GDPR COMPLIANCE (General Data Protection Regulations)

ABSTRACT

GDPR took effect on May 25, 2018. It’s the strictest global privacy law. It was designed by the European Union to control the method by which organisations collect, administer, and preserve the personal data of EU citizens. The research focuses on GDPR theory. Books, the internet, and secondary sources like articles and research papers provided much of the material.

Personal data subjects may obtain copies of their data. Build a consent management system and Article 30’s processing registry. The ePrivacy Directive requires companies to declare whether and how they use cookies. Organizations must get users’ authorization in a method that demonstrates active, unambiguous consent. The Draft ePrivacy Regulation would increase penalties and regulations.

The GDPR requires a governmental authority or an entity with large-scale monitoring operations to designate a data protection officer (DPO). DPOs assist companies to monitor internal compliance, advising on data protection regulations, and communicating with data subjects and authorities.

The basic concepts of GDPR compliances are discussed in this research paper like GDPR data subject rights, steps of GDPR compliance list. Thus, this research will be fair and on to the point.

KEYWORDS
Data Protection, Data Controllers, GDPR, subjects

INTRODUCTION

An organisation that is considered GDPR compliant has demonstrated that it satisfies the requirements outlined in the General Data Protection Regulation (GDPR) for the correct and ethical management of individuals’ personal data.

The General Data Protection Regulation (GDPR) defines certain obligations that organisations are required to follow, which place restrictions on how personal data can be used. In addition to this, it outlines eight data subject rights that guarantee particular entitlements for an individual’s personal data. Ultimately providing people with more control over their personal information and the uses to which it is put.

The General Data Protection Regulation (GDPR) is now the most stringent worldwide privacy regulation in existence. Developed by the European Union (EU) in order to govern the manner in which organisations acquire, manage, and safeguard the personal data of inhabitants of the EU. The General Data Protection Rule (GDPR) went into effect on May 25, 2018, and it is a binding regulation that is inscribed directly into the laws of Member States. Its purpose is to bolster individuals’ rights to privacy by providing them with more control over the collection, use, and disclosure of their personal information.

The General Data Protection Regulation was created with three primary purposes in mind

Recognize the basic privacy rights of persons and ensure that they are protected.

Replace the separate privacy rules in each of the 28 EU member states as well as the Data Protection Directive from 1995 with a unified set of privacy regulations for the whole EU.

Revise existing privacy rules so that they reflect the impact that the shifting technological environment has had over the last quarter of a century on individuals’ personal information.

GDPR TERMINOLOGY
Any EU resident whose data is collected, retained, or processed by a controller

or processor is a data subject.
Data Controllers determine the purpose and legal justification for processing

personal data.
The Data Processor processes personal data for the Data Controller.

Processing includes the collection, recording, organisation, structuring, storage, adaptation or modification, retrieval, etc. of personal data or sets of personal data.

Personal data includes a person’s name, email address, pictures, and bank records, which may be used to identify them in their private, professional, or public life.

Getting the data subject’s permission means getting a “freely provided, explicit, informed, and unequivocal signal” that they accept to personal data processing. Data subjects might consent by speech or behaviour.

OBJECTIVES
To analyse GDPR data subject rights

To study about 11 steps GDPR compliance list 4

RESEARCH METHODOLOGY

The majority of the information came from books, the internet, and secondary sources such as articles and research papers. The focus of the study is on the theoretical aspects of GDPR compliances.

RESEARCH ANALYSIS AND FINDINGS

To analyse GDPR data subject rights

•  Right to information (GDPR Articles 12 to 14): Subjects of personal data have the right to be informed about the collection and use of their data.
•  The right of access (GDPR Article 15): Subjects have the right to access and request copies of their personal information.
•  Right to correction (GDPR Article 16): Individuals have the right to request that erroneous or out-of-date personal information be rectified or updated.
•  Right to erasure / Right to be forgotten (GDPR Article 17): Data subjects have the right to seek the deletion of their personal data. Note that this right is not absolute and may be subject to exceptions under specific laws.
•  Suitable for data transfer (GDPR Article 20): Data subjects have the right to request that their data be disclosed to them or transferred to another controller. The information must be given in a machine-readable manner.
•  The right to limit Processing (Article 18): Data subjects have the right to request that their personal data be restricted or deleted.
•  Right to revoke consent (GDPR Article 7): Data subjects have the right to revoke permission previously granted for the processing of their personal data.
•  Freedom to object (GDPR Article 21): Subjects of personal data have the right to object to the processing of their data.
•  Right to object to automation (GDPR Article 22): Subjects of personal data have the right to object to choices made primarily based on automated decision-making or profiling.

