Spotlight on GDPR - Time to know more about the regulations and implications

As the clock ticks closer to May 25, 2018 when the EU’s GDPR will be enforced officially, the overarching effects on organizations that process data from any EU nation will be felt more among the unprepared. This has assumed greater importance because of the sensational breaches that are being reported with alarming frequency. It’s worth noting that Brexit will not affect GDPR’s enforcement in the UK. Here is a quick fact check that will help businesses get additional information which can then serve as a springboard for further queries and clarifications.

What are the penalties? On whom are they imposed?

The penalties are two-tiered and are covered under various articles that deal with specific violations or infringements. To put it quite simply, the two thresholds are:

1. Infringement of key provisions of GDPR which attract a fine ‘upto £20 million or 4% of global annual turnover, whichever is higher’. Here, for the purpose of calculations, the global annual turnover of the preceding year will be taken into account.
2. Infringements of a less severe nature, like procedural violations, which attract a fine ‘upto £10 million or 2% of global annual turnover, whichever is higher’. Here, for the purpose of calculations, the global annual turnover of the preceding year will be taken into account.

Entities that deal with data from the EU are divided into two categories, Data Processors and Data Controllers. Administrative fines, if imposed, are applicable to either or both of the entities.

Are there any accountability requirements as part of compliance? Specifically, what is Art 33?

Yes. The compliance aspect is very clear on businesses demonstrating ‘reasonable’ actions to comply with data protection requirements. Specifically, this needs to be recorded in data processing registers. Businesses need to maintain records that prove the existence of robust measures to safeguard data. Art 33 is more commonly known as the notification of data breach. It simply means that whenever a data processor becomes aware of a breach of personal data, the same needs to be notified to the data controller and thereupon to the supervising authority not later than a period of 72 hours. The issue that most businesses will face here is the absence of clear internal processes that need to be followed to ensure that the breach is notified to the supervising authority within the mandatory 72 hours.

What are the obligations of a Data Processor and a Data Controller?

Data Processor

GDPR Article 28 deals with the obligations of a data processor. It spells out exhaustively all obligations, some of which include the following:

• A data processor cannot bring in other data processors without recorded consent of the controller.
• A data processor needs to enter into a written contract with the controller for services rendered. The contract needs to clearly mention subject-matter, duration, nature and purpose of data processing, the type and categories of personal data.
• Processors are not to process personal data on behalf of controllers, unless they have been explicitly mandated by the controllers to process the data.
• Data processors need to maintain a record of processing activities carried out on behalf of a controller.

Data Controller

GDPR Chapter 10 deals with the obligations of a data controller, some of which are listed below:

• A data controller needs to maintain a record of processing activities, which will clearly show why personal data is being processed and if it is being processed as per laid down procedures.
• A data controller needs to transmit the notification of breach to the supervising authority within the mandated 72 hours period. To do so, the data controller needs to have an effective channel of communication with the data processor to receive intimation of the same if the breach is at the data processor’s end.
• A data controller is responsible for carrying out the data protection impact assessment. This effectively means an impact assessment needs to be carried out when there is a risk or threat of compromise of data.
• A data controller needs to appoint a designated DPO (Data Protection Officer) if the records are public records, special data or criminal records, or records on a large scale.

What exactly is the right to be forgotten?

Article 17 of the GDPR spells out the right to be forgotten or the right to erasure. To put it quite simply, it means that individuals have the right to request that certain data be erased or removed from systems. This will be applicable on certain grounds, for instance, if the data is no more required for the original reason or reasons for which the data was collected. This might actually appear to be one of the more easiest of the obligations. However, businesses need to be aware that data may be residing anywhere on the processor’s databases. Locating every single field of data and securely erasing might be a nightmare, depending on the nature of the data. Failure to erase and furnish proof of erasure is liable to be treated as an infringement.

GDPR, as a regulation standardizes the compliance requirement, and will also offer a layer of protection to the processing entity from claims and complaints if the entity is compliant and following all regulations to the letter. There needs to be greater responsibility while handling sensitive information, including personal data and organizations need to be ready with a risk adaptive approach that works in tandem with regulatory compliance for greater security.

DNS has partnered with LawBite who are business law experts to help you understand your GDPR requirements and provide you with the necessary products and services to help your organisation become GDPR compliant before the deadline of 25th May 2018.

All our readers get a free 15-minute consultation with a specialist GDPR lawyer at Lawbite. To book a consultation please submit your enquiry and an expert GDPR lawyer will contact you shortly.

Speak with an expert

Any questions? Schedule a call with one of our experts.

Book a call