General Data Protection Regulation (GDPR) – The Need of the Hour
May 25th, 2018 is fast approaching, the day when General Data Protection Regulation would go into effect. This would impact how companies manage personal data.
In this write-up, we would mainly glance at some of the important points which you need to know about GDPR Compliance.
We are a part of the digital world where accessing our personal information has become quite a ubiquitous part of our day to day life. This has left us with the increasingly lesser idea to know who is accessing our data, from where they are accessing and for what they are using it. With much talked high profile data breaches during the past time, it has now become mandatory for citizens that their personal data should be protected.
General Data Protection Regulation has now become “Now or Never” situation for businesses. GDPR is aimed to replace the existing Data Protection Directive (Directive 95/46/EC, or DPD) with a new set of the framework which would increase responsibilities of organizations. Complying with GDPR would ensure the protection of the personal data and privacy of European (EU) citizens for all the transactions that occur within European member states. Non-compliance would cause hefty fines of up to €20,000,000 or 4% of worldwide annual revenue (whichever is higher) based on the specific violation.
Elizabeth Denham – UK Information Commissioner in her lecture on “GDPR and accountability” for the Institute of Chartered Accountants in England and Wales quoted “We’re all going to have to change how we think about data protection.”
For both large and small companies GDPR compliance would not be easy, it is a complex and huge undertaking. However, we all will have to move with the regulation and it is imperative to know the same from the core.
Some of the important rights highlighted in General Data Protection Regulation for individuals with respect to their information are:
- The right to be informed;
- The right to be forgotten
- The right of access;
- The right to rectification;
- The right to object;
- The right to restrict processing;
- The right to data portability;
- The right not to be subject to automated decision-making (such as profiling); and
- The right to an explanation if an algorithmic decision was made about them
Further information can be accessed via ICO’s Overview of the General Data Protection Regulation.
Now let’s look at the types of privacy data which would be protected by GDPR:-
- Basic identity information such as ID numbers, name and address
- Biometric Data
- Genetic Data
- Health Data
- Sexual Orientation
- Racial Data
- Web data such as location, cookie data, IP address and RFID tags
- Political Opinions
To whom does GDPR apply?
GDPR applies to both ‘Controllers’ and ‘Processors’ of the data. A processor is a party who actually processes the data while data controller states how and why personal data would be processed. So the data controller can be any company or organization or government. While data processor can be any IT firm performing the actual data processing. It would be controller’s responsibility for ensuring that their processor abides by data protection law while processors would abide the law to maintain their activities. Under GDPR, if processors are involved in a data breach they would be would be far more responsible than were under the Data Protection Act.
GDPR would still be applied even if the processors and controllers are based outside the EU, as they would be dealing with data belonging to EU residents.
Although the above information is just a glance through GDPR, achieving complete compliance would help you enable to establish a clear view of your data, where it is placed, how and which company processes it and how to quickly access the same to make key changes. Digital tools would help a lot to get full visibility of your organization’s data structure and saving time.
Let’s ensure that we fully comply with GDPR.