05th Jun, 2018
Denave, Team, Designation
Q. What exactly is GDPR?
Ans: GDPR is an abbreviation for General Data Protection Regulation, a regulation in EU law on data protection and privacy for all individuals within the European Union. It was proposed on January 25, 2012 as a comprehensive reform of the EU’s 1995 data protection rules, to reinforce online privacy rights and to enhance Europe’s digital economy. It is a systematic data protection law passed across all 28 EU countries, imposing stringent new rules on controlling and administering personally identifiable information (PII).
The goal of GDPR is to simplify the regulatory environment for various sectors of business so that people and companies can fully leverage the digital economy. The regulation came into effect on May 25, 2018.
Q. What type of information does GDPR pertain to?
Ans: According to the Data Protection Act, EU GDPR applies to “personal data”. This covers any data that can be related to an identifiable person, such as:
- Basic information like name, location data and ID proofs
- Online identification such as location, IP address, cookie data and RFID tags
- Health and genetic related data
- Biometric data
- Political data, and the list goes on.
GDPR is a law comprising a set of rules that apply to businesses which process and hold the personal data of subjects residing in the 28 EU member states. India has yet to pass a full-fledged privacy law, but there is a golden opportunity to adopt Europe’s high security standards so as to protect Indian companies against future security concerns, for instance Cambridge Analytica-style attacks.
Q. What rights will individuals have under GDPR?
Ans: Giving individuals control over their personal data is the primary accomplishment of the GDPR. To uphold that fundamental principle, GDPR defines a well-structured set of regulations and rights for every individual so that they can be exercised effectively. Let’s have a look at them:
- The right of transparency and modalities
- The right to be informed
- Rights with respect to automated decision making and profiling
- The right to access
- The right to data portability
- The right to rectification
- The right to object
- The right to be forgotten
- The right to notification (notification obligation)
- The right to restrict processing
Q. How does it impact the already existing business operations in EU?
Ans: With the implementation of GDPR, businesses are compelled to put in place technical and organizational measures to demonstrate that they have integrated data protection into the core of all their data processing activities. They must also focus on network security, reliability and data security controls, as well as breach notification processes.
In short, the new regulations put consumers in the driver’s seat; the task of complying with these regulations falls upon businesses and organizations.
This new rule also applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not.
In addition, any business that offers goods and services to EU citizens will be subject to GDPR.
Q. What will the consequences be for failing to comply with GDPR?
Ans: There are tough penalties for businesses and companies that fail to comply with GDPR.
The penalties are two-tiered:
- The first tier is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.
- The second tier is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
Q. How will the non-compliance to GDPR be determined?
Ans: Fines are administered by the supervisory authorities of the individual member states. The following criteria are used to determine the amount of the penalty (as stated in the previous question):
- Nature of infringement: number of people affected, damage they suffered, duration of infringement, and purpose of processing
- Intention: whether the infringement is intentional or negligent
- Mitigation: actions taken to mitigate damage to data subjects
- Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
- History: Past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
- Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
- Data type: what types of data the infringement impacts; see special categories of personal data
- Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
- Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
- Other: some aggravating or mitigating factors may include financial impact on the firm from the infringement
Q. In terms of data-handlers, what is the difference between a processor and a controller?
Ans: The ICO has published guidance to differentiate between the data controller and the data processor, and it is important for an organization to understand its role and function, particularly when there is a data breach.
Essentially, under the act, the data controller is the party that exercises control over the processing and carries the data protection responsibility for it. Controllers are the key decision-makers with regard to data processing. The data processor, on the other hand, processes the data on behalf of the data controller.
Q. How will GDPR impact data-driven organizations?
Ans: GDPR acts as a breather for client data protection. With the introduction of new legislative requirements, it meaningfully impacts the way businesses collect, manage, guard and share both structured and unstructured data. Let’s have a brief look at some of the important points:
Valid and verifiable agreements
GDPR sets out strict requirements for obtaining customers’ agreement (consent) to the processing of their personal data. According to the new legislation, companies must make withdrawing that agreement as easy as giving it. The agreement should also be well structured and fully transparent, so that it can be relied on in future.
