The author is Head of Compliance at Bellwether. At Bellwether, he has been advocating 'privacy by design and by default' principle to clients. He leads the GDPR compliance consulting practice with a team of experienced consultants in the fields of internet privacy, compliance, digital transformation and litigation.
LinkedIn: https://in.linkedin.com/in/balu0103
GDPR is abbreviated form of the European Commission‘s newly enforced privacy protection law – General Data Protection Regulation. Before hiring a GDPR Consultant or considering to outsource your GDPR compliance, GDPR training or GDPR audit, you need to understand why GDPR compliance is important to your organization.
Index
During the last two decades, many countries across the world have enacted information privacy laws or data protection laws to protect their citizens’ personally identifiable information (PII). However, the EU-GDPR law is significantly different than previous ones due to it’s aggressive rules and restrictions on the organizations that collect and process the data of citizens of the European Union.
GDPR tries to protect the personally identifiable information of it’s citizens. A PII is any data that can individually recognize a person with great accuracy. For example, Name of a person combined with the date of birth is a PII. Similarly, Address, email id, phone number are PII. Apart from these, an individual’s health information, political and religious beliefs are all declared as personal information and come under the purview of EU-GDPR regulation.
Since, you have visited this website, your IP address is recorded in our web server logs which can be used to identify you as a person. Hence IP addresses are also included in the definition of PII.
“Hey, we are an Indian business entity! And, we don’t have our business operations in EU. So, we don’t need to be GDPR Compliant“
It may sound logical that GDPR for Indian companies does not apply, at least for business entities that are operating only from India or employing only Indian citizens or those that are not engaged in business with European businesses or citizens. However, the reality is different.
For Indian companies (or companies operating outside European Union), even if they do not have business presence in EU, but serve a client in EU, then GDPR Compliance is necessary, as the regulation mandates.
The dilemma, whether GDPR compliance for Indian companies is needed or not, can be eliminated by answering two questions:
If you have answered yes for any of the above questions, then you need to hire a GDPR compliance consultant in India, to talk about next steps.
Non-compliance with GDPR, after 25th of May 2018, could result in devastating impact for businesses not just operating or having presence in European Union, but also for Indian companies who process information of citizens of European Union
For Indian Companies that do data processing viz, analytics, data mining, big data firms, GDPR compliance has become a business development issue as much as legal issue, since European clients now want to confirm that their vendors are GDPR compliant too.
Personally, I have seen a lot of companies looking for GDPR consulting because their new prospects or customers started asking if they are GDPR compliant.
The Indian mainstream media is already abuzz with news about the hardships being faced by Indian outsourcing companies who are not prepared for GDPR yet.
The unforeseen impact is felt by many functions of Indian Companies. Marketing managers of Indian companies are questioning if their teams can contact prospects in their marketing funnels and email lists.
Sales managers want to understand if their sales reps can do cold-calling to EU citizens.
HR teams are concerned about the personal information, in the form of resumes, they hold from the prospective employees of EU region.
IT Heads are worried about the type of access control they need to have to comply with GDPR.
Inspired by EU-GDPR, An Indian version of the Privacy regulation – Indian Personal Data Protection bill has been drafted and was shared with the Governments of all the states of India for their feedback.
Becoming GDPR compliant now, will be beneficial when the Indian Personal Data Protection Bill becomes a legally enforced Act making it mandatory for the Indian Tech Industry to abide by the privacy laws.
If your website has visitors from European Union, despite having no business operations in EU, your business is liable to pay penalties up to 20 million Euro or up to 4% of your company’s global turnover, for non-compliance. It may sound too harsh but that’s what the regulation says. You can read Article 84 of GDPR, which discusses the penalties for non-compliance.
Bellwether has developed a world-class Enterprise Risk Management framework by combining functional, information security and legal expertise. Our GDPR consulting clients range from large enterprises to start-ups.
Get in touch today to talk to a GDPR Compliance Consultant and explore the ways to manage your enterprise risk and uncover value.
Every month, since 25th of May, 2018, law suits are being filed on organizations of all sizes. Most notably, a few tech giants are facing GDPR legal suits for allegedly not complying with the European Union’s privacy regulation.
An Austrian non-profit, led by privacy activist and attorney Max Schrems, has filed a suit against Amazon,Apple,Youtube, Netflix, Spotify, and three more tech companies alleging that they have violated the terms of GDPR.
It comes as a surprise that companies like Google have failed to get things right with regards to GDPR compliance. The French Data Protection Authority had fined Google 50 million Euros, recently. Read more about GDPR Penalties.
GDPR compliance requirements are the steps you have to take and processes you have to adapt in your organization that help to protect personal data of individuals.
Awareness is the first step towards compliance. The leadership team should understand the importance of data protection and the same has to be effectively communicated to the entire team down to the associate level. In fact, training and awareness is mandated by GDPR under article 47 & article 39
Conduct an in-house audit:
Conducting an in-house audit about all the data your organization holds – how it is generated, stored, transferred and used will give you a high level overview of the potential data risks you are currently sitting on. This in-house audit report can be of great help when you want to prepare your RFP to send to GDPR consultants.
A gap analysis is the first step in identifying what is non-compliant in your organization. Your GDPR consultant needs to interact with all the departments in your company, to understand the status-quo of your processes and establish benchmarks to be met in order to transform non-compliance into compliance.
DPIA:
DPIA or Data Protection Impact Assessment is the process of identifying the risks to privacy and finding solutions to address them. A DPIA many not be needed for your organization if the data processing you are doing is simple and not inherently risky for the privacy of your data subjects.
Other GDPR compliance requirements:
Several other requirements are to met to be GDPR complaint. A few of them are:
While a GDPR compliance checklist is exhaustive and beyond the scope of this article, the following pointers will help you understand the basic requirements to be compliant before outsourcing GDPR compliance.
Data Controller’s Checklist:
If you are a Data Controller (Who is a data controller? Read here), then you might need to look into the following
If you are a Data Processor (Who is a data processor? Read here), then you might need to look into the following
