General Data Protection Regulation (GDPR) - Requirements and facts

Date: 30 Jul, 2021

Post by Adv. Kishan

Data breaches happen every single day in this digital world, yet most of the companies responsible for them find a way out of the resulting cases without paying any price for the damage. The entire concept of the GDPR revolves around protecting the personal information of natural persons in the EU, and the use made of that information, from the individuals, companies, or organizations that process it. The protection does not extend to legal persons or to deceased persons. The restrictions apply only when data is used or processed for purposes other than purely personal or household activities. The categories of user data protected under the GDPR are “sensitive data” and “personal data”.

GDPR Compliance: The General Data Protection Regulation was agreed upon in 2016 by the European Parliament and Council. The law aims to protect the personal data of citizens of the EU. All entities that complied with the 1995 Directive also had to ensure that they complied with the GDPR, and they face penalties if they fail to do so. Article 1 of the GDPR lays down rules regarding the protection of personal data, protecting every individual’s right to the protection of personal data, and the free movement of personal data within the EU without fear of leakage. Companies that collect data from citizens of European Union countries have to comply with the GDPR rules; non-compliance would cost them heavily.

The GDPR emphasizes data and privacy protection according to the following guidelines:

  1. While processing data of a subject, the company must take consent from the subject.

  2. Collected data must be kept anonymous to protect it against any attack.

  3. In case of a data breach, the affected people must be notified immediately.

  4. When data is transferred across borders, its safety must be the top priority.

  5. The GDPR requires certain companies to appoint a dedicated data protection officer to oversee GDPR compliance.

Why is the GDPR required?

The GDPR was imposed for a specific purpose: to bring uniformity to data security law across the European Union's 28 member states.

This ensures that no state has to write and maintain a separate set of data protection laws. GDPR compliance in digital marketing effectively applies to any organization that offers its products or services to residents of the EU, independent of the geographical location of the service provider.

Rights of a User under GDPR: Chapter 3 of the General Data Protection Regulation sets out 8 rights for users, which guide the drafting of privacy policies. These rights serve as a basic checklist: no provision of the policy may violate them, and all eight must be stated in no uncertain terms. Users must be actively informed that they have these rights under your privacy policy. These rights are as follows:

  1. The right of access

  2. The right to erasure

  3. The right to be informed

  4. The right to rectification

  5. The right to object

  6. The right to restrict processing

  7. The right to data portability

  8. The rights related to automated decision-making and profiling.

What type of Penalties does the GDPR Non-Compliance attract?

The 1995 Data Protection Directive also imposed fines and penalties on non-compliant entities, but with the GDPR the size of the penalties has increased, which makes understanding GDPR compliance all the more important.

  1. The Supervisory Authorities have more power under the GDPR

  2. They can investigate the data issues more aggressively

  3. They can issue warnings if any non-compliance is noticed

  4. They can ask entities to erase the subject data

  5. They have more corrective powers

  6. They can execute audits

  7. They can ask entities to stop data transfer to a particular entity

Supervisory authorities have more power over data controllers and processors. As for the penalties and fines:

  1. They are based on the severity of the particular case.

  2. Corrective measures can at times be imposed without fines.

  3. Fines for non-compliance range from 2 to 4 percent of total annual worldwide turnover, or from €10m to €20m, whichever is higher.

Who all are required to maintain GDPR Compliance?

EU members are required to stay GDPR compliant. Apart from that, each company that offers its products or services to the residents of the European Union must adhere to GDPR directives. This stands true irrespective of the organization’s location.

Effectively, each organization has to make sure it meets the GDPR compliance requirements so that no penalties are attracted in the event of a data breach. This ensures higher trust and protection.

Impact of GDPR on India - The General Data Protection Regulation (GDPR) legislated by the EU Parliament is believed to have a far-reaching impact globally. Article 3 of the GDPR states that it applies to data controllers and processors dealing with the personal data of EU citizens, irrespective of whether the processing takes place in the EU or elsewhere. It is borderless, sector-neutral legislation; thereby, Indian data processing companies that handle the data of persons belonging to EU nations also fall within the ambit of the said legislation.

Europe has been a substantial marketplace for Information Technology Enabled Services, Business Process Outsourcing Organizations, and pharmaceutical companies in India. Hence, Indian industries have to comply with these rules if they are to continue doing business in EU countries.

Indian data processing companies will have to abide by the GDPR with respect to their EU customers. They will have to renew their contracts with EU-based data subjects in accordance with the GDPR. Hence, their methodology for data acquisition, processing, management, and protection will have to be reviewed and changed.

Conclusion – Organizations need a consistent compliance effort to stay on the safe side of the law. They must develop a vision and strategy to make sure GDPR compliance stays consistent, and gaps must be assessed constantly to make sure current policies are followed. The most critical areas of GDPR compliance are data processing, notice and consent, data subject rights, data security, transparency of information and communication, accountability, cross-border data transfer, third-party and vendor management, storage, breaches and breach notification, and training and awareness. The GDPR is a sine qua non for business not just in Europe but for business on the internet in the future. Countries have been modeling their data protection laws on the GDPR, and compliance is a good way of future-proofing one’s business. Drafting a GDPR policy is much less about legalese than about consent and transparency, two values that the modern consumer increasingly respects. In this regard, GDPR compliance is as much an ethical value point as a matter of mere compliance.
