
Off the Record Music Sales

            The General Data Protection Regulation (GDPR) was set by the Council of the European Union and the European Parliament to strengthen and unify data protection for all individuals in the European Union (EU). The GDPR concentrates on giving citizens and residents control back over their personal data and on simplifying the regulatory environment for international business by unifying the rules across the EU. The regulation documents the principle that an individual's personal data must be protected, because that protection is a fundamental right, alongside security and justice in the market.

The regulation was adopted on 27 April 2016, so OTR must follow it when handling its customers in the European Union.


The primary information that Off the Record Music Sales (OTR) must protect for its customers in the European Union is “Personal Data”: any information that can be used, by any means, to identify an individual as a person. This information includes:

§  Name

§  Personal Identification Numbers

§  Medical Information

§  Shipping and Billing Address

§  Gender

§  Credit Card Information

§  Social Security Number

§  Order History

§  Phone Numbers

§  Email Address

§  IP and MAC Addresses

Data Processing

            Data can be processed only if there is at least one lawful basis for doing so. The lawful bases for processing the information are:

§  The data subject has given consent to the processing of the data for specified purposes.

§  Processing is necessary for compliance with a legal obligation.

§  Processing is necessary to protect the vital interests of the customer or of another person.

§  Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

§  Processing is necessary for the legitimate interests pursued by the controller or by a third party.

 

Consent

            In accordance with the GDPR, where data processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of their personal data. Consent must be obtained from the person through a “freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement” (Recital 32). The person has the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

 

Controller and Processor

            According to Article 4 of the EU GDPR, a controller is “a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. A processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. The controller is responsible for demonstrating compliance with the principles relating to the processing of personal data. Where processing is carried out on behalf of a controller, the controller shall use only processors that provide sufficient guarantees to implement the technical and organisational measures needed to meet the requirements of the GDPR.

 

Data Breach and Notifications

            Data processors must report personal data breaches to the data controller. Data controllers must report the breach to the supervisory authority within 72 hours and, in some cases, to the affected individuals. Data controllers must keep an internal breach register.

GDPR Penalties

            Penalties for infringement are considered on a case-by-case basis and take many criteria into consideration, such as the intentional nature of the infringement, the number of data subjects affected, and previous infringements by the data controller or processor.

            The lower level of fine is up to €10 million or 2% of the company's global annual turnover. This covers infringements relating to:

§  Data protection by design and by default.

§  Records of processing activities.

§  Involvement of the supervisory authority.

§  Data breach notification to the supervisory authority.

§  Communication with the customers.

§  Data protection impact assessment.

§  Consultation.

§  Certification.


Data relating to criminal convictions

            Processing of personal data relating to criminal convictions and offences should be carried out only under the control of official authority, or under Union or Member State law that provides safeguards for the rights and freedoms of data subjects.

Recommendations

            To ensure that the GDPR is implemented, the following measures must be put in place to prevent issues, breaches, and offences.

§  All data storage devices at OTR must be encrypted, with multi-factor authentication required for access.

§  Data backups must be implemented both on site and off site. The backups must be encrypted, and multi-factor authentication must be required to access them.

§  Only authorized employees may access customer data, and only under the GDPR standards.

§  Employees handling customer data must be trained in, and aware of, the standards for processing the information upon a customer's request.

§  If customer data is compromised, it is the company's responsibility to notify the customer within the 72 hours of the breach given by the GDPR standards.