The General Data Protection Regulation 2016/679 (the GDPR) aims to strengthen and unify data protection for individuals within the European Union (EU). It fundamentally changes the EU data protection regime by replacing the Data Protection Directive, which forms the basis of the existing regime. It applies directly in each Member State and so minimises national variation in data protection law.
The GDPR states that organisations must adopt appropriate policies, procedures and processes to protect the personal data they hold.
Article 32 of the GDPR specifically requires organisations to, as appropriate:
- Take measures to pseudonymise and encrypt personal data;
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and/or
- Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
Article 32 further requires risks “from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data” to be identified and mitigated.
How does GDPR matter to Indian companies?
The EU is a large market for Indian companies that provide products and services to countries in the EU. If data of EU residents/individuals is transmitted to India for processing, then the GDPR applies to the Indian company processing that data, and the company must comply with the GDPR.
What is the penalty for not complying with GDPR?
If an Indian company is processing personal data of a European Union customer and it is not compliant with the GDPR, then the following penalties apply:
- Fine: €10,000,000 (INR 80 Crores) or 2% of global turnover, for offences related to:
  - Child consent.
  - Transparency of information and communication.
  - Data processing, security, storage, breach and breach notification.
  - Transfers relying on appropriate safeguards and binding corporate rules.
- Fine: €20,000,000 (INR 160 Crores) or 4% of global turnover, for offences related to:
  - Data processing.
  - Data subject rights.
  - Non-compliance with the GDPR.
  - Transfer of data to third parties.
When does GDPR come into effect?
The GDPR comes into force on 25 May 2018. It is therefore essential that Indian companies start planning their approach to GDPR compliance as early as possible.
How can DGCS help you comply with GDPR?
- Carry out a risk assessment of the personally identifiable information held within your organisation and identify all the risks that could cause a breach.
- Review your company's data policies.
- Recommend the most appropriate measures (controls) to mitigate those risks.
- Advise on the policies and procedures necessary to support the controls.
- Implement a checklist for data protection and provide the required training.
- Carry out audits to make sure the controls are working as intended.
- Ensure your company is compliant with the GDPR.
- Spread awareness of the GDPR within your company.
- Implement a comprehensive and robust ISMS.
How can ISO 27001 help you with GDPR?
- ISO/IEC 27001 provides an excellent starting point for achieving the technical and operational requirements necessary to prevent a data breach under the General Data Protection Regulation (GDPR).
- In fact, a company implementing ISO 27001 would already complete at least half the job of achieving GDPR compliance by minimising the risk of a breach.
- An effective information security management system (ISMS) that conforms to ISO 27001 will meet all of the Article 32 requirements listed above.