Understanding General Data Protection Regulation (GDPR)

Published On: Jul 8, 2021 | Last Updated: Oct 14, 2023 | 3.9 min read

What Is GDPR?

The General Data Protection Regulation (GDPR) is a detailed regulation on data privacy that governs the collection and processing of personal information of residents of the European Union (EU). It came into effect in May 2018.

Since the regulation is applied no matter where the websites are located, all websites that attract European Union visitors must comply with GDPR, even if they do not specifically sell goods or services to EU residents.

GDPR contains the provisions and requirements related to personal data, data processing, the data subject, the data controller, and the data processor. GDPR is the strictest privacy and security law in the world. The main goal of GDPR is to allow individuals to control their data and to simplify the regulatory environment for international companies by unifying the regulation within the European Union. Furthermore, the GDPR imposes high fines on those who violate its privacy and security standards, with penalties which can amount to ten million euros.

Applicability of GDPR

This legislation applies to any business entity or organization that processes data subjects’ personal data as part of the activities of any one of its branches established in the European Union, regardless of where the data is processed.

Impact of GDPR on business in India

Under Article 3, which deals with GDPR’s territorial scope, any entity that processes or controls the personal data of an EU citizen is required to comply with GDPR. For India, Europe is a substantial marketplace for the IT, BPO, and pharmaceutical industries. The estimated size of the IT industry in the top two EU member states is around 155–220 billion USD. Owing primarily to the size and reach of the internet, several businesses operating out of India can now target their customers internationally.

If an entity targets persons in the EU, offers them its goods or services, and accordingly collects and processes personal data of such individuals, the entity must comply with the rules and processes set out in GDPR. GDPR will have its maximum impact on the IT/ITES industry, as software development happens on the outsourcing model. Non-compliance with GDPR may also hamper the business of Indian companies.

If Indian companies fail to meet the GDPR requirements, they risk damaging their solid customer base in the European Union. The GDPR imposes a penalty structure of 20 million EUR or 4% of global turnover in cases of non-compliance.

Compliances under GDPR

GDPR lays out the responsibilities of the organization to ensure the privacy and protection of personal data, and regulators are given powers to ask for a demonstration of accountability. They can even impose fines in cases where an organization does not comply with GDPR requirements. GDPR also provides the data subject with certain rights.

Below are a few of the sets of rules that a company has to follow:

  • Lawful, fair, and transparent processing
  • Limitation of purpose, data, and storage
  • Data subject rights
  • Consent
  • Personal data breaches
  • Privacy by design
  • Data protection impact assessment
  • Data transfers
  • Data protection officer
  • Awareness and training

Penalties for non-compliance

Under the GDPR, fines are administered by the data protection regulator in each EU country. The authority determines whether an infringement has occurred and how severe the penalty should be. The ten criteria used to decide whether a fine will be assessed, and in what amount, are: gravity and nature, intention, mitigation, preventive measures, history, cooperation, data category, notification, certification, and aggravating factors.

The company must pay a certain amount of money to the public authorities for every non-compliance with performance requirements.

Therefore, fines will be assessed in two ways:

  • Lower-tier fines: the organization can be fined up to $10 million or 2% of the company’s annual revenue, whichever is greater. They include any violation of the articles governing:
    • Controllers and processors (Articles 8, 11, 25-39, 42 and 43)
    • Certification bodies (Articles 42-42)
    • Monitoring bodies (Article 41)

  • Higher-tier fines: a more severe violation can result in a penalty of up to $20 million or 4% of the company’s annual revenue, whichever is greater. These include any breach of the articles governing:
    • The basic principles for processing (Articles 5, 6, and 9)
    • The conditions for consent (Article 7)
    • The data subjects’ rights (Articles 12-22)
    • The transfer of data to an international organization or a recipient in a third country (Articles 44-49)


GDPR is one of the most comprehensive European Union laws to date, and its penalties are so severe that no company can ignore it. Therefore, it is essential to understand the requirements and their impact on your business and implement them in your business environment. GDPR brings challenges to our business, and it also creates opportunities. 

Akansha Tripathi
About the Author

Akansha is a 3rd-year B.A. L.L.B (H) student, pursuing her summer internship at LegalWiz.in with an aim to make an impactful career in the field of business compliance and corporate law. The subject of law fascinates her extensively.