
Get GDPR Compliant Ready. Read all about Procedure, Fines, Deadline & Data Protection

With the increasing number of personal data leaks, the GDPR regulations are set to be enforced from 25 May to protect personal data. Learn how to be GDPR compliant and what fines apply in case of a data breach.
Written by:
Swati Shalini
Published on
13-Sep-19

What is GDPR?

The General Data Protection Regulation (GDPR) is the regulation formulated by the European Union (EU) for the protection of individuals' personal data. It also covers personal data exported outside the EU. India adopted the GDPR in April 2016 and it becomes enforceable on 25 May 2018. This means that everyone falling under the ambit of GDPR has to carry out GDPR compliance in India and obtain GDPR certification by 25 May 2018.

Update your data protection policy and become GDPR compliant by getting in touch with the Cyber crime lawyers.

Overview of GDPR

The EU has amended its existing laws on data protection by adopting the General Data Protection Regulation, which comes into force on 25 May 2018. The objective of GDPR is to protect the data of individuals by recognising their rights and freedoms relating to data processing. As per the GDPR overview 2018, the scope of GDPR extends to companies which process the data of residents of the EU.

Companies have increasingly been using consumer data for marketing purposes, and earlier there was no law to stop them from doing so. GDPR provides for more stringent compliance requirements, and in case of failure to comply with the regulation, GDPR fines and penalties will be levied.

What is the definition of Personal Data?

GDPR protects the personal data from being misused. To understand the procedure and compliance of GDPR it is necessary to understand what comes under the definition of personal data.

As per the ICO blog on GDPR, personal data is defined as any information relating to an identifiable person who can be identified, directly or indirectly, through such information. Simply put, any information which clearly relates to a person is personal data. There is no exhaustive definition of personal data under GDPR, which leaves scope for a broad interpretation of the term.

Article 4(1) of GDPR defines personal data as follows: "'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

GDPR applies to personal data as well as sensitive personal data.

What is Sensitive personal data?

The ICO's GDPR notification defines sensitive personal data as data which is immensely personal to a natural person and very sensitive in nature. Thus, sensitive personal data as defined under GDPR is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

Whom does GDPR apply to?

GDPR applies to data controllers and data processors. Under the GDPR definition, a data controller is the person who oversees, controls and determines the means and purposes of processing personal data. A data processor, on the other hand, processes data, and is responsible for that processing, on behalf of the data controller. Comparing the GDPR data controller with the data processor: the controller is the person or agency responsible for controlling the implementation of GDPR data protection compliance and policies, whereas the processor is one who processes the data on behalf of the controller.

The responsibility of GDPR data processor is given under Article 28 and according to Article 28 from the EU GDPR, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

GDPR Data Controller Obligations

The General Data Protection Regulation imposes certain obligations on the GDPR data controller, which are as follows:

  • Data protection by default and by design - Data controllers are obligated to ensure that GDPR data protection policies are adhered to and implemented at the implementation stage as well as the processing stage of any new service or product.

  • Distribution of responsibility between joint controllers - When more than one GDPR data controller looks after GDPR compliance, they are called joint controllers, and they have to distribute the work and responsibilities among themselves to ensure that the regulations and policies of GDPR are duly complied with. In case of any failure, the joint controllers are liable jointly and severally unless a joint controller proves that he had no connection with the failure.

  • Records of processing - The GDPR data controller has to preserve and keep records of the processing activities conducted by them.

  • Appointment of a processor - A data controller can appoint a GDPR data processor only under a written and binding GDPR data processor agreement. The agreement should clearly state the obligations and work the GDPR data processor is required to adhere to.

  • GDPR data breach reporting to the DPA - GDPR data controllers have an obligation to notify a GDPR data breach to the data privacy authorities or the data privacy officer.

  • GDPR data breach notification to affected subjects - In case of a GDPR data breach, it is the obligation of the GDPR data controller to notify the affected data subjects of the breach without any undue or unreasonable delay.

What Information is covered under GDPR?

GDPR talks about the protection of data, but what kind of data is actually protected under the General Data Protection Regulation? The data protected under GDPR is data which is identifiable with a natural person. Thus, the following data is protected by way of GDPR -

  • Basic identity information such as name, address and ID numbers

  • Web data such as location, IP address, cookie data and RFID tags

  • Health and genetic data

  • Biometric data

  • Racial or ethnic data

  • Political opinions

  • Sexual orientation

Which companies are affected by the GDPR?

Indian companies might be wondering why they have to comply with GDPR and why they need to obtain GDPR compliance certification. The answer is very simple: GDPR provides that a company which stores, uses, controls or processes the information of EU citizens has to comply with GDPR even if it has no physical business presence in European nations. If a company fulfils any of the following requirements, it has to be GDPR compliant:

  • A company having its presence in the EU,

  • A company not having a physical presence in the EU but controlling or processing the data of residents of the EU,

  • A company having more than 250 employees,

  • A company having fewer than 250 employees but whose data processing impacts the rights and freedoms of data subjects, where this impact is not occasional or involves sensitive personal information.

Get your GDPR compliance done on priority from the best cyber crime lawyers, as the deadline for mandatory GDPR compliance, 25 May 2018, is approaching.

