Simplifying GDPR

By CyberFrat

Yet another four-letter buzzword is charming the industry, and the Information Technology industry in particular. The latest four-letter thrill is called GDPR (General Data Protection Regulation).

Due to drastic changes in technology, the European Union has introduced a new data privacy law: the European regulation for data protection, GDPR.

The GDPR will replace the current Data Protection EU Directive 95/46/EC. It will also replace EU national legislation on data protection, such as the UK’s Data Protection Act 1998.

GDPR is the most important change in data privacy in years. Unlike the earlier Data Protection Directive, this is not a Directive; it is a Regulation, and as such it applies directly in every member state without needing to be transposed into national law.

What is the main purpose of GDPR?

To protect and provide rights to European Union data subjects (individuals whose data is being captured by organizations), and to give regulatory authorities the power to take action against companies that breach the new regulations. In this digital economy, it should be no surprise that these regulations also apply to global enterprises outside the EU.

Core Value of GDPR

GDPR builds on existing data protection principles; those principles set out the main responsibilities for organisations:

  • To strengthen individuals’ rights
  • To give increased attention to cyber security and technological capacity
  • To extend supervision and sanctions across consumer data

Who must comply with and implement GDPR?

Any company (EU or foreign) that processes the personal data of individuals residing in the European Union must adhere to these regulations, regardless of the company’s location. For non-EU businesses processing the data of EU citizens, this includes the requirement to appoint a representative in the EU.

Organisations with fewer than 250 employees need not comply with GDPR. However, if a company processes special categories of data … or personal data relating to criminal convictions and offences, it must comply with GDPR.

GDPR Article 37: Designation of the data protection officer (DPO)

DPOs must be appointed in three situations:

  • Where the processing is carried out by a public body;
  • Where core activities require regular and systematic monitoring of personal data on a large scale;
  • Where core activities involve large-scale processing of sensitive personal data.

Position of the data protection officer (DPO):

  • DPOs will be supported by the Data Controller and Data Processor;
  • The DPO has a large degree of independence;
  • A protected role within the organization;
  • Direct access to the highest level of management.

Tasks of the data protection officer:

  • Under GDPR a company will be legally obliged to inform its data protection regulator when security breaches occur that affect personal data;
  • To inform and advise on obligations;
  • To monitor compliance;
  • To provide advice with regard to data protection impact assessments;
  • To cooperate with the supervisory authority;
  • To have due regard to the risk associated with processing operations.

Are there any penalties?

Fine: 10,000,000 Euros or 2% of global turnover, for offences related to:

  • Child consent;
  • Transparency of information and communication;
  • Data processing, security, storage, breach, breach notification; and
  • Transfers related to appropriate safeguards and binding corporate rules.

Fine: 20,000,000 Euros or 4% of global turnover, for offences related to:

  • Data processing;
  • Consent;
  • Data subject rights;
  • Non-compliance with a DPR order; and
  • Transfer of data to a third party.

What is Personal Data?

Definition under the GDPR: data from which a living individual is identified or identifiable (by anyone), whether directly or indirectly; that is, any information relating to an identified or identifiable natural person. Examples include an IP address, a mobile phone number, and the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Earlier, under the Data Protection Act 1998 (DPA 1998), personal data was defined as: data which relate to a living individual who can be identified: (a) from those data; or (b) from those data and other information which is in the ownership of,

What is a personal data breach under GDPR?

  • When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
  • A breach of security leading to the accidental or unlawful:
    1. Destruction;
    2. Loss;
    3. Alteration;
    4. Unauthorised disclosure of, or access to, PERSONAL DATA transmitted, stored or otherwise processed.

What happens in case of a data breach?

In the case of a personal data breach, data controllers must notify the supervisory authority (SA). Notice must be provided “without undue delay and not later than 72 hours”. If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.

  • Notification without unnecessary delay after becoming aware of the breach
  • No exemptions
  • Responsibility lies with the data controller to notify the supervisory authority
  • The notification must describe the nature of the breach
  • No requirement to notify if the breach is unlikely to result in a high risk to the rights and freedoms of natural persons

Key compliance principles

Opt-in Only

Under the current Privacy and Electronic Communications Regulations (PECR), all company addresses are considered to be “opt out”. This means you can send an email to a company address without permission, provided you include an option to unsubscribe.

Under the new regulation this will no longer be the case. That exemption has been removed, as all consent must be explicit. This means that you must be able to prove that the customer agreed to receive the emails (by a selection action, not just a disclaimer).

Right to be forgotten

Moving forward, everybody will have the right to be forgotten. It will no longer be enough to mark the contact as “do not contact” in your CRM database; all of their personal details will have to be deleted.

Key Dates

  • On 8 April 2016 the Council adopted the Regulation.
  • On 14 April 2016 the Regulation was adopted by the European Parliament.
  • On 4 May 2016 the official text of the Regulation was published in the EU Official Journal.
  • The Regulation entered into force on 24 May 2016 and applies from 25 May 2018.

Conclusion

GDPR is on the way. We have to be ready now!

While there are still 11 months before the grace period expires, organisations need to start taking action now, or they may well find themselves with inadequate time to take all the steps required.


Pravir Kumar Sinha CPISI, CISA, CISM, PRINCE2, ITIL
in.linkedin.com/in/pravirkumarsinha

About the author

CyberFrat administrator

This post is published on behalf of the original author named above by CyberFrat, an Enterprise Risk Management community whose aim is to help people understand the risks of operating in the digital world by providing the ability to detect, investigate and respond to cyber threats. Our member base is diverse and includes everyone from inquisitive students to CXOs from reputed organisations, who share their learning with each other.

4 Comments so far

Raviraj Umardand, posted on 8:11 pm - Jun 6, 2017

This is a very helpful article for many IT companies. If my Indian IT company provides a live chat software service to customers in the EU and US, then does my Indian IT company need to be compliant with GDPR?

Pravir Kumar Sinha, posted on 12:03 pm - Jun 7, 2017

Thanks Raviraj. Regarding your question: if your Indian IT company is processing personal data of European users, then you have to comply with this Regulation; over and above that, if your customer asks you to comply with GDPR, you also need to comply with it, even if you are not processing personal data. I hope I have answered your question.

jobs tips, posted on 5:54 am - Jun 26, 2017

Aw, this was an exceptionally good post. Spending some time and actual effort to generate a really good article… but what can I say… I hesitate a lot and never seem to get nearly anything done.
jobs tips http://employmenthint.eu/

college education, posted on 2:55 pm - Jun 28, 2017

With having so much content, do you ever run into any issues of plagiarism or copyright infringement? My blog has a lot of completely unique content I’ve either created myself or outsourced, but it appears a lot of it is popping up all over the web without my permission. Do you know any ways to help reduce content from being stolen? I’d certainly appreciate it.
college education http://learningclue.eu/
