Guardso GDPR Compliance
Brief information about GDPR compliance requirements and Guardso's initiative in this regard.
What is the GDPR?
The European Parliament adopted the General Data Protection Regulation (GDPR) in April 2016. It standardizes data protection law across the 28 EU member states and requires businesses to protect the personal data of their users, both for transactions that occur within the EU and for exports of personal data outside the EU, imposing strict rules on the control and processing of personally identifiable information (PII).
GDPR replaced the 1995 EU Data Protection Directive and came into force on May 25, 2018.
GDPR gives certain rights and responsibilities both to citizens and users of services and to businesses situated in the EU or providing services to EU citizens.
The GDPR strengthens existing rights, provides new ones, and gives citizens more control over their personal data. These include:
- easier access to their data, including more information on how that data is being processed;
- the right to data portability, making it easier to transmit personal data between service providers;
- the right to erasure ('right to be forgotten'): when an individual no longer wants their data to be processed and there is no legitimate reason to keep it, the individual can ask for the data to be deleted;
- the right to know when their personal data has been hacked: companies and organizations have to inform individuals and the relevant data protection supervisory authority promptly of serious data breaches.
Rules for businesses
The GDPR is designed to create business opportunities and stimulate innovation through a number of steps, including:
- companies based outside the EU must apply the same rules when offering services or goods to, or monitoring the behavior of, individuals within the EU;
- businesses must guarantee that data protection safeguards are built into products and services from the earliest stage of development;
- impact assessments: businesses will have to carry out impact assessments when data processing may result in a high risk to the rights and freedoms of individuals;
- SMEs are not required to keep records of processing activities unless the processing is regular or likely to result in a risk to the rights and freedoms of the person whose data is being processed.
What is personal data under the GDPR?
The types of data considered personal under the existing legislation include:
- Basic identification information such as name, address, photos, and ID numbers
- Web data such as location, IP address, cookie data, and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Guardso Journey to GDPR Compliance
Guardso is committed to providing its clients with guarantees that it implements appropriate technical and organizational measures meeting GDPR's requirements for the protection of their personal information.
Guardso has taken the following concrete measures:
Data Subject Requests. Guardso allows clients to configure settings to monitor and control their employees' access to the data registered in the system and their ability to edit, delete or restrict their personal data.
Security Measures. Guardso ensures that the data entered into the system by all users is protected against unlawful destruction, loss, alteration and unauthorized disclosure, making the data processing GDPR compliant. Guardso is committed to the security, confidentiality, availability, processing integrity and privacy controls of user data.
Data Breach Notification. As controllers, clients are required under GDPR to notify the competent supervisory authority of a personal data breach not later than 72 hours after becoming aware of it.
Similarly, Guardso will notify its clients without undue delay of any data breach incident within the purview of GDPR compliance that may affect the clients' personal data, and will provide appropriate assistance in meeting the breach notification obligation by supplying the necessary information concerning the breach.
GDPR places a duty on all organizations to report any data breach incident involving unauthorized access to or loss of the personal data of their users and clients to the relevant supervisory authority and, in certain cases, to the clients themselves, in order to restrict and minimize the damage.
Such breach incidents include those that may put the rights and freedoms of individuals at risk and cause discrimination, financial loss, loss of confidentiality or any other economic or social disadvantage.
The communication shall be a breach notification delivered directly to the affected clients; it shall not be made by means of a press release, social media or the company website, and shall be limited to one-to-one correspondence with the individual clients.
To know more about GDPR:
Official GDPR Regulation: http://data.europa.eu/eli/reg/2016/679/oj
GDPR portal: https://www.eugdpr.org