What are the laws on data protection?

Data protection laws are the set of regulations, policies and provisions which deal with the protection of personal data where privacy is invaded through the control, use, storage or dissemination of personal data. With the Indian Constitution recently recognising the Right to Privacy as a part and parcel of the Fundamental Rights, GDPR compliance has become mandatory for companies dealing in the data of the EU and residents of the EU.

In India there is no specific law for data protection, though the Information Technology Act, 2000 contains provisions on it and also provides for civil and criminal punishments for misusing personal and sensitive personal data or wrongfully disclosing personal data. Section 72 of the Information Technology Act provides the punishment for violating the laws on data protection: anyone found violating the provisions related to data protection shall be punishable with imprisonment of up to two years, or a fine which may extend up to Rs. 1,00,000, or both.

With the focus on protecting privacy, EU GDPR certification has to be obtained, and the last date to comply with GDPR is 25 May 2018. To be GDPR compliant, follow the GDPR compliance checklist given below -

  • Be prepared for what is coming - Senior management of companies need to know what is coming and be prepared for the risks of not complying with GDPR. Get in touch with renowned cyber crime lawyers to help you become GDPR compliant.

  • Be accountable - GDPR data protection laws provide for accountability in case of a GDPR data breach, and the data privacy officer has therefore advised organisations, whether large companies or startups, to examine the personal data they hold, use or control against the following questions -

      • Why are you holding it?

      • How did you obtain it?

      • Why was it originally gathered?

      • How long will you retain it?

      • How secure is it, both in terms of encryption and accessibility?

      • Do you ever share it with third parties, and on what basis might you do so?

  • Review of personal privacy rights - Certain rights are broadly similar across all data protection laws, with small differences. To be GDPR compliant one needs to be familiar with the following rights under GDPR -

      • The right to be informed

      • The right to rectification

      • The right to erasure

      • The right to restrict processing

      • The right to data portability

      • The right to object

      • The right to access

  • Legal grounds - For processing data under GDPR, one has to have a legal ground for doing so. Under GDPR there are five lawful grounds for data processing - a legal contract, compliance with a legal obligation, vital interests, a public task and legitimate interests. Data protection policies have to be adjusted as per the above stated legal grounds.

  • Appointment of a data protection officer - A data protection officer (data privacy officer) or a data controller is mandated to be appointed to oversee the data protection strategies and compliance programs.

  • Data breach - GDPR data breach notification requirements provide that any breach of the General Data Protection Regulation should be reported to the supervisory authority within 72 hours of discovery of the data breach.

  • Adopting a privacy by design approach - Get help preparing your GDPR compliance approach through MyAdvo.

What is Breach of Data Protection?

A data breach, or breach of data protection, simply means that personal or sensitive personal information has been accessed by or disclosed to a third party who is not authorised to receive it. The information disclosed must be information that is otherwise protected. Data breaches in general, and those covered by GDPR, involve information such as personal health data, intellectual property, trade secrets, etc.

The ICO's GDPR guidance describes two types of breaches - a personal data breach and a security data breach. Any kind of data breach should be reported to the supervisory authority within 72 hours, and the GDPR data subject rights policy also states that data subjects should be informed of data breaches without any unreasonable delay.

GDPR Fines and Penalties

The following GDPR fines and penalties may be levied in case of a GDPR data breach -

Administrative fines - The GDPR imposes stiff fines on data controllers and processors for non-compliance.

Determination of fines - Each Member State supervisory authority can administer fines for a GDPR breach. The following 10 criteria are used to determine the amount of the fine on a non-compliant organisation:

  • Nature of infringement: number of people affected, damage they suffered, duration of infringement, and purpose of processing

  • Intention: whether the infringement is intentional or negligent

  • Mitigation: actions taken to mitigate damage to data subjects

  • Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance

  • History:  past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines

  • Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement

  • Data type: what types of data the infringement impacts

  • Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party

  • Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct

  • Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement

Amount - Where a company violates several GDPR provisions, the fine is imposed for the gravest breach, at the highest applicable level, rather than separately for each provision. However, this may not offer much relief considering the amount of the fines possible:

Lower level - Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

  • Controllers and processors under Articles 8, 11, 25-39, 42, 43

  • Certification body under Articles 42, 43

  • Monitoring body under Article 41(4)

Upper level - Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

  • The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9

  • The data subjects’ rights under Articles 12-22

  • The transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49

  • Any obligations pursuant to Member State law adopted under Chapter IX

  • Any non-compliance with an order by a supervisory authority (83.6)

Get legal advice from the best legal experts - Email us at info@myadvo.in or call us at +919811782573. MyAdvo acts as the client's legal concierge, providing technology solutions for lawyer discovery, price discovery and case updates. Using these technological solutions, we match the client's requirements with a lawyer based on expertise, location, etc. Our dedicated team of 60+ in Delhi, Mumbai and Bangalore strives to do everything to help the client take a better-informed decision by understanding his legal situation and requirements. Further, for any query regarding an operational or financial debtor you can consult a lawyer online and also ask for legal advice online. MyAdvo lets you find a lawyer anywhere in India online. To get daily updates of blogs, legal topics and legal news, download the MyAdvo App on your phone.