With much of our personal info now floating around the internet, this new regulation under EU law is unlike its previous directive where each country had its own regulation statement. The EU has created uniform rules for protecting and processing our personal data in which companies across the board must comply.
The affected companies are not only those in EU countries, but also companies who provide products and services to EU citizens. So, if you already have a privacy statement on your business website, you might want to read it again to make sure it falls in line with what GDPR defines for EU citizens.
According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
If you’re a business owner, a few basic rules should be followed for client data protection, for example, always secure your customer’s private information. Don’t leave client credit cards in an open place and make sure you shred documents with credit card info. Describe your privacy policies in an online privacy statement, and be transparent with your customers. How you handle your client data is a reflection of who you are as a business owner.
Under the new regulation, unless a person has consented to let their personal data be collected, retained, or shared to a third party, their info cannot be processed unless there is a legal reason to do so, including:
- For the legitimate interests of a data controller or a third party, unless these interests are overridden by the Charter of Fundamental Rights (especially in the case of children).
- To perform a task in the public interest or in official authority.
- To comply with a data controller's legal obligations.
- To fulfill contractual obligations with a data subject.
- To perform tasks at the request of a data subject who is in the process of entering into a contract with a data controller.
- To protect the vital interests of a data subject or another person.