GDPR stands for the General Data Protection Regulation
This regulation has been implemented in the local privacy laws of every country in the EU and EEA. It applies to all companies that sell to, or store personal information about, people in Europe, including companies based on other continents.
What is “PERSONAL DATA”?
The concept of “personal data” has been defined in GDPR to refer to any information relating to an identified or identifiable natural person (i.e. “Data Subject”). An identifiable natural person is one who can be identified in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, and therefore all such information is considered as ‘personal data’ under the GDPR.
For Indian companies handling such ‘personal data’ of EU residents, it is therefore imperative to implement the data protection requirements stipulated in the GDPR within their systems. The GDPR is compulsory for such organisations, and it requires them to put in place the governance and measures needed to manage and process personal data.
Non-compliance with the GDPR can result in fines of up to 4% of an organisation’s annual global turnover. Data subjects are also afforded the right to compensation.
Data Subject
A data subject is a living, identifiable individual to whom particular personal data relates. If you process their data, the GDPR requires you to meet certain obligations towards
Basic Rights of GDPR
Under the GDPR, individuals have:
• The right to access – individuals have the right to request access to their personal data and to ask how the company uses that data after it has been gathered. The company must provide a copy of the personal data free of charge and, if requested, in electronic format.
• The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent for a company to use their personal data, they have the right to have their data deleted.
• The right to data portability – individuals have the right to transfer their data from one service provider to another, and the transfer must take place in a commonly used, machine-readable format.
• The right to be informed – this covers any gathering of data by companies; individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.
• The right to have information corrected – this ensures that individuals can have their data updated if it is out of date, incomplete or incorrect.
• The right to restrict processing – individuals can request that their data is not used for processing. Their record can remain in place, but it must not be used.
• The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
• The right to be notified – if there has been a data breach which compromises an individual’s personal data, the individual has the right to be informed within 72 hours of the company first having become aware of the breach.
Why choose SecuRiteU?
• Conduct a risk assessment of the personally identifiable information held within your organisation and identify all the risks that could cause a breach.
• Review the organisation’s data policies.
• Recommend the necessary policies and procedures.
• Recommend the most appropriate measures (controls) to mitigate the identified risks.
• Implement a data protection checklist.
• Assess the effectiveness of the implemented controls.
• Ensure the organisation is compliant with the GDPR.
• Raise GDPR awareness across the organisation.
• Implement the relevant ISMS controls.
How does ISO 27001 support GDPR?
• ISO/IEC 27001 provides an excellent starting point for meeting the technical and operational requirements necessary to prevent a data breach under the General Data Protection Regulation (GDPR).
• In fact, a company that implements ISO 27001 has already completed at least half the job of achieving GDPR compliance by minimising the risk of a breach.
• An effective information security management system (ISMS) that conforms to ISO 27001 will meet all of the requirements listed above.