Narasimhan Elangovan*
INTRODUCTION
Growing saturation of technology in all areas of business and personal life diversifies sources of unintentional data loss. Such data loss occurs when confidential data leaves the organization boundaries without proper approvals. With increase in technological innovations such as IoT, Cloud services the boundaries are reducing, thus increasing the risks of data loss.
With increase in technological innovations such as Internet of Things (IOT), Cloud services and mobility coupled with constant connectivity, the geographical boundaries are reducing and exposing personal data to higher risks. News about data breaches and penalties are on the rise and there is a need for legislation to protect data privacy.
To protect this personal data and ensure its privacy, European Union (EU) have introduced GDPR (Global Data Protection Regulations) to protect the personal data of the users and the privacy of the EU citizens.
However, this legislation impacts not just enterprises in the EU but goes beyond!
What is the GDPR?
Effective, May 25, 2018 the GDPR has officially become a law that strengthens the fundamental right to privacy for people living in the EU, replacing an outdated Data Protection Directive which was in effect since 1995.
The regulation mandates organizations to have sufficient operational and technological controls for protection against data violation and grants new rights for individuals in treatment of their personal data.
GDPR codifies the concept that the data belongs to the individual and that companies are only custodians of the information. Individuals retain their legal rights to the data and protections around the data usage, even while the data is under the stewardship of the corporation.
Under GDPR EU residents have:
- a right to access their data
- a right to port their data
- a right to rectify their data
- a right to erase their data.
Organizations are obligated to document how data comes into the organization, gets processed and get disposed. This requires an ability to map the flows of data.
“GDPR codifies the concept that the data
belongs to the individual and that companies
are only custodians of the information”
How To Be GDPR Compliant?
To be GDPR-compliant, a company must handle consumer data more carefully and provide consumers with numerous ways to control, monitor, check and, if desired, delete any information pertaining to them that they want. Companies must also implement processes to ensure that when data is handled, it remains protected. To comply with this requirement, GDPR promotes pseudonymization, anonymization and encryption.
For Whom Does The GDPR Apply To?
GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU regardless of the location of business.
It is also applicable to organizations that collects/ processes personal data or Personally identifiable information (PII) of EU residents outside EU’s geographical boundaries.
Note: The term personal data or Personally identifiable information (PII) can be used to identify a specific individual. It refers to any information relating to individual’s name, home or public life. Such as name, address, photo, bank details, post on social networking sites, medical information, IP address etc.
Does GDPR Apply To Indian Organizations?
Yes, GDPR is applicable to those Indian organizations which provides goods / services to persons of European Union (EU) i.e. EU data subjects or monitors their behavior within EU like hotel industry, back offices processing data of EU citizens, travel industry etc.
Note: An Indian organization may act as a data controller, or a processor or a sub-processor.
What Are The GDPR Fines And Penalties For Non-Compliance?
Fines depend on severity of the breach
Maximum of 20 million Euros or 4 % of World Turnover
whichever is greater is for infringements of the rights of the data subjects, unauthorized international transfer of personal data, and failure to put procedures in place for or ignoring subject access requests for their data.
Or
Minimum of 10 million Euros or 2% of world turnover will be applied to companies which mishandle data in other ways.
How Should Indian Organizations Prepare For The GDPR?
Following points provides organizations a starting point towards GDPR compliance:
1. Review policies and procedures to include new GDPR requirements.
2. Conduct exercises to identify personal data and where it resides.
3. Assess data protection mechanisms and privacy impact involved in processing high-risk personal data.
4. Implement policies and controls to prevent, detect and report data breach.
5. Maintain up-to date documentation on data breach.
6. Organizations can consider pseudonymization and encryption while processing personal data.
7. Organizations must ensure presence of explicit privacy notices wherever personal data is collected.
8. Review/update contracts signed with third-party vendors.
9. Impart training to all stakeholders.
What Are The Critical Points Of GDPR Relating To Security?
- Data processors (internal group or outsourcing firm that maintains and processes personal data records as per
controller’s instructions), data controllers (determines the purpose and means of processing personal data
collected from end-users) and sub-processors (third -party businesses) must ensure that data stay secure and safe.
The security controls must guarantee CIA of data.
Note:
i) A third-party processor not in compliance means your organization is not in compliance.
ii) The GDPR assigns liability to the data processors and controllers and does not require smaller operations to hire a data officer
- In the event of data breach, controllers are required to notify the relevant Data Protection Authority (DPA) within 72 hours of the occurrence. And if the breach poses high risk to rights of the data subject, then controllers need to notify impacted data subjects without delay. Similarly, data processors are also required to notify data controllers of the breach, without undue delay.
- For children under a certain age using social media, parental consent is required.
- Individuals have a right to data portability to enable them to transfer their data easily between services.
- Individuals have the right to have their personal data deleted, if it is no longer needed. ‘Right to be forgotten’ is in support of – freedom of expression.
- Principle of “Privacy by Design to be adopted”, emphasizing consent from the individual is required for data to be processed, their consent cannot be assumed!
Does GDPR Mandate Organizations To Appoint Data Protection Officer?
The DPO is responsible for informing employees of their compliance obligations as well as conducting monitoring, training, and audits required by the GDPR. A DPO needs to be appointed if you:
- process large amounts of personal data
- carry out large scale systematic monitoring of individuals or,
- it it’s a public-sector authority
Failure to appoint a data protection officer, if required to so by GDPR, could count as non-compliance and result in a
fine.
Conclusion
EU data protection law provides data subjects with a wide range of rights that can be enforced against enterprises that process personal data. These new rights can significantly impact an enterprise’s business model. The shift to a protection model that is focused on individual privacy represents a major transformation in the requirements for protecting the personal data of individuals. Organisations in India will have to consider the applicability and how their businesses are impacted. With penalties running in millions of Euros for Non-Compliance, the implications of these regulations should be seriously thought !
*Author is associated with KEN & Co. Chartered Accountants and can be reached at narasimhan@ken-co.in
Disclaimer: This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. No part of this material shall be construed as a solicitation of services or an invitation of any sort whatsoever from KEN & Co or to create a professional relationship.
