The General Data Protection Regulation (GDPR) is a regulation that enforces a stronger data protection regime for organizations that operate in the European Union (EU) and handle EU citizens' data.
GDPR covers the protection of the personal data of employees, customers and others.
A detailed understanding of your own data processing underpins the accountability aspect of the GDPR. Any effective data governance strategy has to begin with a comprehensive data audit, so ensure that you have detailed and documented answers to the following key questions:
- What personal data do you hold? Do you hold any special category data?
- Where is it from and where is it sent?
- Why is it processed? For what purpose?
- How is the processing lawful and fair? Which of the conditions is met? Have you provided individuals with details about the processing of their data, including reference to the rights they have?
GDPR places emphasis on the early adoption of proper and effective data protection practices:
- Data protection must be considered early on in projects involving data
- Data Protection Impact Assessments (DPIA) are best practice and likely to be mandatory in some circumstances, such as:
  - Decisions that produce legal effects
  - Processing of special category data, e.g. health data
  - Monitoring of publicly accessible areas
Along with adoption, proper documentation also needs to be maintained in order to avoid chaos, and regular reviews help organizations stay compliant with the mandates directed at them.
The GDPR gives the Data Protection Authority a tougher enforcement approach, including the power to impose very large fines:
- Data breaches must be reported to the Data Protection Authority within 72 hours of discovery
- Individuals impacted should be made aware of any high risks involved, e.g. identity theft, threats to personal safety
- Fines can be issued up to €20 million or 4% of global annual turnover
- The Data Protection Authority can issue reprimands, warnings and bans as well as fines.
The level of fine is likely to be dependent on a number of factors including:
- Nature, gravity and duration including categories of data;
- Intentional or negligent;
- Action taken to mitigate damage;
- Security and Privacy by Design measures;
- Degree of co-operation;
- How the Data Protection Authority found out;
- Previous enforcement activity;
- Other aggravating or mitigating factors.
It is essential for data protection to be integrated into your organisation's corporate risk management. Consider how you will manage breach reporting, both internally and in respect of your obligations to the Data Protection Authority. If you use a data processor, be clear about your expectations in respect of breach management and ensure these expectations are incorporated into the relevant contracts.
GDPR Applicability in India
“If you are providing goods and services to data subjects in the EU, you will be covered under the ambit.
“For example, the outsourcing services will be covered under GDPR. Moreover, establishments which are engaged in tracking data subjects of the EU through apps or any other tools will be liable to comply with the new regulations,” Chakraborty said in a statement.
According to the European Commission, the law applies to a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed.
It also applies to a company established outside the EU that offers goods/services (whether paid or free) to, or monitors the behaviour of, individuals in the EU.
According to Shree Parthasarathy, partner, Deloitte India, Indian businesses are battling severe issues of data protection and cybersecurity that have larger business implications for productivity and customer confidence.
“Embracing GDPR with a strategic roadmap should be the immediate priority for Indian CXOs, that would include creating awareness, training as well as the constitution of a dedicated data protection framework,” Parthasarathy said in a statement.
“GDPR can be a competitive advantage for India if enterprises understand its relevance and further bring in a risk-based iterative mechanism to their business strategy that is trustworthy, secure, and agile in the digital world,” he added.
According to a Deloitte survey conducted in collaboration with the Data Security Council of India (DSCI), large organisations with more than 10,000 employees (21 percent of respondents) embarked on their GDPR readiness journey in 2016 itself.
By contrast, 43 percent of organisations started their GDPR readiness journey only in late 2017 or early 2018, the results showed.
“GDPR compliance should not only be looked at as an effort and money draining exercise but also as a business advantage which can be a differentiator in the market. An entity compliant with GDPR requirements would definitely command more confidence from customers as compared to those who are not,” Chakraborty said.
How Can Codec Networks Help?
Codec Networks is a PECB certified training provider, and our trainers have 25-plus years of industry experience. We impart in-depth knowledge on the subject; our 5-day bootcamp covers the whole spectrum of GDPR CDPO training.
Day 1: Introduction to the GDPR and initiation of the GDPR Compliance
- Course objective and structure
- General Data Protection Regulation
- Initiating the GDPR Implementation
- Understanding the Organization and Clarifying the Data Protection Objectives
- Analysis of the Existing System
Day 2: Plan the implementation of the GDPR
- Leadership and approval of the GDPR Compliance Project
- Data Protection Policy
- Definition of the Organizational Structure of Data Protection
- Data Classification
- Risk Assessment under the GDPR
Day 3: Deploying the GDPR
- Privacy Impact Assessment (PIA)
- Design of Security Controls and Drafting of Specific Policies & Procedures
- Implementation of Controls
- Definition of the Document Management Process
- Training and Awareness Plan
Day 4: Monitoring and continuous improvement of GDPR compliance
- Operations Management
- Incident Management
- Monitoring, Measurement, Analysis and Evaluation
- Internal Audit
- Data breaches and corrective actions
- Competence, Evaluation and Closing the Training
Day 5: Certification Exam