What is GDPR?
On May 25, 2018, a European privacy law, the General Data Protection Regulation (GDPR), came into effect. The GDPR imposes new rules on companies, government agencies, non-profits, and other organisations that offer goods and services to people in the European Union (EU), or that collect and analyse data about people in the EU. The GDPR applies no matter where the organisation is located. Keeping users’ information safe and secure is among our highest priorities at Veterans With Dogs.
GDPR is one of the most robust data privacy laws in the world. It gives people the right to ask companies how their personal data is collected and stored and how it is being used, and to request that their personal data be deleted. It also requires that companies clearly explain how your data is stored and used, and have a lawful basis (such as your consent) before collecting it. “Personal data,” in this case, refers to things like a person’s name, email address, and IP address, but also pseudonymised information that could be traced back to them.
GDPR aims to:
- update EU data protection standards to make them more suitable for today's world
- remedy some of the perceived deficiencies of the Data Protection Directive it replaced
- achieve a better, more harmonised standard of data protection throughout the EU
What does GDPR change?
GDPR means significant change, but it’s a great opportunity for companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.
While many organisations already do the right thing when it comes to personal data, GDPR requires organisations to document and be able to show how they comply with data protection requirements. This means additional documentation of systems, processes and procedures.
On top of existing rights in the EU, like the right to access and correct personal data held by an organisation, GDPR introduces new data protection rights for individuals, such as the right to obtain and reuse personal data across different services (data portability) and the right to erasure.
Privacy by design
Organisations must implement technical and organisational measures to show they have considered and integrated data protection into their data processing activities. This builds on the idea that privacy should be considered from the start of (and throughout) the systems and product design process, rather than added afterwards.
What does GDPR mean?
Although GDPR might seem scary at first, many see it as a positive step forward for data protection.
Some of the key areas GDPR covers are:
- personal data about EU-based people (all of it)
This includes our customers, employees, suppliers and any other individual we collect personal data from. Personal data includes names, contact details, medical information, credit card or bank account details and more.
- how we collect personal data
We can only collect personal data if we have a lawful basis to do so. We might need it to process an application, for example. In all cases, we must make it clear what the personal data will be used for, and only use it for that purpose.
- user contracts and terms and conditions (on websites, for example)
These need to be simple, clear and easy to understand – with no complicated legal text.
- the right to know
Individuals can ask a business what information is being held about them. This isn’t a new right, but organisations must now respond within one month (extendable by a further two months for complex requests) and can no longer charge a fee, except where a request is manifestly unfounded or excessive.
- the right to erasure
People can ask a company to delete all stored personal data about them, unless the company needs to keep that information for legal reasons, such as tax records.
- data portability
Individuals can request a digital copy of their personal data to use however they like, including transitioning to a new service provider.
- data breach
We’re obliged to report certain types of data breach to the Information Commissioner’s Office (ICO): where a breach is likely to result in a risk to individuals’ rights and freedoms, it must be reported within 72 hours of us becoming aware of it, and where the risk is high, the affected individuals must be told as well.