The General Data Protection Regulation (GDPR) is widely regarded as the gold standard for data protection. The European Union's law on data protection and privacy came into application on 25 May 2018. The GDPR is a comprehensive law on data protection and privacy. It is hailed as one of the strictest data protection regimes across jurisdictions and has been instrumental in fostering a uniform data protection environment within the European Union (EU) and in prompting the introduction of national legislation.
The GDPR's primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU. The regulation contains provisions and requirements for the processing of personal data of individuals located in the European Economic Area (EEA), and applies to any enterprise, regardless of its location and the location of the data subject. Our GDPR services therefore include measures for implementing GDPR for Indian companies as well.
Scope of GDPR
GDPR is applicable to all entities operating within the EU and EEA regions. It applies in Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden, along with any national laws that these countries may enact.
The provisions of GDPR mandate compliance for processing that relates to data subjects in the European Union even if the processing takes place outside its territorial limits. The law also mandates compliance where the entity is located outside the EU but processes data in the context of activities in the EU. The focus of our GDPR services is data protection in the EU, including the implementation of data protection measures outside the EU, such as GDPR for Indian companies.
Rights of Data Subjects
The purpose of GDPR is also to lay down the rights of the data subject, the person whose data is collected and processed by a data controller, so as to ensure stricter compliance from the first stage of processing to the last. All information conveyed to the data subject must be clear and unambiguous.
GDPR provides data subjects with the following rights:
- Right to Access: The right to access information about how their data is being processed.
- Right to be Informed: The right to be informed of the specifics of the processing of their data.
- Right to be Forgotten: The right to request erasure of the data they have shared.
- Right to Objection: The right to object to, and thereby restrict, the processing of the data they have shared.
- Right to Restrict Processing: The right to limit the processing of their data to the purpose for which it was collected.
- Right related to automated individual decision making: The right not to be subjected to decisions taken by the controller solely on the basis of automated means.
- Right to Withdraw Consent: The right to restrict the processing of their data once they withdraw consent.
The core principles embedded in the GDPR, which also provide the framework for holistic data protection, place an obligation on data controllers to afford every processing operation the requisite layers of protection.
- Processing must be lawful, fair and transparent with regard to the data subject.
- The legitimate purpose of the processing must be specified and expressly conveyed to the data subject.
- Data controllers must also comply with the principles of data minimisation, storage limitation and accuracy, and must maintain the security, integrity and confidentiality of the data by implementing adequate security measures.
- To demonstrate GDPR compliance, your organisation must adopt a range of data protection measures, such as appointing a Data Protection Officer, establishing data protection by design, assigning data protection responsibilities within the team, and conducting adequate training and awareness exercises.
Our services ensure GDPR compliance for Indian companies as well as for companies located elsewhere in the world.
Legal Basis for processing of Data under GDPR
Article 6 of the GDPR sets out the legal bases on which data may be processed under the law. Processing of data is lawful only if one of the following circumstances applies:
- Consent: the controller has obtained clear and affirmative consent from the data subject for the processing of their personal data for a specific purpose.
- Public interest or official authority: processing of personal data for the purpose of carrying out a task in the public interest or in the exercise of official authority is permitted under GDPR as a legal basis.
- Legal obligation: a controller may process personal data where necessary to comply with a legal requirement.
- Contract: processing that is necessary for the performance of a contract forms a legal basis for processing personal data for that specific purpose.
Exceptions to Consent Requirement under GDPR
Under Article 6 of GDPR, data processing is permitted only where the data subject has granted specific, unambiguous consent to the processing. However, GDPR also provides that data may be processed without consent where such processing is necessary for the performance of contractual or legal obligations, or to protect the vital interests of the data subject or of another natural person. Processing is also allowed where it is necessary for the performance of a task in the public interest or in the exercise of official authority, or for a legitimate interest.
Article 51 of GDPR provides that each Member State must establish one or more independent public authorities, known as Supervisory Authorities, responsible for monitoring the application of and compliance with GDPR. The GDPR also requires the complete independence of these Supervisory Authorities so that they remain free from external influence when performing their tasks and exercising their powers under GDPR. They enjoy wide powers of investigation and correction and can also issue guidance and directives to the public. Under Article 77, individuals have the right to lodge a complaint with a supervisory authority. All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them, or against its failure to make a decision. Data subjects also have a legal remedy against any action of the processor or controller.
GDPR derives its stringency from the substantially high fines and penalties it imposes on organisations for non-compliance with its provisions. These fines are designed to scale with the size of the organisation responsible for the non-compliance. There are two tiers of fines, and the tier applied depends on factors such as the nature and gravity of the infringement, intent, damage caused and mitigation efforts.
The first tier of penalties is up to €10 million or 2% of the company's global annual turnover for the previous financial year, whichever is higher. The second tier is up to €20 million or 4% of the company's global annual turnover for the previous financial year, whichever is higher.
Our GDPR Services
We offer the following services to our clients as part of our GDPR Implementation Programs, which also provide GDPR services for Indian companies:
- Implementing Privacy Ecosystems
- Providing Data Protection Impact Assessments
- Providing GAP ecosystems
- Acting as a Data Protection Officer
- Data Protection and Privacy Consulting and Advisory
- Evaluating and monitoring compliance levels from a legal standpoint under various jurisdictions
- Drafting relevant agreements and policies for securing consent, provision of notice, etc.
- Suggesting security and privacy best practices, policies and standards
- Developing mitigation plans for possible privacy breaches
- Assisting with disputes in the realm of data protection and privacy, if any
- Delivering training on the legal provisions to the teams concerned
Benefits of the GDPR Implementation Program
As part of our Data Protection Services, we deliver our GDPR Services through an Implementation Program based on our five-phase approach.
- Implementation for clients located in the EU, India or elsewhere
- End-to-end support throughout the project
- Development, as part of the project, of a protection toolkit (including draft agreements, security and privacy best practices, policies, etc.) and an incident management system
- Efficient and effective compliance with privacy laws
- Recognising, assessing and strategising the handling of personal data within your organisation
- Adapting, improving and leveraging your existing privacy compliance in order to comply with the legislation
- Responding to data subject rights requests and fulfilling business obligations under the legislation
- Managing policies and notices and maintaining data privacy structures within the organisation
- Providing an effective solution to all organisational privacy requirements
- Cost-effective privacy compliance solutions delivered by subject matter experts
- Implementation of the privacy program by industry professionals with prior experience at MNCs in the EU region
Along with GDPR implementation, we provide assistance with maintaining compliance with GDPR obligations as part of our GDPR Consulting Services.