Key GDPR Concepts for Organizations to Comply for Better Transparency in Business Transactions

First GDPR Concept Is about the Right to be Forgotten

This concept implies that a person can exercise his right of request for his personal data to be erased. This applies to all data controllers and to companies that have made the personal data public through online forums or the social media community but there are some exceptions though. It means that it cannot supersede certain laws requiring that certain data can be maintained by some organizations like the HIPAA-required records for the US companies. As GDPR compliance becomes mandatory, it is required that the IT companies take the following steps:

  • Determine if the data erasure requests can be performed or if exemptions are required and if so, the reasons
  • Design a data erasure request process
  • Provide training for personnel to handle data erasure requests

Second Concept Talks about Obtaining Valid Consent

Data processing is the key element for organizations and this can include everything from using an employee’s data to process the payroll to using a customer’s information for targeted advertising. But now, under GDPR, the ambit of data processing has become structured and the users have to process the personal information by meeting the definition of legitimate interest. GDPR defines lawful grounds for data processing, which are as follows:

  • To deliver on either a current project or before entering into another
  • Due to legal obligation
  • To protect the interests of the all the customers

GDPR focuses on transparency and some points to be kept in mind are as follows:

  • Consent must be free and not to be clubbed with terms and conditions. The consent should not be a condition signing up for a service until it is precisely so.
  • Consent must be used only for the specified purpose and must be easy to understand with no hidden contradictions.
  • Consent must be segregated by type such as for advertising or analytics and not all inclusive.
  • The user should have the option of opting in and it should not be compulsory as in pre-checked boxes.
  • Companies have to retain all materials regarding the consent as a proof.
  • Users should have the option to be able to easily withdraw from the consent

Third Concept Is of Access to Data or Portability of Data

GDPR has introduced data portability, wherein, it means that the customers can demand that their personal data be ported to them from the data controller. When the customers provided data to the controller, provided consent to use their data, or were in a contract where the controller was automatically processing their data then such customers can port their data and reuse it for their own purposes and across different services. So, here there are some requirements to be followed by the data controllers to deliver back the data to the customers. Online data has to be in a machine-readable format and has to be such that it can be read, copied, and transferred easily. How this task is to be done is not specified by the GDPR. Since the privacy rights are with the customers, then the organizations should make it simple for the customer to port their data. Like for example, it can allow the data subject to determine which fields can be exported. Data security while exporting should be provided by the organizations and sometimes it may have to be directly exported to its competitor. Examples of data include a list of media such as songs and photos though the inferred data like the behavioral data determined from analysis would be out of scope for data porting.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store