Find out why Strike Graph is the right choice for your organization. What can you expect?
Find out why Strike Graph is the right choice for your organization. What can you expect?
If you’re planning to — or already are — doing business in the EU, it’s essential that you comply with the requirements of the General Data Protection Regulation, or GDPR. Achieving GDPR compliance means you’re taking a strong stance to protect your customers’ data privacy, and without it, you could be faced with hefty fines.
The first step toward reaching GDPR compliance is to understand the eight rights protected under the GDPR and know who is covered. Read on to learn more.
The GDPR protects the privacy and personal data of EU citizens by defining how personal data is processed, stored, and destroyed. Personal data can be obvious customer details such as a person's name and location or other information, such as IP addresses and cookie identifiers.
The GDPR applies to businesses and organizations within the EU and to companies outside the EU who do business with EU customers. For instance, if your organization in California does business in the EU, you must adhere to the GDPR.
Let's look at the eight rights outlined under the GDPR.
The right to information allows customers to ask organizations what personal information they are processing and what the purpose of that processing is. Individuals also have a right to know who is processing their personal data and the duration those organizations may hold the information.
This means that your company must provide the following information when requested:
Under the GDPR, customers have the right to access personal data your company holds on them. To make it easy for customers to do this, the GDPR also requires you to have a set method for receiving and fulfilling personal data requests. Your privacy policy must include transparent, well-outlined instructions explaining how information requests can be made.
You must provide the following information when it is requested:
The right to rectification allows customers to ask that their personal data be changed if they believe the information your organization holds is inaccurate or outdated. The GDPR gives companies a month to respond to customer data edit requests if you confirm that the information is inaccurate.
Many organizations allow customers to change their personal information directly through profile- or account-management tools. Whether you go that route or accept requests and then make the changes yourself, it's important to develop a clear process your customers can use to update their personal information.
Under the GDPR, individuals have the power to ask organizations to delete their personal information. If they do, the organization is required to stop processing personal data, even if consent was given earlier.
Customers can request that a company delete their data if one of the following criteria is met:
If a customer asks that their data be deleted, you must also notify any third-party vendors you share data with.
There are a few circumstances outlined in the GDPR in which a company can deny a request to delete a customer’s information:
If your data processing meets one of the above guidelines, you can deny the request for data deletion, citing the related GDPR exception.
The right to restrict processing gives individuals the power to limit how companies process their personal data under certain circumstances:
This doesn’t mean that you necessarily have to delete the information entirely, but you will need to follow the restrictions laid out in article 18 of the GDPR. This includes establishing a method for receiving and fulfilling requests and including it in your privacy policy.
This right allows your customers to request the transfer of their personal information. Individuals can request that your company give their personal data back or transfer the information to another data controller. When data is requested by a customer, you have to provide the information in a structured, machine-readable format.
Additionally, your company will need to establish a policy outlining how you will respond to customers' requests for data return or transfer and give customers the ability to select the format in which they prefer to receive their personal data. You'll also need to update your technology to meet the requests efficiently in the approved format.
This right empowers customers to object to data processing of their personal information at any time. Notably, customers can exercise this right to object when their personal data is being used for direct marketing purposes. However, your company does not have to comply with a customer’s objection when there are legitimate legal grounds for processing their personal information. These exceptions include when a customer’s personal information is being processed for reasons of public interest or to exercise or defend legal claims.
Your company will need to establish a policy for handling your customers' written and verbal objection requests. In addition, incorporating this policy into your organizational privacy policy will enable your customers to better understand the process.
Under the GDPR, customers have the right to reject any decision made on their data based on automated processing. GDPR established this rule to prevent the processing of customer data without human involvement. To exercise this right, a customer may request you review particular data manually if the data processed produce legal effects that they deem significant.
To comply with this right, it's necessary for your company to provide customers visibility into your decision-making process. However, your company is exempt from complying with this requirement in the following circumstances:
We know that compliance with GDPR can seem like a daunting and expensive task, especially for small and medium-sized organizations.
Strike Graph offers a flexible platform that allows organizations of all sizes to achieve GDPR compliance easily. Our initial risk assessment right-sizes the compliance process for your unique business context, and our preloaded controls and automated evidence collection minimize the time and resources needed to reach GDPR compliance.
The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.
Strike Graph offers an easy, flexible security compliance solution that scales efficiently with your business needs — from SOC 2 to ISO 27001 to GDPR and beyond.
© 2024 Strike Graph, Inc. All Rights Reserved • Privacy Policy • Terms of Service
Find out why Strike Graph is the right choice for your organization. What can you expect?
Find out why Strike Graph is the right choice for your organization. What can you expect?