To study about 11-step GDPR compliance list 1. Make a plan 7 GDPR Principles

The GDPR outlines seven principles for personal data handling.

Lawfulness, fairness, and openness — Each processing action must be legal. Data processing isn’t unexpected, and the subject is informed.

Purpose restriction – Specify your processing and recording objectives in the privacy notice to persons. Limit processing to these goals.

Process personal data only as needed.

Accuracy – Ensure the personal data you processed is correct. Fix or delete erroneous personal data ASAP.

Limit data storage to what you require.

Integrity and security Have suitable security measures in place to safeguard personal data from unauthorised or illegal processing, loss, deletion, or damage.

Accountability – Take responsibility for what you do with personal data and keep adequate measures and records to show compliance.

The GDPR demands technological and organisational measures to apply data protection principles and protect data subjects’ rights. This is ‘data protection by design and by default’ This includes integrating data security into processing activities and business processes from design through the data processing lifecycle.

Articles:
Principles of Personal Data Processing Controller’s responsibility

2. Generate Article 30’s processing register

GDPR compels enterprises to preserve and update processing records. Data mapping is the process of creating an up-to-date central inventory of an organization’s data flows.

The GDPR doesn’t specify data mapping, but controllers and processors (B2B and B2C) must keep an inventory of processing operations. GDPR Article 30 is quite detailed, therefore even if an organisation has done data mapping before, it must be revised or rebuilt to comply.

Articles:
Processing lawfulness
Processing Activity Records (Primary) Processing Security

3. Implement DPIA and Privacy by Design

The GDPR requires controllers to complete a Data Protection Impact Assessment (DPIA) if processing activities are likely to result in a high risk to persons. Many specifics inside the GDPR make this more difficult than a normal questionnaire; for example, requiring a Data Protection Officer (DPO) engagement in certain processes, recording mitigation measures, documenting risk in terms of damage to the person, data subject consultations, etc.

In reality, companies use a lightweight risk questionnaire to evaluate whether a complete DPIA is required. GDPR process, documentation, user experience, and integration expectations necessitate purpose-built solutions.

Properly implemented, the DPIA may fulfill the Data Protection by Design and Default criteria.

Articles:
Data protection by default and design
Article 35: Data Protection Impact Assessments Article 36: Prior Consultation

4. Build a Consent Management Framework

The GDPR establishes a higher threshold for enterprises processing data based on permission. For example, permission has to be: precise, clear and in simple English, not buried in legal documents, not bundled with many notices, easy to withdraw, etc. Organizations must show granular consent.

Articles: Conditional Consent

5. Meet EU privacy cookie requirements

Under the ePrivacy Directive, enterprises must disclose if they use cookies and what they do. User’s permission must be gained in a way that enables the organisation to show that the consent was actively and unambiguously provided. The users also need to be informed about the varied purposes of the cookies used on the website, as well as the identification of businesses that deploy the cookies and utilise the data obtained via them. Cookies that are important to provide an online service at the user’s request are exempt, such as remembering what’s in their online basket or ensuring online banking security. If alternative technologies are used to store or access data on someone’s device, the same restrictions apply (for example SDKs for mobile apps).

Whether cookies handle anonymous or personal data, ePrivacy Directive rules apply. Even with anonymous cookies, user permission must fulfil GDPR rules. If the cookie data is not anonymous, the organisation must follow extra GDPR standards for personal data protection, such as completing a DPIA and logging such processing activities in their records of processing.

