The General Data Protection Regulation (GDPR) is the regulation adopted by the European Union (EU) for the protection of the personal data of individuals. It also governs the transfer of personal data to countries outside the EU. The EU adopted the GDPR in April 2016 and it becomes enforceable on 25 May 2018. This means that everyone falling within the ambit of GDPR has to be GDPR compliant by 25 May 2018 (GDPR certification under Article 42 is voluntary, but it is one way of demonstrating compliance).
Update your data protection policy and become GDPR compliant by getting in touch with cyber crime lawyers.
The EU has replaced its existing data protection law, the 1995 Data Protection Directive, with the General Data Protection Regulation, which applies from 25 May 2018. The objective of GDPR is to protect the personal data of individuals by recognising their rights and freedoms in relation to data processing. The scope of GDPR extends to any company which processes the personal data of EU residents, whether or not the company is located in the EU.
Companies have increasingly used consumer data for marketing purposes, with little effective legal restraint. GDPR imposes more stringent compliance obligations, and failure to comply attracts fines and penalties.
GDPR protects personal data from being misused. To understand the procedure and compliance requirements of GDPR it is first necessary to understand what comes under the definition of personal data.
As per the guidance of the UK Information Commissioner's Office (ICO), personal data is any information relating to a person who is, or can be, identified directly or indirectly through that information. Simply put, any information which clearly relates to an identifiable person is personal data. The definition in GDPR is deliberately broad and its list of identifiers is not exhaustive, which leaves scope for a wide interpretation of the term personal data.
Article 4(1) of GDPR defines personal data as follows: “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
GDPR applies to personal data as well as to the special categories of personal data, commonly called sensitive personal data.
ICO guidance describes sensitive personal data as data which is more sensitive by nature and therefore needs more protection. Article 9 of GDPR lists the special categories as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a natural person's sex life or sexual orientation. Processing of these categories is prohibited unless one of the specific conditions in Article 9(2) applies.
GDPR applies to data controllers and data processors. Under Article 4(7), a controller is the person or body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Under Article 4(8), a processor is the person or body which processes personal data on behalf of the controller. The distinction matters in practice: the controller decides why and how personal data is processed and carries the primary responsibility for compliance, whereas the processor acts only on the controller's documented instructions.
The responsibility of the data controller when engaging a processor is given under Article 28(1) of GDPR: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
GDPR imposes the following obligations on data controllers:
Data protection by design and by default (Article 25) - Data controllers must build data protection into new products, services and processing operations at the design stage, and must ensure that, by default, only the personal data necessary for each specific purpose is processed.
Distribution of responsibilities between joint controllers (Article 26) - Where two or more controllers jointly determine the purposes and means of processing they are joint controllers, and they must set out in a transparent arrangement their respective responsibilities for complying with GDPR. Under Article 82, each joint controller can be held liable for the entire damage caused by the processing unless it proves that it is not in any way responsible for the event giving rise to the damage.
Records of processing activities (Article 30) - The data controller has to maintain written records of the processing activities carried out under its responsibility.
Appointment of a processor (Article 28) - A data controller can engage a data processor only under a written and binding data processor agreement (a contract or other legal act). The agreement must set out the subject matter, duration, nature and purpose of the processing and the obligations the processor is required to adhere to.
Data breach notification to the supervisory authority (Article 33) - The data controller must notify a personal data breach to the supervisory authority (the data protection authority, DPA) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Informing the organisation's own data protection officer does not discharge this obligation.
Data breach notification to affected data subjects (Article 34) - Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must communicate the breach to the affected data subjects without undue delay.
GDPR talks about the protection of data, but what kind of data is actually protected under the General Data Protection Regulation? The data protected under GDPR is data from which a natural person is identifiable. Thus, the following data is protected by GDPR:
Basic identity information such as name, address and ID numbers
Web data such as location, IP address, cookie data and RFID tags
Health and genetic data
Racial or ethnic data
Indian companies might wonder why they have to comply with GDPR. The answer is simple: GDPR applies to a company which stores, uses, controls or processes the personal data of individuals in the EU even if it has no physical business presence in the EU. Under Article 3, a company has to be GDPR compliant if:
It has an establishment in the EU and processes personal data in the context of that establishment, or
It has no establishment in the EU but offers goods or services to individuals in the EU or monitors their behaviour.
The size of the company does not decide applicability. The 250-employee threshold that is often mentioned concerns only the record-keeping obligation under Article 30: a company with fewer than 250 employees is exempt from keeping records of processing unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions.
Get your GDPR compliance done on priority from the best cyber crime lawyers, as the deadline for mandatory GDPR compliance, 25 May 2018, is approaching.
