Author Archive CyberFrat

By CyberFrat

Venkata Satish Guttula

Organisation: Rediff.com India Ltd.

Designation: Director – Security

By CyberFrat

CyberFrat Mumbai Meet – 16 September 2017

Download the full agenda and speaker profiles here: CyberFrat Mumbai Meet – September 16 2017

By CyberFrat

Simplifying GDPR

Yet another four-letter acronym is taking hold across industry and the information technology sector. The latest one is GDPR, the General Data Protection Regulation.

In response to drastic changes in technology, the European Union has introduced a new data privacy law: the European regulation for data protection, the GDPR.

The GDPR repeals the current Data Protection Directive 95/46/EC. It also supersedes the national legislation that implemented that Directive in each member state, such as the UK's Data Protection Act 1998.

GDPR is the most important change in data privacy since the 1995 Directive. Unlike its predecessor, it is not a Directive but a Regulation: it applies directly in every EU member state without first having to be transposed into national law.

What is the main purpose of GDPR?

To protect EU data subjects (the individuals whose personal data organisations collect and process) and to give them enforceable rights over that data.

To give supervisory authorities the power to take action against organisations that breach the Regulation. In a digital economy it should be no surprise that the Regulation also reaches enterprises established outside the EU when they process the data of individuals in the EU.

Core values of the GDPR

GDPR builds on the existing data protection principles; those principles set out the main responsibilities of organisations. The Regulation's core aims are:

  • To strengthen individuals' rights
  • To give increased attention to cyber security and technological capability
  • To extend supervision and sanctions over the processing of personal data

Who must comply with the GDPR?

Any organisation, whether established in the EU or not, that processes the personal data of individuals who are in the European Union must comply, regardless of where the organisation is located, when it offers goods or services to those individuals or monitors their behaviour within the EU (Article 3). Note that the Regulation attaches to data subjects in the EU, not to EU citizenship. For businesses outside the EU this generally includes the requirement to designate a representative in the EU (Article 27), unless the processing is occasional, unlikely to result in a risk to individuals and does not involve large-scale processing of special-category data or data relating to criminal convictions and offences.

Organisations with fewer than 250 employees are not exempt from the GDPR. The 250-employee threshold (Article 30) only relieves them of the duty to keep written records of processing activities, and even that relief is lost if the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or personal data relating to criminal convictions and offences.

GDPR Article 37: Designation of the data protection officer (DPO)

A DPO must be appointed in three situations:

  • Where the processing is carried out by a public authority or body (except courts acting in their judicial capacity);
  • Where the core activities of the controller or processor consist of processing that requires regular and systematic monitoring of data subjects on a large scale;
  • Where the core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.

Position of the data protection officer (Article 38)

  • The controller and the processor must support the DPO with the resources and access needed to perform the role;
  • The DPO acts with a large degree of independence and receives no instructions on how to carry out the tasks;
  • The role is protected: the DPO cannot be dismissed or penalised for performing the tasks;
  • The DPO reports directly to the highest level of management.

Tasks of the data protection officer (Article 39)

  • To inform and advise the organisation and its employees of their obligations;
  • To monitor compliance with the Regulation and with the organisation's own data protection policies;
  • To provide advice on data protection impact assessments and monitor their performance;
  • To cooperate with, and act as the contact point for, the supervisory authority;
  • To have due regard to the risk associated with processing operations.

Note that the legal obligation to inform the supervisory authority when a security breach affects personal data (Article 33) rests with the controller as an organisation, not with the DPO personally; the DPO's tasks are advisory and supervisory.

Are there any penalties?

Yes, in two tiers (Article 83). In each tier the fine can be up to the stated amount or the stated percentage of total worldwide annual turnover for the preceding financial year, whichever is higher.

Fine: up to 10,000,000 Euros or 2% of global turnover, for breaches of:

  • The conditions for a child's consent (Article 8);
  • The obligations of controllers and processors under Articles 25 to 39, such as data protection by design and by default, records of processing, security of processing, breach notification, data protection impact assessments and the DPO; and
  • The obligations of certification bodies and monitoring bodies.

