10 Key Issues Of General Data Protection Regulation (GDPR)
Through the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the European Commission plans to strengthen and amalgamate data protection for individuals within the European Union (EU) as well as businesses dealing with and storing private information of Europe citizens. Although the GDPR came into force on 24 May 2016, the enforcement of the GDPR will not begin until 25 May 2018, thus leaving less than 12 months now for organizations to get themselves prepared.
Before going to issues, it is necessary to understand some key players involved in GDPR. In GDPR,
- Data Subjects refers to individuals whose personal information is being stored by organizations for their business operations
- Personal Data refers to any information which can lead to identification of a data subject, directly or indirectly, by reference to an identifier such as an identification number, a name, location, online identifier such as I.P addresses or through information relating to the physical, physiological, mental, genetic, cultural, social or economic identity of that person.
- Controller is an entity, whether it may be a person, public authority, organization or agency or any other body which alone or jointly with others determines “why” i.e. the purpose and “how” i.e. the means processing personal data of data subjects.
- Processor may be a person, public authority, organization or agency or any other body that processes personal information on behalf of the controller.
The Ten Key Issues Businesses Should Understand While Making Themselves GDPR Compliant
- Most stuff is changing, however not the entire thing — The GDPR makes several necessary changes to EU data protection law, however, it’s not an entire departure from existing principles. several of the ideas that organizations are conversant in can still apply beneath the GDPR.
- A DPO should be designated — Organisations that often and consistently monitor data subjects, or method Sensitive Personal knowledge on an outsized scale, should appoint a Data Protection Officer (“DPO”).
- The introduction of mandatory Privacy Impact Assessments ( PIAs) — The GDPR makes it mandatory for data controllers to conduct PIAs in the case where privacy breach risks are high. This means before organizations can even begin projects involving personal information, they will have to conduct a privacy risk assessment and work with the DPO to ensure they are in compliance as projects progress
- Data subjects rights — Some rights of data subjects are reinforced by the GDPR (e.g., the right to object) and a few new rights are created (e.g., the right to information portability). These rights might build it more durable for organizations to lawfully method personal information
- Geographic application — The GDPR applies to non-EU organizations if they: (i) provide product or services to EU residents; or (ii) monitor the behavior of EU residents. Several organizations that don’t seem to be subject to existing EU data protection law are subject to the GDPR, particularly online businesses.
- Notifying a data breach within 72 hours — The GDPR necessitate businesses to report data breaches to the relevant DPA within seventy-two hours of detection. For several organizations, radical changes to internal detailing and investigating structures are going to be required.
- Fines — The penalty structure under GDPR for companies failing to mistakes is a tiered one. More serious infringements will cause a fine of 20 million euros up to four percent of a company’s worldwide A lesser fine of up to two percent of worldwide revenue — still huge — are often issued if company records aren’t so as or a supervising authority and data subjects aren’t notified when a breach has occurred. This makes breach notification oversights a heavy and pricey offense revenue.
- Consent — Consent becomes more difficult for organizations to get and place confidence in. Notably, the GDPR states that consent isn’t valid wherever there’s a “clear imbalance” between the controller and also the data subject.
- Compliance obligations for controllers to be increased — The GDPR imposes new and hyperbolic compliance obligations on controllers (e.g., implementing acceptable policies, keeping records of process activities, privacy on purpose and by default, etc.
- Direct compliance obligations for processors — Processors have direct legal compliance obligations under the GDPR and DPAs will take social control action against processors, and DPAs can take enforcement control actions against processors.
Above main issues are few of many that an organization falling under GDPR should be aware of. It is advisable that before making themselves GDPR compliant, organizations need to understand and be more aware now of the whereabouts of their data — where the sensitive information is being stored, who are accessing it and who should be accessing it.