What is GDPR? What does GDPR stand for?
GDPR is a regulation introduced by the European Union for data protection. It replaced the earlier Data Protection Directive 95/46/EC, which member states had implemented through national laws such as the UK's Data Protection Act 1998.
GDPR stands for General Data Protection Regulation, formally Regulation (EU) 2016/679. It is an EU law that protects the personal data, privacy and security of individuals in the European Economic Area (EEA), and it governs the processing of the personal data of individuals located in the EEA regardless of their citizenship.
What is GDPR compliance? Who does GDPR apply to? How do you become GDPR compliant?
GDPR compliance – Any organization that abides by the rules and regulations set by the European Union (EU) on the protection of individuals' personal data is said to be GDPR compliant.
GDPR applies to organizations established in the EEA that process personal data, and also to organizations outside the EEA that offer goods or services to, or monitor the behaviour of, individuals in the EEA (Article 3). For example, a data processing company in India working for European clients that receives personal data from those clients for processing must process it in accordance with GDPR, normally under a processor contract with the client (Article 28). Any company in the EEA that outsources the processing of personal data to a country outside the EEA is also bound by the transfer rules in Chapter V of the regulation.
The EU adopted the regulation on 27 April 2016, and the articles in the published text are the basis for implementing GDPR.
There are 11 chapters (I to XI) and 99 articles, and the regulation became applicable on 25 May 2018, by which date all companies in the EEA had to be compliant. The text also defines how GDPR applies to small organizations and to the transfer of personal data of EEA individuals to countries outside the EEA. Our CertPro experts have implemented GDPR efficiently, fulfilling both the requirements of their customers and the expectations of the law.
Our methodology for becoming GDPR compliant
Step 1: Consult our professional experts – www.certpro.in
GDPR requirements focus on areas such as:
Legal and compliance- Enforcement of fines, responsibility (DPO), accountability, privacy notices and consent.
Technology- Breach reporting, encryption, online profiling, privacy by design and secure applications.
Data- Data handling, data collection, data transfer, data processing, data storage, data deletion, data portability, etc.
Step 2: Awareness training for all employees about the seriousness of this data protection law and the penalties associated with it.
Step 3: Identify whether the organization's activities make it a data controller or a data processor. (Are we a controller or a processor?)
Step 4: Appoint a Data Protection Officer (DPO) and define the roles and responsibilities of the DPO.
Step 5: Define a personal data policy along with the other policies and procedures.
- Implement a Data Protection Impact Assessment (DPIA) where the processing is likely to result in a high risk to individuals (Article 35).
Step 6: Define the policy and procedure for third-party contracts.
Step 7: Review and conclusion through compliance audits by our senior-most technical auditors.
Who can be a controller or processor? Are we a controller or a processor?
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by EU or Member State law, the controller may be designated by that law (Article 4(7)).
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8)).
In simple words, a controller is a person or an organization directly responsible for deciding why and how personal data is collected from the data subjects, and a processor works for the controller, processing that data on the controller's instructions.
Here are some examples of a controller and a processor:
Controller- A university collects personal data of students in order to award scholarships based on their performance. It outsources the student data to Company X, which processes the student records and releases the scholarship amounts.
Processor- Company X processes the students' personal data to release the scholarships on behalf of the university.
Here the university is the controller, Company X is the processor and the students are the data subjects (see "Who are data subjects?" below).
To confirm whether you are a controller or a processor, you can always reach our CertPro professionals.
Who are data subjects? What are the data subject rights under GDPR?
A data subject is an identified or identifiable natural person whose personal data is processed (Article 4(1)). Whenever an individual in the EU shares personal data with an organization for some purpose and the organization processes it, that individual is a data subject under GDPR.
Data subject rights under GDPR are:
Under Chapter III
Section 1- Transparency and modalities
Article 12- Transparent information, communication and modalities for the exercise of the rights of the data subject
Section 2- Information and access to personal data
Article 13- Information to be provided where personal data are collected from the data subject
Article 14- Information to be provided where personal data have not been obtained from the data subject
Article 15- Right of access by the data subject
Section 3- Rectification and erasure
Article 16- Right to rectification
Article 17- Right to erasure (‘right to be forgotten’)
Article 18- Right to restriction of processing
Article 19- Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20- Right to data portability
Section 4- Right to object and automated individual decision-making
Article 21- Right to object
Article 22- Automated individual decision-making, including profiling
Section 5- Restrictions
Article 23- Restrictions (Union or Member State law may restrict the scope of these rights and obligations, for example for national security, public security or the prevention and investigation of criminal offences)
What are the GDPR fines? Are there any case studies?
Serious non-compliance can result in administrative fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83). The regulation is enforced by the supervisory authorities of the EU and EEA states, and it reaches organizations outside the EEA when they fall within its territorial scope (Article 3).
One of the most widely reported cases is
British Airways: in July 2019 the UK Information Commissioner's Office announced its intention to fine the airline £183m for a breach of customer data; the penalty finally imposed, in October 2020, was £20m.
How does GDPR impact India? Is GDPR in India a boon or a bane?
In India, laws on data protection are very limited. When it comes to GDPR, the organization itself is responsible for abiding by the EU law, and what the EU expects from a third country such as India is an adequate level of protection. The Commission assesses adequacy on the basis of the elements listed in Article 45; India does not have an adequacy decision, so transfers of personal data to India rely on appropriate safeguards under Article 46, typically standard contractual clauses between the controller or processor in the EEA and the controller, processor or recipient in India. Those contractual documents are critical for demonstrating that the Indian organization meets the requirements of GDPR.
In India, GDPR has been a positive and progressive change, because many international organizations now approach Indian companies with privacy and security terms, and this has moved the country a step ahead in IT security. Some GDPR articles have also been used as references in drafting an Indian data protection law; as of now, Indian law is limited to specific areas such as banking transaction data, individual banking passwords and health-related data (for example, the sensitive personal data rules issued under the Information Technology Act, 2000). For a service-based country like India, a data protection law will be a major change for the IT sector. I would conclude that GDPR in India is a boon, except that the huge penalties would be a bane!
For GDPR compliance in India, our CertPro GDPR professional consultants are well versed in the regulation and have gained experience implementing GDPR for many companies in all major cities of India.