The GDPR has affected the formulation of ePrivacy Regulation that will replace the present ePrivacy Directive and align even closely with the GDPR. The Draft ePrivacy Regulation will enhance fines and concentrate regulation.

Articles: Conditional Consent Article 21

ePrivacy Directive/Regulation Objections

6. Build a Data Subject Rights (DSAR) Request Portal

The GDPR grants data subjects certain rights, such as: data portability, access, erasure or “right to be forgotten”, correction, and more. There are also recordkeeping requirements for response time, requesting an extension, validating identification, and securely transferring the answer, among others. Managing, monitoring, and reporting on DSAR requests requires an automated system to process and triage requests.

Articles: Conditional Consent

Article 12: Transparent Information, Communication, and Rights Exercise Modalities

Article 13: Data Subject Information

Article 14: Personal Data Not Obtained from Data Subject Information

Article 15: Subject Access

Article 16: Redress

Right to Erasure

Right to processing restriction

Article 19: Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing

20: Data portability Article 21: Objection

7. Review and fix processor risks

GDPR renders the controller liable for processor activities or breaches. To have a defensible position in the case of a processor breach, data transfers and contractual obligations must be analysed with the same care as internal processing operations. It also helps companies identify what data was compromised.

Articles:
Processor
Controller’s responsibility
Process Controller or processor-authorized

(1) Transfers Subject to Appropriate Safeguards

8. Prepare an incident reporting and breach management workflow

The GDPR requires rigorous 72-hour disclosure to the supervisory authority and extra notification to data subjects where a data breach poses a substantial danger to their rights and freedoms. It’s vital for firms to have a systematic approach in place to achieve these standards.

Articles:
Notifying the supervisory authority of a data breach Article 34: Personal Data Breach Notification

Step 9: Review Cross Border Data Transfer Mechanisms

The GDPR protects personal data transmitted beyond the EEA. Organizations must assess and implement cross-border data transmission protocols.

When transferring personal data to a foreign nation, check for a “adequacy decision.” An adequacy determination implies the EU has determined a third country or international organisation provides appropriate data protection. However, the Commission may reverse this judgement (e.g., EU-US Privacy Shield). The EU granted the UK two adequacy judgments after Brexit.

The GDPR enables a transfer without an adequacy determination if the controller or processor provides ‘appropriate protections.’ The most frequent protection is Standard Contractual Clauses (SCCs), which put responsibilities on the data exporter and importer and provide data subjects rights.

Data transmission is possible without an adequacy determination or protections. In this circumstance, organisations may rely on a derogation, such as specific

agreement from the data subject or the transfer being required by contract. This is not encouraged since it increases the danger of a data breach.

GDPR articles

Article 44: Transfer Principle Article 45: Transfers Based on Adequacy Decision

Article 46: Safeguarded Transfers Article 47: Company Rules Article 49: Special Cases

10. GDPR Training

The GDPR mandates a data protection officer to supervise an organization’s compliance, which includes educating workers. Staff should get basic and refresher training. A system should be in place to retain training records for compliance.

GDPR articles
Data Protection Officer duties Article 47: Company Rules

APPOINT A DPO (DPO)

The GDPR requires an organisation to appoint a data protection officer (DPO) if it is a public authority or body, or if its core activities require large-scale, regular, and systematic monitoring of individuals (for example, online behaviour tracking); or if the core activities consist of large-scale processing of special categories of data or criminal convictions and offences.

DPO ensures GDPR compliance. They help the company monitor internal compliance, educate and advise on data protection requirements, give guidance on DPIAs, and function as a communication point for data subjects and data protection authorities.

GDPR ARTICLES
Data Protection Officer (Article 37) Data Protection Officer
Data Protection Officer duties

CONCLUSION

The General Data Protection Regulation (GDPR) must be adhered to in order to avoid legal ramifications. Currently, the Information Technology Act of 2002 provides poor data protection in India. The Indian government intends to adopt a more stringent regulatory framework for data protection and privacy. Companies with business interests in the EU should take measures to ensure data protection is not only GDPR-compliant, but also to prepare for a more stringent data protection regulatory framework that is internationally compliant, as well as the legal framework that will likely be established in India based on existing international data protection policies