What does it really mean to be compliant with GDPR? — Know thy challenge.
In less than 2 months, the data protection laws of the European Union are going to undergo their biggest transformation to date. Considering that the last time a concrete regulation related to data protection was enforced in the European Union, laptops were as rare as a shooting star, computers ran on Windows 97 and floppy disks were the best way to transfer data, GDPR has to deal with a much bigger problem.
Therefore, it is not surprising that the lawmakers proposed a penalty as high as 20 million euros if this regulation is not complied with. If the fine were not deterring enough, data controllers also risk losing their reputation in the market if a lack of compliance on their part results in them being dragged to court. To make matters worse, thanks to the widespread impact of this regulation, a data controller is more likely to be governed by it than to be left unaffected. As most of you might know, to be governed by this regulation the data controller does not necessarily have to be within the territorial jurisdiction of the European Union. A data controller anywhere in the world who is processing the data of a data subject within the European Union is governed by GDPR.
Agreed, the data controllers are in the line of fire, but how did they end up there? What is the “risk” that they are facing? Simply put, a lapse in compliance with this regulation constitutes risk. So to understand whether they are at risk, data controllers have to understand what this regulation expects them to do. As we mentioned in our previous post, GDPR focuses on enabling data subjects to reclaim control over their data. So any action or inaction by a data controller that endangers the rights of data subjects will constitute risk.
The question that begs to be answered is what it means to be compliant with this regulation. Well, simply put, adhering to the provisions of all the Articles in the image above would ensure that you are compliant with this regulation. This leads us to the next problem, which is to decipher what these Articles want from the data controller.
Let’s try to understand the law with a few examples.
An Example: GDPR Article 6 — Guidelines for Data Processing
GDPR lays down certain parameters for the processing of data in Article 6; therefore, it is imperative that data controllers ensure these parameters are met while processing data.
Now, reading Article 6 is not the hardest thing on the planet, but wouldn’t it be so much easier if the elaborate text were simplified and converted into a basic checklist that the data controller needs to satisfy to ensure compliance with the regulation?
Doesn’t this make life easier? Now all a data controller needs to do is check off action items such as whether the data subject has consented to the processing of his or her data, figure out the reason for processing, ensure safeguards, etc., and it is good to go.
Another Example: Article 15 — Rights of Access by a Data Subject
Similarly, the regulation gives the data subject a bunch of rights, and these rights end up levying a bunch of duties on data controllers. Reading Articles 12 to 22 in full is a rather cumbersome process. Fret not, dear data controllers, we have broken it down for you into a basic to-do list.
For instance, Article 15 deals with the data subject’s right to access his/her data. Now, if we look at the text of the Article, it gets a little mind-boggling, and we might have to read it a couple of times to be certain that we have understood it completely. What if we told you that this Article can be broken down into five action items, and all you have to do is read five sentences to understand what this Article wants from a data controller; wouldn’t that be splendid?
Yet Another Example — Article 32
Now let’s look at Article 32, which lays down certain security standards to be maintained while processing data. To be compliant with this Article, the data controller will have to ensure that these standards are met.
Imagine if we took it up a notch and not only provided you with a compliance checklist but also a heat map that helps you ascertain the level of risk; wouldn’t that be nicer?
Once a data controller has figured out what the law is and what level of risk it is at, things can get a little overwhelming. So the question arises: is it absolutely necessary to be compliant with all 99 Articles?
So what does it ‘really’ mean to be compliant?
Well, ideally a data controller should comply with every little direction under the 99 Articles and 102 recitals of this regulation; but since we do not live in an ideal world, the expectation is more one of reasonable compliance than of strict compliance.
“Reasonable diligence” is subjective, but considering we are looking at it from the legal point of view, let’s understand it in legal terms. Reasonable diligence, as per Black’s Law Dictionary, is defined as “A fair, proper, and due degree of care and activity, measured with reference to the particular circumstances; such diligence, care, or attention as might be expected from a man of ordinary prudence and activity”. In simpler terms, it means what is considered to be fair by a disinterested third party. So for compliance with GDPR, reasonable diligence would mean that data controllers take the requisite measures to safeguard the interests and rights of data subjects and are not negligent.
So you see, it’s a huge change, no doubt, and yes, there is a lot at stake, but it is not a regulation that cannot be dealt with. One needs to understand the law and then take a call on what has to be done to comply with it. We understand that interpreting a statute is not everybody’s cup of tea; therefore, we have attempted to simplify it to the best of our abilities to help you understand it better. We have attempted to break down what would constitute compliance for every Article so that data controllers are also at ease and feel more in control. For the inquisitive and proactive data controllers, we have added some FAQs to help them get more clarity on the Articles they choose to focus on. However, if you still have any other queries, we are just an email away.
Once you have acquainted yourself with the law, it becomes easier to plan your next move. So, now that we have understood the law and what it means to be compliant with it, in the next post we shall strive to ascertain where we stand and how prepared we are for this regulation.