Yet another four-letter buzzword is charming industry and the Information Technology sector. The latest four-letter thrill is called GDPR (General Data Protection Regulation).
Due to drastic changes in technology, the European Union has initiated a new data privacy law: the European regulation for data protection, the GDPR.
The GDPR will replace the current EU Data Protection Directive 95/46/EC. It will also replace EU national legislation on data protection, such as the UK’s Data Protection Act 1998.
GDPR is the most important change in data privacy. Unlike the earlier data protection law, this is not a Directive; it is a Regulation.
What is the main purpose of GDPR?
To protect and provide rights to European Union data subjects (individuals whose data is being captured by organizations).
It also gives regulatory authorities the power to take action against companies that breach the new regulations. In this digital economy, it should be no surprise that these regulations also apply to global enterprises outside the EU.
Core Value of GDPR
GDPR builds on existing data protection principles; those principles set out the main responsibilities for organisations.
Who will follow & implement GDPR?
Any company (EU and foreign) that processes the personal data of individuals residing in the European Union must adhere to these regulations, regardless of the company’s location. For non-EU businesses processing the data of EU citizens, this includes the requirement of appointing a representative in the EU.
Organisations with fewer than 250 employees need not comply with GDPR. If a company processes special categories of data … or critical personal data relating to criminal convictions and offences, it needs to comply with GDPR.
GDPR Article 37: Designation of the data protection officer (DPO)
Are there any penalties?
Fine: 10,000,000 Euros or 2% of Global Turnover, for offenses related to:
Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:
What is Personal Data?
Definition under the GDPR: data from which a living individual is identified or identifiable (by anyone), whether directly or indirectly; any information relating to an identified or identifiable natural person, such as an IP address, a mobile phone number, or the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Earlier, under the DPA:
Personal data under the Data Protection Act 1998 (DPA 1998): data which relate to a living individual who can be identified: (a) from those data; or (b) from those data and other information which is in the ownership of,
What is a personal data breach under the GDPR?
What happens in the case of a data breach?
In the case of a personal data breach, data controllers must notify the supervisory authority (SA). Notice must be provided “without undue delay and not later than 72 hours”. If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
Under the current Privacy and Electronic Communications Regulations (PECR), all company addresses are considered to be “opt out”. This means you can send an email to a company address without permission, provided you include an option to unsubscribe.
Under the new regulation this will no longer be the case: the exemption has been removed, as all consent must be explicit. This means that you must be able to prove that the customer agreed to receive the emails (by a selection action, not just a disclaimer).
Moving forward, everybody will have the right to be forgotten. No longer can you mark the contact as “do not contact” in your CRM database. All personal details will have to be deleted.
GDPR is on the way. We have to be ready now!
While there are still 11 months before the grace period expires, organisations need to start taking action now, or they may well find themselves with inadequate time to take the necessary steps to do everything required.
Google.co.in, EU GDPR journal, Seminar on GDPR