection by design and default. Privacy by design is the concept of incorporating data protection and privacy measures into the design and development of products, systems, and processes at all stages. Data protection by default requires that organizations only process the data necessary to achieve a specific purpose.
Specific Breach Notification Requirements: Organizations must report a breach to the supervisory authority within 72 hours. The following information must be included:
• A description of the nature of the data breach including the number of people impacted, the categories of data, and the amount of personal data records involved
• Contact information for a point of contact where more information can be obtained
• The anticipated consequences of the data breach
• A description of the response of the organization to mitigate the impact of the breach
Information Security Requirements: To protect the personal information they hold, organizations must establish security processes and procedures. Security requirements include:
• The pseudonymization and encryption of personal data
• The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
10 Billion+ Records Audited
150+ Cases as an Expert Witness
2,500+ Companies Served
+86 Net Promoter Score - Our Customers Love Us!