This PDF 1.5 document has been generated by Microsoft® Word 2013, and has been sent on pdf-archive.com on 29/03/2018 at 12:31, from IP address 114.29.x.x.
Call : +91-020-26434646
visit : www.sphinx-solution.com
ADVANCED GUIDE TO THE GENERAL DATA PROTECTION
“Data protection used to be a cause of concern for every country in Europe, leading to
remarkable differences. From now on, the situation is expected to change because a unique law
that applies equally to each EU member state is coming.”
GDPR is yet another abbreviation for every company doing business in Europe to memorize.
GDPR stands for General Data Protection Regulation, a new set of rules created by the EU that
replaces various other data management and data protection laws around Europe. The GDPR
will replace the Data Protection Directive 95/46/EC of 1995 and is expected to affect the Data
Protection Act 1998 in the UK as well as the current Freedom of Information Act 2000 (FOIA).
Current Challenges in Personal Data Protection
The landscape of data privacy threats is evolving ever faster, forcing organizations to face the
bitter reality of significant risks, stronger enforcement and the increasing urgency of managing
and protecting personal data. The growing number of data breaches, and the way they are made
public, further aggravate these challenges. One of the major challenges faced by many
organizations is coping with the data protection rules, regulations, policies, and processes that
overlap with the current set of organizational, business and
Here are some of the challenges faced in personal data protection:
- Perhaps due to a lack of awareness of the legal and financial consequences, organizations
lack discernment for security.
- There is no standard data protection protocol within organizations, leading to no control over
compliance with security policies.
- Business owners lack the interest to take ownership of, or accountability for, personal data.
- A huge amount of data is generated, with unwillingness or inability to analyze and subdue it.
- IT trends like cloud, mobility and virtualization increase the complexity of business-critical
systems and drive up the cost of locating, classifying and protecting information.
- About 36% of business-critical applications are already in the cloud, and statistics claim that
the IT departments concerned are not aware of about half of them.
The Need to Implement GDPR
The General Data Protection Regulation is an effort to update data protection for the 21st century,
in which people grant permission to share their personal information across various online
platforms in exchange for ‘free services’. The revised EU data protection framework was finally
adopted after about four years, on 8 April 2016. The GDPR will replace the current Directive and
will be directly applicable in all Member States without the need for implementing national
legislation. It will take effect on 25 May 2018. The law applies not only to European
organizations using personal data but also to organizations based outside the European
Union (EU).
There are two major objectives behind the introduction of GDPR. First, to give people a clear
view of how their data is being used, especially when tech giants like Amazon, Google,
Twitter, and Facebook are offering free services to users in exchange for their data. (In a recent
scandal, Cambridge Analytica harvested about 50 million Facebook profiles to compromise the
2016 US election, a classic example of how these tech giants manipulate a user's personal data.)
The second objective is to give organizations a clearer regulatory environment that
dictates how they need to behave. By making data protection guidelines uniform across all the EU
states, it is expected that EU companies will collectively save €2.3 billion per year.
Key Points in GDPR
As its makers say, “The GDPR is not a revolution but a mere evolution of current EU laws.” The
GDPR is expected to strengthen data subjects' rights along with the enforcement capabilities.
GDPR makes it mandatory for all organizations and companies processing data of EU
citizens to comply with its rules and regulations.
The GDPR emphasizes consent, control, and clear explanation, intended to raise users'
understanding of the way they are monitored online. Ever since the internet and the
commercial web penetrated our lives, organizations have been motivated to compile users' data for
monetization. Hence, the EU has empowered its citizens to opt in instead of bearing the burden of
opting out.
Here are some key points in GDPR:
- Stronger proof of consent: Unequivocal consent is a must if organizations are collecting
non-sensitive personal data. Explicit consent is mandatory if a company or organization
working in the EU or working for the citizens of the EU wants to collect sensitive personal data
such as a user's mental or physical health data. Organizations may well need extra effort to
understand the terms ‘explicit’ and ‘unambiguous’ in their true sense. Nevertheless, from
here on companies must work harder to demonstrate whether consumers
- Data Portability: The new GDPR draft empowers users with the right to data portability.
Thus, consumers are now free to obtain and reuse their personal data across different service
platforms at will. Undoubtedly, this user-centric approach will make it a lot easier for
consumers to switch between services, avoiding the problem of ‘lock-in’.
- Right to Erasure: From now on organizations will generate personal data but will no longer
own it. ‘Right to Erasure’ is the official term for data that needs forgetting. Using this
rule, consumers can now ask organizations to erase their personal data, preventing its use
in specific circumstances. Although there are numerous exceptions, the new right to erasure
builds on the right to be forgotten established in ECJ case law in 2014.
- GDPR Breach Notification: GDPR in no sense promises a reduction in data breaches or
hacking of personal data. Remember, a personal data breach has the potential to have
detrimental effects on the life of an individual (for example online shaming, loss of
confidentiality or financial loss). In such an event, it is the duty of the organization where
the personal data breach takes place to inform the individual and report it to the relevant
supervisory authority, or face a fine.
- Direct representation by NGOs: GDPR empowers consumers all over the EU with the
right to ask a suitable NGO to bring claims against data processors on their behalf. In
addition, GDPR authorizes EU countries to grant such NGOs the right to take collective
action. It is believed that this might result in a significant increase in the number of class
action suits as soon as GDPR comes into effect.
- Ownership & Accountability: The GDPR requires organizations to document their
compliance with a new set of rules and standards. Everything from recordkeeping obligations
to the use of privacy impact assessments needs prompt reporting. According to the new GDPR
draft, a public body involved in data processing activities needs to appoint a data protection
officer, as do companies whose core activities involve data processing that requires regular
monitoring of individuals. Thus, organizations are free to appoint a data protection officer
or EU legal representative to help them understand, implement, and comply with
- Fines & Penalties: Penalties for companies who fail to meet the new GDPR requirements
have increased to up to €20 million or 4% of annual global turnover, whichever is higher.
- International implications: It does not matter from which location you are processing the
personal data of EU citizens, nor do the rules in force where that data is processed. What
matters is whether your organization or company is specifically targeting EU citizens to
monitor their online behavior; if so, it needs to comply with GDPR irrespective of where it
is located.
One PwC survey affirms that more than 68% of U.S.-based companies will have to spend about
$1 to $10 million, and another 9% are ready to spend more than $10 million, on preparing to
meet GDPR requirements.
About 1 million new malware threats appear every day. Consequently, the recent Facebook
scandal and the repeated growth in targeted attacks and advanced persistent threats have caused
companies to be more reactive in their approach to cybersecurity. In such an unsure and insecure
environment, GDPR compliance will definitely offer a competitive advantage to organizations.
Moreover, it will help boost consumer confidence in companies and the way they handle
personal data. More importantly, the technical and process improvements will result in more
efficient management and data security by EU-based organizations.
Taking GDPR lightly is not an option for organizations dealing with the personal data of EU
citizens. Ignoring or underestimating the GDPR regulations is a great risk one should not take.
We hope you have read and understood the GDPR guidelines and the necessity of complying with
them; are you still confident that your organization is ready to meet the GDPR requirements? If
not, then get in touch with us.
USA : +1 732-947-4310 | UK : +964 0771 7777 916 | Malaysia : +6017-2126274
IRAQ : +964 0771 7777 916 | BRAZIL : +55 21 2258-7260 | INDIA : +91-020-26434646
Copyright© 2018 Sphinx Solutions Pvt Ltd. All rights reserved.