The regulation of personal data protection has shaped the way organizations around the world handle the personal information of EU citizens through GDPR compliance. Although the regulation originates in the European Union, its effects are felt worldwide. Here are 5 key things for organizations to understand about GDPR compliance in India.
- GDPR Applies to Organizations Processing EU Residents' Data
It is worth stressing that GDPR applies to companies processing any personally identifiable information of EU residents, irrespective of where the company is located. This means that any organization in India offering goods or services to EU data subjects, monitoring the behaviour of such residents, or processing the data of EU citizens is bound to meet the requirements of GDPR.
- Consent and Data Protection Principles
Collecting the data of EU residents is another essential GDPR requirement that must be complied with: it requires obtaining consent to store and process the data. Consent has to be given freely and voluntarily, and the data subject must be able to withdraw it on request. Additionally, GDPR mandates 6 main principles for handling personal data: lawfulness, fairness and transparency; purpose limitation (relevance and necessity); data minimisation; accuracy; storage limitation (short retention periods and up-to-date data); and integrity and confidentiality (security and privacy). These are guidelines that have to be built into companies' data governance policies and security controls.
- Carrying out Data Protection Impact Assessments
GDPR requires that a Data Protection Impact Assessment (DPIA) be conducted before any processing operation that may present significant risks to the privacy rights of data subjects. A DPIA assesses those risks and identifies the countermeasures needed to mitigate them wherever personal information is involved. Because accountability, the duty to identify failings and implement corrections, is a central element of GDPR, this requirement carries even greater weight.
- Mandatory Breach Reporting & Data Privacy Policies
Personal data breaches shall be communicated to the supervisory authority within 72 hours of the organization becoming aware of the incident, and the affected persons must be informed as well. Furthermore, organizations are required to keep internal records of breaches. Adequate and transparent policies on data privacy and security, a clear chain of command, and monitoring of internal reports and investigations of incidents are non-negotiable.
- Have a Data Protection Officer
GDPR has introduced an accountability model that requires the appointment of a Data Protection Officer (DPO) for some organizations and recommends it for others. A DPO supports and monitors the organization's compliance, provides guidance on DPIAs, engages with the regulators, and acts as the first point of contact for data subjects who wish to lodge complaints or have privacy-related inquiries resolved. Creating this role formally assigns responsibility within the organization.
Conclusion
As a whole, GDPR establishes a significantly higher legal and ethical standard for the use of personal data, one that demands a set of proactive compliance measures from companies around the world. Implementing and formalizing consent management, developing and implementing policies and procedures, strengthening security measures, documenting data flows, raising staff awareness, and monitoring regulatory changes are crucial activities on the path to compliance. Consider collaborating with INTERCERT, an international certification institute that offers reputable auditing, certification, and training services on a range of management systems and standards worldwide, to make sure your company complies with the strict GDPR regulations.