What is GDPR and why is it important?

Have you been getting emails from Twitter, Gmail, Facebook and others about a change in their privacy and data policies? While you may dismiss or delete these, it is important to understand why they are doing this. The emails and changes are a result of the upcoming GDPR in the European Union that will impact every company that deals with any data in the EU.

A new whitepaper by Assocham and EY explains what is GDPR and why it is important.

The General Data Protection Regulation is a set of rules that will come into effect in the European Union on May 25.

On December 15, 2015, following three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the EU GDP).

The aims of the GDPR are:

1. To reinforce data protection rights of individuals

2. Facilitate the free flow of personal data in the digital market

3. Reduce the administrative burden.

The EU data protection reform was adopted by the European Parliament and the European Council on April 27, 2016.

It will become effective on May 25, 2018.

GDPR applies globally and companies outside the EU will have to comply with the regulation if they process EU persons’ personal data

• Hefty penalties: Breach of the GDPR will result in substantial fines of up to 20 million euros or 4 percent of annual worldwide turnover, whichever is greater.
• Expanded scope: Applies to all data controllers and processors established in the EU and organizations that target EU citizens.
• Mandatory appointment of Data Protection Officers (DPOs): DPOs must be appointed if an organization conducts large-scale systematic monitoring or processing of a large amount of sensitive personal data.
• Obligatory breach notification: Notify supervisory authority of data breaches “without undue delay” or within 72 hours, unless the breach is unlikely to be a risk to individuals. If there is a high risk to individuals, they must also be informed.
• Stringent consent requirements: Consumer consent to process data must be freely given and for specific purposes.
• Privacy by design and default: Data protection safeguards must be built into products and services from the earliest stage of development. Privacy settings must be set at a high level by default.
• Limiting the storage of personal data: Organizations will need to ensure that they retain personal data only for as long as necessary to achieve the purposes for which the data was collected

Companies which were till now only mandated to protect personal data, now need to embed privacy across the life cycle of data. There will be legal implications for wrongful data collection, disclosure, and usage. The high financial costs for non-compliance is one of the biggest drivers for companies to implement privacy by design.

Source: Report titled "The rise of General Data Protection Regulation (GDPR): Is your business prepared?" by Assocham-EY