The General Data Protection Regulation (GDPR) is here, and it has revolutionized organizations’ outlook on data privacy. Here’s what we have done.
GDPR: The General Data Protection Regulation (GDPR) is the new data privacy regulation that replaces the Data Protection Directive. The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organisations across the region approach data privacy.
How did GDPR evolve?
2012: GDPR proposed by European Commission in place of EU Directive
2015: Approved by European Council & Parliament
2016-17: Adoption of Regulation & Implementation Phase
25 May 2018: Enforcement of the Regulation
How is GDPR applicable?
The GDPR applies to every organisation that processes the personal data of people in Europe, whether the organisation is located inside or outside Europe. If you are still wondering whether the GDPR applies to you, here are some points to consider:
- Do you process personal data?
- Is your organisation located in the European Union?
- Is your organisation located outside the EU and does it offer goods or services, either for a price or free, to individuals residing in the EU?
- Is your organisation located outside the EU and does it monitor any behavior taking place in the EU?
- Is your organisation located outside the EU but has an establishment in the EU, with some processing activity related to that EU establishment?
What are the foundational principles of GDPR?
The GDPR is based on six privacy principles:
- Lawfulness, fairness and transparency:
  - Maintain transparency and communicate to individuals how their personal data will be processed.
  - Commit to ensuring that personal data is only processed in accordance with what was communicated.
  - Ensure that the processing activity is lawful and meets the lawfulness criteria set out in the GDPR.
- Purpose Limitation: Personal data shall be collected for a “specified, explicit and legitimate purpose” and processed only in the manner communicated to the data subject, not for any additional purpose without the data subject’s further consent.
- Data Minimization: Ensure that the personal data processed is “adequate, relevant and limited” to the purposes for which it is processed.
- Data Accuracy:
  - Implement measures to ensure that personal data is kept accurate and, where necessary, kept up to date.
  - Take reasonable steps to ensure that personal data found to be inaccurate is erased or rectified without delay.
- Storage Limitation: Ensure that personal data is not retained longer than is necessary for the purposes for which it is processed.
- Integrity and Confidentiality: Implement adequate safeguards to protect the personal data from any unlawful processing, loss, destruction or damage.
What are the changes brought about by the GDPR?
- Wider Scope: The GDPR is not just applicable to EU organisations, but to any business that manages or processes personal information of EU citizens.
- Data Processors: Both data controllers and processors are now jointly responsible for complying with the new rules. Data Processors are now subject to additional obligations.
- Data Subject Rights: The GDPR retains the existing rights of data subjects and creates new ones, such as the right to erasure, the right against profiling, and the right to data portability.
- Privacy Impact Assessment (PIA): Privacy Impact Assessments (PIAs) must be conducted for any risky or large-scale processing of personal data.
- Breach Notification: Organisations now have to report data breaches to individuals who were affected and to a supervisory authority within 72 hours.
Our Commitment: Megrisoft believes that the GDPR is not just a compliance journey but an opportunity to reinforce our commitment to respecting privacy and upholding the data protection rights of all individuals associated with us.
Data privacy and protection are among the core principles that we embed into our business processes and into the products and services we deliver. We have aligned our services and data handling processes to global standards and are committed to honoring, respecting and protecting the privacy of our employees, contractors, business partners, customers and visitors.
Strategy & Governance: We understand that our leaders have to be responsible and accountable for the handling of personal data. We have nominated a steering committee to pioneer our GDPR initiative. We have also established a Data Privacy Team, led by our Data Protection Officer, to govern and manage your personal data.
Policy Management: We recognize the need to standardize how we handle your personal data. We have updated our policies, procedures and guidelines to give everyone in our organisation a systematic and mature approach to handling your personal data.
Data Transfer: We understand that your personal data may be at risk when it is transferred between countries. Where we transfer personal data outside the EU, we either transfer it to countries that provide an adequate level of protection or ensure that appropriate safeguards, as allowed under the GDPR, are in place.
Privacy by Design: We value your privacy and your personal data, and understand that we need to consider your privacy at every stage of our processes. We have redesigned our approach to safeguard your privacy from the ground up when designing systems and processes.
Data Security: We recognize the need to secure your personal data using all possible measures. We have implemented robust security measures to ensure the confidentiality, integrity and availability of your personal data.
Data Breaches: We are committed to safeguarding your personal data and have implemented robust security measures to that end. We have invested in building state-of-the-art solutions that enable timely detection and prevention of any unusual or malicious activity.
Training & Awareness: We recognize the need to educate, and to instill a commitment to protecting your privacy in, everyone who handles your personal data, including our employees and sub-contractors. We have mandated data privacy and security training for all our employees and sub-contractors, and instructed our leaders to propagate the values that protect your privacy from the top down.