EU set to bring stricter laws to protect data of its citizens
The GDPR outlines a common regulatory framework pertaining to data security, under which all organisations dealing with data of EU citizens are held accountable
On May 25, 2018, the European Union will begin enforcing the General Data Protection Regulation (EU GDPR), widely considered by experts to be the most comprehensive data protection law ever defined. The landmark regulation supersedes the 1995 Data Protection Directive and gives individuals in the EU more control over their personal information.
Data privacy: The GDPR is aimed at enforcing strict measures to protect personal data. The regulation defines personal data as any information relating to an identified or identifiable natural person, that is, anything that can be used directly or indirectly to identify an individual, and singles out special categories of data (such as health, genetic and biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and sex life or sexual orientation) for stricter treatment. The GDPR outlines a common regulatory framework for data protection under which all organisations collecting, storing, transmitting or processing the personal data of people in the EU (regardless of citizenship) are held accountable for the security of the personal information they handle.
Administrative fines can be imposed on a data controller or processor by the supervisory authority under two tiers. An organisation found non-compliant with obligations such as those on security of processing, records of processing, data protection impact assessments or breach notification can face a fine of up to €10 million or 2 per cent of its annual global turnover, whichever is higher. An organisation found to have infringed the basic principles of data processing, the rights of data subjects or the rules on international transfers can face a fine of up to €20 million or 4 per cent of its annual global turnover, whichever is higher. The key aspects for Indian organisations to be mindful of, to take stock of their GDPR readiness and to identify major gaps that need to be plugged, are:
Data activity and DPOs: One of the first things for businesses to gauge is the scope of their data activity and whether they are, in any capacity, collecting and/or processing personal data belonging to people in the EU. They must also determine whether their processing requires them to appoint a data protection officer (DPO): under the GDPR this is mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special categories of data or of data relating to criminal convictions.
Impact assessment: Organisations also need to consider whether the kind of personal data they handle, and the way they process it, is likely to pose a high risk to the rights and freedoms of individuals; where it does, the GDPR requires a data protection impact assessment (DPIA) before the processing begins. It is also essential to identify what mitigation strategy is in place for responding to such a risk, and to consult the supervisory authority where the residual risk remains high.
Data breach alert: The GDPR requires a data controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; a processor must notify the controller without undue delay. Affected data subjects must also be informed without undue delay when the breach is likely to pose a high risk to their rights and freedoms. This requires organisations to have breach detection, escalation and notification processes in place, since the 72-hour clock starts when the breach is discovered, not when the investigation is complete.
Lawful processing, consent: Every processing of personal data needs a lawful basis, of which consent is one (others include performance of a contract, compliance with a legal obligation and legitimate interests). Where an organisation relies on consent, it must be freely given, specific, informed and unambiguous, the data subject must be able to withdraw it as easily as it was given, and the organisation must be able to demonstrate that it was obtained. Organisations therefore need processes in place to record documented consent from data subjects before handling their personal information on that basis.
Proof of compliance: Under its accountability principle, the GDPR requires organisations not only to comply but to be able to demonstrate compliance, for instance through records of processing activities, data protection policies, DPIAs and consent records. From May 25, when the regulation applies, a supervisory authority can ask for this evidence at any time, so it needs to be in place by then.
Data controllers: Any organisation which collects personal data and determines how and to what end that information will be used (the purposes and means of processing) is a data controller. Under the GDPR, data controllers are responsible for conducting data protection impact assessments (DPIAs) and risk mitigation in order to identify, analyse and address potential threats or risks to the personal data of people in the EU.
Data processors: Any organisation which processes personal data on behalf of a data controller, in any manner, is a data processor. Processors must be bound by a contract with the controller and may process the data only on the controller's documented instructions; they must also maintain appropriate security, assist the controller with breach notification and DPIAs, and obtain the controller's authorisation before engaging a sub-processor.