Most Important Changes under GDPR
The most important changes under the GDPR can be categorized into 4 major points:
- Individual Rights
- Internal Procedures
- Supervisory Authorities
- Scope, Accountability and Penalties
Individual Rights
Consent
Whenever a data subject is about to submit their personal information, the data controller (usually a company) has to make sure the data subject has given their consent. The GDPR raises the standard for disclosures when obtaining consent: it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters”. Controllers will also be required to provide evidence that their processes are compliant and were followed in each case. Previously, under the DPD, consent could be inferred from an action or inaction in circumstances where the action or inaction clearly signified consent. Thus, the Directive left open the possibility of an “opt-out” mechanism. However, that will change under the GDPR, which requires the data subject to signal agreement by “a statement or a clear affirmative action.” Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to the processing of their personal data. They must also know exactly what they are consenting to, and they must be informed in advance of their right to withdraw that consent. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity. This means that informing the user during the opt-in is becoming more important.
New Rights for Individuals
The regulation also builds in two new rights for data subjects: a “right to be forgotten” that requires controllers to alert downstream recipients of deletion requests and a “right to data portability” that allows data subjects to demand a copy of their data in a common format. These two rights will now make it easier for users to request that any information stored should be deleted or that information that has been collected should be shared with them.
Data subjects have always had a right to request access to their data, but the GDPR enhances these rights. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also drop to a 30-day period. In certain cases, organisations may refuse to grant an access request, for example where the request is deemed manifestly unfounded or excessive. However, organisations will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
Internal Procedures
Privacy by Design and DPIA
There are several new principles for entities that handle personal data, including a requirement to build in data privacy “by design” when developing new systems and an obligation to perform a Data Privacy Impact Assessment (DPIA) when processing using “new technologies” or in risky ways. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals so that potential privacy issues can be identified before they arise, giving the organisation time to come up with a way to mitigate them before the project is underway.
Data Privacy Officer
On the security side, the GDPR will require many businesses to have a Data Privacy Officer (DPO) to help oversee their compliance efforts. Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations who process what is currently known as sensitive personal data on a large scale. While the GDPR currently preserves the DPD’s approved methods for ensuring “adequacy” when transferring personal data to third countries (including the Privacy Shield and the Model Clauses), DPOs will also be helpful in overseeing a controller’s relationships with vendors who process and store personal data, helping to review vendors’ security practices and inform vendors of data subject requests.
Contracts & Privacy Documentation
Since the GDPR is all about transparency and fairness, Controllers and Processors will need to review their Privacy Notices, Privacy Statements and any internal data policies to ensure they meet the requirements of the GDPR. If a Controller engages third-party vendors to process the personal data under its control, it will need to ensure its contracts with those Processors are updated to include the new, mandatory Processor provisions set out in Article 28 of the Regulation. Similarly, Processors should consider what changes they will need to make to their customer contracts to be GDPR-ready by May 2018.
Supervisory Authorities
One-Stop Shop
One particular item in the GDPR should serve to make the lives of these DPOs easier: the GDPR’s new “one stop shop” provision, under which organizations with offices in multiple EU countries will have a “lead supervisory authority” to act as a central point of enforcement so they don’t struggle with inconsistent directions from multiple supervisory authorities.
The GDPR contains a new requirement that controllers must notify their country’s supervisory authority of a personal data breach within 72 hours of learning of it, unless the data was anonymised or encrypted. In practice, this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or a breach of confidentiality – must also be reported to the individuals concerned.
Scope, Accountability and Penalties
Scope
While the current legislation, the 1995 EU Data Protection Directive, governs entities within the EU, the territorial scope of the GDPR is far wider, in that it will also apply to non-EU businesses who market their products to people in the EU or who monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
Accountability
Accountability is a new concept that will require Controllers and Processors to be able to demonstrate their compliance with the GDPR to their local supervisory authority. Processes should be recorded, implemented and reviewed on a regular basis. Staff should be trained, and appropriate technical and organisational measures should be taken to ensure and demonstrate compliance.
Penalties
The importance of the GDPR’s new provisions is underscored by the new penalties it imposes for violations. Depending on the type of violation in question, controllers and processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater).
Rohit Shetty, born and brought up in Mumbai, is a Digital Marketer by profession and a writer and philanthropist by passion.
Rohit started his career with First Step Publishing in Mumbai in 2011 as a Digital Marketer and excelled in the field of Publishing. With First Step Publishing, Rohit eliminated the cumbersome process of waiting for a writer to get published. With First Step Publishing, Rohit Shetty has been known for marching forward with some great titles and allowing first-time authors to find a platform and publish their content in a market space that focuses on branding a certain ‘author’ rather than scouring talent.
In an interview with DNA, First Step Publishing has been reported to be one of the fast-growing publishing firms based in Mumbai. The firm has the tagline ‘Paying Ways For New Writers’ which is meant to reflect the motive with which it was founded.
Rohit Shetty holds two National Records for the Book With the Shortest Title, ” i ”, with the Limca Book of Records Special Literature Edition and with the India Book of Records. He holds the title of Most Published Poet of India in 2012 and 2013 with the India Book of Records and Unique World Records.
Apart from writing, Rohit is also an active philanthropist and works in the Education and Health sectors.
Awards and Recognitions
Nominated four times for India’s Fourth Highest Civilian Award Padma Shri in 2017, 2018, 2019 and 2020
2012: Rohit has been recognized for his work and felicitated at the Grand Finale of Mulund Fest in 2012 by MLC Mr Charan Singh Sapra and MPCC President Mr Manikrao Thackrey
2012 and 2013: Most Published Poet by India Book of Records
2015: Book with the Shortest Title from Limca Book of Records, India Book of Records
2018: Member of the NITI Aayog Atal Movement of Change and Mentor of Change
2019: Nominated by Social Samosa as 40 Under 40 Digital Marketers in India
2019: Rohit’s Digital Marketing Blog www.rohitnshetty.com ranked 13th among India’s Best Digital Marketing Blogs by Expertido
2019: Rohit’s Digital Marketing Blog www.rohitnshetty.com was also ranked in the Top 50 of India’s Best Digital Marketing Blogs by Feedspot
2019: Received the prestigious Dr APJ Abdul Kalam Memorial Award for work towards building the nation
2020: Global Brand Icon Award by Brand Opus
2021: Rashtriya Prerna Award