What is GDPR? Whats does GDPR stand for?  

GDPR is an act introduced by the European Union for Data protection. GDPR stands for General Data Protection Regulation 2016/679. It is a E.U. law to protect and secure the data, privacy and security of all individual citizens in the EEA. This was mainly introduced by processing the personal data of the European Economic Area (EEA) region individuals.

GDPR Requirements and GDPR Compliant

What is GDPR compliance? Who does GDPR apply to? How to be GDPR compliant?

GDPR compliance – Any organization abiding by the rules and regulations set by the European Union (EU) on data protection of individuals are said to be GDPR compliant.

GDPR applies to any organization processing the personal data of a E.U. citizen within the EEA and globally. There are a set of guidelines for organizations to follow in this regard.

An example for reference

A data processing company in India is working for European clients. If the company is collecting client personal data for the process, then the company should be GDPR compliant. It is mandatory for any company in the EEA if they process personal data or outsource it to other states out of the EEA.

EU has released the regulation copy for the public on 27th of April 2016. The articles in this copy act as the base for implementing GDPR.

There are XI chapters and 99 articles in GDPR. All companies in the EEA were required to be compliant with GDPR by 25 May 2018. There are areas which define how GDPR is applicable to small scale sectors and also on outsourcing EU citizen data out of the EEA region. CertPro is an expert when it comes to implementing GDPR efficiently and full the requirements of our clients and their customer needs.

A brief description of our methodology to be GDPR compliant is given below:

Step 1: Consult our professional experts at CertPro – www.certpro.in

GDPR requirements require us to focus on areas such as; 

Being legal and compliant – enforcement of fines, responsibility (DPO), accountability, privacy notice and consents 

Technology – breach reporting, encryptions, online profiling, privacy by design, secure applications

Data – data handling, data collection, data transfer, data processing, data storage, data deletion, data portability etc.

Step 2: Awareness training to all employee about the seriousness of this data protection law and the penalties associated with it.

Step 3: Identify the activity of the organization that falls under a data controller or data processor (are we a controller or a processor).

Step 4: Appoint a Data Protection Officer (DPO) and define the roles and responsibility of a DPO.

Step 5: Define personal data policy along with other policies and procedures.

  • Define your privacy policy & the terms and conditions.
  • Implement DPIA.
  • Define Data transfer, Data storage, Data retention, Data subject rights, Data handling, Data breach response and notification procedure, Consents and Cookie policy.

Step 6: Define the policy & procedure for third-party contracts.

Step 7: Review and conclusion through compliance audits by the senior-most technical auditors.

Who can be a controller or processor? Are we a controller or processor?

Controller means a person, a public authority, an agency or any other body which determines the purpose and the means of the processing of personal data. While the purpose and means of processing are determined by the EU or Member State Laws, the controller may be designated by those laws.

Processor means a person, a public authority, an agency or any other body which process personal data on behalf of the controller.

 In simple words, a Controller is a person or an organization directly responsible for the data collection from the data subjects and a processor works for the controller in processing the useful data.

We will give you some examples for a controller and processor below;

Controller- A University collecting the personal data of students for scholarships based on their performance. They outsource the data of students to Company X, which then processes the student credentials and thereafter, duly releases the amount of scholarship.

Processor- Company X is processing the student personal data to release the scholarship behalf of the university.

Here the university is a Controller while Company X is a Processor and the students are the Data Subjects.

To make sure whether you are a controller or a processor, you can always reach our CertPro Professionals.

Who are Data Subjects? What are data subject rights under Data protection act?

Data subjects are the European Union individuals when they share their personal data for any useful purpose for the organization to process their needs. Then they are known as data subjects under the GDPR data protection act.

Data subject rights under GDPR are:

Under Chapter III

Section 1- Transparency and modalities

Article 12– Transparent information, communication and modalities for exercising the rights of the data subject

Section 2- Information and access to personal data

Article 13- Information to be provided where personal data are collected from the data subject
Article 14- Information to be provided where personal data have not been obtained from the data subject
Article 15- Right of access by the data subject

Section 3- Rectification and erasure

Article 16- Right to rectification
Article 17- Right to erasure (‘right to be forgotten’)
Article 18- Right to the restriction of processing
Article 19- Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20- Right to data portability

Section 4- Right to object and automated individual decision-making

Article 21- Right to object
Article 22- Automated individual decision-making including profiling

Section 5- Restrictions

Article 23- Restrictions for government authorities

Data subjects are the European Union individuals when they share their personal data for any useful purpose for the organization to process their needs. Then they are known as data subjects under the GDPR data protection act.

 

 

 

 

 

 

 

Data subject rights under GDPR are:

 

 

 

 

 

 

 

Under Chapter III

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Section 1- Transparency and modalities

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Article 12– Transparent information, communication and modalities for exercising the rights of the data subject

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Section 2- Information and access to personal data

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Article 13- Information to be provided where personal data are collected from the data subject
Article 14- Information to be provided where personal data have not been obtained from the data subject
Article 15- Right of access by the data subject

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Section 3- Rectification and erasure

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Article 16- Right to rectification
Article 17- Right to erasure (‘right to be forgotten’)
Article 18- Right to the restriction of processing
Article 19- Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20- Right to data portability

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Section 4- Right to object and automated individual decision-making

Article 21- Right to object
Article 22- Automated individual decision-making including profiling

Section 5- Restrictions

Article 23- Restrictions for government authorities 

 

 

 

What will be GDPR fines? Any case studies?

Serious non-compliance could result in fines of up to  4% of annual global turnover, or €20 million –  whichever is higher. Law enforced in EU and EEA regions, also it may extend up to other regions based on the severity of noncompliance. 

One of the most viral case studies are

British Airways, which was imposed with a fine of £183m for a breach of customer data.

GDPR Requirements and GDPR Compliant

HOW DOES THE GDPR IMPACT INDIA? IS GDPR A BOON OR A BANE IN INDIA?

Indian laws, with respect to data protection, are very limited especially when it comes to GDPR.  It is the organization’s responsibility to abide with the GDPR EU laws and the basic expectation from a third country is for them to be adequate with the level of protection. The Commission shall, in particular, take account of certain elements in terms of sharing data to the third country, contractual clauses between the controller and the processor or the recipient of the personal data in the third country.

In India, GDPR is viewed as a positive progressive change as many international organizations are approaching the privacy and security terms more efficiently. This has taken the country a few steps ahead in terms of IT security. Some of the articles of GDPR are also referred to create a data protection act. As of now, laws are limited to banking transactional data, individual banking passwords, health-related data etc. For a service-based country like India, data protection law will create a major impact/change in the IT sectors. We would therefore conclude that GDPR in India is a boon. Of course, non conformity would lead to a huge penalty and that would most definitely not be a boon.

For GDPR compliance in India, our CertPro GDPR professional consultants are well experienced in this regard and they have garnered these experiences after successfully implementing GDPR for many companies across multiple cities in India. 

 

Get In Touch 

have a question? let us get back to you.