A Date with Data: Demystifying EU's Data Protection Regulations

Assessing GDPR readiness: The first step towards getting ready for a new data privacy paradigm

The key aspects for Indian organisations to be mindful of, to take stock of their GDPR readiness and to identify major gaps that need to be plugged, are:

• Scope of data activity and the need for data protection officers (DPOs): One of the first things for businesses to gauge is the scope of their data activity and whether they are, in any capacity, either collecting and/or processing personal data belonging to EU citizens. They must also analyse whether the data volumes are sufficiently high, or the handled information extensive enough, for them to appoint a DPO as mandated under the GDPR.
  
  
• Data breach notification: The GDPR makes it mandatory for data controllers and processors to notify both the data subject and the supervising authority of a potential breach within 72 hours. This requires organisations to have a breach notification setup in place for the eventuality of personal data being compromised.
  
  
• Data protection impact assessment (DPIA) and rights of data subjects: Organisations also need to consider if the kind of personal data handled poses the risk of infringing upon the data rights and freedoms as stipulated by the GDPR. This includes the ‘right to be forgotten’, the ‘right to data portability’, and the ‘right to object to profiling’. It is also essential to identify what kind of mitigation strategy is in place for responding to such a risk.
  
  
• Lawful processing and consent: Data subjects have to consent to the collection or processing of any personal data. Organisations, therefore, need to ensure that processes are in place to record documented consent from data subjects prior to handling any personal information.
  
  
• Personal data protection, and privacy by design and default: Organisations must have satisfactory technical and organisational measures in place to ensure the security of personal data. It must also be evaluated if any such measures for data protection and privacy are designed into the organisational systems and processes, in addition to gauging the default compliance levels.
  
  

• Proof of compliance: Under its accountability principle, the GDPR requires organisations to document their compliance readiness. The proof of compliance needs to be furnished on May 25, when the law comes into force.

Another thing that Indian organisations need to pay attention to here is identifying their role in the data hierarchy, and the corresponding responsibilities. The GDPR classifies data handlers under the following two categories:

• Data Controllers Any organisation or individual which collects personal data, as well as defines how and to what end that information will be used, is defined as a data controller. Under the GDPR, data controllers are responsible for conducting DPIAs and risk mitigation in order to identify, analyse, and address potential threats or risks to personal data of EU citizens. Controllers are also responsible for implementing measures that safeguard the rights of data subjects, as well as for ensuring that any data processor or third party associated with them is compliant with the GDPR and has signed stringent and legally binding contracts. Additionally, it is necessary for the data controller to define and document individual responsibilities and liabilities in case joint controllers are involved, as well as to implement data protection principles, both ‘by design’ and ‘by default’.
  
  
• Data Processors In broad terms, any organisation or individual which processes personal data pertaining to EU citizens in any manner on behalf of a data controller is defined as a data processor. Data processors, as per the GDPR stipulations, are required to ensure that data processing only takes place upon written instructions from the controller. In case sub-processors are used for handling personal data of EU citizens, data processors are required to first ensure consent from the data controller.
  
  It is also the responsibility of data processors to ensure that any contracts with sub-processors are legally enforceable, and to assist controllers in respecting the rights of data subjects. If personal information of data subjects is to be sent to another country for further processing, data processors must first secure documented consent from the controller.

Data processors must also sign confidentiality agreements with personnel who work with personal data of EU citizens, and delete/ return all personal data to the controller at the end of service. Ensuring the security, confidentiality, integrity, availability, access control, and resilience of the personal data handled also falls under the ambit of data processor responsibilities.

In addition to their individual responsibilities, controllers and processors share certain common responsibilities under the GDPR. They are required to maintain records of data processing, comply with the code of conduct or with an approved certification mechanism, and to implement appropriate technical and organisational measures to ensure security of personal data. Both controllers and processors are also required to undertake regular risk assessments, testing, and monitoring in order to identify existing or prospective vulnerabilities in their systems, as well as to review and upgrade the technical and procedural safeguards from time to time. Data handlers also need to implement SOPs for identifying potential data breaches.

How MDR service providers such as Paladion can help in achieving GDPR compliance

Getting business operations compliant with the new data protection law requires significant investment of time and restructuring of existing processes and systems. This is where MDR service providers such as Paladion step into the picture. With a four-phase approach, Paladion can help businesses in fast-tracking the compliance efforts, in addition to ensuring regular monitoring and maintenance for continued compliance.

The GDPR is a revolutionary step towards ensuring adequate security and protection for personal data, but meeting its compliance requirements will be difficult for organisations. With many organisations struggling to implement adequate measures, market studies estimate that the EU could end up collecting up to $6 billion in fines and penalties in the first year alone. With Paladion’s high-speed approach, Indian organisations can ensure that they are able to avoid the ignominy of making the non-compliance list by meeting each of the stringent requirements of the articles of the regulation.