Join the DZone community and get the full member experience.Join For Free
Organizations transfer personal data all the time, which get processed in a second country or after an onward transfer to a third country or international organization. Under the GDPR, certain conditions have to be met before an original data transfer or an onward data transfer to a third country or international organization can take place.
If the commission decides that the receiving country or international organization ensures an adequate level of protection, the transfer does not need any specific authorization.
Otherwise, a controller or processor must provide appropriate safeguards, and show that data subjects have effective legal remedies available.
After that, you would need to gain approval from the data subjects or meet other conditions that might be difficult.
Consent is very specific and required under the GDPR. No more pre-checked boxes, sneaking consent for one thing in with others or assuming consent. When consent is necessary for processing, the data subject must freely consent to the processing of personal data through a clear action, so no more so-called "opt-out consent" either.
For sensitive data, data subjects must give explicit consent, and you must give them an option to withdraw or refuse consent.
That means you too, marketers. Under the GDPR, all individuals have the right to object to direct marketing and profiling related to direct marketing. And under the GDPR, you must inform them that they have that right.
And you know how sometimes you want to unsubscribe from something, and you can't figure out how? Under the GDPR, you must make withdrawing consent as easy as giving consent.3. Prepare Data Breach Notification Processes
Under the GDPR, companies must notify individuals without delay that there has been a breach of their personal data. When possible, you must deliver this notification within 72 hours of becoming aware of the breach, unless it is unlikely to impact the rights and freedoms of individuals. Data processing companies also have the onus of reporting breaches to the company that collected and controls the data they process.
Data subjects must give explicit consent for sensitive data, and you must give them an option to withdraw or refuse consent.4. Support the Right to be Forgotten
If personal information is compromised, an individual has the right to have his or her personal data rectified and a "right to be forgotten" where the retention of the data does not comply with the regulation or with an applicable union or member state law. This right is particularly relevant when the data subject gave consent as a child and later wants to remove such personal data, especially on the Internet.5. Retain Privacy Data Properly Throughout the Lifecycle
Privacy procedures must include privacy by design, and development and deployment concepts, including, but not limited to:
- Awareness and training for data privacy.
- Data mapping, flow, and access control.
- Privacy data protection mechanisms requirements.
- PIA/DPIA mechanisms, frequency, retention, and governance effectiveness.
- Data Storage and processing locality.
Up Next in Part 4: Products and Services
Published at DZone with permission of Robert Hawk , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.