key features and changes for GDPR - Coggle Diagram
processed fairly and lawfully
Organisations must have legitimate grounds for collecting the data. Processing must not have a negative effect on the person or be used in an unexpected way. Organisations are required to provide transparency, detailing what the information is being used for.
Conducting criminal record checks on employees must be justified by law.
Organisations must receive explicit consent from their customers for their personal information to be transferred outside of the EEA.
Data should not be transferred to other countries that do not have the same level of data protection.
The data you hold on your customers should be adequate for the purpose you are holding the information. You should avoid holding more information than necessary for your customers. The best practice is to calculate the information you need in order to achieve your goals, a practice known as “minimisation”.
Privacy notices or “how we use your information” guides now need to be clearer than before. This means that mere consent is not enough; the individual must be informed of exactly what their data is being used for. Further, organisations must inform the person of their right to withdraw consent at any time.
used only for the stated purpose
Organisations must be open about their reasons for obtaining personal data and what they plan to use it for. They should only use the personal data for the purpose they originally said it would be used for.
Genetic and biometric information is now considered sensitive data, meaning that organisations may only request such information if it is required for a relevant purpose.
kept up to date
Reasonable steps must be taken to keep the information up to date and to change it if it is inaccurate. When a customer updates the information a company holds on them, the organisation must stop contacting the individual using the previously provided details. Moreover, organisations should not simply wait for individuals to contact them to update their information; rather, they should be active in ensuring they have the correct information on an individual.
A proper physical and technical security system must be used to keep personal information safe and secure, so that it is not exposed to undue security risks. It is advisable to provide training for staff in your organisation on data protection and cyber security. Further, your information security system should be relevant to the nature of your business and the data you hold on your customers.
Companies that process over 5,000 personal records per year and employ over 250 employees are now required to appoint a Data Protection Officer, or DPO. The DPO is responsible for everything related to keeping personal data secure and cannot be easily replaced.
processed in line with rights
People have the right to access their personal data, stop it from being used if it is causing distress, prevent it from being used for direct marketing, have inaccurate data changed, and claim compensation for damaging data breaches. In certain cases, customers have the right to request that specific data be deleted or destroyed. Customers should only request information relevant to themselves. The organisation has a responsibility to establish whether the information requested by customers is relevant to the person requesting it.
A new “right to be forgotten” in the GDPR means that someone can request that online content is removed from an organisation’s database.
time it is kept for
Organisations must regularly review the length of time they retain data on individuals. Only holding on to data for the amount of time required will make it easier to manage your data and provide personal information to customers that request it. Data that is out of date or no longer necessary must be properly destroyed or deleted.