What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation of the European Union. It gives individuals (the "data subjects") enforceable rights over the personal data that organizations hold about them, and places obligations on the organizations that process it.
Why does GDPR exist?
To protect people's fundamental rights and freedoms, in particular their right to privacy and to the protection of their personal data.
When does it start?
It has applied, and been enforceable, since 25 May 2018.
Who should care about GDPR?
Any organization that collects, stores, uses or otherwise processes data about people.
Where is GDPR actually applicable?
GDPR applies to all organizations established in the EU, wherever the processing itself takes place, and to any organization outside the EU that offers goods or services to people in the EU or monitors their behaviour. In practice, any website, regardless of where it is hosted, that handles the personal data of people located in the EU falls under GDPR. Note that the test is where the person is, not their citizenship.
How to implement GDPR?
GDPR grants data subjects a number of rights, including the following,
- Right to be forgotten
- Right to Portability
- Right to Access
- Right to Rectification
Key terms used on this page
a.) A "Data Processor" is a natural or legal person, public authority, agency or other body that processes personal data on behalf of, and on the instructions of, the Responsible Party (the controller).
b.) A "Third Party" is a natural or legal person, public authority, agency or other body other than the affected person, the Responsible Party, the Data Processor and the persons who, under the direct authority of the Responsible Party or the Data Processor, are authorised to process the personal data.
c.) "Data" or "Personal Data" is any information relating to an identified or identifiable natural person (hereinafter the "affected person"). A natural person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
d.) A "Responsible Party" (the GDPR's "controller") is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of the processing are determined by EU law or the law of an EU member state, the Responsible Party, or the specific criteria for its nomination, may be provided for by that law.
e.) "Data Processing" is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
f.) "Violation of the Protection of Personal Data" (a personal data breach) is a breach of security, whether accidental or unlawful, that leads to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data that is transmitted, stored or otherwise processed.
g.) "Technical and Organisational Security Measures" are the measures aimed at protecting personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves transmission of data over a network, and against all other unlawful forms of processing.
h.) "Data Controller" is the GDPR's term for the Responsible Party defined above: the entity that determines the purposes and means of the processing of personal data. For the data described on this page, Office Portal is the data controller.
i.) "Sensitive personal data" are the "special categories of personal data": data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation. Personal data relating to criminal convictions and offences are not a special category, but similar extra safeguards apply to their processing.
Seven core principles of GDPR
The GDPR sets out seven principles for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data. Broadly, the seven principles are
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability (the controller must be able to demonstrate compliance with the other six)
How Office Portal adheres to the core principles of GDPR
Lawfulness, fairness and transparency:
Transparency – We at Office Portal clearly state what we do with user data and why.
Fairness – We at Office Portal balance the fundamental rights and freedoms of the person whose data it is against the interests of the entity processing the data.
Purpose limitation – Data is used only for the purpose for which it was collected. It will not be used for other purposes at any point in time.
Data minimisation – We at Office Portal collect only the data that is strictly required for the stated purpose, and nothing beyond that.
Accuracy – Users can correct the data collected from them at any time so that it stays correct and up to date.
Storage limitation – When a user is deleted from the system, the user's complete history is deleted with them. No details of the deleted user are retained.
Integrity and confidentiality – We at Office Portal maintain a stringent policy to protect user data against unlawful processing and against accidental loss, destruction or damage.
How to claim your GDPR rights
The rights a user can claim, and how to claim each of them in Office Portal, are given below,
- Right to be forgotten
- Right to Portability
- Right to Access
- Right to Rectification
Right to be forgotten:
Office Portal is designed so that a user can be deleted, and once a user is deleted no trace of that user is retained in the system.
Right to Portability:
A user can request a copy of all the data Office Portal holds about them, and upon request all the data relating to that employee will be provided.
Right to Access:
Office Portal provides an Employee Self Service option that lets users see and update their own information. A higher authority can customise which fields a user may change and which they may not.
Right to Rectification:
All "Personal Data" held in Office Portal can be edited at any point in time, so the user stays in control of their data and of any changes to it.
Myths about GDPR
Does the data have to be stored in an EU data centre?
No. GDPR does not require data to be kept inside the EU. Data may be stored in or outside the EU; GDPR only requires that a transfer to a country outside the EU/EEA is legitimised through one of the mechanisms the regulation provides, such as a European Commission adequacy decision for the destination country, standard contractual clauses or binding corporate rules.
Is a Data Protection Officer mandatory for every organization?
No. GDPR requires a Data Protection Officer (DPO) only if you fall into one of the following categories,
- You are a public authority or body.
- Your core activities consist of large-scale, regular and systematic monitoring of individuals, for example online behavioural tracking.
- Your core activities consist of large-scale processing of special categories of data, or of data relating to criminal convictions and offences.
An organization that does not fall into one of these categories is not required by GDPR to appoint a DPO, although the law of an individual member state may still require one.
Is biometric data always sensitive data under GDPR?
This is a common misconception about GDPR. Biometric data is a special category only when it is processed for the purpose of uniquely identifying a natural person. Biometric data is predominantly collected for identification, but where that is not the purpose it does not have to be treated as sensitive data. It is still personal data and all the other GDPR rules apply to it.
Are small businesses exempt from GDPR?
There is no general exemption under GDPR for businesses with only a few employees: GDPR does not care about your firm's size. Any organization that processes the personal data of people in the EU falls under it. The one concession is that organizations with fewer than 250 employees are relieved of the duty to keep formal records of processing activities, but only if their processing is occasional, poses no risk to the rights of individuals and involves no special categories or criminal conviction data.
GDPR compliance on Office Portal
What information do we collect?
We collect the following data,
- Identity data (first and last name, date of birth, citizenship, …)
- Communication data (address, e-mail, phone numbers, …)
- Social network profiles (LinkedIn, Facebook, Twitter, …)
- Open text fields for text entry (text entry fields for individual use)
- File attachments (contracts, curricula vitae, forms, …)
All content is stored in the UK Azure data centre. Since the UK's departure from the EU, storage in the UK counts as a transfer to a third country; it is currently covered by the European Commission's adequacy decision for the UK (2021). We do not sell your information or share it for third-party marketing. We use third-party e-mail service providers such as SendGrid, acting as our data processors, to send e-mail to our clients and users.
What does Office Portal do to protect your data?
As a Data controller we are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR.
Technical & Organizational measures:
- Role-based restricted access to the server
- Strict password policies
- Protocols to be followed by employees
- “Need to know principle” followed by employees
- Avoid exchange of devices
- No login credentials sharing
- Frequent password change policy
- Uninterrupted power supply
These are a few of the technical and organizational measures followed by Office Portal.
Do we share your information?
We may share your information with third-party service providers in order to provide our services. These providers are authorised to use your personal information only as necessary to provide those services to us (Office Portal) and act as our data processors. The services may include the provision of
- email services to send marketing communications
- customer service or support
- providing cloud computing infrastructure
How do we use your details for marketing purposes?
As part of the Services, you may choose to opt in to receive occasional e-mails and other communications from Office Portal, such as communications about promotions, new product releases, new feature updates and other marketing matters. You can opt out again at any time.
What happens in the event of non-compliance?
Non-compliance can attract administrative fines of up to €20,000,000 or 4% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements (a lower tier of up to €10,000,000 or 2% applies to others). Supervisory authorities can also order processing to be stopped, and affected persons can claim compensation.