After the implementation of GST in India, the world is busy reading about the General Data Protection Regulation (GDPR) rules of the European Union. The rules are expected to be formally applied this spring and rolled out in 2018. This gives the member states enough time to ramp up their preparations and comply with the norms on time. This article is for users who are responsible for everyday data protection.
If you are residing in the EU, or your organization handles the personal data of any EU citizen, you will have to comply with the GDPR or risk being hit with the cost of non-compliance: a fine of 4% of your company’s annual revenue or up to €20 million, whichever is higher. The government has confirmed that the UK’s decision to leave the EU will not affect the application of the GDPR rules.
It is essential that both businesses and individuals understand the new law and the rights that follow from it.
Does GDPR apply to you?
It applies to ‘controllers’ and ‘processors’. If you are currently subject to the DPA, it is most likely that you will also be subject to the new rules.
For Processors:
– The rules impose specific legal obligations. For example, a processor is required to maintain records of personal data and of all processing activities. Processors also carry significantly more legal liability if they are proven to be responsible for a breach.
For Controllers:
– The GDPR rules place further obligations on the controller to ensure that its contracts with the relevant processors comply with the rules.
The GDPR applies to entities operating within the EU as well as to entities outside the EU that offer goods or services to individuals residing in the EU.
It does not apply to activities such as:
– Processing covered by the Law Enforcement Directive
– Processing for national security purposes
– Processing carried out by individuals purely for personal or household activities
What kind of information does the GDPR apply to?
The definition of personal data in the GDPR is more detailed than in the DPA. It also covers online identifiers such as IP addresses, reflecting changes in technology. All information that was in the scope of the DPA also falls under the GDPR rules, which apply to both automated and manual processing of personal data.
Sensitive personal data
Some special categories of data fall under this heading, for example genetic data and biometric data.
Read Article 10 of the GDPR for more insights.
Key Points of the GDPR
Privacy By Design: The most important component of the new rules is Privacy By Design: privacy must be built into all systems from the beginning and provided by default for all end users.
Data Custodianship: Improved data custodianship requirements also form part of the rules. Entities should keep only the data they absolutely need, and only for as long as they need it. Once that data is no longer needed, it should be destroyed or anonymized.
Right To Erasure: Users can request that their Personal Data be deleted from an organization for any reason, e.g. probable non-compliance with the rules. Explicit consent, which must be given freely, is required for the processing of Personal Data, and organizations must make withdrawing consent as easy as giving it should the user wish to do so.
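The custodianship and erasure points above translate into two engineering controls: every record must carry a documented purpose with a retention period, and the store must be able to anonymize or delete records on expiry and drop everything linked to a subject on request. The following added Python example (not from the original article or any named product) shows one way to implement both, together with a log of processing activities of the kind processors are required to keep. The retention policy, the list of non-identifying fields and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical retention policy (constructed for this example): days each processing
# purpose justifies keeping a record, and whether an expired record is anonymised
# (kept as non-identifying statistics) or deleted outright.
RETENTION_DAYS = {"order_fulfilment": 30, "newsletter": 365}
ANONYMISE_ON_EXPIRY = {"order_fulfilment": True, "newsletter": False}
# Fields treated as non-identifying and therefore safe to keep after anonymisation.
NON_IDENTIFYING_FIELDS = {"country", "order_total"}


@dataclass
class Record:
    subject_id: Optional[str]            # None once the record has been anonymised
    purpose: str
    collected_at: datetime
    data: Dict[str, str] = field(default_factory=dict)


class PersonalDataStore:
    """Minimal store that only accepts data with a documented purpose and retention."""

    def __init__(self) -> None:
        self.records: List[Record] = []
        self.processing_log: List[str] = []   # record of processing activities

    def _log(self, action: str, rec: Record, now: datetime) -> None:
        self.processing_log.append(
            f"{now.isoformat()} {action} purpose={rec.purpose} subject={rec.subject_id}")

    def collect(self, subject_id: str, purpose: str, data: Dict[str, str],
                now: datetime) -> Record:
        # Data minimisation: refuse data that has no documented purpose/retention.
        if purpose not in RETENTION_DAYS:
            raise ValueError(f"no documented purpose or retention period for {purpose!r}")
        rec = Record(subject_id, purpose, now, dict(data))
        self.records.append(rec)
        self._log("collect", rec, now)
        return rec

    def sweep(self, now: datetime) -> Dict[str, int]:
        """Enforce retention: anonymise or delete records whose period has lapsed."""
        counts = {"kept": 0, "anonymised": 0, "deleted": 0}
        kept: List[Record] = []
        for rec in self.records:
            if rec.subject_id is None:        # already anonymised: no longer personal data
                kept.append(rec)
                counts["kept"] += 1
                continue
            expiry = rec.collected_at + timedelta(days=RETENTION_DAYS[rec.purpose])
            if now < expiry:
                kept.append(rec)
                counts["kept"] += 1
            elif ANONYMISE_ON_EXPIRY[rec.purpose]:
                self._log("anonymise", rec, now)
                rec.data = {k: v for k, v in rec.data.items() if k in NON_IDENTIFYING_FIELDS}
                rec.subject_id = None
                kept.append(rec)
                counts["anonymised"] += 1
            else:
                self._log("delete", rec, now)
                counts["deleted"] += 1
        self.records = kept
        return counts

    def erase_subject(self, subject_id: str, now: datetime) -> int:
        """Right-to-erasure request: drop every record still linked to the subject."""
        remaining: List[Record] = []
        erased = 0
        for rec in self.records:
            if rec.subject_id == subject_id:
                self._log("erase", rec, now)
                erased += 1
            else:
                remaining.append(rec)
        self.records = remaining
        return erased


def demo():
    """Collect three constructed records, run a sweep 40 days later, then erase one subject."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = PersonalDataStore()
    store.collect("alice", "order_fulfilment",
                  {"email": "alice@example.test", "country": "DE", "order_total": "42.00"}, t0)
    store.collect("alice", "newsletter", {"email": "alice@example.test"}, t0)
    store.collect("bob", "newsletter", {"email": "bob@example.test"}, t0)
    after_sweep = store.sweep(t0 + timedelta(days=40))
    erased = store.erase_subject("alice", t0 + timedelta(days=41))
    return after_sweep, erased, store.records, store.processing_log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In the demo the order record lapses after 30 days and is reduced to its country and order total, which no longer identify anyone, so it survives the later erasure request; the newsletter record is still within its retention period but is removed because the subject asked for it. The processing log is what an auditor would ask for when checking that the purposes and retention periods were actually enforced.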
Breach Notification Requirements: The rules also impose mandatory and stringent data breach notification norms. In the event of a Personal Data breach, the organization must inform the Supervisory Authority of the relevant EU member state within 72 hours of the breach’s discovery. Depending on the severity of the breach, the organization may also need to notify the affected users.
3 steps to becoming compliant with the GDPR rules
1. Understand your internal and external network and value chain, and keep in mind the scope of the data you hold.
2. Assess the strength of your internal controls, policies and procedures.
3. Formalize and practice notification processes, using tools such as VComply to integrate all compliance procedures on a single platform.