Fine: up to 20,000,000 Euros or 4% of global turnover, for breaches of:

  • The basic principles for processing, including the conditions for consent (Articles 5, 6, 7 and 9);
  • Data subjects' rights, including transparency of information and communication (Articles 12 to 22);
  • The rules on transfers of personal data to a third country or international organisation, including appropriate safeguards and binding corporate rules (Articles 44 to 49); and
  • Non-compliance with an order, or a temporary or definitive limitation on processing, imposed by a supervisory authority.

What is Personal Data?

Definition under the GDPR (Article 4(1)): any information relating to an identified or identifiable natural person (a living individual), whether the person can be identified directly or indirectly, and by anyone. Identifiers include a name, an identification number, location data, an online identifier such as an IP address or a mobile phone number, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

This is broader than the definition it replaces. Personal data under the Data Protection Act 1998 (DPA 1998) was data which relate to a living individual who can be identified: (a) from those data; or (b) from those data and other information which is in the possession of,

Definition of a personal data breach in the GDPR (Article 4(12)):

  • A breach of security leading to the accidental or unlawful:
    1. Destruction;
    2. Loss;
    3. Alteration;
    4. Unauthorised disclosure of; or
    5. Access to
  • PERSONAL DATA transmitted, stored or otherwise processed.

Note that the definition covers availability and integrity incidents (loss, destruction, alteration), not only confidentiality incidents. A separate, higher threshold applies when deciding whether the affected individuals themselves must be told: data subjects must be informed without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34).

What will happen in case of a data breach?

In the case of a personal data breach, the data controller must notify the supervisory authority (SA) "without undue delay and, where feasible, not later than 72 hours after having become aware of it" (Article 33). If notification is not made within 72 hours, it must be accompanied by the reasons for the delay.

  • Notification without undue delay after the controller becomes aware of the breach;
  • The only exemption: no notification is required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons (the threshold is "a risk", not "a high risk"; high risk is the separate trigger for informing the individuals under Article 34);
  • The responsibility to notify the supervisory authority rests with the data controller; a processor that detects a breach must notify its controller without undue delay;
  • The notification must describe the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned, the likely consequences, the measures taken or proposed, and the DPO's contact details;
  • Every breach must be documented internally, whether or not it is notified, so that the supervisory authority can verify compliance.

Key compliance principles

Opt-in Only

Under the current Privacy and Electronic Communications Regulations (PECR), corporate email addresses are treated as "opt out": you can send marketing email to a company address without prior permission, provided you include an option to unsubscribe.

Under the GDPR you cannot rely on that approach where consent is your lawful basis. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (Article 4(11)); silence, pre-ticked boxes or a disclaimer do not count. The controller must also be able to demonstrate that the individual consented (Article 7), so the record of the opt-in action must be kept. PECR itself is not replaced by the GDPR and continues to apply alongside it.

Right to be forgotten

Going forward, every data subject has the right to erasure, the "right to be forgotten" (Article 17). Where it applies, for example when the data are no longer necessary for the purpose they were collected for, when consent is withdrawn, or when the individual objects to direct marketing, it is not enough to mark the contact as "do not contact" in your CRM database: the personal data must actually be deleted, and any recipients to whom the data were disclosed must be informed of the erasure. The right is not absolute; processing may continue where it is necessary to comply with a legal obligation or to establish, exercise or defend legal claims, so the deletion process needs a documented check of those exceptions.

Key Dates

  • On 8 April 2016 the Council adopted the Regulation.
  • On 14 April 2016 the Regulation was adopted by the European Parliament.
  • On 4 May 2016, the official text of the Regulation was published in the EU Official Journal
  • On 24 May 2016 the Regulation entered into force; it applies from 25 May 2018.

Conclusion

GDPR is on the way. We have to be ready now!

While there are still 11 months before the Regulation applies, organisations need to start taking action now, or they may well find themselves with inadequate time to take the necessary steps.


Pravir Kumar Sinha, CPISI, CISA, CISM, PRINCE2, ITIL
in.linkedin.com/in/pravirkumarsinha