After posting about the privacy-focused Overcast update, I received a company training on GDPR.
Some interesting things I got out of it:
- Breach Notification - regulators are to be notified within 72 hours and users should be notified “without undue delay”.
- Right of Access - After receiving a written request from an individual, companies are required to provide the personal data, in electronic format, free of charge, within a month.
- Right to be Forgotten - Individuals can request that companies controlling and processing personal data erase the data and stop any further circulation of the data.
- Data Portability - Individuals can request that their data be freely transferred to another organization.
- Right to Object - Users have the right to object to their personal data being used for “profiling”, which is any form of automated processing to evaluate personal aspects of an individual.
As a user, I love each one of these individual rights. From a company perspective (not the company for whom I work; I don’t speak for them), I think it’s going to require a lot of changes to processes to be compliant.
If I were creating a new business I would design the business to be privacy first and avoid any and all personal data as much as possible.