Data security by design and default
With the requirement of technical and organizational measures to protect personal data, companies must now implement GDPR so as to ensure that data protection measures are continuously reviewed and updated.
Data Protection Impact Assessment (DPIA)
DPIAs are carried out by organisations that process customer data through data analytics, BI, data warehouses, data lakes and marketing applications, in order to identify, understand and mitigate any risk that arises during the development of a new solution. GDPR has made it mandatory for all firms to conduct a DPIA in order to inhibit such risk.
Q. Is there a need to appoint a Data Protection Officer (DPO) for your business?
Ans: According to the ICO, there is no mandate to appoint a Data Protection Officer (DPO) unless the organization falls into one of the following categories:
- It is a public authority (excluding the courts)
- It undertakes large-scale, organized monitoring of individuals
- It carries out large-scale processing of special categories of data or data relating to criminal convictions and offences.
Even where there is no requirement for a Data Protection Officer, the Article 29 Working Party (WP29, a group comprising data protection regulators from all EU Member States) has indicated that organizations may find it useful to appoint a DPO on a voluntary basis.
Q. What are the specific rules that businesses should be following in order to ensure compliance?
Ans: To ensure compliance under GDPR, there are six stages to be followed:
- Identification of the individual in the organization who will be solely responsible for coordinating the project, including meeting reporting deadlines.
- Identification of data through data mapping, to review the core functional areas across the entire business.
- Completion of self-assessment questionnaires to identify the “cracks” in current processes versus GDPR requirements.
- Compilation of a list of actions to address those cracks, and assignment of responsibility for completing each action identified.
- Ensuring that those accountable for obtaining, processing and securing personal data are aware of their responsibilities under GDPR by offering training.
- Safeguarding continuous supervision of the implementation of policies and procedures, and ensuring that data protection remains on senior management’s agenda.
Q. What will be the overall global implications of GDPR?
Ans: GDPR is set to bring new challenges to businesses in 2018. In full effect from May 25, 2018 onwards, GDPR will transform how businesses handle personal data on behalf of EU citizens.
Going forward, it will have a varying effect on organizations depending on their size, operations and the way data is managed and preserved for business purposes. For example, companies with more than 250 employees would be required to maintain documentation outlining why and how people’s information is being collected and stored, including how long the data will be retained and what security measures are in place to protect it.
Overall, being GDPR compliant will have a positive impact on the reputation of businesses, as it reinforces customer trust. Having a good GDPR process in place will also reduce the risk of cyber-attacks and other breaches related to data protection.
Q. What are the key takeaways for Indian organizations w.r.t GDPR?
Ans: India is not lagging in its own digital transformation journey, with the growing scale of the citizens’ biometric data platform Aadhaar, the Digital India e-governance initiative, and the push for presence-less, paperless and cashless services for citizens.
With strong protection measures, India is moving along this digital journey at a blazing speed, ensuring inclusive protection of data. However, empowering citizens to have control over their own data will be a crucial step for the government to implement.
Moreover, data protection cannot be in the government’s domain alone. Businesses in India will have to take steps to raise awareness and bring in strong data protection measures like GDPR, which will enable their development in the long run.
For instance, the goods and services tax (GST) has forced businesses to maintain electronic invoices in the cloud. India could thus tie this in with an overarching data protection regime by building on GDPR.
Some of the key takeaways could be:
- The public and private sectors would need to work hand in hand to bring in strong data protection measures similar to GDPR, enabling their growth in the longer run.
- Indian citizens should be able to claim penalties if businesses fail to obtain clear consent to use their personal data.
- With immediate effect, personal data like name, email id and phone number should be treated as sensitive data, requiring strong governance and compliance measures.
- In the context of digital marketing, marketers should leverage technology to categorise data based on various rules.
All in all, GDPR is a step that will strengthen data protection across enterprises and empower them as well as their customers. Businesses operating in other geographies may also be expected to fare better after adopting GDPR standards.