Why GDPR Compliance is Important

By Pallavi Sengupta

GDPR is a regulation that sets out specific requirements with which businesses must comply to protect the personal data privacy of EU citizens. The regulation also covers the monitoring of personal data that is exported outside the EU. The European Parliament adopted the GDPR in April 2016, replacing a rather outdated data protection directive from 1995.

The GDPR regulations are uniform across all 28 countries in the EU. Some organizations may need to make a sizeable investment to become compliant, especially if they do not currently have the required processes in place. Nevertheless, irrespective of the expense that GDPR compliance calls for, following the regulations has become a mandate, owing to growing public concern over how data is collected, stored and shared.

It is important to note that Europe was always aware of the importance of protecting the public's personal data and had, therefore, already implemented the Data Protection Directive in 1995. This was when the Internet was yet to become the hub of business. However, with time, the need for a more detailed regulation was recognised and implemented in the form of the GDPR.

The Data that GDPR protects

The regulation covers the protection of the following data:

  • Personal data that relates to an identified or identifiable individual, for example:
    • name, address, and/or ID numbers
  • Web data such as location, IP address, cookie data, and RFID tags
  • Special category information, for example:
    • Health and genetic data
    • Political opinions
    • Biometric data
    • Racial or ethnic data
    • Sexual orientation

Owing to the advantages that GDPR has to offer, industry giants have accepted the compliance norms in a positive way. According to a survey done by PwC, 92 percent of US companies consider GDPR a top data protection priority. Furthermore, 68 percent of US-based companies expect to spend $1 million to $10 million to meet the GDPR requirements, and another 9 percent are willing to spend more than $10 million. In fact, to give exclusive attention to GDPR compliance, companies are now considering ways to create the position of a Data Protection Officer (DPO) who will be responsible for addressing issues related to the new data regulation.

Things to be considered for compliance

Being GDPR compliant is not easy. Thorough planning is required, and several factors need to be considered. Some of these factors are as follows:

  • The storage, transfer, access, and security of electronic information
  • Document retention schedules and their implementation
  • Written proof of compliance
  • Documentation pertaining to data protection
  • Type of data that is being stored and transferred
  • Incorporation of newly-created data
  • Data accessibility
  • Data content

Under certain circumstances a Data Protection Officer is required. Part of their role is to follow a strict protocol to identify the personal data that the company processes and to ensure its protection under the guidelines of the GDPR. In short, following these protocols makes a company eligible for GDPR compliance.

Data mapping: It is impossible to ensure security if the DPO does not know the location or the content of the corporate data. If the data map for the corporation is incomplete, a discussion with the company's IT stakeholders should be held. Going forward, collaboration between all business areas, IT, management, and the corporate legal department is very important for a comprehensive data management plan, which in turn is a significant step toward GDPR compliance. It is to be noted that personal data held by third-party providers, including cloud service vendors and data archival companies, also comes under the purview of GDPR compliance.

Understanding the content of the personal data: Companies should understand the nature of the personal data that they are storing, and not just identify where the data is stored. They should understand whether the personal data is legally binding by nature (as in contracts and agreements) or what other legal basis they have for processing the personal data.

Taking the customer's consent: Consent of an individual is one of the bases for data storage and transfer. A company must obtain a clear affirmative statement from a customer allowing it to process and use their data. On similar lines, an individual has the right to know where their data is being stored and how it is being processed. They also have the right to challenge the company for storing inaccurate information, demanding correction or deletion. It is to be noted that consent is not the only basis for processing personal data. Under GDPR there are six legal bases that can be applied to the processing of personal data; these are:

  • Consent
  • Contract
  • Legal Obligation
  • Vital Interests
  • Public Task
  • Legitimate Interests

Sending security alerts: It is important for a company to have competent technical support to avert data breaches. If a breach does occur, the company should have provisions in place to inform both the affected individuals and the relevant parties within the company. The company should be able to tell its customers specifically what was exposed. The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. Companies must do this within 72 hours of becoming aware of the breach.

Monitoring data transfer: GDPR places great restrictions on personal data transfer. Corporate entities should have an enforceable plan to prevent unauthorized data transfers. Transfer of data outside the EU should meet the GDPR requirements first. A series of questions about the content of the data needs to be answered. If the data is extremely sensitive, additional restrictions must be imposed. If needed, the permission for transmission can also be revoked.

Penalty for non-compliance

After the compliance deadline of May 25, 2018, companies that failed to be GDPR compliant faced hefty fines. For instance, organizations holding data of EU customers faced a fine of up to EUR 20 million or 4 percent of their total global revenue for the preceding fiscal year, whichever was higher.

In a nutshell, GDPR should not be taken lightly. Business entities, big or small, that process EU personally identifiable data should implement the regulations immediately to ensure a secure environment for their customers. After all, a safe environment for data is essential for sustainable business opportunities.