GDPR has set a new standard for consumer rights regarding securing their data, and all organizations have a task in hand to implement it to ensure compliance.
This new European Union framework applies to organizations and LPOs in all member-states. It has implications for businesses and individuals across Europe and third-party organizations involving data of European nationals.
Let us understand what GDPR is and what its implementation means for businesses in Europe and worldwide.
What does GDPR stand for?
GDPR is the abbreviation used for The General Data Protection Regulation, implemented by the European Union to protect the confidentiality of personal data of EU citizens during transactions.
What is GDPR, and how and when did it come into force?
GDPR was adopted by the European Parliament in 2016 when it replaced the
previous data protection directive, which was in place since 1995.
The need for a reformative and advanced data protection policy was felt
by the European Commission early in 2012 in its efforts to make Europe fit for
the digital age. It took four years of extensive research and efforts to
develop the reformed data protection policy in the form of GDPR, which came into force across the European Union on 25th May 2018.
GDPR is the newly defined set of rules which gives EU citizens more
control over their data. In this age of Social Media Invasion, GDPR eases the
regulatory environment for businesses so that the companies and citizens both
could benefit from the digital revolution.
It lists down laws and obligations together around personal data across
Europe.
What is Personal Data as per GDPR?
Personal data in GDPR refers to a citizen’s name, address, contact details, and photographs. It may also include information like IP address or genetic and biometric data.
Who does GDPR apply to?
GDPR applies to all organizations operating in the EU and organizations outside the EU that offer services to customers or businesses in the EU.
To summarise, the following must be GDPR compliant:
- All companies and businesses operating within the EU
- All companies and third-party contractors dealing with the storage and processing of personal data of citizens of the EU even if they are not operating within the EU.
There are majorly two types of data handlers that the Legislation applies to, as per Article 4 of General Data Protection Regulation;
1. Controller: Controllers are a body that, alone or jointly with others, determines the purposes and means of the processing of personal data. A controller can be a person, agency, or public authority, and they ensure that all contracts are compliant with GDPR.
2. Processor: A processor is a body that processes the data on behalf of the controller. Again, a processor can be a person, agency, or public authority, as was in the controller’s case.
In case of a breach, a higher level of legal liability rests with processors responsible for maintaining records of personal data and involved in its processing.
Why does GDPR exist?
The European Legislature felt the need for a revised data protection policy as the Data Protection Directive, preceding GDPR, could no longer address citizens’ concerns on data security in the new age of the internet and social media revolution.
The primary concerns of consumers were found to be as follows:
- Loss of banking and financial information
- Loss of security information and passwords
- Loss of identity information
GDPR came into being to address all of the above and implement a standard guideline for all EU businesses and citizens.
What GDPR means for Businesses?
With GDPR, there is one law across the continent and a single set of rules applicable for all businesses operating in the EU for handling data of citizens of the EU.
This legislation comes into force outside the borders of Europe, and all organizations involved in business with Europe need to be GDPR compliant.
This brings uniformity by introducing a single supervisor authority for data protection across businesses irrespective of their presence in the EU.
It, in turn, has made it simple and cost-effective for businesses to operate within the region.
The regulation guarantees that data protection standards are met right from the early stages of developing a product or service to ensure that new products and technologies meet the data protection and security guidelines.
The technology sector has been most impacted by GDPR, followed by online retailers, financial services, online services.
What GDPR means for Consumers?
With GDPR in place, consumers and citizens of the EU can rest assured of their data protection and security. While the fear of data breach is still there with GDPR, this regulation ensures that violations are reported and actioned upon in a standard way across organizations.
With GDPR, consumers get the right to know if their data has been hacked within a determined time.
Organizations are expected to detail how the customer/consumer information is used or stored clearly and understandably.
Also, with GDPR, consumers can get their information deleted by the organization by requesting the same if they no longer want the business to save their details.
Businesses are expected to accommodate such requests from consumers as per the GDPR guidelines.
What Companies should do to stay GDPR compliant
GDPR compliance not only needs to be incorporated in the system, but the organization also needs to ensure that it remains compliant and the below activities guarantee the same in any business unit or organization:
- Compliance and a sense of urgency should flow from the top management downwards
- All stakeholders and departments should be involved, as GDPR compliance is not just limited to the IT department but boils down to any/all departments dealing with data, be it operations, finance, or sales department.
- Periodic risk assessments should be conducted internally and risk mitigation plans devised
- GDPR compliance progress should be documented
- Data protection plans should be created and maintained and revised from time-to-time basis the risk assessment reports
- Organizations should focus on mobile usage policy as well to arrest any non-compliance through mobile phone usage.
GDPR Breach: Notification & How it works?
GDPR Breach happens in cases where there is unauthorized access to personal data or loss of data. The GDPR also sets out organizations’ duties to let the supervising authority and individuals know about such breaches and data loss.
As per GDPR, an organization should report any breaches resulting in confidentiality or financial loss to individuals. The loss can involve loss of reputation or any other social or economic disadvantage.
The communication needs to be one-to-one communication with the consumers who are impacted by the breach and must be communicated within 72 hours of the breach coming to notice. It may be conveyed directly to the supervisory body or the victims depending upon the severity.
GDPR non-compliance can lead to fines and penalties ranging from 10 million Euros to 4% of the Company’s annual global turnover.
Fines are determined basis the severity of the breach and the company’s commitment and measures taken for ensuring compliance.
Failure in reporting a data breach may also invite fines and penalties as per GDPR rules.
What’s next for other countries post-GDPR?
Many countries around the world like Brazil, Japan, India are taking cues from GDPR and formulating their data protection laws to ensure more stringent and futuristic data security and confidentiality in today’s times of social media revolution.
Read More:
Client Data Protection & Privacy
Obligation as a Canadian Business Owner while Outsourcing or Engaging 3rd Party for Data Processing
