Another four-letter buzzword is charming the industries & Information Technology Industries. Latest four letter thrill is called GDPR (General Data Protection Regulation)
Due to drastic changes in technologies European Union has initiated the new data privacy law. European regulation for Data protection that is GDPR.
The GDPR will replace the current Data Protection EU Directive 95/46/EC. It also will also replace EU national legislation on data protection, such as the UK’s Data Protection Act 1998.
GDPR is the most significant change in data privacy. Like earlier Data Protection; This not a Directive; this is Regulation.
What is the primary purpose of GDPR?
To protect and provide rights to European Union data subjects (individuals whose data is being captured by organizations).
Giving regulatory authorities power to take action against companies that breach the new regulations. In this digital economy, it should be no surprise that these regulations also apply to global enterprises outside the EU.
Core Value of GDPR
GDPR builds on existing data protection principles, under this data protection principle set out the primary responsibilities for organizations.
- To strengthen individuals’ rights
- To give increased attention to cybersecurity and technological capacity
- To extend supervision and sanctions across consumer data
Who will follow & implement GDPR?
Any company (EU and foreign) that processes the personal data of individuals residing in the European Union must adhere to these regulations, regardless of the company’s location.
For non-EU businesses processing the data of EU citizens, this includes the requirement of appointing a representative in the EU.
Less than 250 employee’s organization need not comply with GDPR. If companies processing special categories of data … or critical personal data relating to criminal convictions and offenses they need to meet with GDPR.”
GDPR Article 37: Designation of the data protection officer (DPO)
DPOs appointed in three situations
- Where the processing is carried out by a public body
- Where core activities require regular and systematic monitoring of personal data on a large scale
- Where core activities involve large-scale processing of sensitive personal data
Position of the data protection officer (DPO)
- DPOs will be supported by Data Controller & Data Processor
- DPO has a large degree of independence
- Protected role within the organization
- Direct access to highest management
Tasks of the data protection officer
- Under GDPR company will be legally obliged to inform its data protection regulator; when security breaches occur which affect personal data.
- To inform and advise of obligations;
- To monitor compliance;
- To provide advice about data protection impact assessments;
- To cooperate with the supervisory authority;
- To have due regard to a risk associated with processing operations.
Are there any penalties?
Fine: 10,000,000 Euros or 2% Global Turnover, for offenses related to:
- Child consent
- Transparency of information and communication
- Data processing, security, storage, breach, breach notification
- Transfers related to appropriate safeguards and binding corporate rules
Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:
- Data processing
- Data subject rights
- Non-compliance with DPR order
- Transfer of data to the third party
What is Personal Data?
Definition of the GDPR: Data from which a living individual is identified or identifiable (by anyone), whether directly or indirectly. Any information relating to an identified or identifiable natural person. Like IP Address, Mobile Phone, Physical, physiological, genetic, mental, economic, cultural or social identity of that person.
While earlier under DPA, Personal Data under Data Protection Act 1998 (DPA1998): data which relate to a living individual who can be identified: (a) from those data; or (b) from those data and other information which is in the ownership of,
Definition of a Personal Data Breach in GDPR: or what Personal Data breach in GDPR??
- When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons
- A breach of security leading to:
- The accidental or unlawful
- Unauthorized disclosure of; or access to – PERSONAL DATA transmitted, stored or otherwise processed
What will happen in the case of Data Breach?
In the case of a personal data breach, data controllers must notify the supervisory authority (SA) “Notice must be provided “without undue delay and, not later than 72 hours” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
- Notification without unnecessary delay after becoming aware
- No exemptions
- Responsibility for data controller to notify the supervisory authority
- Description of the nature of the breach
- No requirement to report if unlikely to result in a high risk to the rights and freedoms of natural persons
Key compliance principals
In the current Privacy and Electronic Communications Regulations (PECR) all company addresses are considered to be “opt out” This means you can send an email to a company address without permission, provided you include an option to unsubscribe.
In the new regulation, this won’t be the case. This has been removed as all consent must be explicit. This means that you must be able to prove that the customer agreed to receive the emails (by a selection action, not just a disclaimer).
Right to be forgotten
Moving forward, everybody will have the right to be forgotten. No longer can you mark the contact as “do not contact” in your CRM database. All personal details will have to be deleted.
- On 8 April 2016, the Council adopted the Regulation.
- On 14 April 2016, the Regulation was adopted by the European Parliament.
- On 4 May 2016, the official text of the Regulation was published in the EU Official Journal
- 24 May 2016, The Regulation entered into force on and applied from 25 May 2018.
GDPR is on the way. We have to be ready now!
While there are still 15 months before the grace period expires, organizations need to start taking action now, or they may well find themselves with inadequate time to take the necessary steps to action everything required?