Getting Ready for General Personal Data Protection Regulation (GDPR) -Corporate Newsletter

---

Getting Ready for General Personal Data Protection Regulation (GDPR)

The General Personal Data Protection Regulation (hereinafter referred to as ‘GDPR’) will be implemented in the European Union (EU) with effect from May 25, 2018. It is touted as the biggest change to personal data protection law for a generation. The implications of the GDPR would cross the borders of the EU member states and would be applicable on every company having a role in collecting, storing and processing the personal data of EU residents. Thus, it is important for Indian Companies as well to sketch a plan dealing with GDPR compliance.

• Understand the lawThe very first step that the company should take is to educate the concerned staff and the key people about the GDPR, its requirements, impact on Indian companies and changes it would bring.
• Be awareAfter implementation of GDPR, the accountability of a company would increa se massively. Therefore, the most important step that a company should take is of personal data mapping. The company should:
  • Be aware of the personal data it holds
  • Be aware of how this personal data flows in and out
  • Be aware of where the personal data is stored and how is it processed
  • Be aware of who has the access of the personal data
• Identify the informationThe company should document the personal data it holds, where it came from and with whom is the personal data shared. Organizing the personal data would help in auditing the information whenever required and deleting the information which is not required by the Company.The GDPR is going to keep a check from the planning stage till the releasing of personal data. It requires the organization should have a personal data security management at every stage of each business processes, from planning to release.

• Information to clients make it mandatory for every company to inform the clients about the personal information that it would hold and the purpose for which it would be used.
• ConsentIt is important for the company to relook into how the consent is taken from its client and where and how is the consent recorded. The company should ensure that the consent is taken from every client for the specific purpose for which their personal data is used or will be used. In addition, the process of withdrawing the consent should be easy. GDPR places a greater emphasis on consent that is specific, granular, and auditable.^[1]
• ClientsThe requirements under GDPR are separate for adults and children. Therefore, it is significant for the company to document its client list. As in case of children it would require obtaining the consent from anyone holding ‘parental responsibility’ of the child.
• Personal data breachesGDPR mandates that the personal data breach, which risks the rights of the client, should be reported to the client within 72 hours of becoming aware of it.The companies should review their strategy of tackling personal data breaches. If it is not efficient enough, they must put in place a new strategy compliant with the GDPR.
• Personal data Protection OfficersThe Company should designate someone to take responsibility for personal data protection compliance and assess where this role will sit within the company’s structure and governance arrangements. The question that needs consideration would be whether the company is formally required to designate a Personal Data Protection Officer.^[2]

——————————–

^[1]https://www.computerworlduk.com/personal data/how-prepare-for-general-
^[2]personaldata-protection-regulation-gdpr-3652439/
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

 

---

Reporting Data Breach Under General Data Protection Regulation (GDPR)

With the availability of digital technologies today, the amount of personal data that companies hold today is immeasurable. In the fast-moving technological world today, everything about privacy and data protection is significant. It is crucial for companies to delve into the data security measures it takes to protect the personal data it holds. With the General Data Protection Regulation around the corner, focusing on the data security by the companies has become more essential, keeping in mind the hefty sanctions for noncompliance.

The General Data Protection Regulation (GDPR) in Article 33 strictly mandates that ‘In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.’^[1]To comply with the 72-hour deadline, it is imperative to understand what is specifically mentioned regarding the same in the Article. Accordingly, the Article 33 focusses on:

1. Personal Data Breach:Personal Data Breach as defined by the GDPR is
   a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.^[2]
2. Supervisory Authority:The 72-hour deadline is for informing the relevant authorities about the breach. The question which now arises is who these supervisory authorities are, which the Article is talking about. These supervisory authorities could be local or national data protection authorities. In the U.K., for instance, the organization must notify the Information Commissioner’s Office (ICO). ^[3] The GDPR defines supervisory authority as
   ‘Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.’ ^[4]

The reporting under GDPR requires certain details to be reported to the supervisory authorities within 72 hours instead of every single detail of the breach. If the company does not have all the details available, it can provide them later. The company should at least give the following information^[5] , while reporting the authorities within 72-hours:

• describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
• describe the likely consequences of the personal data breach;
• describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

• Risk to the Rights and Freedoms of Natural Persons:Article 33 of the GDPR further spills into Article 34 of the regulation which further states that if the rights and freedoms of natural persons are threatened majorly, the controller shall communicate in clear and plain language the nature of the personal data breach to the data subject without undue delay.^[6] However, the notification to the data subjects is not required if:

• The controller has implemented appropriate technical and organisational protection measures in respect of the personal data affected by the breach (such as encryption).
• The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of individuals is no longer likely to arise.
• It would involve disproportionate effort.

