The General Personal Data Protection Regulation (hereinafter referred to as ‘GDPR’) will come into force in the European Union (EU) with effect from May 25, 2018. It is touted as the biggest change to personal data protection law in a generation. The implications of the GDPR extend beyond the borders of the EU member states: it will apply to every company that has a role in collecting, storing or processing the personal data of EU residents. It is therefore important for Indian companies as well to draw up a plan for GDPR compliance.
1. Understand the law
The very first step a company should take is to educate the staff concerned and the key people about the GDPR: its requirements, its impact on Indian companies and the changes it will bring.
2. Be aware
After implementation of the GDPR, the accountability of a company will increase massively. Therefore, the most important step a company should take is personal data mapping. The company should:
- Be aware of the personal data it holds
- Be aware of how this personal data flows in and out
- Be aware of where the personal data is stored and how it is processed
- Be aware of who has access to the personal data
3. Identify the information
The company should document the personal data it holds, where it came from and with whom it is shared. Organizing the personal data helps in auditing the information whenever required and in deleting information the company no longer needs.
The GDPR keeps a check on personal data from the planning stage until its release. It requires the organization to have personal data security management in place at every stage of each business process, from planning to release.
4. Information to clients
The GDPR makes it mandatory for every company to inform its clients about the personal information it will hold and the purpose for which that information will be used.
It is important for the company to review how consent is obtained from its clients and where and how that consent is recorded. The company should ensure that consent is obtained from every client for the specific purpose for which their personal data is used or will be used. In addition, the process of withdrawing consent should be easy. The GDPR places a greater emphasis on consent that is specific, granular and auditable.
The requirements under the GDPR differ for adults and children. It is therefore important for the company to document its client list, because in the case of children it must obtain consent from whoever holds ‘parental responsibility’ for the child.
7. Personal data breaches
The GDPR mandates that a personal data breach which puts the client's rights at risk must be reported to the client within 72 hours of the company becoming aware of it.
Companies should review their strategy for handling personal data breaches. If it is inadequate, they must put in place a new strategy that complies with the GDPR.
8. Personal Data Protection Officers
The company should designate someone to take responsibility for personal data protection compliance and assess where this role will sit within the company’s structure and governance arrangements. The question that needs consideration is whether the company is formally required to designate a Personal Data Protection Officer.