18 Jun 2018
General Data Protection Regulation (GDPR) and its implication on Indian subcontinent
admin

The regulation, launched by the European Union on 25th of May, is a replacement for the 1995 Data Protection Directive, which has until now set the minimum standards for processing data in the EU.

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy for all individuals within the European Union and the European Economic Area. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. (1)

 

The main features of the Regulation are as follows:

  • Rights of Individuals: Makes it easy for an individual not only to find the data you have on them but also to edit, add or remove that data
  • Right to be Informed: Businesses need to make sure people understand who is collecting their personal data and the purposes for which data controllers are processing it. They need to update their privacy policy accordingly
  • Right to Erasure or Right to be Forgotten: Allows individuals the right to request that their data be erased
  • Employing a Data Protection Officer: Businesses will be required to appoint a DPO to help them comply with all their obligations under GDPR
  • Obligation of Data Processors and Data Storage Units: The processor will have a responsibility for implementing appropriate technical and organisational measures for the security of personal data during its processing activities
  • Data Protection Impact Assessment and Data Breach Response: Businesses will need to carry out assessments where the processing of personal data poses a high risk to the rights and freedoms of individuals (2)

 

Who’s covered?

GDPR affects every company, especially those that hold and process large amounts of consumer data, such as technology firms, marketers, and data brokers. If companies rely on consent to process data, that consent now has to be given explicitly and on an informed basis by the stakeholder. (3)

Is this worldwide?

GDPR applies only to the EU and data processed there, but given the scale of the market, many companies are deciding it’s easier to apply its terms globally.

Moreover, entities native to foreign countries that carry out their business activities in the EU also need to follow the regulations imposed under the latest law. (4)

What if it is taken casually?

The costs of non-compliance are quite high, indicating how seriously the lawmakers treat breaches of the regulation:

-> Fines of up to 20 million or 4% of global turnover, whichever is higher

Companies with 250 or more employees or those processing large data sets have to appoint data protection officers and notify authorities of any data breach within 72 hours.

The penalty depends on various aspects such as the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, any action taken by the organisation to mitigate the damage suffered by individuals, previous infringements, the types of personal data involved, etc. (5)

Takeaways for India

Becoming GDPR-compliant will be an opportunity for IT organizations to pursue new avenues in the EU region and also for renewing existing contracts.

Any Indian company processing personal data in the context of the activities of an establishment of a controller or processor in the EU will, in all likelihood, fall within the ambit of GDPR.

It would be essential for all Indian IT companies to plan for:

  • GDPR compliance measures such as creating awareness, conducting gap analysis, etc.
  • Hardening security and storage
  • Obtaining cyber insurance cover
  • Auditing suspected data breach incidents
  • Incurring the expenditure on penalties, if any

GDPR will compel IT companies stationed in the EU to update their company policies as per the requirements of the European countries. The only possible way to tackle the situation is by employing updated personnel and upgraded infrastructure. (6)

 

Courtesy: (1) Wikipedia, (2) edge.com, (3) theguardian.com, (4) www.itgovernance.co.uk, (5) DQ India, (6) Deloitte India and (7) PWC website

 
