In today's heavily digital world, data breaches happen every single day. Yet most of the companies responsible for these breaches walk away without paying any price for the damage.
The European Union's General Data Protection Regulation (GDPR) came into effect in 2018. Since then, companies dealing with the EU and with data from the EU face fines when such incidents occur.
One of the biggest data breaches in history happened when 3 billion Yahoo user accounts were breached in 2013-2014.
Yet even a company of that size did not notify the data subjects in time.
The full extent of the breach only became clear in 2017. Had GDPR been in place, Yahoo would have had to pay a fine of $80-$160 million for non-compliance.
The Data Protection Directive of 1995 was the first regulation of the processing of personal data within the European Union, and an important milestone in EU data privacy and human rights law.
But by 2012 the European Union had realized it needed a more unified basis for protecting data that was increasingly crossing borders. Thus on 25 January 2012 the European Commission announced that it would seek to unify the data protection regulations of 27 nations into one.
The result is the GDPR, the General Data Protection Regulation. It was intended to ease the transfer of corporate data outside the EU while giving users more control over their personal data.
What was the issue with the earlier directive?
According to the EU, the 1995 Directive was not enough to protect sensitive data in the digital age. It lacked important provisions such as:
(i) How is the data stored?
(ii) How is the data collected?
(iii) How is the data transferred?
Given the digital advances that companies and other entities had gone through, a refined directive was required for data cleaning and processing.
One of the biggest changes it brought was that non-EU companies would also have to comply with the rules. It was finally approved on 14 April 2016, and the European Commission gave entities across the world until 25 May 2018 to prepare for compliance.
Thus in April 2016 the EU's GDPR replaced the existing Data Protection Directive. All 28 countries of the EU are required to adopt and comply with it.
What is GDPR Compliance?
The General Data Protection Regulation (GDPR) was agreed upon in 2016 by the European Parliament and Council. The law is intended to protect the personal data of EU citizens.
All entities that had maintained compliance with the 1995 Directive had to extend that compliance to the GDPR as well; failing to do so exposes them to penalties.
The GDPR emphasizes data and privacy protection according to the following guidelines:
(i) When processing a subject's data, the company must obtain the subject's consent.
(ii) To protect the collected data against attack, its anonymity must be maintained.
(iii) In case of a data breach, the affected people must be notified immediately.
(iv) When data is transferred across borders, its safety must be the priority.
(v) Certain companies are required to appoint a dedicated data protection officer to oversee GDPR compliance.
Why is the GDPR required?
The GDPR was introduced with a clear purpose: to bring uniformity to data security law across the 28 members of the European Union.
This ensures no member state has to write and maintain a separate set of data protection laws. GDPR compliance in digital marketing effectively applies to any organization that offers its products or services to EU residents, regardless of where the service provider is located.
What Types of Privacy Data Does the GDPR Protect?
The GDPR comprises 11 chapters and 91 articles that set out all the compliance parameters. To understand what GDPR compliance is, consider how it protects different kinds of data, and to what extent:
Right to Erasure
Articles 17 and 18 of the GDPR give data subjects more clearly defined control over their personal data, but only for data that is processed by automated means.
With this, data subjects can transfer their data in a portable form, which is why it is also called the right to portability. Data subjects are in complete control of their data and can demand that service providers erase their personal data.
Protection against loss or improper exposure
Articles 23 and 30 offer data subjects protection against data loss. They require companies to implement reasonable data protection measures so that a user's personal data is never at risk of loss or unwanted exposure.
Notification of Data Breach
Under Articles 31 and 32, GDPR compliance protects data subjects against data breaches. It makes clear to companies that data breach notification plays a very important role.
According to Article 31, data controllers must notify the supervisory bodies of any data breach within 72 hours, with complete details such as the kind of breach and the number of users affected.
Failing to do so can attract penalties, which makes this a very important point in the checklist for GDPR compliance.
Article 32 extends the same protection: it ensures that data controllers also notify the data subjects, so that protective measures can be taken at their end.
Risk is addressed under Articles 33 and 33a, which require entities to assess the kind and extent of risk that subjects are exposed to.
Under Article 35, a service or product provider is required to hire dedicated data protection officers. This is a must if the company deals with highly sensitive data, such as data relating to religious beliefs, genetic information, health or ethnicity.
These data protection officers are required to act as a supervising authority and help the company understand what GDPR compliance is.
Articles 36 and 37 extend this by defining the responsibilities of data protection officers.
International Data Protection
As per Article 45, the data protection offered by the GDPR extends to international companies as well, especially organizations that collect, process or transfer any kind of data coming in from EU citizens. The GDPR compliance requirements, fines and penalties are the same as for EU entities.
Any non-compliance with the GDPR attracts penalties, so it is important for organizations to maintain a checklist for GDPR compliance. The penalties depend on the kind of violation and can reach close to 4% of the global revenue of the organization responsible for the violation.
