GENERAL DATA PROTECTION REGULATIONS (GDPR)PRACTICES
Ricky Chopra – International Counsels is a full service International law firm, offering a wide range of legal support.With its offices in Gurgaon, Delhi, Chandigarh, Pune and New York, we provide legal support to our clients at every stage of the legal cycle. We believe in assisting our clients in the most responsive and cost-effective manner.
Mr. Ricky Chopra, Chairman & Chief Counsel of the firm, possesses a vast experience in Data Protection, Privacy and Cyber Security sector.The counsels in the firm are currently handling matters pertaining to General Data Protection Regulations (GDPR) and the envisaged legal risks companies and individuals are exposed to.
Our GDPR practice extends from analysing, assessing, designing, implementing and monitoring any new data protection process you need to comply with the GDPR.
The General Data Protection Regulation (GDPR) is the new data protection law in European Union’s (EU) that will come into effect on 25 May 2018.Appliedall over the EU, it will govern all businesses operating within the union and implant a more consistent approach to data protection. All the organizations transacting trade with EU based businesses will also be affected by GDPR and will have to comply with the changes.
These regulationsintroduce anenormousarray of changes. The main aim of the regulation is to safeguard its citizen’s private and confidential information. The GDPR strengthens right to privacy of individuals and imposes enhanced data protection by implementing stringent rule for the business deals with the data.
Applicability of GDPR
The GDPR will apply to companies processing personal data in the context of an EU establishment, companies offering goods or services to EU residents and companies that monitor the behaviour of EU residents.
Therefore, if your organization controls and processes data on people living the European Union-even if your organization is not located in the EU-it applies to your organization.
Compensation for Breach of the General Data Protection Regulation
Complying with GDPR is not optional. If your organization controls or processes personal data on natural persons in the European Union, GDPR almost certainly applies to you. It will attract huge sum of penalty in case of non-compliance with the regulations. If you meet the test of applicability for the GDPR, you cannot opt out of complying.
Data Protection Commissioner may impose fines in the event of a data breach which may be up to €20 million or 4% of annual turnover, whichever is greater. This 4% turnover is calculated at a group level, not by subsidiary.
How RCIC can help you in achieving the GDPR Compliances
With RCIC team you will receive consistent advice, tailored to youthroughout your GDPR journey ranging from data protection frameworks, policies and procedures, data processor management, information security, international data transfers to various compliance documentation.
Bridging GDPR and current data privacy compliance (GDPR Gap Analysis): Analysis of the various processes are required to fill in the gap between the current data privacy compliance and GDPR.
We at RCIC prioritize the key areas to be addressed, Process to be analysed, requirement of appointing a Data protecting officer and Scope of compliance required. Each process must comply with the Principles of GDPR (as per Article 5 to 11).Whether, any processes for which a data protection impact assessment (DPIA) is mandatory, and for which processes might a DPIA help establish data protection by design and data protection by default? We clearly define the scope within which an organization has to operate by taking Personal Data into the account. Whether it is processed lawfully, fairly and in a transparent manner, collected for specified, explicit and legitimate purposes, adopting steps to ensure accurate and up to date data. We also have to identify all the important databases that hold personal data, as well all extra-territorial/trans-border processing.
Auditing Data Lifecycle&GDPR compliance Checklist:RCIC audit the lifecycle of data keeping GDPR compliance checklist into account. Key highlights of the audit are:
- Data entry points:
- Consent & Notices:Precondition for lawfully processing personal data, the subject must give consent for the specified purpose.Individuals can withdraw their consents at any given time. Under the GDPR, privacy notices must state the processing ground relied upon, and if relying on legitimate interests, state the nature of the legitimate interest.Conditions applicable to child’s consent in relation to information society services is provided separately in GDPR. There are certain categories of data which is prohibited for processing unless explicit consent is not provided such as personal data revealing racial or ethnic origin, political opinions, religious.(Art 5, 6, 7, 9, 10, 85-91)
We at RCIC review your existing grounds for lawful processing and confirm that these will still be sufficient under the GDPR. We analyse all the points of data entry and recommend changes which may be required for obtaining new consents.
We also ensure that there is a system in place which can accommodate withdrawal of consent at any given point of the life cycle of the data processing.
- Data Transparency: There is an emphasis on transparency in the GDPR. Notices must concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. Employees must be trainedon all data processing activities and data transfers in accordance with informationas mentionedin the Articles 13 to 14. Criminal records can no longer be processed unless authorized by member state law. (10, 12-14)
We at RCIC review and update, where necessary, employee notices are GDPR compliant
- Data processing & Data storage: The GDPR requires organizations to maintain a detailed record of all processing activities, including purposes of processing, a description of categories of data, security measures, comprehensive data flow map, etc. A number of stakeholders will need to be involved in creating and maintaining this data record (Art 30)
We at RCIC identify all identify, implement and help maintaining all the data process and data storage.
- Data Export: The GDPR only permits exports of data to entities of its group and third-party vendors outside the European Economic Area if the country in which the recipient of such data is established offers an adequate level of protection. (Art 44-50)
We at RCIC identify all cross-border data flows and review data export mechanisms and update cross border mechanisms if necessary.
- Data protection impact assessment: Perform an assessment on the risks to the rights and freedoms of controlling and processing personal data and develop organizational and technological mitigations for the identified risks. The risk assessment has to include any third-party relationships for data held and processed on your behalf. (25, 35, 36)
We at RCIC, ensure processes are in place to embed privacy by design into projects (e.g. technical and organizational measures are in place to ensure data minimization, purpose limitation and security) and put in place a privacy impact assessment protocol.
- Data protection Officer (DPO): DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
- RCIC legal software solutions/ Our Virtual DPO
We have a techno-legal solutionwhich can track your compliance with the GDPR articles and processing activities at just a click of a button. The tool also comes with a data breach management system that documents every activity in a defined work flow to help generate a detailed audit trail.
Trainings:An effective data protection awareness and training programme is essential to make sure employees follow your defined guidelines and prevent data breaches. Our full day Training classes are designed specifically for following two categories:
- Training for Data Protection officer
- It is a mandate under GDPR guidelines to appoint DPO for many organizations, especially if you are a public authority or body, including school, public library, or a utility company, carrying out large scale of data processing which requires synchronized monitoring of data subject or data processing of sensitive data
- Training by RCIC experts will ensure that trainee learn about key definitions under GDPR, special categories, background to the GDPR DPO requirement (who can/cannot become DPO, qualification), what is counted as public authority body, scope of the ‘large scale data’ definition and its processing, scope of using external agency as DPO, role of DPO in organizational structure, obligation of DPO against customers, clients and business partners, relationship between DPO and commissioners office and other information on GDPR compliances.
- Training for other staff handling private data
- Other staff of an organization is also to be trained in manner complimenting the duties of DPO. This staff will be provided a basic level of understanding about GDPR and its requirement to be compliant according to regulations
Why Indian Firms should be complaint to EU GDPR regulations
Indian firms who are associated in the business of data collection, processing and transferring should make their all the system of data lifecycle compliant with EU GDPR. Companies/organizations proactively equipping itself according to the GDPR compliance in advance will benefit them in the following ways:
- Indian Government will soon enact a new law related to data privacy in lines EU GDPR: Report and the white paper has already been submitted by the committee formed under the chairmanship of Justice Shri Krishna.
- Future expansion of the business in EU or other data privacy compliant countries according to the guiding principles laid by OECD
To discuss more about various requirements of GDPR and to be compliant with the new regulation, please get in touch with our team
get in touch
Help line: +91 88 008 55555
We're here to help! If you have any questions regarding our services or anything else please send us an email via the contact form.