GDPR: Full Form, Impact on India, New Rules, Penalties, Background
GDPR is the EU General Data Protection Regulation. It replaces the EC Data Protection Directive (95/46/EC) and the national laws that implemented it: the Data Protection Act (DPA) 1998 in the UK, the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 in Ireland, and the equivalent statutes across the other EU Member States.
The European Union’s (EU) General Data Protection Regulation (GDPR), which takes effect from 25 May 2018, lays down strict rules for handling the personal data of users and specifies new requirements for collecting, storing and securing personal data, and for sharing it with third parties.
- The new privacy law (GDPR) seeks to harmonise the scattered data protection laws in the EU and envisages stringent penalties under it. It replaces the existing EC Data Protection Directive (95/46/EC).
- GDPR seeks to enhance the data privacy rights of users and imposes certain new responsibilities upon data controllers and processors.
- The new law endeavours to create a model for a data protection and privacy framework that will be able to keep pace with rapid advancements in technology.
- Most importantly, GDPR attempts to give back to individuals control over their personal data, while recognising the protection of one’s personal data as a fundamental right.
Background of GDPR
- In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’.
- Almost four years later, agreement was reached on what that involved and how it will be enforced.
- One of the key components of the reforms is the introduction of the General Data Protection Regulation (GDPR).
- This new EU framework applies to organisations in all member-states and has implications for businesses and individuals across Europe, and beyond.
New rules, penalties and global scope of the GDPR
New definition of personal data:
- Under the GDPR, personal data is any information that relates to an identified or identifiable individual. For example: name, address, email address, location data or a computer’s IP address. Special categories of data, such as religious beliefs, racial or ethnic origin, sexual orientation, trade union membership, and genetic, biometric or health data, are subject to extra protections.
- The GDPR provides two tiers of administrative fines. Less serious infringements (for example, failing to keep records or to notify a breach) can attract fines of up to 10 million euros or 2 per cent of the company’s worldwide annual turnover; serious infringements (for example, breaching the basic principles of processing, consent rules or data subject rights) can attract fines of up to 20 million euros (about $24 million) or 4 per cent of worldwide annual turnover. In each tier, whichever amount is higher applies.
Stricter rules on consent:
- Consent is one of several lawful bases for processing personal data (the others include performance of a contract, a legal obligation and the controller’s legitimate interests). Where a company relies on consent, it must be freely given, specific, informed and unambiguous, and must be given by a clear affirmative action: users must actively opt in, and a pre-ticked box or a mere opt-out will not be valid. In other words, companies will no longer be able to bury consent in a long set of terms and conditions that most people never read. Consent must also be as easy to withdraw as it was to give.
- The GDPR applies to any controller or processor established in the EU, wherever the processing takes place, and also to companies outside the EU that offer goods or services to people in the EU or monitor their behaviour. A company does not need an EU office to fall within its scope.
New rules for data processors:
- The GDPR distinguishes between data “controllers” and data “processors”.
- A data controller determines why personal data must be collected and processed as well as how.
- A data processor only processes personal data on behalf of the controller and is usually a third-party company.
For example: A retailer that hires a human resources company to handle payroll and other functions is the data controller, while the human resources company is the data processor. Under GDPR, processors have direct legal obligations of their own (for example, to keep records of processing, to secure the data and to report breaches to the controller) and must provide sufficient guarantees that they meet the requirements of the law. There must be a written contract between the controller and the processor setting out the subject matter, duration and purpose of the processing, and a processor may not engage a sub-processor without the controller’s prior written authorisation.
Data breach notifications:
- Controllers must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The clock starts at the moment of awareness, not discovery of the full facts: if all the details are not yet known, the notification can be made in phases, and any delay beyond 72 hours must be justified. Every breach, notified or not, must be documented internally.
- If the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected people without undue delay, unless the data was rendered unintelligible (for example, by encryption with a key that was not compromised) or equally effective mitigating measures have since been taken.
- The GDPR introduces a “one-stop shop” mechanism to make it easier for companies operating across the EU, for example Facebook, Google and Mastercard. Companies processing data across the bloc will have a lead authority in the country where they have their main establishment, for example Facebook in Ireland.
