9 GDPR Facts That Indian Organisations Must Be Cognizant Of
With GDPR in effect since May 25, 2018, this nine-pointer view may help organisations as they steer their GDPR readiness journey
As with organisations elsewhere in the world, the European Union's (EU) General Data Protection Regulation (GDPR) is likely to apply to organisations operating in India that service EU data subjects (including customers, employees, vendors etc.) and handle their personal data.
The following nine points may help organisations as they steer their GDPR readiness journey:
1. GDPR applicability check:
The GDPR is a sector-neutral and borderless regulation. Along with organisations in the EU, it also applies to organisations based outside the EU that handle the personal data of EU data subjects.
2. Appointment of a Data Protection Officer (DPO):
Under GDPR, it is mandatory for an organisation to appoint a Data Protection Officer (DPO) if:
- It is a public authority in the EU
- It is involved in regular and systematic monitoring of data subjects on a large scale
- It processes sensitive personal data on a large scale
It is recommended that a DPO with expert knowledge of privacy laws be appointed, and that the DPO be involved in all discussions, initiatives and programmes relating to the processing of personal data.
3. Privacy Notice:
Organisations need to provide data subjects with a privacy notice that includes details such as the personal data being collected, how it is shared, and how the organisation uses it.
4. Lawfulness of processing and consent:
As one of the means of establishing "lawfulness of processing", personal data should only be collected with explicit consent, which must be specific, informed, unambiguous and freely given. Where consent is not obtained, processing must satisfy one of a limited set of other criteria. Consent should be genuine, purpose-limited and withdrawable at any point in time.
5. Breach notification:
Organisations will have to notify the supervisory authorities of a personal data breach without undue delay, and not later than 72 hours after having become aware of it. The organisation will also have to notify the data subjects if the breach is likely to result in a risk to the rights and freedoms of natural persons. It will also be mandatory to keep an internal register of the data breaches that have occurred in the organisation.
6. Data subject rights:
GDPR grants data subjects a wide range of rights that they can exercise: the right to consent, the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restriction of processing, the right to data portability, the right to object, and rights relating to automated decision making, including profiling. Data controllers and processors should be able to guide data subjects on the process and details involved in exercising these rights.
7. Data Privacy by design:
A standardised and repeatable process for privacy by design and by default ensures that organisations understand the appropriate privacy and data protection controls. Pseudonymisation, encryption, confidentiality, integrity, deletion/destruction, and retention rules are some of the measures that make up privacy by design.
8. Cross-border data transfer:
The cross-border data transfer provisions lay out two conditions for adequate data storage and processing:
- Data may be transferred to countries that provide an adequate level of protection, as per the adequacy list maintained by the European Data Protection Board (EDPB)
- It is the controller's responsibility to assess the level of protection in place before transferring data
9. Awareness and Training:
Organisations must conduct meetings and discussions for their employees to spread awareness of GDPR and its associated privacy practices.
GDPR readiness can be an opportunity for Indian organisations to stand out. The new EU rule will help the private sector in India to further strengthen the security of the data it processes.
Disclaimer: The views expressed in the article above are those of the authors' and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.