General Data Protection Regulation (GDPR) - A Summary
In this article, we summarize the rights and responsibilities of those affected by GDPR, as well as provide a high-level overview of enforcement information.
GDPR applies to a wide scope of territory -- it includes non-EU based services/companies that possess data on EU residents.
Notifications and Consent
Before you collect personal data from your end users, you must obtain their consent to do so. When requesting consent, your notifications must:
- Be clear and easy to understand
- State the purpose of the data involved and how it will be processed
You must also:
- Explicitly request consent
- Make it as easy for your end-user to revoke their consent as it is to grant consent
Rights of Individuals
Your end users, as individuals, have the right to:
- See the data the company has about them
- Know how their data will be processed or used
- Be forgotten (the individual may ask the controller of their data to erase the data in question, cease disseminating the data, or halt further data processing)
- Portability (the individual can ask for their data in a standard, machine-readable format and can transmit that data to another data controller)
- Not be subjected to automated decision-making (a process typically called profiling)
Privacy by Design and Privacy by Default
As the data controller, you must design your app to abide by both privacy by design and privacy by default principles.
Privacy by design means that each new implementation that uses personal data must take the protection of such data into consideration.
Privacy by default means that the strictest privacy settings automatically apply once the end user acquires a new product or service (that is, without any manual change required on the part of the user).
Requirements for Data Processors and Controllers
As the data controller, you must:
- Do due diligence to ensure that your data processors provide adequate protection of provided data
Auth0, as the data processor, must:
- Comply with instructions provided by data controllers
- Maintain adequate documentation
- Implement adequate security
- Conduct data protection impact assessments
- Appoint a data protection officer or establish a privacy office
- Comply with rules on international data transfers
- Agree to and sign a written data processing agreement that meets GDPR requirements
Enforcement
- GDPR mandates that data controllers release notifications regarding data breaches within 72 hours of the incident
- Fines for non-compliance are much higher and are determined using a tiered system
- Supervisory authorities in the European Union have greater investigative powers
- Organizations controlling data must appoint a Data Protection Officer, while organizations processing data should have a Data Privacy Office