Any enterprise, irrespective of geography, that conducts business and retains personal information even if on just one citizen in the EU.

New data privacy mandates have been issued by European Union regulation.

GDPR compliance must be achieved by 25 May 2018.

This includes any organization anywhere in the world, if it retains information on any citizen in the EU.

To better protect any individual’s personal information, to secure rights for the individual over that collected information, and to force enterprises to follow a uniform scheme for data protection.

The GDPR gives data subjects an increased level of control over their information. It also aims to improve the overall data protection environment by ensuring that data controllers and processors are safe custodians of data, through promoting behavioural change.

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

The GDPR provides for enhanced supervision by increasing the powers of the regulator as champion of the data, and a business should look at the following key points to stay on the safe side.

Privacy by design

Controllers must implement appropriate technical and organisational measures and procedures to ensure that processing safeguards the rights of the data subject by design.

There are a few key steps if a business does not want to embark on a full review and overhaul just yet: (i) minimise the data collected; (ii) do not retain that data beyond its original purpose; and (iii) give the data subject access to, and ownership of, that data.

Right to be forgotten

This is really a right of consumers to have their data erased. It is more far-reaching than a business might consider at first blush. A consumer or data subject can request erasure of the data held by a company at any time and, if it has been passed on to any third parties (or third-party websites), they would have to erase it as well.

Breach Penalties

For serious infringements, the GDPR allows for fines of up to €20 million or 4% of total worldwide annual turnover (whichever is higher), which would be a serious chunk of revenue for even the largest multinational.

There is a tiered approach to fines; e.g. a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and data subjects about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning that 'clouds' will not be exempt from GDPR enforcement.

Brand Exposure

If a personal data breach is likely to cause a high risk to the rights and freedoms of the data subjects, the breach must be notified to the affected data subjects without undue delay, unless the controller can demonstrate that encryption or other technology rendered the data unintelligible to third parties. So whether the data of 10 customers or 1,000,000 customers is lost, they would all have to be told. The potential for significant brand damage, litigation and media reporting of an incident is clear and could spell the end of a business overnight.

Data Protection Officer

DPOs must be appointed in the case of:

(a) public authorities,
(b) organizations that engage in large scale systematic monitoring, or
(c) organizations that engage in large scale processing of sensitive personal data (Art. 37).

If your organization does not fall into one of these categories, then you are not required to appoint a DPO.

However, important projects need owners. Under the GDPR, a DPO is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches and even creating a good data security policy. Businesses will need someone to act as the focal point in ensuring compliance with the GDPR, and they will need to appoint DPOs sooner rather than later.

Trust us to get you through this maze

Getting ready for the GDPR means your enterprise needs to:

  1. set its vision,
  2. agree its strategy and
  3. constitute the structures for achieving data protection and privacy operational change and compliance.

This is not simply a checklist-driven job: getting ready for the GDPR requires multi-disciplinary skill sets. Our team has all of those skill sets, which knit together to provide an end-to-end solution to the challenges ahead.
