
General Data Protection Regulation GDPR

What does GDPR want?

• Protection of personal data and privacy of EU citizens
• Restriction on export of personal data outside the EU

When?
• The regulation was adopted on 27th April, 2016
• Companies must be able to show compliance by 25th May, 2018

What does GDPR protect?

• Personally Identifiable Information (PII) is any data that can be used to identify a specific individual, such as:
  • Basic identity information – name, address, ID numbers and email addresses.
  • Web data – location, IP address, cookie data, RFID tags, login IDs, social media posts or digital images, geolocation, biometric and behavioral data.
  • Health and Genetic Data
  • Racial or Ethnic Data
  • Political Opinions
  • Sexual Orientation

The Rights of a Data Subject

Any resident of the EU can demand the following:
• Right to Access – Find out what information about him/her you hold, where it came from, when it was used and who used it.
• Right to be Forgotten – Ask for all records and all traces of him/her to be removed. This applies when:
  • The personal data is no longer necessary in relation to the purpose for which it was collected.
  • The individual specifically withdraws consent to processing.
  • Personal data has been unlawfully processed.
  • The data must be erased in order for a controller to comply with a legal obligation (for example, the deletion of certain data after a set period of time).

Who will be responsible for Compliance?

• Data Controller – The user/consumer of the personal data – a company that wants to act on it.
• Data Processor – The company or outsourced partner who seeks and works on the data as a service provider to the Data Controller.
• Data Protection Officer – An appointed officer responsible for responding to all queries and ensuring compliance. Could be an internal officer or an external officer.

Which Company does this apply to?

Any company that stores or processes personal information about EU citizens within EU states that has:
• A presence in an EU country
• No presence in the EU, but it processes personal data of EU residents
• More than 250 employees
• Fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects

Compiled By Rammanohar Das
What if you are not GDPR Compliant?

• Steep penalties of up to €20 million or 4% of global turnover, whichever is higher, for non-compliance.

Steps for GDPR Compliance
