GDPR (General Data Protection Regulation) was adopted on 14th April, 2016 and, after a two-year transition period, became enforceable on 25th May, 2018. It protects and empowers all EU citizens' data privacy and reshapes the way organizations across the region approach data privacy. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. To give more clarity on GDPR and its consequences, below are the FAQs on it; we hope they help you out.
What is GDPR?
GDPR is a set of rules and regulations that give citizens of the European Union (EU) more control over their personal data. The objective of this new regulation is to strengthen as well as simplify the regulatory environment for businesses and individuals in a way that allows them to harness the power of the digital economy.
The GDPR is also designed to bring greater transparency to how organizations handle their users' data. It aims to do so by holding them accountable for managing user data and imposing greater penalties on failure. These penalties can run into hefty fines for organizations that violate these regulations or fail to comply.
Who does GDPR apply to?
While GDPR is a regulation passed and implemented by the EU parliament, it applies to organizations across the globe. How? In a globalized and interconnected economy, companies' operations aren't bound by geography, which is why every organization that controls or processes personal data relating to EU residents will have to comply with the GDPR.
Going by that rule, organizations don’t have to have a physical presence inside the European Union to be bound by GDPR.
What do organizations need to do differently to comply with GDPR?
The GDPR requires companies to change the way they process, store, and protect customers' personal data. Companies are required to obtain a natural person's explicit consent to store and process their personal data. Personal data must also be portable from one company to another, and companies must erase personal data upon request.
Companies must make efforts to provide a "reasonable" level of data protection and privacy to EU citizens.
What is the potential impact of non-compliance?
Fines for non-compliance can potentially run into millions of euros. The maximum fine for the most serious violation by an organization is as high as €20 million or 4% of a company's total global annual turnover of the preceding financial year, whichever is higher. However, fines follow a tiered approach and vary with the reported violations.
What does it mean for Indian users of Internet-based services or products?
Indian users can continue to use online products and services as before. The ambit of EU law is limited to the Union and does not cover the citizens of other regions. Indian businesses dealing in the EU, UK and Switzerland, however, will have to take the appropriate measures when dealing with natural persons residing in those regions, ensure that their privacy is not infringed, and amend their privacy policies accordingly. Failure to do so will attract severe penalties and fines.