GDPR is an important regulation that defines the rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
Although GDPR is EU legislation, its territorial scope is not limited to European-based organisations: under Article 3 it also applies to businesses anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EU, which covers data resilience, data sharing, data management and data analytics involving those individuals' personal data. (Strictly, GDPR protects data subjects located in the EU regardless of citizenship; "EU citizens" is the common shorthand used below.)
This means that it also applies to Australian businesses, which is why it is imperative to understand what GDPR is and how it affects the data governance policies and processes of any company handling the personal data of EU citizens.
What Is GDPR?
GDPR stands for General Data Protection Regulation, a European Union (EU) law (Regulation (EU) 2016/679). It was adopted in April 2016, has applied since 25 May 2018, and has changed the way companies around the world handle and manage the personal data of EU citizens.
GDPR Regulation & Principles
GDPR dictates how the personal data of EU citizens may be processed.
Processing refers to any operation a company performs on personal data. For example: collecting, recording, organising, storing, altering, disclosing or erasing it.
Article 5 of GDPR sets out six core principles for companies processing the personal data of EU citizens, together with an accountability requirement: the company must be able to demonstrate that it complies with them.
These principles are outlined below:
1. Lawful, Fair & Transparent Processing of Data
A company's data processing must have a lawful basis, must be fair, and must be transparent. In practice this means telling users, in clear language, what data is collected and why before it is collected, so that users can make an informed choice about sharing it.
2. Use Data for a Specific Purpose (Purpose Limitation)
The company must have a legitimate, lawful reason for collecting data and must state the specific purpose for which it is collected and how it will be used. Data collected for one purpose must not later be reused for an unrelated purpose that was not stated beforehand; further processing is permitted only where it is compatible with the original purpose. This gives EU citizens the assurance that their data is used only in the way they were told.
3. Adequate Data Collection (Data Minimisation)
This principle requires that companies collect only the data that serves the stated purpose. Personal data processed must be adequate, relevant and limited to what is necessary for that purpose; collecting extra fields "just in case" is not permitted.
4. Accurate & Up-To-Date
Companies must take reasonable steps to keep the personal data they hold accurate and, where necessary, up to date. Data subjects have the right to access the personal data a company holds about them and to have inaccurate data corrected; inaccurate data must be rectified or erased without delay. Requests for access or rectification must be answered without undue delay and in any event within one month, which may be extended by a further two months for complex or numerous requests.
5. Data Timescale Regulation (Storage Limitation)
Personal data must not be kept in a form that identifies the individual for longer than is necessary for the purpose it was collected for; once it has served that purpose it should be deleted or anonymised. Longer retention is permitted for archiving in the public interest, scientific or historical research, or statistical purposes, provided appropriate safeguards are in place.
6. Protection from Data Breach (Integrity & Confidentiality)
Data security must be a high priority for companies processing the personal data of EU citizens. This principle requires companies to use appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
GDPR is an important data regulation protecting EU citizens, and organisations around the world that process their personal data must comply with it.
If you are a person or organisation handling the personal data of EU citizens, you should carefully assess how you process that data.
For further clarification on your GDPR obligations, or help establishing a Data Resilience Framework, you can count on the Data Resilience team.