General Data Protection Guidelines


Securing the consumer with General Data Protection Regulation (GDPR):

The world today has graduated from the Age of Information Technology to the Age of Raw Data. Comprehending the power of this raw data and transforming it into essential knowledge is now the foundational principle for many corporate entities across the globe.

To misquote Uncle Ben from Spider-Man, with great data comes great responsibility and accountability. Considering the mammoth leaps in technology in recent years, the members of the European Union (EU) have constructed a new data framework, which not only assures users about the security and privacy of their data, but also holds businesses that capture and/or store consumer data of EU-residents accountable for privacy and security of such data.

After four years of extensive discussions, debates, and dialogues, the member states of the EU adopted the New Data Protection Framework on April 8, 2016.

The regulation takes the form of the General Data Protection Regulation (or GDPR, as it will be addressed from here). Replacing the current directive on data protection, GDPR will usher in a new age of data security and privacy for the citizens of the EU.

Applicable to all Member States without the need for separate national legislation, the regulation comes into force on May 25, 2018.

Uncertainty about the GDPR has been causing companies to delay their efforts to comply.

Understanding the GDPR framework:

The world’s largest population after India and China, the EU has 508 million inhabitants (including those of the United Kingdom). The recent advances in web and mobile user services resulted in a significant amount of data being exported from the EU, frustrating agencies and citizens alike, given the lack of a body to address issues related to data security and protection.

Concisely, the GDPR focuses on the following aspects of user data:

• Introduces notification requirements and legal consequences for data misuse

• Requires explicit consent to be obtained from citizens (data subjects)

• Notification in case of data hack, breach, or theft

• A dedicated Data Protection Officer (DPO)

Clearly, the enforcement of the GDPR will warrant urgent changes at the operational end of many corporate entities, given that no piece of information can now be attributed to a single user.

Controller and Processor:

Broadly speaking, the Controller is the entity that collects the data.

• If your business deals directly with customers, you are likely collecting their data such as name, email, credit card information etc. This makes you a Controller.

• You could then be working with another provider to process (store, archive, print, etc.) that data, such as a hosting provider, mail merge service, print service, payment gateway, etc.

• All of those service providers are Processors in this case. They deal with customer data indirectly, and yet would be required to comply with the GDPR norms.

In the following sections, we shall address why your business needs to be GDPR compliant.

Why your business needs to be GDPR Compliant:

Is your business operating within the jurisdiction of the EU?

• GDPR will include operators and processors running businesses in the EU, collecting and monitoring subjects’ data

• According to a certain set of terms and conditions, the same processors will now be required to appoint a representative within the EU

• Any company, across the world, tracking subjects of the EU via their personal data will be accountable under the GDPR

Are your business solutions securing user data?

• Compliance with the GDPR must also be demonstrated in the operational and design structure of the virtual property

• Maintaining documentation and evaluating the risk factors pertaining to the data in question are necessary

• Data minimization must be built into all future projects, and current ones must be upgraded to ensure privacy by design

You can no longer ignore the consent of your consumers:

• Data processors must obtain explicit consent from the user before processing. In addition, the consent must be easy to withdraw

• In case of conflict or breach, the processor must be able to produce the consent that was obtained. Existing consents must be re-obtained to meet the new framework

• Data obtained from a user cannot be used for direct marketing or sold to third parties. In addition, the user can object if conclusive evidence of data misuse is obtained

The absolute right of a consumer to control his/her personal data:

• The EU subjects must be supplied with transparent information pertaining to the use of their data by controllers

• Existing notifications related to data control and use will have to be re-evaluated in the light of the new framework

• Data subjects within the EU must be informed of their new rights under the GDPR, and helped to exercise them, in an easily accessible form

Raising the stakes: Why Businesses Cannot Escape GDPR:

The catalyst: Data Protection Officers are the new normal:

• According to a defined set of instructions, entities will be required to designate a Data Protection Officer (DPO) to ensure accountability

• The DPO will be required to have an extensive understanding and knowledge of the data processing activities

• The DPO, according to the guidelines issued in April 2017, will be reporting to the highest management level and should be residing in the EU.

A hefty ticket: GDPR penalties could shatter your credibility:

• Using a tiered framework, the GDPR can impose hefty fines for breach amounting to EUR 20 million or 4% of the annual global turnover of the entity in question (whichever is higher)

• Subsidiary infringements of the GDPR will attract fines in excess of EUR 10 million or 2% of the annual worldwide revenues

• DPOs must acquaint themselves with the new framework, and understand the respective consequences of each infringement. An undertaking must be signed

Employing transparency: Reporting thefts and breaches in real-time:

• Data Protection Authorities (DPAs) must be notified of a breach or theft of data within 72 hours of the incident, where feasible. Otherwise, a justification must be provided for the delay

• Citizens within the EU who have been or can be affected by the data breach must be informed by the entity through appropriate mediums

• However, if the theft poses no risk to the privacy of the subjects of the EU, the DPAs are not necessarily required to be informed

  1. Hi Emily,

    This is such an important post for all businesses. Data protection is one of the most vital aspects of today’s business. There are different laws in different countries. It is necessary for businesses running in a particular country to have a proper data protection mechanism for that country.

    Thanks for sharing, have a great day.