However, the GDPR has not specifically answered the following questions:

• What would constitute ‘undue delay’ under Article 33?
• What are the criteria to determine ‘feasibility’ under Article 33?
• What factors would establish ‘huge risk to rights and freedom of individual’ for the purpose of Article 33 and 34?
• What would be considered as
  ‘disproportionate effort’ under Article 34?

________________________
^[1]Article 33 (1) of GDPR available at
https://gdpr-info.eu/art-33-gdpr/ 

^[2] Article 4 (12) of GDPR available at
https://gdpr-info.eu/art-33-gdpr/

^[3]https://www.trendmicro.com/vinfo/in/security/news/online-privacy/do-72-

hours-really-matter-data-breach-notifications-in-eu-gdpr

^[4]Article 51 of GDPR available at https://gdpr-info.eu/art-33-gdpr/

^[5]Article 33 (3) of GDPR available at
https://gdpr-info.eu/art-33-gdpr/

^[6] Article 34 of GDPR available at https://gdpr-info.eu/art-33-gdpr/

 

---

Obeying 72-Hour Mandatory Notification Window under General Data Protection Regulation (GDPR): A Checklist

Article 33 of the General Data Protection Regulation (hereinafter referred to as the ‘GDPR’)^[1] mandates that companies should report the personal data breach to the supervisory authority within 72 hours after becoming aware of it. Non-compliance of this 72-hour mandatory notification window would result in heavy penalty mentioned in the Regulation itself. This requirement will prove to be challenging if proper planning and appropriate procedures are not in place. Careful planning would ensure and increase the chances of compliance with the GDPR.

Therefore, a detailed plan is important to beat the 72-hour mandatory notification window. Below are some steps that may be there to ensure compliance with Article 33 of GDPR:

• Train and educate the employees regarding the meaning of personal data breach, Article 33 of GDPR and other important articles mentioned in the regulation. This is important to make sure that the employees can identify when it actually happens and react timely.
• Prudently examine the policy with regards to personal data breach and check if it requires reworking. Two important questions that the policy should answer are:
  • Time taken and steps that would be taken about the personal data breach
  • Mode of notification to the concerned parties

For this process to work effectively, it’s vital to have communications, legal and management teams looped in and briefed in advance, so that they are ready to work together. Such preparations should include drafting a letter template and clarifying the process for sharing these communications to the concerned authorities and individuals, so that everyone is clear on their responsibilities in the event of a breach.^[2]

This is the most important preparatory step as timely reaction and reporting can be done only if proper procedures are recorded timely and are in place when required.

• Sort the personal data that the company holds. The sorting can be done in the decreasing order of the critical nature of the personal data, i.e. from the most critical to the least critical.
• Identify the steps from the company’s personal data breach policy that is essential to be taken in the 72-hour mandatory notification window. These steps could be:
  • Identifying the personal data breach
  • Investigating at the company level so that the initial risk assessment can be done.
  • Notifying the supervisory authorities
• Setting up and maintaining security alerts so that the personal data breach can be identified as soon as it happens. Alerts can be grouped by assets, such as people, and those involving customer data could be labelled as relevant to GDPR. This will help the company to spot more quickly when a breach has occurred and save the valuable time when it is needed. ^[3]
• Time the steps from the company’s personal data breach policy that are essential to be taken in the 72-hour mandatory notification window. This planning would help apt compliance in stressful situation.

___________________
^[1]Available at https://gdpr-info.eu/art-33-gdpr/ 

^[2]https://www.computing.co.uk/ctg/opinion/3019682/gdpr-what-will-happen-in-

the-first-72-hours-after-a-data-breach

^[3]https://www.computing.co.uk/ctg/opinion/3019682/gdpr-what-will-happen-in-

the-first-72-hours-after-a-data-breach

 

---

Individual Rights under GDPR

The General Data Protection Rights (hereinafter referred to as “GDPR”) seek protection of data and privacy for individuals residing within the territorial extent of the European Union. The said rights aim to safeguard the fundamental rights and freedoms of natural persons, in particular their personal data.

