GDPR - What to do!!
I am not an expert on GDPR but here is what I have understood.
The GDPR is a European Union (EU) privacy law that comes into effect on 25th May 2018, and you are wondering what it is about!!
It regulates how anyone or anybody uses the personal data of people located in the EU. Personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Anything you do with this data is called data processing. The definition of data processing is again very broad. Basically it covers almost everything and anything under the sun that you can think of doing with data!!
There are two important pieces to this:
Consent: You need to have consent to process any EU citizen's personal data. This consent must be specific and verifiable. As per GDPR, the definition is: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”
Verifiable consent means that you have records of when and how you got the permission from the subject to process their data.
- So no pre-ticked boxes!! A pre-ticked box is taken to mean that the subject did not specifically give you consent.
- You should be able to prove, with written records, that you have this permission.
- The consent has to be specific, meaning that the language of consent should not be ambiguous and should clearly identify what the subject is giving consent for.
- Consent should not be hidden anywhere. It has to be visible (very visible!!).
- Give complete details of how you will process the subject's data.
- Be specific about how long the consent is being given for. A refresh request should go out if you want to extend the consent; otherwise the data should simply be deleted.
Individual Rights: GDPR also sets out the rights of individuals.
- If the subject requests to be forgotten, you will have to delete their data immediately.
- The subject can ask at any time how their data is being processed, and you will have to comply with that request.
Please add anything that I have missed. Hope this helps you get up to speed!!