Note: this post is designed to be an informational resource only and does not constitute legal advice. We encourage you to speak with your legal counsel for any questions about how GDPR will affect your organization. You can also visit the GDPR website for more info.
Effective May 25, 2018 the EU's General Data Protection Regulation (GDPR) will come into effect. Optix has taken all necessary measures to comply with this regulation as a 'data processor'. As a 'data collector' you may also need to take some steps to ensure you are compliant with this new regulation.
What are the major changes under GDPR?
A major component of this regulation surrounds the means through which users can provide and revoke consent for hosting their personal information. It must be just as simple to revoke consent as it is to provide it in the first place. The language used to gather consent must be clear and plain (no more rambling legalese).
The second component is enhanced rights for data subjects. These include the right to be notified of data breaches, the right to data portability and data access, and the right to be forgotten. Organizations hosting or processing data are also required to take additional measures to ensure privacy by design and adequate protection measures.
How is 'personal data' defined under GDPR?
Personal data is defined very broadly as any piece of information that can be used to directly or indirectly identify a person. Name, photograph, email address, social media posts, and banking information are all examples of personal data.
Do I need to worry about this if my organization is based outside of the EU?
Yes. GDPR applies to any organization that collects data on any EU resident or citizen, regardless of where the company is geographically located.
What is changing in Optix to ensure compliance with GDPR?
We have made a number of changes to ensure we are compliant with the new regulations. These include:
- Updating our data breach procedure
- Additional mechanisms for logging and tracking user consent to hosting of their personal data
- Implementing a process by which users can request all their personal data be deleted from our servers
- Supporting user data export requests to comply with users' new right to data portability