Understanding GDPR: A Complete Guide for Businesses to Ensure Data Protection and Compliance

GDPR Compliance for Businesses


The General Data Protection Regulation (GDPR) is the comprehensive EU law governing the protection of personal data and the privacy of individuals in the European Union. It also governs the export of personal data outside the EU, so it affects companies all over the globe. For Indian companies, this regulation, in effect since May 25, 2018, is therefore a mandatory compliance framework. Organizations worldwide, including those in India, are bound by these stringent rules and must be ready to demonstrate that they meet GDPR requirements for protecting customer data or face heavy penalties. GDPR certification has become a necessity for businesses, especially those that handle data concerning EU citizens.



GDPR Overview: Protecting Data for Individuals
The GDPR updates the earlier EU data protection rules to secure individuals' rights concerning the collection, storage, and processing of their personal data. Its objective is to ensure that corporations and organizations treat an individual's data in a fair and transparent way. These rules apply to any company operating in the EU or processing the personal data of EU citizens.
The regulation introduced stricter compliance requirements and penalties for non-compliance, so companies must familiarize themselves with what the GDPR is and how it may affect their businesses. It sets out how organizations are to be held accountable for, and be transparent about, the collection, processing, and storage of personal data, how they must protect it, and the consequences if such data is compromised.
Introduction to GDPR Personal Data
Personal data means any information that can identify a living individual. Such information includes names, addresses, and ID numbers, but more specific identifiers such as IP addresses or location data may also qualify. It is important to understand the breadth of the GDPR here: any data that could identify a person at some point, whether in the future or indirectly, falls under the Regulation.
According to the definition in Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person, commonly called the 'data subject'. This covers every conceivable detail that may lead to the identification of an individual: names, identification numbers, and even biometric data such as fingerprints.
Sensitive Personal Data: The Extra Layer of Protection
Beyond personal data in general, the GDPR provides additional protection for sensitive personal data. Such data is a subcategory of personal data that requires extra protection because of its sensitive nature. Examples include the following:
Racial origin or ethnic origin
Political opinions
Religious beliefs or philosophical beliefs
Membership in the trade unions
Genetic and biometric data
Health data or data on sexual orientation
Stronger security arrangements and a more stringent processing regime apply to such data, as this is needed to prevent misuse and preserve privacy.
Whom Does GDPR Apply To?
The GDPR has two primary actors: data controllers and data processors. A data controller is the party that determines the purposes and means of processing personal data. Data processors process data on behalf of controllers and are also responsible for complying with the GDPR.
The regulation is not restricted to organisations within the EU. Any entity processing or controlling the data of an EU citizen must comply with the GDPR, irrespective of where that entity is located. Thus, companies based in India that process the data of EU residents fall under the purview of the GDPR, whether or not they have a physical presence in the EU.
GDPR Responsibilities of Data Controllers
Under the GDPR framework, data controllers have a set of responsibilities they must fulfil for compliance purposes:
Data Protection by Design and Default: Data controllers must adopt appropriate measures to embed data protection by design and by default in all their data processing activities. The aim is to consider a system and its methodology from a security point of view from inception.
Joint Controllers: Organizations that are jointly accountable for the processing of data must ensure that their respective roles and responsibilities for compliance are clearly defined.
Record-keeping: As part of the principle of accountability, data controllers must maintain records of their processing activities.
Appointment of a Data Processor: Where a data processor is appointed, a contract between the controller and the processor must set out the processor's obligations regarding the processing of personal data.
Breach Notification: If a breach involving such data occurs, the data controller must notify the relevant authorities without undue delay and, if possible, within 72 hours, and must inform the affected data subjects.
Key Information Protected Under GDPR
The GDPR protects identifiable information whose exposure could compromise an individual's privacy. The following types of information are protected:
Basic personal details such as name, address, and contact information
Online Data such as IP address and location data
Health-related information such as medical history and genetic data
Biometric data, like fingerprints or facial recognition
Political, religious, or philosophical beliefs
Sexual preferences or orientation
What Businesses are Affected by GDPR?
All companies that collect personal data of EU citizens, regardless of where the company is located, come under the ambit of GDPR compliance. This means that:
Specific provisions of the Regulation apply to companies operating within the EU.
Specific provisions apply to companies that have no physical presence in the EU yet handle the personal data of EU residents.
Companies with more than 250 employees, and smaller teams whose data processing affects individual rights and freedoms, are covered.
Data Protection in India and GDPR Compliance
In India, there is no legislation precisely equivalent to the GDPR, though the Information Technology Act, 2000 has provisions on data protection. Indian businesses must therefore also comply with GDPR provisions when dealing with the data of an EU person. Failure to conform to the law's requirements may lead to heavy penalties, up to €20 million or 4% of a company's annual global turnover, whichever is higher.
Businesses need to do the following for compliance:
Review Current Data Practices: Find out what data is collected, how it is processed, and how long it is kept. Regular audits and updates to data protection measures are essential.
Designate a Data Protection Officer: A designated DPO must administer data protection activities and ensure the company's compliance with the GDPR.
Strong Data Security Measures: Organizations must protect personal data from unauthorized access through technical measures such as strong encryption, while restricting access to authorized personnel only.
Prepare for Breach Notification: An organization must notify the authorities concerned within 72 hours of a data breach occurring.
Legal Basis for Processing: Confirm that there is a legal basis for each processing activity, including but not limited to a contract, a legal obligation, or consent given.
GDPR Fines and Penalties for Not Complying
Failure to adhere to the GDPR attracts hefty penalties. Penalties vary between organizations depending on the severity of the breach, how many people are affected, and how cooperative the organization is with the authorities. Fines range from up to €10 million or 2% of annual revenue for minor violations to a maximum of €20 million or 4% for severe breaches, such as disregarding consent requirements or mishandling data.
GDPR Compliance: The Same Terms Apply to All Parties
Complying with the GDPR is not just about avoiding fines; it means much more than that. It is about protecting your customers' privacy and earning their trust. Accountability, transparency, and strong data protection practices are core requirements of the GDPR. Because it applies to any company processing the data of EU citizens, compliance matters to companies worldwide, including in India. With expert legal involvement, you can remodel complex business systems to satisfy both your own country's rules and the measures defined by the GDPR, and avoid the ever-present risk of penalties.
Accordingly, consult cyber crime lawyers or data protection professionals to ensure proper certification against all regulatory requirements and organizational readiness; they can offer the best assistance on the journey towards GDPR compliance.
