GDPR (General Data Protection Regulation)

“Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.” – Marlon Brando, Actor

Introduction

As Haridwar has traditionally been a site for death rites and Shraddha amongst Hindus, it also became customary for the family pandits to record each visit of a family, along with their gotra, family tree, marriages, members present and so on, grouped according to family and home town. Over the centuries, these registers became an important genealogical source for many families, including splintered families tracing their family tree and history. In many cases these records trace family history for over twenty prior generations, stretching across many centuries.

Objective

Fundamentally, almost every aspect of our lives revolves around data. From social media companies to banks, retailers, and governments – almost every service we use involves the collection and analysis of our data. Your name, address, and credit card number are collected, analysed and stored by the organisation.

In January 2012, the European Commission set out plans for data protection reform across the European Union to make Europe ‘fit for the digital age.’

At its core, GDPR is a new set of rules designed to give EU citizens more control over their data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.

As per a study conducted by Deloitte in 2018, 92% of companies believe they can comply with GDPR in their business practices in the long run. Companies operating outside of the EU have invested heavily to align their business practices with GDPR.
Definitions:

Personal Data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to identify someone from it.

Data Processing — Any action performed on data, whether automated or manual. Examples include collecting, recording, organizing, structuring, storing, using and erasing data.

Data Subject — The person whose data is processed. These are your customers or site visitors.

Data Controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.

Data Processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations.
Detailed Information:

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. The regulation was put into effect on May 25, 2018. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).

The GDPR (2016) has eleven chapters containing 99 articles, concerning general provisions, principles, rights of the data subject, duties of data controllers and processors, transfers of personal data to third countries, supervisory authorities, cooperation among member states, remedies, liability and penalties for breach of rights, and miscellaneous final provisions.

Who does GDPR apply to?

GDPR applies to:

  • any organization operating within the EU
  • any organization outside of the EU which offers goods or services to customers or businesses in the EU

In practice, this means that almost every major corporation in the world needs a GDPR compliance strategy.

Data Collection:

Basic Data:
  • Name
  • Age
  • Date of Birth
  • Location

Special Category of Data (Sensitive):
  • Race
  • Ethnic origin
  • Religion
  • Genetics
  • Sex Life
  • Sexual Orientation
  • Health
  • Politics

What is the difference between a Processor and a Controller?

Processor:
  • Collects data
  • Stores data
  • Uses data
  • Records data
  • Acts on behalf of the Controller (for example, a local authority)

Controller:
  • Chooses what data to collect, its purpose and how to process it

Seven Data Protection Principles:

If you process data, the following are the seven protection and accountability principles outlined in Article 5.1-2:

1. Lawfulness, fairness and transparency: Processing must be lawful, fair, and transparent to the data subject.
2. Purpose limitation: Process data only for the legitimate purposes specified explicitly to the data subject when you collected it.
3. Data minimization: Collect and process only as much data as is necessary for the purposes specified.
4. Accuracy: Keep personal data accurate and up to date.
5. Storage limitation: Only store personally identifying data for as long as necessary for the specified purpose.
6. Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g., by using encryption).
7. Accountability: The data controller is responsible for demonstrating GDPR compliance with all of these principles.

Eight People’s Privacy Rights:

As an organization, if you are a data controller and/or a data processor, it’s important to understand the 8 Rights to ensure you are GDPR compliant.

1. The right to be informed: Tell them why you are processing their data.
2. The right of access: Give them access to their data for free.
3. The right to rectification: You must correct errors in their data.
4. The right to erasure (right to be forgotten): You must delete their data (though not in all cases!).
5. The right to restrict processing: Limit what you do with their data.
6. The right to data portability: Make their data available to them.
7. The right to object: Stop collecting their data.
8. Rights in relation to automated decision-making and profiling: They can opt out of automated use of their data, such as by artificial intelligence.
Data Security:

You’re required to handle data securely by implementing “appropriate technical and organizational measures.”

  • Technical Measures
    • mean anything from requiring your employees to use two-factor authentication (as banks do, with a password plus a one-time password, OTP) on accounts where personal data are stored, to contracting with cloud providers that use end-to-end encryption (as WhatsApp does).
  • Organizational Measures
    • staff training
    • adding a data privacy policy to your employee handbook
    • limiting access to personal data to only those employees in your organization who need it.

Data Protection by Design and by Default

  • Everything you do in your organization must, “by design and by default,” consider data protection principles (Article 25).
  • For example, you’re launching a new app for your company. You have to think about what personal data the app could collect from users, then consider ways to minimize the amount of data and how you will secure it with the latest technology.
  • Once you’ve determined the lawful basis for your data processing, you need to document this basis and notify the data subject (personnel). And if you decide later to change your justification, you need to have a good reason, document this reason, and notify the data subject (personnel).
  • Data Protection Officers: Contrary to popular belief, not every data controller or processor needs to appoint a Data Protection Officer (DPO).

Six Lawful Ways to Process Data:

Article 6 lists the instances in which it’s legal to process personal data.

1. The data subject (personnel) gave you specific, unambiguous consent to process the data. Example: they have opted in to your marketing email list.
2. Processing is necessary to execute, or to prepare to enter into, a contract to which the data subject is a party. Example: you need to do a background check before leasing property to a prospective tenant.
3. You need to process it to comply with a legal obligation of yours. Example: you receive an order from a court in your jurisdiction, or must comply with rules on minimum working age or working hours.
4. You need to process the data to save somebody’s life. Example: you will probably know when this one applies.
5. Processing is necessary to perform a task in the public interest or to carry out some official function. Example: you are a private garbage collection company.
6. You have a legitimate interest in processing someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it is a child’s data.

High Penalties:

  • Fines for violating the GDPR are very high.
  • There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher).
  • Data subjects (personnel) also have the right to seek compensation for damages.

Biggest GDPR Fines so far:

1. Amazon — €746 million ($877 million)

2. WhatsApp — €225 million ($255 million)

3. Google Ireland — €90 million ($102 million)

4. Facebook — €60 million ($68 million)

5. Google LLC — €60 million ($68 million)

This is the 154th article of this Quality Management series. Every weekend, you will find useful information that will make your Management System journey productive. Please share it with your colleagues too.

In the words of Albert Einstein, “The important thing is never to stop questioning.” I invite you to ask anything about the above subject. Questions and answers are the lifeblood of learning, and we are all learning. I will answer all questions to the best of my ability and promise to keep personal information confidential.

Your genuine feedback and response are extremely valuable. Please suggest topics for the coming weeks.