In this video, Kalinda Raina explores the other key concepts of the EU General Data Protection Regulation (GDPR). Learn about data subject rights, lawfulness of processing, and the responsibilities of controllers and processors.
- Data subject rights, lawfulness of processing, and the responsibilities of controllers and processors are key concepts of GDPR. Data subject rights, or DSRs as they are often called, are rights designed to give individuals greater control over their data. As we head into an era when companies are capable of knowing which route we took to work or what time we turned our lights out at home, DSRs are designed to give individuals control over who has access to their personal data and how it is used.
DSRs are actually a benefit to each of us as individuals, so let's quickly go over these key rights. The right to be forgotten, which means individuals can ask companies to delete their data. The right to access the data a company has about you. The right to portability, which allows individuals to ask companies to provide their data to another company on your behalf. The right to restriction of processing, which allows an individual to require a company to stop processing their personal data.
The right to rectify or correct data a company may hold about you. And finally, the right to object to the processing of personal data about you at any time. As you can see, these rights are comprehensive and can be a bit hard to keep track of. The key takeaway, though, is that these rights are designed to put the individuals who create the data in the driver's seat rather than the companies who use it. Another key concept is lawfulness of processing.
The EU requires companies to have a legal basis for collecting, using, handling, and storing individuals' personal data. There are several ways companies can prove they are lawfully processing data, but the three most common methods are contractual necessity, consent, and legitimate interest. Contractual necessity means there's an agreement in place between a company and individual about the processing of personal data. This basis applies whenever the collection of data is necessary to fulfill a contract.
So, for example, when you contract with your cell phone company, they must collect your location in order to provide you with service. Companies can also rely on consent, but under the GDPR, that bar has been raised. In the past, consent had to be freely given and informed, but now it must also be unambiguous and followed by an affirmative action. These enhanced requirements will make it really hard for companies to prove they've obtained a customer's consent.
Finally, legitimate interest is another legal basis. It requires companies to balance the enterprise's interest against the rights and freedoms of the individual whose personal data is collected. So, for example, if you are making an online purchase, a company needs enough information about you to complete the transaction and prevent fraud. That company could therefore rely on legitimate interest as a basis for collecting your name, credit card information, and address. The company's interest in processing the transaction and preventing fraud outweighs your interest in protecting the privacy of your name and address.
The final key concept I want to discuss is controllers and processors. Under the GDPR, companies are broken into two groups. Companies that decide how personal data will be processed are controllers. If you're processing data at the direction of another entity, you are the processor. Imagine for a moment instead of talking about data here, we're talking about money. As a controller, you are responsible for keeping your money safe, deciding how to spend it, and who to share it with. If you're a processor, you're like a financial advisor.
You're holding the money on behalf of your client, keeping it secure, and only using it the way your client tells you to. As a controller, if you don't meet certain obligations set forth in the GDPR, your company runs the risk of incurring a high fine and even being sued in Europe. If a processor mishandles data or makes a mistake, a controller can still be held liable for failing to diligently vet the processor. So, this is why many companies are revising contractual agreements with customers and carefully reviewing the privacy and security promises of their vendors.
If your vendor gets it wrong, under the GDPR, your company may also be on the hook. As we evolve towards a data-driven economy, the winners will be the ones who embrace GDPR as an opportunity rather than a burden.
DISCLAIMER: Neither LinkedIn nor the instructor represents you, and they are not giving legal advice. The information conveyed through this course is not intended to give legal advice, but instead to communicate information to help viewers understand the basics of the topic presented. Certain concepts may not apply in all countries. The views (and legal interpretations) presented in this course do not necessarily represent the views of LinkedIn or Lynda.com.