As a business leader, it is beneficial to use GDPR-compliant services, for both regulatory and data security reasons. Several aspects of the GDPR relate to the subcontractors your company uses, detailing your responsibilities as a data controller.
If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:
Processing must be lawful, fair, and transparent to the data subject.
You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
You should collect and process only as much data as absolutely necessary for the purposes specified.
You must keep personal data accurate and up to date.
You may only store personally identifying data for as long as necessary for the specified purpose.
Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
You are a data controller and/or a data processor. But as a person who uses the Internet, you’re also a data subject. The GDPR recognizes a litany of new privacy rights for data subjects, which aim to give individuals more control over the data they loan to organizations. As an organization, it’s important to understand these rights to ensure you are GDPR compliant.
Individuals have the right to be informed about the collection and use of their personal data.
Individuals have the right to request the restriction or suppression of their personal data.
Individuals have the right to access and receive a copy of their personal data, and other supplementary information.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
An individual has the right to have inaccurate personal data rectified, or completed if it is incomplete.
Individuals have an absolute right to stop their data being used for direct marketing.
Individuals can make a request for erasure verbally or in writing. The right to erasure is also known as ‘the right to be forgotten’.
Automated individual decision-making is a decision made by automated means without any human involvement.