Training and Implementing GDPR
GDPR is the General Data Protection Regulation, also referred to as Regulation (EU) 2016/679. It was created by the European Parliament and Council to strengthen and unify data privacy for EU individuals and to regulate the international transfer of their data. It replaces the prior Data Protection Directive (95/46/EC) of 1995 and, being a regulation rather than a directive, applies directly from its enforcement date without requiring transposition into each member state's legislation. The EU regulation has consolidated the many different data protection rules that were spread across the EU member countries.
Businesses will no longer be able to use personal data for their own competitive advantage, and must follow a clear set of rules to ensure data is processed in a fair and consistent manner. GDPR is a game changer in how organizations look at the data privacy of their customers and how they build it into their design philosophies.
Does my business need to comply if it is not in the EU?
It is important to understand that you need to comply with GDPR even if you do not have a legal entity in the EU. Any business, big or small, is now obligated under the law to comply with it or face the risk of stiff penalties. So if you offer your goods or services to any EU residents, you must comply with GDPR. If you collect, process, exchange, or store personally identifiable information (PII) of EU and EEA citizens (referred to as Principals), you will need to ensure you comply with these regulations.
Two primary groups of entities must therefore comply with the GDPR.
- Firms located in the EU
- Firms not located in the EU, if they offer free or paid goods or services to EU residents or monitor the behavior of EU residents, which in practice means nearly any business anywhere in the globe that deals with the EU.
What type of data is considered to be personal data?
The GDPR categorizes a broad swath of data, such as name, email, location, IP address, and online behavior as personal data.
We do not charge for services we offer. Do we need to comply?
Yes. The GDPR applies to firms that offer goods or services to EU residents irrespective of whether payment is exchanged.
What happens if I do not comply?
Non-compliance and data privacy breaches may result in fines of up to €20 million or 4% of your global annual revenue, whichever is higher.
The GDPR sets two levels of fines.
The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.
The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
Fines can be issued for several kinds of infringement, including ignoring:
- The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
- The data subjects’ rights under Articles 12-22
- The transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49
- Any obligations pursuant to Member State law adopted under Chapter IX
- Any non-compliance with an order by a supervisory authority (Article 83(6))
The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation.
Does compliance with ISO 27001 guarantee GDPR compliance?
There is a common confusion among many people and organizations that holding certain certifications, such as ISO 27001, means compliance with GDPR. The often repeated question is: "Am I fully compliant with GDPR if I am already certified to ISO 27001?" This is a myth. GDPR is not an IT problem, and it is certainly not just a data security problem; it is a business problem, and one that will affect every individual in your organisation to a greater or lesser degree.
In essence, the GDPR consists of 99 Articles. As we've seen, just one of those covers technical and organisational data security measures. In other words, there is much more to full GDPR compliance than ensuring your information security management system is up to standard.
Can we get our organization certified to GDPR?
- As of today there is no certification approved for GDPR compliance; there are no certifications yet available for GDPR, let alone accredited certification bodies that can provide them.
- To date there are no GDPR certifications available from anyone for anything. The ICO, in the UK, has released nothing on certification or accreditation, not even guidance. Nor has the Article 29 Working Party (Art. 29 WP), to whom the ICO refers.
- Compliance with the GDPR is compulsory under EU law, and as of today there is no certification that can prove to any supervisory authority that a company processing personal information of EU citizens is GDPR compliant.