- The lead authority will be the main point of contact for the company and responsible for ensuring its compliance with GDPR.
- In cases involving citizens from several countries the lead authority will coordinate with other “concerned” authorities.
- If there are disputes between authorities, a new body, the European Data Protection Board (EDPB), can make binding decisions.
Stronger rights for people in the EU
- Data subjects in the European Union will get the right to:
- Receive clear and understandable information about who is processing their data and why
- Access data an organisation holds about them
- Ask for personal data to be erased if there is no longer any legitimate reason to keep it
- Have data corrected if it is incorrect
- Move data from one service provider, such as an email service or social network, to another.
What does the GDPR bring?
Right to erasure (the “right to be forgotten”)
- Data subjects are entitled to require a controller to delete their personal data if the continued processing of those data is not justified.
The right to restrict processing:
- In some circumstances, data subjects may not be entitled to require the controller to erase their personal data, but may be entitled to limit the purposes for which the controller can process those data.
Notifying third parties regarding rectification, erasure or restriction:
- Controllers must inform each recipient with whom they have shared the relevant data that the data subject has exercised those rights, unless this proves impossible or involves disproportionate effort. The controller must also tell the data subject who those recipients are if asked.
Right of data portability:
- Data subjects have the right to receive a copy of the personal data they provided to a controller in a structured, commonly used, machine-readable format, and to transmit it to another controller (for example, to move account details from one online platform to another). Where technically feasible, they can require the data to be transmitted directly from one controller to the other.
- The right applies only where the processing is based on consent or on a contract and is carried out by automated means; it does not extend to data the controller derived or inferred about the person.
Right to object to processing:
- Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data, where the basis for that processing is either: public interest; or legitimate interests of the controller.
Right to object to processing for the purposes of direct marketing:
- Data subjects have the right to object to the processing of personal data for the purpose of direct marketing, including profiling.
EU GDPR: The implications for Indian companies
Why should we bother about a European data protection rule?
- GDPR replaces the 1995 Data Protection Directive and is aimed at protecting the personal data of individuals in the EU, regardless of their nationality, in the digital world.
- The regulation applies directly in all EU member states, so any global enterprise with operations in the EU, or that offers goods or services to or monitors people in the EU, must comply.
- Europe is a significant market for the ITeS, BPO and pharma sectors in India.
- The size of the IT industry in the top two EU member states (Germany and France) is estimated to be around $155–220 billion.
What are the implications of the new regulation?
- The rules will also apply to companies whose activities target data subjects in the EU.
- The definition of personal data now explicitly includes location data, IP addresses, and identifiers such as genetic, mental, economic, cultural or social identity of a natural person. Individuals will have stronger rights over their personal data.
- The new rights include the right to be forgotten, the right to data portability, the right to object to profiling. Consumer consent to process data must be freely given.
What if Indian firms do not comply with GDPR?
- Flouting the rules can attract a maximum fine equivalent to 4% of an organization’s global annual revenue or €20 million, whichever is higher.
Are there any positives to the EU GDPR?
- Indian companies are likely to face increased compliance costs on the back of GDPR or risk huge penalties if they fail to comply.
- But they could see it as a business opportunity.
- Moreover, following the Supreme Court’s 2017 verdict in the Puttaswamy case recognising privacy as a fundamental right, a data protection framework has been proposed by the Justice B. N. Srikrishna Committee in India.
- Of course, whether the resulting legislation will be judged to offer protection “essentially equivalent” to the GDPR, the standard the EU applies when deciding whether personal data may flow freely to a non-EU country, remains to be seen.
How should Indian companies prepare for the EU GDPR?
- They should map what EU personal data they hold and why; review their policies, procedures and existing privacy programmes; impart data privacy training to employees; and review or update contracts signed with third-party vendors and sub-processors, among other things.
- Indian companies also need to evaluate how equipped they are for audits by their EU customers and, where applicable, for breach-reporting deadlines, and put appropriate technology and record-keeping in place to support them.