The European Parliament adopted the GDPR in April 2016, requiring companies that meet its applicability criteria to protect the personal data and privacy of European Union (‘EU’) citizens for transactions that occur within EU member states, thereby regulating the export of sensitive personal information outside the 28 EU member states.
GDPR compliance applies to all companies processing and archiving personal information (including personally identifiable data within social media, photos, email addresses and IP addresses) regarding EU citizens within EU states, even if such companies do not have a business presence within the EU. Companies meeting any of the following criteria are required to adhere to GDPR:
- A presence in an EU
- No presence in the EU, however the company processes personal data of European residents;
- More than 250
- Fewer than 250 employees, however the company’s data processing impacts the rights of individuals (data subjects), is not occasional, or includes certain types of sensitive personal data.
Compliance responsibility – Data protection
GDPR defines specific roles and responsibilities for ensuring compliance, namely the data controller, the data processor and the data protection officer (‘DPO’).
The data controller defines the methodology for processing personal data and the objectives for which the data is processed. Data processors are typically internal groups or external outsourcing firms that maintain and process personal data records, and they are held liable for breaches or non-compliance.
Data controllers and data processors are mandated to appoint a DPO where companies process or archive significant volumes of EU citizen data, process or archive privileged personal data, regularly monitor pertinent data subjects, or are a public entity (except law enforcement authorities, which may be exempt). The primary objective behind the appointment of a DPO is to designate someone responsible for overseeing the data
Overview of key components
i) Data privacy by design
Processes will need to be continuously assessed and periodically amended to incorporate privacy by design, wherein the data controller must apply adequate technical and organisational procedures to comply with the requirements of GDPR and protect the rights of data subjects. Types of privacy data protected by GDPR include:
- information such as name, address and ID numbers;
- Web data such as location, IP address, cookie data and RFID tags;
- Health and genetic
- Racial or ethnic data.
Personally identifiable data must be portable through the open use of common, machine-readable file formats when the data subject receives it.
iii) Rights of data subjects
The data controller is obligated to provide a free electronic copy of any personally identifiable data to the data subject. GDPR grants data subjects the following rights with respect to their data controllers:
a) Right to access: to confirm whether their personally identifiable data is being processed, along with the objective for which it is being processed and the location; and
b) Right to be forgotten: includes permanent or on-demand deletion of their personally identifiable data, cessation of further distribution of the data, and the demand that third parties restrict processing of the data.
iv) Data breach notification
As a data breach is likely to result in a risk to the rights of individuals, GDPR requires mandatory breach notification to the supervisory authority within 72 hours of the organisation first becoming aware of the breach. In addition, data processors are required to notify their customers without undue delay.
GDPR requires ‘a statement or clear affirmative action’ that signals agreement to the transfer of personal data. Further, parental consent is required for processing children’s (13-16 years of age depending on member state)
The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. Failure to adequately conduct a data protection impact assessment (DPIA) where appropriate is itself a breach of the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million, whichever is greater.
IT security, governance and GDPR
Compliance with GDPR will require an organisation’s IT governance framework to be modified to incorporate the pertinent aspects of data transfer, data subject consent, and privacy by design.
GDPR introduces several privacy arrangements and control mechanisms intended to safeguard personally identifiable information. Most of these controls are also recommended by ISO/IEC 27001:2013, ISO/IEC 27002:2013 and other ‘ISO27k’ standards, as well as COBIT 5.