GDPR

GDPR: In a Nutshell

GDPR (General Data Protection Regulation) is the new regulation passed by the European Union on personal data protection. It will be effective and enforced from 25th May 2018 for all parties who do any kind of business with European countries that involves the personal data of European Union residents.

This is not the first time the European Union has passed such a regulation: in 1995 the “Data Protection Directive” was passed to safeguard individuals’ personal data.

What is Personal Data?

  • Any data which identifies a person, such as a name, email address, Social Security number, tax number, dedicated IP address, unique device identifier or employee ID, is considered Personal Data.
  • ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What is Data Controller?

  • ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

What is Data Processor?

  • ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


What is Territorial Application?

  • The GDPR applies to all non-EU organizations if they deal with EU residents in any of the following ways:
    • Offering goods or services to EU residents, whether free or paid.
    • Monitoring of EU residents, within or outside the EU.
    • Processing of personal data of EU residents by a controller or processor not established in the EU.

Consent

Consent becomes harder for organizations to obtain. Anonymous consent is no longer accepted. Consent must be “specific” and “informed”, organizations must use appropriate methods to obtain it, silence is not consent, and consent must be specific to the data and must not be tied to other matters. The controller must be able to demonstrate consent.

Individuals have the full right to withdraw their consent at any time.

Rights of data subject

  • Transparent Communication: In order to ensure personal data are processed fairly, the GDPR obliges the Data Controller to communicate transparently with Data Subjects (EU residents) regarding the processing of their personal data.
  • Right to basic information: Data Subjects (EU residents) are entitled to be provided with a minimum set of information concerning the purpose for which their personal data is provided to a Controller or Processor.
  • Right to Access: Data Subjects (EU residents) have the full right to access their personal data from the Data Controller at minimal or no cost, depending on the country.
  • Right of Rectification: Data Subjects (EU residents) have the full right to have any inaccurate or incomplete data rectified by the Data Controller.
  • Right to be Forgotten: Data Subjects (EU residents) have the full right to have their personal data deleted by the Data Controller.
  • Right of Data Portability: Data Subjects (EU residents) have the full right to transfer their personal data from one online platform to another, which can also be their own personal/private device, in a machine-readable format that supports re-use.
  • Right to Object: Data Subjects (EU residents) have the full right to object to the Data Controller’s processing of their personal data, for example where the data is used for direct marketing, scientific or historical purposes, etc.

Accountability is King: The Data Controller is accountable for any data breach or leak caused by them, by the Data Processor or by any sub-contractor. The obligation must be passed down to all parties who handle the Data Subject’s personal data.

Cross Border Data Transfer: Export of data outside the EU continues to be prohibited unless certain conditions are met.

DPO (Data Protection Officer): It becomes obligatory to appoint a Data Protection Officer in an organization which has more than 250 employees, and it is mandatory for public authorities. A single DPO can supervise multiple locations of an organization, and the role can also be outsourced.

Breach of Personal Data: A breach of security leading to the accidental or unlawful loss, alteration, unauthorized disclosure of or access to personal data is considered a breach of personal data. Such a breach has to be notified without undue delay, within 72 hours of becoming aware of it, to the Controller, the DPA (Data Protection Act) and, if it is of high risk, to the individual.

Mega Penalties: There are heavy penalties for breach of the regulation. The lower level of fine is up to €10 million or 2% of the company’s global annual turnover, whichever is higher; the higher level of fine is up to €20 million or 4% of the company’s global annual turnover, whichever is higher.


By Praakassh Ghaitadke

Disclaimer: This Article is based on the GDPR Act published on the Official website. The information within this article is simplified with my own language and doesn’t guarantee its completeness and accuracy.
