What is GDPR? What does GDPR stand for?
GDPR stands for the General Data Protection Regulation, Regulation (EU) 2016/679. It is an EU regulation that protects the personal data and privacy of individuals in the European Economic Area (EEA). It sets the rules for how the personal data of individuals in the EEA may be collected, processed, stored and transferred, and it applies to organizations regardless of where they are located.
What is GDPR compliance? Who does GDPR apply to? How to be GDPR compliant?
GDPR compliance – An organization that abides by the rules set out in the regulation for the protection of individuals' personal data is said to be GDPR compliant.
GDPR applies to any organization that processes the personal data of individuals in the EEA, whether the organization is established in the EEA or not (Article 3). An organization outside the EEA is in scope when it offers goods or services to individuals in the EEA or monitors their behaviour; citizenship of the individual is not the deciding factor. The regulation sets out the obligations organizations have to follow in this regard.
An example for reference
A data processing company in India works for European clients. If the company collects or processes personal data of individuals in the EEA on behalf of those clients, the company must be GDPR compliant. Compliance is likewise mandatory for any company in the EEA that processes personal data, including when it outsources that processing or transfers the data outside the EEA.
The regulation was adopted on 27 April 2016 and published in the Official Journal of the European Union on 4 May 2016. The articles in the published text are the basis for implementing GDPR.
GDPR has 11 chapters and 99 articles. It has applied since 25 May 2018, and all organizations in scope were required to be compliant by that date. The regulation also addresses how it applies to small and medium-sized enterprises and sets the conditions for transferring the personal data of individuals in the EEA to countries outside the EEA. CertPro is an expert when it comes to implementing GDPR efficiently and fulfilling the requirements of our clients and their customers.
A brief description of our methodology to be GDPR compliant is given below:
Step 1: Consult our professional experts at CertPro – www.certpro.in
GDPR requirements call for a focus on areas such as:
Being legal and compliant – enforcement of fines, responsibility (DPO), accountability, privacy notices and consent
Technology – breach reporting, encryption, online profiling, privacy by design, secure applications
Data – data handling, data collection, data transfer, data processing, data storage, data deletion, data portability, etc.
Step 2: Awareness training for all employees about the seriousness of this data protection law and the penalties associated with it.
Step 3: Identify which activities of the organization make it a data controller or a data processor (are we a controller or a processor?). An organization can be both, for different processing activities.
Step 4: Appoint a Data Protection Officer (DPO) and define the DPO's roles and responsibilities. Appointing a DPO is mandatory only in the cases set out in Article 37 (public authorities, large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data), but a DPO can be appointed voluntarily.
Step 5: Define a personal data policy along with the other required policies and procedures.
- Conduct a Data Protection Impact Assessment (DPIA) for any processing that is likely to result in a high risk to individuals (Article 35).
Step 6: Define the policy and procedure for third-party contracts, including the processor contract terms required by Article 28.
Step 7: Review and conclude through compliance audits by our senior-most technical auditors.
Who can be a controller or processor? Are we a controller or processor?
Controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by EU or Member State law, the controller may be designated by that law.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
In simple words, a controller is the person or organization that decides why and how personal data are collected from data subjects, and a processor handles that data on the controller's instructions.
Examples of a controller and a processor are given below:
Controller – A university collects the personal data of students in order to award scholarships based on their performance. It outsources the students' data to Company X, which processes the student data and then releases the scholarship amounts.
Processor – Company X processes the students' personal data to release the scholarships on behalf of the university.
Here the university is the controller, Company X is the processor and the students are the data subjects. Note that the processor is still directly responsible for its own obligations, such as security of processing (Article 32) and keeping records of processing (Article 30).
To confirm whether you are a controller or a processor, you can always reach our CertPro professionals.
Who are data subjects? What are data subject rights under GDPR?
A data subject is an identified or identifiable natural person whose personal data are being processed. When individuals in the EEA share their personal data with an organization for any purpose, they are the data subjects of that processing under GDPR. The term is not limited to EU citizens.
Data subject rights under GDPR are:
Under Chapter III
Section 1- Transparency and modalities
Article 12– Transparent information, communication and modalities for exercising the rights of the data subject
Section 2- Information and access to personal data
Article 13- Information to be provided where personal data are collected from the data subject
Article 14- Information to be provided where personal data have not been obtained from the data subject
Article 15- Right of access by the data subject
Section 3- Rectification and erasure
Article 16- Right to rectification
Article 17- Right to erasure (‘right to be forgotten’)
Article 18- Right to the restriction of processing
Article 19- Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20- Right to data portability
Section 4- Right to object and automated individual decision-making
Article 21- Right to object
Article 22- Automated individual decision-making, including profiling
Section 5- Restrictions
Article 23- Restrictions (the conditions under which EU or Member State law may restrict these rights, for example for national security, public security or the prevention of crime)
What are the GDPR fines? Any case studies?
Serious infringements can result in administrative fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)); a lower tier of up to €10 million or 2% applies to other infringements (Article 83(4)). The regulation is enforced by the supervisory authorities of the EU and EEA member states, but because of its territorial scope (Article 3) an organization outside the EEA can still be fined when it processes the personal data of individuals in the EEA.
One of the most widely reported cases is
British Airways: in July 2019 the UK Information Commissioner's Office announced its intention to fine British Airways £183m for a breach of customer data. The final penalty, issued in October 2020, was £20m.
HOW DOES THE GDPR IMPACT INDIA? IS GDPR A BOON OR A BANE IN INDIA?
Indian laws on data protection are very limited compared with GDPR. It is the organization's responsibility to abide by the GDPR, and the basic expectation of a third country such as India is that it provides an adequate level of protection. Where no adequacy decision has been made by the European Commission (Article 45), personal data may still be transferred under appropriate safeguards (Article 46), such as standard contractual clauses between the controller or processor in the EEA and the recipient of the personal data in the third country.
In India, GDPR is viewed as a positive, progressive change, as many international organizations are now approaching privacy and security more rigorously. This has taken the country a few steps ahead in terms of IT security. Some articles of GDPR have also been referenced in drafting an Indian data protection law. At present, existing Indian protections are limited to particular categories such as banking transaction data, banking passwords and health-related data. For a service-based economy like India, a data protection law will have a major impact on the IT sector. We would therefore conclude that GDPR in India is a boon. Of course, non-conformity would lead to a heavy penalty, and that would most definitely not be a boon.
For GDPR compliance in India, our CertPro GDPR professional consultants are well experienced in this regard, having successfully implemented GDPR for many companies across multiple cities in India.