GDPR – understanding the personal data protection and privacy legislation

What is GDPR?

GDPR (General Data Protection Regulation) is a European Union regulation on personal data privacy, which entered into force in 2018.

According to the GDPR, the personal data of individuals may include their name, address, photo, medical information, bank details, posts on online platforms and social networks, computer IP address, etc.

GDPR rules must be adhered to by companies which, regardless of where they are located, hold personal data of individuals based in the European Union.

Simply put, if you have a customer from an EU country and collect their data as a result of a business transaction, you are subject to GDPR rules. There are no exceptions based on the size or scope of the enterprise, which means that any business with an online presence is potentially subject to this law.

Who does GDPR affect?

The GDPR applies to any organization operating within the EU, as well as any organization outside the EU that provides goods or services to organizations or individuals in the EU. This means that if any of these scenarios apply to you, you need a GDPR compliance strategy.

If you have a website, web application or ecommerce store, chances are you are affected by this legislation, as your site can be visited online by people from EU countries.

GDPR legislation distinguishes two kinds of parties that handle personal data:

  • Data controller: a legal or natural person, agency, public authority, or any other body which, alone or jointly with others, determines the purposes for which personal data is processed and the means of processing it.
  • Data processor: a legal or natural person, agency, public authority, or any other body which processes personal data on behalf of a data controller.

What rights does GDPR grant?

The GDPR empowers individuals to exercise rights over their personal data, protecting them from misuse by companies and from the other uncertainties that come with online data dissemination. These are the eight privacy rights granted by the GDPR:

The right to access

Individuals have the right to request access to their personal data, and to ask how it is being used by the company that holds it. The company must provide a copy of the personal data it holds, free of charge and in electronic format, if requested.

The right to be forgotten

Individuals have the right to withdraw their consent to a company using their personal data, and to request its deletion from the company's systems.

The right to data portability

This allows individuals to move, copy or transfer their personal data easily and safely from one IT environment to another, without affecting its usability.

The right to be informed

Individuals have the right to be informed when a company collects or wishes to collect their personal data. Individuals should opt in to having their data collected, and consent should be given explicitly rather than implied.

The right to correct information

Individuals have the right to have their personal data updated when it changes, or when it is incomplete or incorrect.

The right to restrict personal data processing

Individuals have the right to request that their data be stored but not used or altered by the company with which they are interacting.

The right to object

This allows individuals to stop the unauthorised use or processing of their personal data for marketing purposes. There are no exemptions to this rule, and any such use or processing must stop immediately once the request is received.

The right to be notified

If there has been a breach that compromises an individual’s personal data, the individual must be notified of the event within 72 hours. The individual must then be provided with detailed information regarding the breach.

GDPR in Albania

Businesses that only interact with companies or individuals within Albania and countries outside the European Union need not worry about GDPR rules.

However, when an Albanian company interacts with businesses or individuals located in the European Union, it must comply with GDPR rules.

Albanian data protection legislation is currently being aligned with European Union legislation, as part of Albania's negotiations for EU membership.

How to comply with GDPR regulation

Below we have listed some initial steps your business can take in order to comply with GDPR rules.

Map your company’s incoming data

Map where all the personal data your business could use comes from, and document what you do with it. Identify where the data resides, who might have access to it, and whether anything could compromise it. This is not only important for GDPR; it will also help you improve customer relationship management.

Determine what data you will store

Do not store more information than necessary, and do not store data that you will not use. The GDPR encourages businesses to train their staff in data selection, so that this process is carried out carefully.

Have data security measures in place

You need to put in place technical and physical security measures to prevent the leakage or corruption of individuals' personal data. Moreover, you will need to act quickly to notify individuals and the authorities in the event of a breach.

Review your agreements and documentation

Review all contracts and statements related to privacy, and make updates where necessary.

Establish procedures for handling personal data

Establish procedures and policies that address each of the following questions:

  • How can users lawfully give their consent for the storage of their personal data?
  • What procedure will be followed when a user requests that their data be deleted?
  • How will you make sure that user data is deleted from all your systems?
  • How will you facilitate the transfer of data when a user requests it?
  • How will you confirm that the person requesting a data transfer is who they claim to be?
  • What are your plans for communicating with, and settling matters with, an individual whose personal data has been breached?

Get expert advice

If your company has a large number of employees, or if you process sensitive data, you are required to maintain a detailed record of your processing activities. You should also prepare this record so that it can be shown to regulators on request.

When dealing with data protection, make sure that someone in your organization is responsible for GDPR compliance. This person will be in charge of evaluating data protection policies and their implementation.

If you do not want to hire someone full-time, you can obtain legal advice or expertise from a lawyer.

Follow the GDPR checklist

The checklist can help you better understand the requirements of the GDPR and the steps your business needs to take to implement this regulation. These requirements can be summarised in the following categories:

  • Lawful basis and transparency
  • Data security
  • Accountability and governance
  • Privacy rights

For more information visit: https://gdpr.eu/checklist

How GDPR affects business

GDPR compliance comes with significant costs for your business, which vary depending on the size of the business, the amount of personal data you hold, and the purposes for which you use that data.

Despite these costs, GDPR compliance also brings your business some benefits. It signals to your customers that you are a reliable company, making them more willing to interact with you and to share their personal data.

It also protects you against lawsuits: where you do not comply with GDPR rules, it is easier for someone to take legal action against you.

Summary

GDPR is a European Union regulation on the privacy of individuals' personal data. It must be implemented by all companies, regardless of their location, that provide services to organizations and individuals located in the European Union.

This legislation gives individuals control over their personal data, so that it is not misused or corrupted. Whatever the costs of compliance, not complying with the GDPR puts you at risk of lawsuits and fines.

GDPR compliance is important because it increases customers' trust in your company, and consequently improves your relationship with them.
