The term General Data Protection Regulation is by now known to most Indian organizations dealing with personal data. On 25th May, one of the biggest changes in the regulation of data protection and privacy took effect. GDPR changed how personal data is gathered, used and handled, and non-compliance with GDPR rules can cost companies a fortune: 20 million Euros or 4% of annual turnover, whichever is greater.
GDPR is designed to give European Union (EU) citizens more power to control their personal data. However, it also applies to an Indian entity if it monitors the behavior of individuals in the EU. An Indian organization can act either as a controller (i.e., it determines how and why data needs to be processed) or as a processor (i.e., it processes data on behalf of a controller). GDPR prescribes specific obligations and penalties for both cases. In today's data-driven marketing world, one thing is clear: the consumer is more in charge than ever before.
Some organizations have appointed Data Protection Officers to manage the implications of GDPR, while others are still finding their way. Companies need to educate their staff about GDPR and take action to ensure they are compliant in the way they collect, manage, process and share information.
Every company needs proper consultation and legal advice on the matter. Here are a few of the most frequently asked questions, to clear up the confusion and get you started:
First of all, the decision makers and key members of the company need to be fully aware of the new regulation and how it will impact them. Consent of the owner of personal data plays a pivotal role in GDPR compliance. Companies must ensure that consent is clear, affirmative and given in plain language. It is their responsibility to make it easy for data subjects to withdraw consent if they wish to do so. Personal data that any business holds must be analyzed and documented. The company needs to check its procedures to make sure they cover all the rights individuals have. The lawful basis of each processing activity must be identified and the consent procedures must be reviewed. Implementing procedures to detect, report and investigate personal data breaches is also the responsibility of the company.
The GDPR aims to give individuals (consumers, contractors, members or staff) more control over the ways in which businesses process their personal data. There are 8 fundamental rights of individuals under GDPR. They are:
Reconfirming your list will help you make sure that your list is clean and that all recipients have given you consent to send them emails. GDPR uses the term 'legitimate interest', and this describes people who are already your customers or who might have previously enquired with you. These people have a 'legitimate interest' in your business. But it must be noted that 'legitimate interest' cannot be used to send completely unsolicited marketing emails to people you have not contacted before. You cannot assume that everyone in a database you have acquired has a legitimate interest in your service or product.
The role of the Data Protection Officer is to act for the data 'Controller' or 'Processor' to comply with data protection law and avoid the risks that companies face while processing personal data. Even if you do not recruit a dedicated Data Protection Officer, someone in the organization needs to take responsibility for this role. The DPO is the data protection expert within the organization and forms the link between external parties and the organization's employees in relation to the processing of the personal information it holds. Article 37(5) of the regulation says, "The DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39."
According to GDPR, the customer has the right to be forgotten. This means you must delete all the data belonging to a contact who has ceased to be a customer of yours.
Though the procedure to leave the European Union has already begun, Brexit is still expected to take at least two years to take full effect. UK businesses still need to become GDPR ready. What happens post-Brexit is subject to further uncertainty. If the UK joins the European Economic Area (EEA), GDPR will continue to apply in the UK with some small practical changes. If the UK opts out, GDPR will no longer apply, and transfers of personal data from EU Member States to the UK would no longer be permissible without additional legal protections or safeguards in place.
These are a few of the most frequently asked questions about GDPR. If you are still wondering how GDPR works and are confused about its procedures, ask us. We shall try to answer as many as we can! For complete GDPR consultancy, call: +91 9830310550 / +91 98319 15441