Friday, August 30, 2019

GDPR IS ENFORCEABLE. COMPLIANCE IS MANDATORY WITHOUT EXCEPTION NOW


THE DEADLINE IS OVER. GDPR IS ENFORCEABLE. COMPLIANCE IS MANDATORY WITHOUT EXCEPTION NOW.


May 25 2018, the day on which GDPR compliance became a mandatory legal requirement for every business that is established in the EU or that deals with individuals in the EU, has come and gone. The GDPR replaces the Data Protection Directive (95/46/EC) of 1995 and, because it is a regulation rather than a directive, it applies directly in every member state from its application date without having to be transposed into national legislation. It harmonises the many different national data protection laws that were previously spread across the EU member countries.



Businesses can no longer use personal data however they see fit for their own advantage; they must follow a clear set of rules to ensure data is processed lawfully, fairly and consistently.

Common misconceptions

I have updated my privacy policy


Merely updating a privacy policy does not make you compliant, because the policy is only one component of GDPR compliance. Being compliant means adopting the whole regulation and acting on it, not just publishing a document.

I received a DPA from a client and am not sure how to proceed.

A data protection addendum (DPA, the processor contract required by Article 28) commits you to having organisational and IT controls in place; simply signing it serves no purpose. By signing you are confirming that those controls exist. That confirmation can easily be checked by the client or a supervisory authority, and if it turns out to be false the result can be loss of the business and fines.

I am waiting.


You can wait by all means, but GDPR will not go away. It is here to stay and will increasingly affect your business, as the rest of the world has started moving towards compliance. By not getting compliant you will certainly lose the early-mover advantage.


I am ISO certified, so I would like to wait and see what happens

There is a widespread confusion among people and organisations that holding a certification such as ISO 27001 means they are compliant with GDPR. The often-repeated question is "Am I fully compliant with GDPR if I am already certified to ISO 27001?" This is a myth.

GDPR is not an IT problem, it’s certainly not just a data security problem, it is a business problem, and one that will affect every individual in your organization to a greater or lesser degree. 

In short, the GDPR consists of 99 Articles, and only one of them (Article 32, security of processing) is specifically about technical and organisational security measures. In other words, there is much more to full GDPR compliance than ensuring your information security management system is up to standard.
   
Does my business need to comply if I am not in the EU?

It is important to understand that you need to comply with GDPR even if you have no legal entity in the EU. Any business, big or small, is obligated under the law to comply with it or face the risk of stiff penalties.

So if you offer goods or services to individuals in the EU, or monitor their behaviour, you must comply with GDPR (Article 3(2)). As long as you collect, process, exchange or store personal data of individuals located in the EU or EEA (the "data subjects" of the Regulation), you will need to ensure you comply with these rules. Note that the test is where the individual is, not their citizenship.

What happens if I do not comply?

Non-compliance and personal data breaches may result in fines of up to 20 million Euro or 4% of your global annual turnover, whichever is higher.

There will be two levels of fines based on the GDPR. 

1. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.

2. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. 

Fines in the higher tier are issued for infringements of, among others (Article 83(5)):

The basic principles for processing, including the conditions for consent, under Articles 5, 6, 7 and 9

The data subjects' rights under Articles 12 to 22

The transfer of personal data to a recipient in a third country or an international organisation under Articles 44 to 49

Any obligations pursuant to Member State law adopted under Chapter IX

Any non-compliance with an order by a supervisory authority (Article 83(6))

The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation.

Can we get our organization certified to GDPR?

As of today there is no approved certification for GDPR compliance. Article 42 of the Regulation provides for certification mechanisms, but no scheme has yet been approved, let alone accredited certification bodies that could issue one.

The ICO in the UK has not approved any certification scheme, nor has the Article 29 Working Party (now the European Data Protection Board), to which the ICO refers.

GDPR is compulsory compliance with EU law, and as of today there is no certification that can prove to any supervisory authority that a company processing the personal data of individuals in the EU is GDPR compliant.

How can we get assistance to comply with the new law?

If you wish to know more about GDPR issues and how we can assist you to comply, please visit us at www.gdprconsultants.in, call me at +91 9968416366 or email info@gdprconsultants.in


How to ensure GDPR compliance is in place


With GDPR in force and India's Personal Data Protection Bill ready to be tabled in Parliament, one needs to understand that compliance is not a one-time activity: the whole business has to be restructured to avoid legal issues with any government.

To make privacy the core of the business, privacy law obligations must be managed at every stage of activity, and that can only be assured by stringent and frequent internal audits. Audits ensure that no action the law treats as mandatory is missed. For example, privacy laws commonly require a data protection impact assessment (DPIA) on personal data. Under GDPR (Article 35) a DPIA is required before commencing any processing that is likely to result in a high risk to individuals, and it must be revisited whenever the nature, scope, context or purposes of the processing, or the personal data involved, change during the course of the activity.


Data protection impact assessment


When conducting a DPIA, make sure its output records how the determinations were made: how the necessity and proportionality of the processing were assessed, and how the legitimate interests of the company were balanced against the interests, fundamental rights and freedoms of data subjects.

Alongside the DPIA, the law requires procedures for breach handling, training, awareness among the team of data subject rights, and documented actions taken to protect personal data. So this is not a one-time process or procedure but a regular one that keeps compliance in place at all times.

Your public-facing websites and apps should make your personal data handling clearly visible, because the law requires that users be told about their rights and about how you process and use their information before their data is collected (Articles 12 to 14). This cannot be achieved by tucking a privacy or cookie policy link somewhere in the footer of your website or app.
   
To learn more about GDPR compliance, contact us at info@gdprconsultants.in or visit our website www.gdprconsultants.in for further updates.