Who Is Required to Maintain GDPR Compliance?
It is clear that EU members are required to stay GDPR compliant. Beyond that, any company that offers its products or services to residents of the European Union must comply with the GDPR, irrespective of where the organization is located.
Effectively, each organization has to make sure it meets the GDPR compliance requirements so that no penalties are attracted in the event of a data breach. This also ensures greater trust and protection.
What Kind of Penalties Does GDPR Non-Compliance Attract?
The 1995 Data Protection Directive also levied fines and penalties on non-compliant entities. But with the GDPR the size of the penalties has increased, which is why it is all the more important to understand what GDPR compliance is. Under the GDPR, the supervisory authorities have more powers:
(i) They can investigate the data issues more aggressively
(ii) They have more corrective powers
(iii) They can issue warnings in case any non-compliance is noticed
(iv) They can execute audits
(v) They can ask entities to erase the subject data
(vi) They can ask entities to stop data transfer to a particular entity
Supervisory authorities hold more power over data controllers and processors. As for the penalties and fines:
(i) They are based on the severity of the particular case.
(ii) Corrective measures can sometimes be imposed without fines.
(iii) For failing compliance, the fines range from 2% to 4% of total annual global turnover, or from €10m to €20m, whichever is higher.
What are the best practices for GDPR Compliance?
Organizations of all sizes are required to stay GDPR compliant. They must first understand what is needed and what the GDPR compliance requirements are. Here are the best practices to ensure your organization and its operations do not attract any penalties:
(i) The first step is to hire a data protection officer.
(ii) These officers are required to create a data protection program that meets the GDPR's requirements.
(iii) They must stay updated on any changes in the laws.
Are you an Indian company? Here is your checklist for GDPR compliance.
India has a massive presence in product and service outsourcing, but its data protection law is very weak. Currently, the Indian outsourcing industry contributes almost 9.3% of India's GDP.
That amounts to over 150 billion USD, and the European Union is one of the biggest contributors. But because Indian data protection laws are very weak, this weakens India's standing against other competitors.
This is just one of the challenges. The GDPR compliance policies are quite inflexible, because of which Indian companies incur substantial compliance costs. They spend a lot on assessing the risks of data transfer when dealing with the data of EU residents.
Under the territorial scope provision (Article 3), even an Indian company is liable to pay all the penalties set out in the regulation.
Because of all these challenges, it is all the more important for organizations to maintain compliance. Here is the exhaustive checklist for GDPR compliance to make sure no penalty is attracted:
(i) Make sure the policies and procedures are thoroughly reviewed.
(ii) Data discovery protocols must be established and exercised on a defined schedule.
(iii) Documentation of data discovery exercises must be maintained so that compliance can be proved in case of an audit.
(iv) Employees must be trained on data privacy, risks and issues.
(v) Regular data protection impact assessments (DPIAs), compliant management of data subject requests, and privacy by design.
(vi) Data Protection Impact Assessments (DPIAs)
(vii) According to the GDPR, organizations are required to maintain DPIAs. This is especially crucial where the risk is high, for example when new technologies are being introduced or where a large public area or large volumes of data are being monitored.
(viii) Legitimate Interests Assessments (LIAs): these are a best practice rather than a mandate. Privacy specialists generally create these policies for the organization, with its best interests in mind.
(ix) Third-party vendors must be made aware of the GDPR compliance requirements, which should always be part of the signed contract.
(x) Subjects' personal data must be encrypted to ensure protection.
(xi) The best available Data Loss Prevention (DLP) techniques must be employed.
(xii) Identity and access management solutions must be established and audited regularly.
(xiii) Data retention schedules must be reviewed.
(xiv) Incident management solutions must be maintained to make sure that any data breach is notified to the data subjects.
Importance of GDPR Compliance
As GDPR compliance has become an important part of the business landscape when dealing with the European Union, organizations should treat it as a business opportunity. For Indian IT companies the European Union is the second biggest market, so GDPR compliance is no longer a choice but a necessity.
If Indian companies ensure the highest level of GDPR compliance, they can attract more business from the EU. India's privacy landscape has evolved considerably under the pressure of the GDPR from the European Union.
Under the GDPR, every country to which EU data is transferred must meet the GDPR compliance requirements, or more precisely its adequacy requirements. The Indian legal framework has gradually caught up as well: the Supreme Court of India has passed a verdict affirming that data privacy and protection are very important.
Thus, to stay on the safe side of the law, organizations need a consistent compliance effort. They must develop a vision and strategy to keep GDPR compliance consistent, and continuously gauge gaps to make sure current policies are followed.
The most critical areas of GDPR compliance are: data processing; notice and consent; data subject rights; data security; transparency of information and communication; accountability; cross-border data transfer; third-party and vendor management; storage; breach and breach notification; and training and awareness.
Inspired by the opportunities that cyber security provides? Enroll in our Cyber Security Course to elevate your career.