Does your firm or startup have a presence in the European market? Does your company provide Information Technology and ITeS, pharmaceutical, financial or data processing services to European clients? If yes, then the clock is ticking and you must comply with the new, strict and nuanced GDPR framework introduced by the European Union for data handling.
Data offers a competitive edge and helps businesses differentiate themselves. It is at the heart of the technological evolution and is helping to usher in a new era of artificial intelligence. Unfortunately, companies like Uber, Pizza Hut, Clarksons, Deloitte, Equifax, Zomato, etc. have all reported loss of consumers' personal data. This unceasing rise in data leaks has stirred concerns over the way firms use consumer data for marketing and other purposes. The Facebook-Cambridge Analytica data fiasco has yet again reignited the debate around data protection and data privacy all around the world.
To put new data protection standards in place, the European Union is rolling out the General Data Protection Regulation.
This is a comprehensive set of rules put forward to strengthen data protection and the privacy of users globally. The primary aim of the regulation is to give users full control over their data.
This regulation will come into force on 25th May 2018, and any non-compliance will attract a fine of up to 20 million pounds or 4% of the company's global turnover.
As per a survey, presently only one-third of Indian IT services firms are compliant with the European data protection law. EY reports that around 60% of Indian companies are still unfamiliar with this new regulation. The size of the Information Technology industry in Germany and France alone, i.e. the top two European member states, is estimated at around 155-220 billion USD. It is considered an important market for firms operating in the business-to-business segment. GDPR is slated to have global ramifications, and huge fines and stringent compliance requirements can lead to the shutdown of start-ups.
What is GDPR?
GDPR is a new set of rules introduced for data protection by the European Union. As per these new regulations, organizations are required to obtain the data of citizens legally and under strict conditions. These rules are aimed at simplifying the regulatory environment for both citizens and businesses so that they get the maximum benefit from the digital economy. GDPR will govern how the data of European citizens is obtained and processed.
Is it applicable to you?
Article 3 (Territorial scope) of the regulation categorically states that it applies to all companies regardless of whether the processing takes place in the EU or not. Even if a company has no office in the EU and does not operate there, the law applies to it as long as it handles the personal data of EU citizens.
What are the obligations for companies?
In order for companies to become GDPR compliant they must:
1. Warrant Data Security:
Companies are required to ensure that the data they deal with is protected from any further, unauthorised processing. For this purpose, the company must implement measures that safeguard the personal data of citizens from any unauthorised use, loss, damage or alteration.
2. Ensure Data Accuracy and Integrity:
Organisations must implement practices that ascertain data accuracy and integrity and substantially reduce the risk of data loss.
3. Effectively manage Data Breaches:
Build a system to handle personal data breaches effectively. Implement appropriate measures to minimize the loss and notify the public authority within 72 hours of such a breach.
How to become GDPR compliant in India?
Companies require a robust programme to become GDPR compliant. In order to implement these rules, it is pertinent that every stakeholder of the company takes the requisite steps to become GDPR compliant. Accordingly, they must also train their employees on handling personal data appropriately. Also, they must:
1. Undertake a data-discovery activity:
A company must know for what purpose it is collecting data, where the data is stored and how it is processed within the company.
2. Take prior consent:
As per the GDPR norms, consent should be freely given. Thus, organizations taking consent from consumers must ensure that it is specific, informed and unambiguous. The company is required to carefully review how it seeks, records and manages consent to process data, and to implement a sophisticated framework to obtain and record consent.
3. Maintain a record:
An organization must keep a complete record of the personal data it holds and of how this data flows in and out. It must also keep a record of everyone who has access to the personal data.
The only way to save oneself from an unwanted hefty penalty is to draft a policy for handling consumer data in consonance with GDPR. So be aware, acknowledge the changes, and complete all the preparation and required paperwork to comply with the new, strict and nuanced framework.