Data protection laws are the set of regulations, policies and provisions which deal with the protection of personal data when privacy is invaded through the collection, use, storage or dissemination of personal data. The Supreme Court of India recently recognised the Right to Privacy as a Fundamental Right (Justice K.S. Puttaswamy v. Union of India, August 2017), and GDPR compliance is mandatory for Indian companies dealing with the personal data of EU residents. India has no specific data protection law, though the Information Technology Act, 2000 provides civil and criminal consequences for misusing personal and sensitive personal data or wrongfully disclosing personal data. Section 43A provides for compensation where a body corporate handling sensitive personal data is negligent in implementing reasonable security practices, and Section 72 provides that anyone who, having obtained access to electronic records or information under powers conferred by the Act, discloses it without the consent of the person concerned shall be punishable with imprisonment of up to two years, or a fine of up to Rs. 1,00,000, or both.
With the focus on protecting privacy, organisations handling EU personal data must be GDPR compliant by 25 May 2018. To be GDPR compliant, follow the GDPR compliance checklist given below:
Be prepared for what is coming - Senior management needs to know what is coming and understand the risks of not complying with GDPR. Get in touch with experienced cyber crime lawyers to help you become GDPR compliant.
Be accountable - GDPR requires controllers to be able to demonstrate compliance (the accountability principle, Article 5(2)). The ICO advises organisations, whether large or start-ups, to audit the personal data they hold or control against the following questions:
Why are you holding it?
How did you obtain it?
Why was it originally gathered?
How long will you retain it?
How secure is it, both in terms of encryption and accessibility?
Do you ever share it with third parties, and on what basis might you do so?
Review of personal privacy rights - Most data protection laws grant broadly similar rights with minor differences. To be GDPR compliant one needs to be familiar with the following rights of data subjects under GDPR (Articles 12-22):
The right to be informed
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
The right of access
Rights in relation to automated decision making and profiling
Lawful basis - To process personal data under GDPR one must have a lawful basis. Article 6 provides six lawful bases for processing: consent, performance of a contract, compliance with a legal obligation, vital interests, public task and legitimate interests. Data protection policies have to identify and document which of these bases applies to each processing activity.
Appointment of a data protection officer (Article 37) - A data protection officer (DPO) must be appointed where the organisation is a public authority, where its core activities require regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special categories of data or data relating to criminal convictions. Other organisations may appoint a DPO voluntarily to oversee the data protection strategy and compliance programme.
Data breach - GDPR breach notification requirements provide that a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If notification is made after 72 hours, the reasons for the delay must be given.
Adopt a privacy by design approach - Build data protection into systems, products and processes from the outset rather than adding it afterwards. Get help preparing your GDPR compliance approach through MyAdvo.
A data breach, or breach of data protection, simply means that personal or sensitive personal information has been accessed by or disclosed to a third party who is not authorised to receive it. Article 4(12) of GDPR defines a personal data breach more precisely as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; loss or destruction of the data therefore counts as a breach too, not only disclosure. Data breaches in general may also involve information such as health records, intellectual property and trade secrets, but GDPR is concerned with breaches affecting personal data.
ICO guidance distinguishes a security incident from a personal data breach: every personal data breach is a security incident, but a security incident which affects no personal data is not a personal data breach under GDPR. A personal data breach must be reported to the supervisory authority within 72 hours unless it is unlikely to result in a risk to individuals, and where it is likely to result in a high risk the affected data subjects must also be informed without undue delay.
GDPR provides for the following fines and penalties in case of non-compliance, including a data breach:
Administrative fines - GDPR imposes stiff administrative fines on data controllers and processors for non-compliance.
Determination of fines - The supervisory authority of each Member State can impose fines for infringements of GDPR. Article 83(2) sets out the following 10 criteria to be used in deciding whether to impose a fine on a non-compliant organisation and its amount:
Nature of infringement: the number of people affected, the damage they suffered, the duration of the infringement, and the purpose of the processing
Intention: whether the infringement is intentional or negligent
Mitigation: actions taken to mitigate damage to data subjects
Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
History: past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just GDPR, and (Article 83(2)(i)) past administrative corrective actions under GDPR, from warnings to bans on processing and fines
Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
Data type: what types of data the infringement impacts
Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement
Amount - Where an organisation infringes several provisions of GDPR through the same or linked processing operations, the total fine shall not exceed the amount specified for the gravest infringement (Article 83(3)); fines are not stacked provision by provision. That may not offer much relief considering the amounts possible. Lower level - Up to €10 million, or 2% of the worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of:
Controllers and processors under Articles 8, 11, 25-39, 42, 43
Certification body under Articles 42, 43
Monitoring body under Article 41(4)
Upper level - Up to €20 million, or 4% of the worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of:
The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
The data subjects’ rights under Articles 12-22
The transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49
Any obligations pursuant to Member State law adopted under Chapter IX
Any non-compliance with an order by a supervisory authority (Article 83(6))