- Before collecting a customer’s personal data, you must obtain consent.
- Personal data includes anything that can be used to identify a user, such as an email address or a name.
- After obtaining consent, the user must have an easy way to opt-out of your use of their personal data.
- The user must also have an easy way to download all of the info you have on them, and the ability to delete all of their data from your servers as part of their “Right to be Forgotten.”
- Once you’ve obtained consent to use a person’s data in a certain way, you cannot then use that same data in a different way. You will have to obtain new consent in order to change the way you use their personal data.
- Each company will have to appoint an employee to represent them in the EU. This employee will act as the contact for the EU’s DPAs (Data Protection Authorities).
- These DPAs will have the power to investigate and enforce the GDPR rules on companies that handle users’ personal data.
- Companies that suffer a breach of their users’ personal data must immediately inform those users that their info was stolen.
- Both the company collecting personal data and the third party to which the company sells that personal data are legally responsible for any mistakes that are made.
Here are a few links with more info: