The GDPR, an acronym for General Data Protection Regulation, is EU Regulation No. 2016/679 on privacy and the right to be forgotten. Keep reading this guide to find out what it is, what it means, what you need to do and what changes for your online reputation.
The GDPR in a nutshell
In summary, the GDPR consists of 99 articles which provide for the following:
- Information: you have the right to clearer information about the processing of your personal data.
- Right to be forgotten: you may request the removal of damaging information showing up on a search engine such as Google. Thanks to the GDPR, you can contact a qualified professional to have it removed, since Google has very long processing times.
- Limits to automated processing: limits are set on the automatic disclosure of data and information without your consent.
- Data transfer: the criteria for data transfer are established, allowing sharing while also extending the rules to companies based outside the EU if they process data of subjects present in Europe.
- Sanctions: in case of infringement of the rules, sanctions can be up to EUR 20 million or 4% of the company's annual turnover.
What is the GDPR
Your personal data, financial information and preferences, such as the purchases you make, the websites you visit or a particular product you select, are now exposed through the media and may be subject to inappropriate and unauthorised use.
This is a matter that concerns you not only as an individual, but also as a professional or entrepreneur.
It is in this perspective that the EU GDPR Regulation No. 2016/679 governs privacy and the right to be forgotten.
The GDPR brings together a set of rules enacted within the Union in order to ensure an:
“Uniform directive with regard to the data processing and the right to be in full possession of the information concerning you”.
It is a regulation, which means that it is in force in all countries of the European Union and must be adopted by the member states, which are obliged to align their national legislation with the EU rules in case of conflict of law.
For instance, the Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
When did the GDPR come into force?
The regulation entered into force on May 24, 2016 and has applied since May 25, 2018.
Today, everything related to data, information and privacy must be GDPR-compliant, that is to say, in compliance with the regulation.
What does GDPR mean?
The term GDPR is an acronym that indicates the General Data Protection Regulation.
What protection of personal data means
Personal data is considered to be all the information which directly or indirectly identifies you as a natural person, as the owner of a business or as its direct representative, and which may concern different spheres of your social life and work.
The most relevant personal data include:
- name and surname;
- ID number;
- data held by a hospital.
There are also personal data that may not be processed or disclosed in any way.
These include:
- ethnicity and race;
- sexual orientation;
- political opinions;
- religious convictions;
- data relating to particular health conditions;
- data relating to criminal convictions and offenses.
Google search results can often contain defamatory links related to you or the business you run.
Reports to the search engine are not very effective, as response times are very long.
This is why more and more people are turning to ReputationUP to remove a link from Google within the legal framework of the GDPR.
Who processes personal data on behalf of the controller?
Article 4 of the GDPR identifies who is in charge of data processing.
On the one hand, the data controller can be a natural or legal person, an agency, a company or a public authority to which that information refers.
On the other hand, the data processor is a natural or legal person, public authority, agency or other body that processes data on behalf of the data controller.
Let’s take a concrete example.
Imagine that your company produces packaging machinery and that you entrust payroll payments to a specialised external company, telling it the amounts and the dates on which the payments must be made.
In this case your company is the data controller, while the external company acts as the data processor.
What does data breach mean?
A data breach is a security incident, concerning data that identifies you directly or indirectly, which occurs accidentally or through unlawful processing and in which your data are disclosed, destroyed, modified, lost or accessed by someone not authorised to do so.
A breach can compromise your privacy and your personal data protection rights.
Its causes can be divided into three macro-categories:
- Access by unauthorized parties
- Theft of devices containing your data
- Malware and virus attacks
Who is the data protection officer?
The data protection officer (DPO) is a technical consultant who deals with risk management related to your personal data.
This role is now mandatory for all public bodies and for companies whose activities involve the use of personal data.
The DPO can be a member of the organisation, if that person has the required skills, or an external professional specialised in the IT sector.
The DPO deals with:
- Consultancy: providing advice to your business and informing you about the current legislation on the right to privacy and the right to be forgotten.
- System analysis: carrying out careful risk control and analysis on your IT systems.
- Implementation of preventive measures: by drafting a specific document listing the measures to be implemented and their planning.
- Action: taking steps to counter a threat or data breach and issuing a report to the competent authorities.
GDPR: what do you need to do to comply?
Let's look in detail at the five things you must do in practice to stay compliant:
- Download the text of the law;
- Collect all your company data and information;
- Check which ones are used;
- Provide users with "full access to their data, the right to data portability and the right to be forgotten";
- Identify the roles defined by the regulation for the protection of privacy.
Who must do it?
Compliance is mandatory for those who:
- Established a company, firm or entity after May 25, 2018;
- Carry out an activity within the European Community that involves data processing;
- Carry out an activity outside the European Community but process the data of EU citizens.
Who must comply with it?
In the event that your company was established before May 25, 2018, you will need to adapt your systems to meet the required parameters.
How to comply with it?
Compliance must be achieved in several areas: internal organisation, the actions to be taken, the use of secure IT systems and the identification of roles.
First, you will need to inform your customers about the tools used for data collection and specify how the data are used.
Consent must be obtained in a clear and precise way, and a register of processing activities must be created, including all changes made by the data controller and by the processors.
Furthermore, you will need to appoint a data protection officer and carefully evaluate the steps needed to achieve compliance with the new regulation.
Who must comply?
You must comply with the GDPR if you are a natural person, such as a doctor or another professional, who uses third-party data for business purposes.
Are there any exceptions or exemptions?
The GDPR does not apply when:
- the data subject is a deceased person;
- the interested party is a legal person;
- the data are used by a person for purposes with no connection to any commercial, business or professional activity.
What changes has the GDPR brought?
The introduction of the GDPR was a necessary response to an information age of ever-increasing digitalisation. It marks a step forward in the way personal data are protected and their processing is regarded.
In particular, important action was taken to tackle the problems that can arise, especially where a user needs to repair their online reputation.
Today, thanks to the new rules, you are entitled to:
- Have your explicit consent requested before your data are processed;
- Be informed about how your data are being used;
- Request and obtain the erasure of your data.
If your objective is to remove from Google content that you consider negative or harmful to your online image, contact ReputationUP now and find out how to protect your reputation from haters and fake news.