Whilst these laws were written for the citizens of the European Union, every organisation outside the EU must also comply with GDPR regulations if it offers goods or services to, or monitors the behaviour of, EU data subjects. Organisations which fail to do so can face severe penalties.
What sort of penalties does an organization face if they fail to comply?
Non-compliance can result in a fine of up to 4% of annual global turnover. The maximum fine is €20 million, which is imposed for severe violations such as insufficient customer consent to process data or violating the core Privacy by Design concepts. A company can be fined up to 2% for not complying with Article 28, which requires records to be in order, for failing to identify and report a breach to the supervising authority and data subject, or for not conducting an impact assessment.
‘Personal Data’ refers to any information which can directly or indirectly lead a third party to identify a particular individual. Some examples of ‘personal data’ are an individual’s name, address, place of work, identification number or ID, or account details. Personal data should be handled carefully in every circumstance, but what constitutes personal data can vary depending on the organisation’s intended use and the context in which it is used.
The conditions for consent have been strengthened, as companies are no longer able to rely on long, illegible terms and conditions full of legalese. The request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent, so that it is unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. For non-sensitive data, however, “unambiguous” consent will suffice.
No, there is no certification that is issued by the EU for GDPR. EngageRocket will be sure to update you if this rule changes.
The right to be forgotten: If you are no longer a customer and therefore choose to unsubscribe from our mailing list or withdraw consent to the use of your personal data, then you have the right to have your data deleted from our database.
The right to data portability: You can transfer your personal information from one service provider to another. Note, however, that the data must be provided in a commonly used and machine-readable format.
The right to be informed: Being ‘informed’ covers everything for which you need to opt in and consent to EngageRocket’s collection of your data, and requires EngageRocket to inform you before we gather your data. Consent must be explicit; it must not be assumed.
The right to have information corrected: Your data must be updated if it is out of date, incomplete or incorrect.
The right to restrict processing: EngageRocket’s customers may request that their data not be used for processing. Note that your record will remain in place, but it will not be used.
The right to object: This is our customers’ right to prevent their data from being processed for direct marketing. This rule has no exemptions. Once your request is made and received by us, any processing will be halted immediately. EngageRocket ensures that all our customers are aware of all their rights before any agreements are made.
The right to be notified: You will be informed within 72 hours in the event of a security breach which endangers any of your personal data and information.
Privacy by design is an approach which aims to increase awareness of the importance of privacy and data protection. It shows an organisation’s serious commitment to data protection. Examples of privacy by design include collaborating with an external party for data sharing or building new security systems which store or access personal data.
Having a ‘fair processing notice’ means that we have to inform our customers on how we process their personal data as part of our work.
GDPR regulations standardised data and information security laws across the EU in a way that affects all organisations globally. As a result, they remove the need for individualised data protection laws which differ by region. They also make the laws for data security and privacy much stricter, with more severe punishments for non-compliance and explicit rules to abide by.
A Data Controller is the organisation which determines the purpose and importance of processing the personal information of the individuals concerned. A Data Processor, on the other hand, is an external party which processes personal data on behalf of the Data Controller, acting on the Data Controller’s instructions. Under the GDPR regulations, data processors have greater responsibility to keep the processed data secure and private.