Rights of the Individuals under GDPR

The rights of the individuals as provided under GDPR include the following:

• The right to be informed.The information in relation to the processing of personal data relating to an individual should be given to him/ her at the time of collection of such data within a reasonable period. The individual has the right to be made aware about the consequences of providing such data.
• The right of access.The individual should have a right to access to his/ her personal information, which he/ she might have communicated, in order to enable him/ her to verify the processing of such data. However, the exercise of such right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular, the copyright protecting the software
• The right to rectification.With a view to strengthen the control over personal data, the individual should be allowed to receive his/ her personal data for the purpose of rectification of inaccurate/ incomplete details.
• The right to erasure.The individual should also have the right to get his/ her personal data erased and no longer processed where such data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or where he/she has withdrawn his/her consent in regard to the processing of the same.

• The right to restrict processing.The individual shall have a right to restrict processing of his/her personal information where
  • the accuracy of such data is contested,
  • processing is unlawful and opposed by the individual,
  • the data is no longer required or
  • the individual has objected.
• The right to data portability.Where the processing of personal data, provided by an individual with his/her consent, is carried out by automated means, the individual should be allowed to receive such data. It should not apply where processing is necessary to be carried on under legal obligations.
• The right to object.The individual shall have the right to object the processing of his/ her personal data, on grounds relating to his/ her particular situation upon which no further processing of such data shall take place unless there are compelling legitimate grounds necessitating such processing in furtherance of public interest or exercise of official duty.
• Rights in relation to automated decision making and profiling.The individual shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him/her. The said right is not applicable if the decision is required for entering into a contract or required under law or if the individual has consented for the same.

CONCLUSION

Being adopted with a view to enhance the importance of the personal data of the individuals in the European Union, the GDPR focusses on conferring rights on such individuals to regulate the dissemination of the information being so shared thereby expanding the scope of privacy law. Focused with the objective of effective enforcement, the GDPR imposes penalty for non-compliance of its provisions.

 

---

The concept of ‘Consent’ under the GDPR

Introduction:

As per Article 6 of the General Data Protection Regulation (hereinafter referred as ‘GDPR’), the processing of a European resident’s personal data shall be lawful only if and to the extent that at least one of the conditions mentioned therein is satisfied. One such condition is regarding the data subject providing consent for the processing of his/her personal data. This article deals with examining the consent mechanism under the GDPR.
^[1]

Nature of consent:

Article 4 of the GDPR defines
‘consent’ of the data subject as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.^[2]

Breaking down the definition we understand that it should be specified regarding why and for what purpose the consent is being obtained from the data subject, and free and explicit consent would be required to be obtained in that regard without any undue pressure or coercion to any extent. It should also be noted that under the GDPR, the consent of the data subject has to be informed and unambiguous in nature. This implies that there has to be immense clarity in the minds of the data subjects regarding the nature and purpose of obtaining such consent before the person i.e. the data subject, provides his/ her consent, by a statement or by a clear affirmative action, for his/ her personal data to be processed by the person/ entity obtaining the consent.

It should be noted that the consent cannot be said to be freely given if the conditions of a contract are conditional on consenting to the processing of personal data that is not necessary for the performance of that contract.^[3]

Evidence of consent:

The person/ entity obtaining the consent for processing of the data needs to keep clear evidence/ records so as to demonstrate that the consent has been duly obtained in a manner which is clearly distinguishable from the other matters to prove that the data subject had freely consented for his/ her data to be processed. Such records/ evidence is necessary to ensure that the consent can be verified. ^[4]

Withdrawal of consent:

The GDPR provides a right to the data subject to withdraw her consent at any time. Further, the data subjects must be informed of their right to withdraw consent at any time prior to giving the consent for processing the personal data. The GDPR prescribes to ensure that the withdrawal of consent should be as simple and uncomplicated as the giving of the consent. However, it should be noted that the withdrawal of consent shall not affect the lawfulness of processing based on consent before it has been withdrawn.^[5]

_______________________________

^[1]Article 6 of the General Data Protection Regulation. Available at: https://gdpr-info.eu/.

^[2]Article 4 of the GDPR.

^[3]Article 7(4) of the GDPR. Article 7(1) and 7(2) of the GDPR.

^[4]Article 7(3) of the GDPR.