On 25 May 2018 the GDPR officially becomes law, strengthening the fundamental right to privacy for people living in the EU. The regulation mandates operational and technological controls to protect against data violations, and grants individuals new rights over how their personal data is treated. Any company that wants to do business with European residents must comply with the GDPR.

By giving European consumers the power to control how their data is used, the GDPR drives businesses all over the world to revisit their data-handling policies. Sectors such as banking and healthcare have been forerunners in defining their own data-handling rules, and with the arrival of the GDPR other businesses now have a clearer sense of how personal data should be treated. Businesses have an opportunity to fortify their data protection policies around their specific needs. In short, the GDPR gives businesses of every kind a data-governance foundation on which to define the data protection rules that apply to them.

  • Applies to all businesses processing the personal data of EU residents, regardless of where the business is located
  • Holds sub-processors, and any business performing data processing on behalf of another company, equally accountable for the protection of personal data
  • Standardizes data protection law for residents across all EU member states

Businesses are required to:

  • Exercise stricter control over how data is stored, shared, used and accessed
  • Enhance policies and procedures to ensure lawful processing and give the individual more control
  • Practice governance that provides transparency, recording and reporting of data protection issues

Companies that fail to adhere to the GDPR after the enforcement deadline of May 2018 can incur heavy fines of up to €20m or 4% of annual global turnover, whichever is greater.

The Data Protection Officer (DPO) is responsible for informing employees of their compliance obligations and for conducting the monitoring, training and audits required by the GDPR. A DPO needs to be appointed if you:

  • Process large amounts of personal data
  • Carry out large-scale systematic monitoring of individuals, or
  • Are a public sector authority

In the event of a data breach, controllers are required to notify the relevant Data Protection Authority (DPA) within 72 hours of the occurrence. If the breach poses a high risk to the rights of data subjects, controllers must also notify the affected data subjects without delay. Likewise, data processors are required to notify data controllers of the breach without undue delay.

Organisations must prove they are accountable by:

  • Implementing controls that strictly limit the use of data to the purposes for which it was collected
  • Establishing mechanisms to manage data according to the preferences specified in the consent document
  • Ensuring that explicit privacy notices are present wherever personal data is collected
  • Entering into contracts with affiliates and vendors that collect or receive personal data
  • Maintaining visible proof of consent for the processing of personal data

Businesses conducting high-risk or large-scale processing of personal data must:

  • Establish a privacy impact assessment process
  • Administer privacy and security awareness training for employees and vendors
  • Establish processes to respond to data subject requests for access, correction, objection, restriction, portability and deletion (the right to be forgotten) of personal data
  • Apply privacy by design, bringing data protection into the development of business processes and new systems from the start
  • Apply privacy by default, so that privacy settings are applied automatically whenever a customer acquires a new product or service