General Data Protection Regulation (GDPR) - Strengthens and Unifies the Data Protection Laws

Gist of the General Data Protection Regulation (GDPR)

The General Data Protection Regulation is an EU regulation by which the European Union strengthens and unifies data protection law across its member states.

Scope: The regulation applies to all organizations that process personal data of individuals in the EU. It also applies to organizations established outside the EU that process or access personal data of individuals in the EU, for example when offering them goods or services or monitoring their behaviour.

Timeline: The regulation was formally adopted in April 2016 and, after a two-year transition period, applies from 25 May 2018.

Below are some of the key points about the rules:

  • Territorial scope is now global: the regulation affects organizations anywhere in the world that process or hold personal data of individuals in the EU.
  • Accountability & Privacy by Design: GDPR shifts the onus onto the organizations using EU residents' data. They must carry out timely privacy (data protection impact) assessments and implement data protection measures such as encryption, masking and others, and be able to demonstrate that they have done so.
  • Consent requirement: where processing relies on consent, it must be obtained from the individual for the specific use of their personal data. This includes an explicit statement of the data types collected and the intended purposes of the collection, and consent must be as easy to withdraw as it was to give.
  • Rights of the individual: the right to be forgotten (erasure), the right to verify and access the data held, control over how the data is used, data portability and others.
  • Need for a Data Protection Officer: a designated data protection officer monitors the organization's internal compliance with the data protection laws. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. (The often-quoted 250-employee threshold applies to the exemption from record-keeping obligations, not to the DPO requirement.)
  • Data breaches: the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals. If the breach is likely to result in a high risk to the affected individuals, they must be notified as well.

So what is the big deal about it? It is a big deal because of the penalties for non-compliance. The lower tier of fines reaches 10 million euros or 2% of annual worldwide turnover, whichever is higher; the most serious infringements (for example of the basic processing principles, consent conditions or data subject rights) can draw fines of up to 20 million euros or 4% of annual worldwide turnover, again whichever is higher.

Let's take a look at what even the "minor" 2% tier represents:

The value at stake is near $170 billion, and that figure covers only the top European organizations. If we account for all organizations affected by GDPR, the value at stake is massive.

This calls for targeted action by every organization impacted by GDPR to safeguard its revenues.

Where can TCS help organizations?

For starters, TCS is developing a control testing assessment framework to determine an organization's readiness against the GDPR rules. This serves as a starting point for any organization and its CIO to identify the gaps, estimate the investment required to close them, and set up a tactical group to do so.

TCS also offers a range of data privacy tools, such as TCS Data Masker, MasterCraft, TCS Crystal Ball and others, each addressing pain points related to privacy protection and regulatory compliance.

GDPR has thus redefined how personal data must be safeguarded. TCS understands the need for GDPR compliance and its implications, and is tailoring its service offerings to best fit customers' needs.

Authored by Siddharth V

TCS Enterprise Security and Risk Management


Comments

Look for further developments regarding "the right to be forgotten." The provision has charged a lot of heated controversy and debate. An alternative "right to delete" selected data has been proposed. Though, I can't imagine the organizations that profile our online activities, preferences, and other very personal information will be willing to expose all of the details they have collected. The "dossiers" would make those who do Top Secret security clearances proud.
For insight into the profiling data, visit https://epic.org/privacy/profiling
Much of the information is in public records. However, the problem lies in the concentration of the information in one place.
Consumer attitudes about privacy seem to be changing. Where we used to think... nobody can have my personal information. Now we accept that our personal information will be collected to facilitate convenience and personalization. However, the new attitude comes with the expectation that the information will be accurate, strongly protected, used responsibly, and not shared without consent. The GDPR text ultimately addresses these four principles. I would like to have seen them more clearly summarized at the beginning of the regulation.

Article and observation duly noted. However, and not being a 'legal eagle', with the advent of Brexit, GDPR is now just one of a myriad of EU legislation. I'm now questioning the legal stance of all EU legislation once Article 50 is invoked; in my mind it would have to be re-written under UK law for it to become legal in the UK. Please advise if my understanding is wrong.
