In this article, we continue with our topic of the GDPR.
The Conditions Under Which A Business Can Process PII
A business that is bound by the GDPR cannot simply hold or further process PII datasets. Instead, there are stringent guidelines under which it can be done. Examples of this include the following:
- The business has received very explicit permission from the EU citizen or customer to store their personal information and data. This includes such things as being part of an opt-in email list, or the storage of credit card information or other financial information to make repeated shopping easier.
- If the business has to engage in a specific contract with a customer or third-party vendor to close a deal.
- You need to meet a legal obligation of some sort. For instance, if a security breach has impacted the business, then it would have to comply with court orders to disclose, to some extent or another, the customers or employees whose PII datasets have been impacted.
- The processing of data is needed to save the life of a particular individual. This statute is primarily meant for healthcare organizations and medical practitioners.
- You intend to perform a public service that is deemed to be in the best interest of the community, city, etc.
- If you have a real and legitimate reason to process PII datasets. This is deemed to be one of the much-relaxed statutes of the GDPR; thus, its murkiness has led to confusion as to what “legitimate” really means.
The Clarity Of Consent
The concept of “consent” (or permission) for the PII is a central theme of the GDPR, and therefore, very specific standards as to what constitutes it have been released, which are as follows:
- The permission that has been provided by the EU citizen or customer “. . . must be freely given, specific, informed, and unambiguous.” (SOURCE: 1).
- The individual has the right to withdraw consent to the storage or processing of their PII datasets at any time he or she wishes to, and the business must adhere to this under all conditions, no matter what.
- The business in question must keep clear documentation on the consent it has received, either in a hard copy or electronic-based format (examples of this include email or selecting the checkbox on the contact form of the website which states that you consent to having your PII stored).
Overall, this article series has just touched upon the surface of the GDPR. For example, many other areas need to be considered as well, which include privacy rights, data security, accountability, the principles of the protection of the PII datasets, etc. These topics will be covered in future articles. But keep one thing in mind: If you are a business with offices in the EU, or you are located in any other geographic region in which you store and process EU citizen data, the financial penalties are quite steep for noncompliance:
Either 4% of total revenues, OR 20 million Euros ($23,587,800.00 USD), whichever is greater!!!
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.