The GDPR applies to every organisation that collects or processes personal data of individuals located in the European Union, regardless of where the organisation itself is based. There is good reason to take the law seriously, because failure to comply carries serious consequences. So any company with operations in the EU, and any website or app that collects and processes the personal data of people in the EU, needs to be mindful of GDPR.
The main areas covered by the legislation are privacy rights, data control, data security, and governance. One clear advantage is that the same regulation applies directly in all 28 EU member states, so organisations have a single standard to comply with instead of a patchwork of national laws. The main concern is that the law is very stringent, so most companies will have to invest significant sums to become GDPR compliant.
Effects of GDPR Non-Compliance
Failure to comply with GDPR can lead to very large fines. For the most serious infringements, the penalty can be as high as 20 million euros or 4% of the enterprise's total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of 10 million euros or 2% applies to other infringements. This is a huge sum by any measure. Fines are set in proportion to the nature, gravity and duration of the infringement, but even a single breach of personal data can end up costing a company millions.
Apart from the fines, two obligations stand out: a company that suffers a personal data breach must notify its supervisory authority within 72 hours of becoming aware of it, and it must be able to demonstrate that it has appropriate technical and organisational security measures in place.
What is mandated by GDPR?
Because guidance on some GDPR requirements was still being finalised, some companies adopted a 'wait-and-see' approach. Listed below are some of the main obligations introduced by the regulation:
1. Data Control
In order to uphold the privacy of data subjects, organisations need to:
- Process data only for the purposes for which it was lawfully collected
- Ensure the accuracy and integrity of the data
- Limit disclosure of data subjects' identities, for example through pseudonymisation
- Carry out appropriate data security measures
2. Data Security
Data security is in practice part of data control: GDPR places security in the service of privacy. In order to uphold the privacy of data subjects, organisations should put into practice:
- Safeguards for any data that is retained for further processing, such as archiving or statistical purposes
- Data protection by design and by default
- Security measures that are proportionate to the risk identified in a risk assessment, including encryption and pseudonymisation where appropriate, and that are written into contracts with processors
3. Right to Erasure
Companies cannot keep data subjects' personal data indefinitely. GDPR requires companies to erase personal data from all repositories without undue delay when, among other grounds:
- The data subject withdraws the consent on which the processing is based and there is no other legal ground for it
- The data is no longer necessary for the purpose for which it was collected, for example because a service agreement has ended
- The data subject objects to the processing and there are no overriding legitimate grounds to continue
- The data was processed unlawfully
It is important to know, however, that data subjects do not have an unconditional right to have their data removed. Where the regulation provides an exception, such as a legal obligation to retain the data or the establishment, exercise or defence of legal claims, a company may retain and process the data subject's data.
4. Risk Minimisation and Due Diligence
Organisations need to assess any risks to privacy and security, and then demonstrate that they are taking steps to reduce them. This requires that they:
- Carry out a complete risk assessment, including a Data Protection Impact Assessment where processing is likely to result in a high risk to individuals
- Put in place measures that ensure and demonstrate compliance
- Proactively help third-party clients and partners, such as processors, to comply, and
- Establish complete control over the personal data they hold
5. Breach notification
When a personal data breach is likely to put the rights and freedoms of data subjects at risk, the company has to:
- Notify the supervisory authority within 72 hours of becoming aware of the breach
- Describe the nature of the breach, its likely consequences, and the measures taken to address it
- Inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them
Consider using the services of GDPR compliance solution providers. You should also consult the Data Protection Commissioner's (DPC) compliance checklist, which sets out clearly what organisations were expected to have in place before the deadline of 25 May 2018.
Below are some vital points regarding GDPR compliance.
Need to be accountable
The Regulation contains provisions establishing accountability, so the Data Protection Commissioner recommends that all organisations make an inventory of the personal data under their control and review it against the following questions:
- Why are you holding the data?
- How was the data obtained?
- Why was the data originally collected?
- How long will you keep the data?
- How secure is the data, in terms of both encryption and access control?
- Have you ever shared the data with third parties, and if you intend to do so, on what legal basis?
Review of personal privacy rights
Data subjects have several rights concerning how organisations may collect and hold their personal data. These include:
- Right to rectification
- Right to be informed
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right of access
Most of the rights listed above are similar to those in earlier data protection law, but a few significant changes have been made. It is vital to familiarise yourself with these changes and plan accordingly.
Communication with staff and other service users
It is vital that the company's staff and other service users are aware of the rights of data subjects. When you collect personal data from clients, staff or service users, they must be informed of their rights.
Legal grounds for data processing
Organisations have to establish that they have a lawful basis for processing the data. Many companies currently rely on consent by default; GDPR has tightened the rules for obtaining and maintaining valid consent, which must be freely given, specific, informed and unambiguous.
You should get assistance from a GDPR consultant so that no vital point is missed.