A date with data: Demystifying EU's data protection regulations
The GDPR outlines a common regulatory framework pertaining to data security, under which organisations handling the personal data of EU citizens are held accountable for its security.
On May 25, 2018, the European Union will formally enforce the European Union General Data Protection Regulation (EU GDPR), widely considered by experts to be the most comprehensive data protection law ever defined. The landmark regulation supersedes the Data Protection Directive and gives EU citizens more power over their private information. Hrishikesh Sivanandhan, VP & BU Head - Consulting Services at Paladion Networks, explains what it means for Indian businesses.
Data Privacy 101: Understanding the GDPR in detail
The GDPR is aimed at enforcing strict policy measures to protect the personal data of EU citizens. Personal data, defined as “any information that can be used directly or indirectly to identify an individual” and which “must be protected”, is categorised into three major parts: general information, organisational information, and special categories of data.
The GDPR outlines a common regulatory framework pertaining to data security, under which all organisations collecting, storing, transmitting, or processing personal data of EU citizens are held accountable for the security of personal information that they handle. This accountability is applicable regardless of where the organisation is actually based, as long as it handles personal data pertaining to EU citizens. This means Indian businesses handling personal information of individuals hailing from Europe are also governed by this new data protection law.
Provisions are made for strict action against non-compliance and data infringement under the GDPR. For any material or non-material damage caused by a GDPR infringement, the affected individual (called the data subject) is entitled to monetary compensation from the non-compliant entity. Additional administrative fines can also be imposed upon the data processor/controller by the GDPR supervisory authority under two categories:
- Non-compliance: If an organisation is found to be non-compliant with the GDPR regulations, it can face a fine of up to €10 million or 2% of the annual global turnover, whichever is higher.
- Infringement: If an organisation is found guilty of infringing the principles of data processing and/or in violation of the data rights of an EU citizen, it can face a fine of up to €20 million or 4% of the annual global turnover, whichever is higher.
The level of these administrative fines depends on various factors. The nature, gravity, and duration of the infringement are all considered, as is whether the infringement was intentional or negligent. Actions taken by the controller/processor in question to mitigate the impact of the breach on data subjects are also taken into account. Other factors considered while determining administrative fines are the degree of responsibility assumed by the data controller/processor in implementing technical and organisational measures, any previous record of data infringements, and compliance with approved certification mechanisms or codes of conduct.
Assessing GDPR readiness: The first step towards getting ready for a new data privacy paradigm
The key aspects for Indian organisations to be mindful of, to take stock of their GDPR readiness and to identify major gaps that need to be plugged, are:
- Scope of data activity and the need for data protection officers (DPOs): One of the first things for businesses to gauge is the scope of their data activity and whether they are, in any capacity, collecting or processing personal data belonging to EU citizens. They must also analyse whether the data volumes are sufficiently high, or the handled information extensive enough, to require them to appoint a DPO as mandated under the GDPR.
- Data breach notification: The GDPR makes it mandatory for data controllers and processors to notify both the data subject and the supervising authority of a potential breach within 72 hours. This requires organisations to have a breach notification setup in place for the eventuality of personal data being compromised.
- Data protection impact assessment (DPIA) and rights of data subjects: Organisations also need to consider if the kind of personal data handled poses the risk of infringing upon the data rights and freedoms as stipulated by the GDPR. This includes the ‘right to be forgotten’, the ‘right to data portability’, and the ‘right to object to profiling’. It is also essential to identify what kind of mitigation strategy is in place for responding to such a risk.
- Lawful processing and consent: Data subjects have to consent to the collection or processing of any personal data. Organisations, therefore, need to ensure that processes are in place to record documented consent from data subjects prior to handling any personal information.
- Personal data protection, and privacy by design and default: Organisations must have satisfactory technical and organisational measures in place to ensure the security of personal data. Organisations must also evaluate whether such data protection and privacy measures are designed into their systems and processes, in addition to gauging the default compliance levels.
- Proof of compliance: Under its accountability principle, the GDPR requires organisations to document their compliance readiness. The proof of compliance needs to be furnished on May 25, 2018, when the law comes into force.
Another thing that Indian organisations need to pay attention to here is identifying their role in the data hierarchy, and the corresponding responsibilities. The GDPR classifies data handlers under the following two categories:
- Data Controllers
Any organisation or individual which collects personal data, as well as defines how and to what end that information will be used, is defined as a data controller. Under the GDPR, data controllers are responsible for conducting DPIAs and risk mitigation in order to identify, analyse, and address potential threats or risks to personal data of EU citizens. Controllers are also responsible for implementing measures that safeguard the rights of data subjects, as well as for ensuring that any data processor or third party associated with them is compliant with the GDPR and has signed stringent and legally binding contracts. Additionally, it is necessary for the data controller to define and document individual responsibilities and liabilities in case joint controllers are involved, as well as to implement data protection principles, both ‘by design’ and ‘by default’.
- Data Processors
In broad terms, any organisation or individual which processes personal data pertaining to EU citizens in any manner on behalf of a data controller is defined as a data processor. Data processors, as per the GDPR stipulations, are required to ensure that data processing only takes place upon written instructions from the controller. If sub-processors are used for handling personal data of EU citizens, data processors must first obtain the data controller's consent.
It is also the responsibility of data processors to ensure that any contracts with sub-processors are legally enforceable, and to assist controllers in respecting the rights of data subjects. If personal information of data subjects is to be sent to another country for further processing, data processors must first secure documented consent from the controller. Data processors must also sign confidentiality agreements with personnel who work with personal data of EU citizens, and delete or return all personal data to the controller at the end of service. Ensuring the security, confidentiality, integrity, availability, access control, and resilience of the personal data handled also falls under the ambit of data processor responsibilities.
In addition to their individual responsibilities, controllers and processors share certain common responsibilities under the GDPR. They are required to maintain records of data processing, to comply with an approved code of conduct or certification mechanism, and to implement appropriate technical and organisational measures to ensure the security of personal data. Both controllers and processors are also required to undertake regular risk assessments, testing, and monitoring in order to identify existing or prospective vulnerabilities in their systems, as well as to review and upgrade their technical and procedural safeguards from time to time. Data handlers also need to implement SOPs for identifying potential data breaches.
How MDR service providers such as Paladion can help in achieving GDPR compliance
Getting business operations compliant with the new data protection law requires a significant investment of time and a restructuring of existing processes and systems. This is where managed detection and response (MDR) service providers such as Paladion step into the picture. With a four-phase approach, Paladion can help businesses fast-track their compliance efforts, in addition to providing regular monitoring and maintenance for continued compliance.
The GDPR is a revolutionary step towards ensuring adequate security and protection for personal data, but meeting its compliance requirements will be difficult for organisations. With many organisations struggling to implement adequate measures, market studies estimate that the EU could end up collecting up to $6 billion in fines and penalties in the first year alone. With Paladion’s high-speed approach, Indian organisations can ensure that they are able to avoid the ignominy of making the non-compliance list by meeting each of the stringent requirements of the articles of the regulation.