Any data identifying with a living, distinguished or identifiable individual constitutes personal data. It can be anything from a name, a photograph, an email address, bank details, medicinal data or an IP address.
The European Union has taken monumental steps towards ensuring the fundamental right to privacy for all EU residents through the General Data Protection Regulation (GDPR) which comes into effect from May 25, 2018. The GDPR empowers EU residents by placing them in control of their personal information and upholding strict protocols for organizations who collect and process this information.
Any organization - whether private business or public authority, irrespective of the location - that collects, stores or shares personal data of EU residents will need to comply with the GDPR in the interest of preserving fundamental rights of EU residents. Non-compliance could lead to heavy fines. This affects businesses that deal directly with the personal details of EU residents (data controllers) or those that process the data on behalf of other businesses (data processors).
Transparency and trust are Mettl’s core values and we are committed to our customer’s data privacy and security. The GDPR aligns with this vision and we have improved our existing systems and processes for GDPR compliance.
With a clear mandate and business priority from our management team, Mettl has formed a dedicated cross-functional Compliance Team which has defined our GDPR roadmap. As of 25th May 2018, we are GDPR compliant and we continue to further improve our systems and processes in this regard.
Here’s some brief information about our approach to GDPR compliance:
• Management driven cross-functional Compliance Team leading the initiative for GDPR compliance
• EU-compliant contractual protection for data transfers outside EU
• Policies and processes to enable Data Subject Rights
• Data Breach Management systems and processes with a clearly defined turn-around time and escalation matrix for any data breaches
• Detailed data inventory of data in-flows and out-flows in our system
• Enable explicit consent, consent management and withdrawal
• Access controls and rights
• Strengthen our data encryption and anonymization practices
• Privacy by design and default principles to ensure new projects and processes are in alignment with our commitment to data privacy and security
Co-Founder & COO,Mettl
We at Mettl, see GDPR as an opportunity to reinforce our values of transparency and customer focus. It is these values which are driving us to build robust systems to ensure our customer's data privacy and build trust.
A controller is the entity that decides the reasons, conditions and methods for processing of personal data, while the processor is an entity which actually stores and processes personal data on behalf of the controller. Both 'Controllers' and 'Processors' of information need to comply with the GDPR.
GDPR with its objective to expand the data privacy rights of individuals in various imperative ways, subjects both data controllers and processors that fail to comply with the GDPR requirements to potentially heavy fines.
No, the GDPR does not require EU individual information to remain in the EU, nor does it put any new confinements on exchange of personal data outside the EU.
Data Transfers from the EU to outside can be legitimized through various means including:
· EU-US Privacy Shield
· Model or Contractual clauses
· Binding Corporate Rules (BCR)