EU's GDPR will change the way personal data is handled worldwide

European Parliament has passed the general data protection regulation (GDPR) which will come into effect from May 25, 2018. The regulation is significant as it promises to protect the personal data of the EU data subjects.

GDPR is likely to change the way the private and personal data is handled across organisations. GDPR has an extended territorial scope. While EU organisations are subject to GDPR, non-EU organisations that process personal data of EU residents, or provide services to them are also subject to GDPR. 

Data privacy is a fundamental human right. GDPR has magnificently listed out the steps to protect personal data. We all know data is the new oil. Firms have access to plethora of data and have the onus of handling this vast amount of data responsibly, harness its power and monetise it. GDPR will address the first part of the puzzle as to how to handle the data responsibly. There are few unique terms in GDPR. ‘Personal data’ means any information relating to an identified or identifiable natural person (data subject). ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

GDPR is designed to offer privacy by design. The regulation mandates that data protection principles should be adopted into product/project design process. GDPR empowers the data subject with various rights. Firms must inform data subjects of the existence and consequences of any profiling activities which they may carry out and obtain explicit consent from data subjects. Data subjects have the right to ask for rectification or right to be forgotten. Once the data is shared with the controller or the processor, data subjects continue to have the right to rectify the data or erase the data completely. Data subjects also have the right to data portability. Organisations should develop interoperable formats that enable data portability. This, in itself, is a big challenge for the organisations. 

In case of any data breach organisations need to report the breach within 72 hours of discovery. In case of breach, it should be reported to the supervisory authority and the data subject. Each member state shall provide for one or more independent public authorities to be responsible for monitoring the application of this regulation. The supervisory authority shall be independent to function. They are the one who will interact with the data protection officers of the firm.

In fact, only 35 per cent to 40 per cent of all the IT/ITES companies have started their journey to work towards GDPR compliance. The IT product companies and service providers will have to rework the contracts and are likely to see their working costs with clients going up. While larger firms will be able to withstand the cost of complying with GDPR, smaller companies do not have the resource to make the necessary changes to ahere to the new law.

The cost of non-compliance of GDPR is huge. The GDPR establishes penalties for breach which enables the data processing authority to impose fines for infringements of up to the higher of four per cent of annual worldwide turnover and Euro 20 million. These penalties are against both data controllers and data processors. Other less egregious breaches would attract a fine of up to and two per cent of the annual worldwide turnover and Euro 10 million.

European Parliament has passed the general data protection regulation (GDPR) which will come into effect from May 25, 2018. The regulation is significant as it promises to protect the personal data of the EU data subjects.

GDPR is likely to change the way the private and personal data is handled across organisations. GDPR has an extended territorial scope. While EU organisations are subject to GDPR, non-EU organisations that process personal data of EU residents, or provide services to them are also subject to GDPR. 

Data privacy is a fundamental human right. GDPR has magnificently listed out the steps to protect personal data. We all know data is the new oil. Firms have access to plethora of data and have the onus of handling this vast amount of data responsibly, harness its power and monetise it. GDPR will address the first part of the puzzle as to how to handle the data responsibly. There are few unique terms in GDPR. ‘Personal data’ means any information relating to an identified or identifiable natural person (data subject). ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

GDPR is designed to offer privacy by design. The regulation mandates that data protection principles should be adopted into product/project design process. GDPR empowers the data subject with various rights. Firms must inform data subjects of the existence and consequences of any profiling activities which they may carry out and obtain explicit consent from data subjects. Data subjects have the right to ask for rectification or right to be forgotten. Once the data is shared with the controller or the processor, data subjects continue to have the right to rectify the data or erase the data completely. Data subjects also have the right to data portability. Organisations should develop interoperable formats that enable data portability. This, in itself, is a big challenge for the organisations. 

In case of any data breach organisations need to report the breach within 72 hours of discovery. In case of breach, it should be reported to the supervisory authority and the data subject. Each member state shall provide for one or more independent public authorities to be responsible for monitoring the application of this regulation. The supervisory authority shall be independent to function. They are the one who will interact with the data protection officers of the firm.

In fact, only 35 per cent to 40 per cent of all the IT/ITES companies have started their journey to work towards GDPR compliance. The IT product companies and service providers will have to rework the contracts and are likely to see their working costs with clients going up. While larger firms will be able to withstand the cost of complying with GDPR, smaller companies do not have the resource to make the necessary changes to ahere to the new law.

The cost of non-compliance of GDPR is huge. The GDPR establishes penalties for breach which enables the data processing authority to impose fines for infringements of up to the higher of four per cent of annual worldwide turnover and Euro 20 million. These penalties are against both data controllers and data processors. Other less egregious breaches would attract a fine of up to and two per cent of the annual worldwide turnover and Euro 10 million.