All About GDPR


Introduction

The European Union General Data Protection Regulation (GDPR) was approved by the European Parliament on 14th April 2016 and has been in effect since 25th May 2018. GDPR harmonizes data privacy laws across all the EU member countries.

Applicability

GDPR applies to “any citizen of EU” and “any company doing business with a citizen of the EU regardless of the company’s location”.

GDPR gives priority to the individual over the company and reflects the internet-connected age we live in, where personal data, privacy, and consent for the use of personal data are vital.

Citizen's Rights Under GDPR

  • Right to know if their data has been breached/hacked – Organizations are required to abide by the breach notification clause, meaning they must report breaches to the relevant government bodies within a short time frame, so that EU citizens can take steps to prevent their data from being abused.
  • Right to be forgotten – Individuals are given more power to dictate how their personal data is managed, including the ability to demand the deletion of their personal data unless retention is otherwise mandated by law.
  • Easy access to data – Individuals can demand that companies reveal what personal data they hold about them.
  • Option to opt out – Individuals can ask companies how they manage and process their data and opt out if needed.

Let’s break it down with an example:

  • ABC Inc is an e-commerce company based in China.
  • ABC Inc has customers from India, Tanzania, and Sweden.
  • ABC Inc collects personal data from their customers as part of doing e-commerce transactions on their website.

By collecting personal data from the customer in Sweden, the Chinese e-commerce company subjects itself to GDPR irrespective of its size or scope, and that means abiding by all the conditions in the regulation, be it data protection, privacy, breach notification or other related areas.

Despite having two years to become GDPR ready, an alarming percentage of the companies impacted by GDPR were found not ready for compliance, and, more concerning still, a large number of companies were not even aware that they needed to comply with the regulation.

DATA PROCESSORS AND DATA CONTROLLERS

“Data Controller” – determines the overall purpose and means of processing personal data.

“Data Processor” – processes personal data on behalf of the Data Controller.

A Data Controller may also act as a Data Processor, but the distinction is essential for compliance. The Data Controller is the party responsible for:

  • Collecting
  • Managing
  • Providing access to data.

The liability of a Data Processor kicks in when it does not work within the mandate given to it by the Data Controller, or when it violates the terms of GDPR.

PERSONAL DATA

“Information that relates to an identified or identifiable individual”

It could be as simple as a name or a number, or other information such as an IP address or a cookie identifier. If the information does not on its own enable the individual to be identified directly, one has to consider that information together with all the means reasonably likely to be used to identify the individual.

Principles underlying the processing of personal data

The following principles lie at the heart of GDPR and are the building blocks of a sound data protection regime.

  • Lawfulness, fairness, and transparency
    • Identify a valid ground for collecting and processing data
    • Do not use data in a manner that is detrimental, unexpected or misleading to the individual
    • Be clear, open and honest about the use of personal data
  • Purpose limitation
    • Be clear about the purpose for processing
    • Record the purpose
    • Use data for a new purpose only if it is compatible with the original purpose, consent has been received, and there is a clear basis in law
  • Data minimization – collect only adequate data that:
    • Fulfils the purpose
    • Has a rational link to that purpose
    • Is limited to the purpose
  • Accuracy
    • Take steps to ensure the data held is not misleading or incorrect
    • Take steps to correct or erase inaccurate or misleading data
  • Storage limitation
    • Do not retain data for longer than required
    • Define a standard retention period
    • Erase or anonymize data that is no longer required
  • Integrity and confidentiality
    • Process data securely using appropriate technical and organizational controls and measures
    • Have the necessary incident response, recovery and backup practices in place
    • Regularly test the effectiveness of the security measures
    • Use encryption and pseudonymization where appropriate
    • Ensure data processors have appropriate technical and organizational controls and measures
  • Accountability
    • Adopt and implement data protection policies
    • Put firm written contracts in place with processors
    • Maintain strong documentation of data processing activities
    • Implement information security practices
    • Appoint a Data Protection Officer (DPO)
    • Conduct frequent impact assessments
    • Record and report breaches

SUPERVISORY AUTHORITIES

Each member state under GDPR shall have an independent public authority to monitor the application of GDPR and facilitate the free flow of personal data within the EU. Such supervisory authorities have the power to:

  • Conduct investigations
  • Issue warnings and notices
  • Issue directions
  • Impose a ban on processing
  • Order erasure, correction, and restriction of data
  • Impose fines

DETERMINATION OF FINES

Fines should be effective, proportionate and dissuasive, and will vary from case to case. Typically the following are considered when determining a fine:

  • Duration, impact, and nature of the infringement
  • The character of the infringement: whether intentional or negligent
  • Steps taken to reduce the impact on the data subject
  • The extent of measures and safeguards taken to prevent a data breach
  • The responsibility of the controller and processor
  • To what extent the breach was notified, and by whom
  • Previous infringement history
  • Level of cooperation with supervisory authority
  • Any other factors, such as financial gain or losses avoided

FINES

Up to 2% of total global annual turnover or 10 million euros (whichever is higher) for the following infringements:

  • Failure to meet the requirement for parental consent
  • Failure to communicate to a data subject the inability to identify them where the purpose does not require such identification
  • Failure to abide by the general obligations of processors and controllers
  • Failure to comply with the code of conduct
  • Failure to comply with certification requirements

Up to 4% of total global annual turnover or 20 million euros (whichever is higher) for the following infringements:

  • Failure to comply with the data processing principles
  • Processing without a lawful basis for processing
  • Not complying with the conditions for consent
  • Mishandling of special categories of data
  • Not giving data subjects their rights
  • Not complying with the regulations governing data transfers to third countries

Interested to learn more?

Check us out at www.c3m.io

For a demo and free trial

reach us at sales@c3m.io

C3M Blog