Approved and adopted by the European Union (“EU”) Parliament in April 2016, the General Data Protection Regulations (“GDPR”) shall come into force in May 2018 after a two-year transition period. The GDPR regime has been enacted primarily to ensure a uniform blanket legislation governing the security of data across all members of the EU. It seeks to replace the Data Protection Directive of 1995 (“Directive”)[1] and bring into force stricter parameters of consent, the concept and mandate of data portability, and a special ‘right to be forgotten’. A welcome development, the implementation of the GDPR will dramatically reduce the burden of registrations on multinational enterprises.

Applicability of GDPR

Consequent to its enforcement, the participating states of the EU will no longer need to legislate on data protection and governance at a national level. Furthermore, any entity across the globe that markets its products or services to residents of the EU shall be subject to the GDPR regime. Thus, the far-reaching implications of the blanket law will ensure that there is consistency in legislation and that no grey areas exist for manipulation, contrary to what has been noticed recently. The United Kingdom, post Brexit, is not mandated by law to implement the GDPR regime; however, the government has affirmed its stance of imposing an equivalent and alternative legal mechanism consonant with the scheme of the GDPR.[2]

What is the need?

Other than providing an impetus to the online marketplace, the GDPR also imposes harsh penalties for non-compliance. Any entity found to be in violation of the GDPR regime may be held liable to pay penalties of up to 20 million Euros or 4% of global annual turnover, whichever is higher.

Personal Data and Amendments by the GDPR

The entire refurbishment of the law is built around the concept of personal data as defined under European law. Thus, it would be pertinent to reproduce the definition as stated under Article 4(1) of the GDPR for the sake of clarity and purpose. The proposed Regulations define ‘personal data’ to be “any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” The concept of sensitive personal data remains primarily unchanged, with the proposed regulations under Article 9(1) defining it as “any personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.” Data associated with criminality and convictions are addressed separately under the proposed regulations. Although the GDPR makes minor changes to the definition of ‘processing’ by adding the terms ‘structuring’ and ‘restriction’ to the definition prescribed by the EU Directive, this does not translate into a major difference in practical implementation.

Steps of Compliance

The proposed regulations are replete with nuanced intricacies, and summarizing them would require a long checklist; however, conforming to the following steps will go a long way towards ensuring that you are not stepping into the line of fire:

  • Employ a Data Protection Officer (“DPO”) who would be required to ensure the protection of data and compliance with the new regime. It need not be a full-time position as per the proposed regulations, and consequently a virtual/part-time officer would be a viable fit for small enterprises.
  • With the help of the DPO, ensure your business outfit has a data protection plan in place and ready to be implemented.
  • Create a Data Register which should be used to document all relevant data. As per the GDPR regime, each country’s Data Protection Association shall continuously monitor compliance with the proposed regulations. Consequently, the Register shall act as an effective tool for an efficacious and speedy review. It is important to classify which data falls within the definition of personal data and sensitive personal data so that extra levels of security can be put in place while processing it.
  • Get a Risk Assessment conducted by an independent consultancy service. You should know in which segments your business is most vulnerable to leakage of data. The Assessment should also include suggestions from the consultancy firm on mitigating such risks in the first place. Subsequently, the recommended mitigation process should also be enforced. For a big enterprise, such assessments can also be conducted internally without engaging a third party.
  • As per the GDPR regime, any entity in breach needs to report the same to the concerned authorities within three days of such an occurrence. Ensure that you have a system in place that allows you to report an overt breach within 72 hours of the breach. A failure to do so may lead to heavy penalties.

What about the previous personal data collected?

It is advisable to create an expansive record of the personal data presently being held, its source of origin and with whom it has been shared. For the said purpose, it is important that one is very careful while documenting such data, as any slip-up may lead to a violation of the GDPR. Consequently, an information audit across the enterprise, both horizontally and vertically, is recommended for ensuring compliance with the proposed regulations. The underlying hypothesis of the audit is linked to the objective of the GDPR prima facie, as the GDPR intends to update the trackers for a better networked and transparent world. Hypothetically, if you have shared inaccurate personal data with another organization, it is your duty under the Accountability principle of the GDPR to apprise the said organization of such inaccuracy. Unless an audit is performed, it is unlikely that the personal data can be properly documented in consonance with the requirements of the GDPR.

Concluding Remarks

Although the enforcement of the GDPR may seem far off, it leaves no room for laxity for anyone conducting business in the EU. Evolved to create transparency and confidence in the conduct of online services, both outbound and inbound, the GDPR in all practicality makes the protection of personal data a fundamental right of the citizens of the EU. It is predicted that such a transition will lead to a booming electronic marketplace. However, on the downside, it also acts as an additional burden on the relevant entities to collect data in the specified manner. Consequently, it is high time that top management prioritizes cyber readiness to comply with the hygiene standards that the GDPR is advocating.

[1] Data Protection Directive, 1995, Directive 95/46/EC

[2] http://www.eugdpr.org/gdpr-faqs.html