The General Data Protection Regulation (GDPR) is the European Union's (EU) new data protection law, which will come into effect on 25 May 2018.
Applied across the whole EU, it will govern all businesses operating within the union and impose a more consistent approach to data protection. Organizations outside the EU that process the personal data of EU residents will also be affected by the GDPR and will have to comply with the changes.
The regulation introduces an enormous array of changes. Its main aim is to safeguard the personal data of individuals in the EU. The GDPR strengthens individuals' right to privacy and imposes enhanced data protection by setting stringent rules for businesses that handle personal data.
Applicability of GDPR
The GDPR will apply to companies processing personal data in the context of an EU establishment, to companies offering goods or services to EU residents, and to companies that monitor the behaviour of EU residents (Art. 3).
Therefore, if your organization controls or processes data on people living in the European Union, it applies to your organization, even if your organization is not located in the EU.
Penalties for Breach of the General Data Protection Regulation
Complying with the GDPR is not optional. If your organization controls or processes personal data on natural persons in the European Union, the GDPR almost certainly applies to you, and non-compliance attracts substantial penalties. If you meet the test of applicability, you cannot opt out of complying.
Supervisory authorities (such as the Data Protection Commissioner) may impose administrative fines for infringements of the regulation, not only for a data breach, of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83). This 4% is calculated at group level, not per subsidiary.
How RCIC can help you achieve GDPR compliance
With the RCIC team you will receive consistent advice, tailored to you throughout your GDPR journey, ranging from data protection frameworks, policies and procedures, data processor management, information security and international data transfers to the various compliance documents.
Training: An effective data protection awareness and training programme is essential to make sure employees follow your defined guidelines and to prevent data breaches.
Bridging current data privacy compliance and the GDPR (GDPR gap analysis): The various processes are analysed to identify and fill the gap between your current data privacy compliance and the GDPR.
We at RCIC prioritize the key areas to be addressed, the processes to be analysed, whether a data protection officer must be appointed, and the scope of compliance required. Each process must comply with the principles of the GDPR (Articles 5 to 11). We determine for which processes a data protection impact assessment (DPIA) is mandatory, and for which processes a DPIA would help establish data protection by design and by default. We clearly define the scope within which the organization has to operate by taking its personal data into account: whether it is processed lawfully, fairly and in a transparent manner, collected for specified, explicit and legitimate purposes, and kept accurate and up to date. We also identify all the important databases that hold personal data, as well as all extra-territorial and trans-border processing.
Auditing the data life-cycle: The life-cycle audit will highlight all of the following:
- Data entry points: every channel through which personal data enters the organization, which is also where notices are presented and consent is obtained.
- Consent & notices: Consent is one precondition for lawfully processing personal data; where it is relied upon, the data subject must give it for the specified purpose, and individuals can withdraw their consent at any time. Under the GDPR, privacy notices must state the processing ground relied upon and, if relying on legitimate interests, state the nature of the legitimate interest. Conditions applicable to a child's consent in relation to information society services are set out separately (Art. 8). Certain special categories of data, such as personal data revealing racial or ethnic origin, political opinions, or religious or philosophical beliefs, may not be processed unless explicit consent is given or another specific exception applies. (Art. 5, 6, 7, 8, 9, 10, 85-91)
We at RCIC review your existing grounds for lawful processing and confirm whether they will still be sufficient under the GDPR. We analyse all the points of data entry and recommend any changes required for obtaining new consents.
We also ensure that a system is in place to accommodate withdrawal of consent at any point in the life-cycle of the data processing.
- Data transparency: There is a strong emphasis on transparency in the GDPR. Notices must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. Data subjects, including employees, must be informed of all data processing activities and data transfers in accordance with Articles 13 and 14. Personal data relating to criminal convictions and offences may be processed only under the control of official authority or when authorised by Union or Member State law. (Art. 10, 12-14)
We at RCIC review and, where necessary, update employee notices so that they are GDPR compliant.
- Data processing & data storage: The GDPR requires organizations to maintain a detailed record of all processing activities, including the purposes of processing, a description of the categories of data and data subjects, recipients, retention periods and security measures, which in practice calls for a comprehensive data flow map. A number of stakeholders will need to be involved in creating and maintaining this record. (Art. 30)
We at RCIC help you identify, implement and maintain the records of all data processing and data storage.
- Data export: The GDPR permits transfers of personal data to group entities and third-party vendors outside the European Economic Area only if the recipient's country has been recognised as offering an adequate level of protection, or if appropriate safeguards (such as standard contractual clauses or binding corporate rules) are in place, or if one of the specific derogations applies. (Art. 44-50)
We at RCIC identify all cross-border data flows, review the data export mechanisms relied upon, and update them where necessary.
- Data protection impact assessment: Assess the risks that your controlling and processing of personal data pose to the rights and freedoms of individuals, and develop organizational and technological mitigations for the identified risks. The assessment has to include any third-party relationships for data held and processed on your behalf. (Art. 25, 35, 36)
We at RCIC ensure that processes are in place to embed privacy by design into projects (e.g. technical and organizational measures to ensure data minimization, purpose limitation and security) and put in place a privacy impact assessment protocol.
- Data protection officer (DPO): A DPO must be appointed by (a) public authorities, (b) organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or (c) organizations whose core activities involve large-scale processing of special categories of personal data or data relating to criminal convictions (Art. 37). If your organization does not fall into one of these categories, the GDPR itself does not require you to appoint a DPO, although Member State law may, and you may still choose to appoint one voluntarily.
RCIC legal software solutions/ Our Virtual DPO
We have a techno-legal solution that can track your compliance with the GDPR articles and your processing activities at the click of a button. The tool also comes with a data breach management system that documents every activity in a defined workflow to help generate a detailed audit trail.
To discuss the requirements of the GDPR and how to become compliant with the new regulation, please get in touch with our team at:
Ricky Chopra (CEO & Chief Counsel), [email protected]
Phone Number:+91 124 409 9999