Compliance to GDPR mandatory after 25 May

Thursday, 26 April 2018 00:00


By Rahel Kirnde

The Deloitte Risk Advisory team stated yesterday that the controlling and processing of personal data of EU residents should comply with the General Data Protection Regulation (GDPR) guidelines starting from 25 May.

GDPR is a standardised data protection law which applies to all organisations holding and processing personal data of EU Residents regardless of geographic location.

“Similar to the ‘do not disturb’ sign used in hotels, even in the corporate world privacy should be respected. But, since companies have leverage over their customers and their personal information, they do not deal with the implications of privacy in a proper manner,” said Deloitte Privacy and Data Security Director Manish Sehgal.

He also mentioned that, similar to money being deposited in a bank, individuals provide their data to companies with the expectation that it is safeguarded and protected, but corporations completely exploit that data and use it for their own benefit. “The violation of privacy begins when companies holding personal data forget that they are the custodians of that data and not the owners of it.”

Sehgal stated that GDPR will ensure that maximum security is given to personal data as companies that violate GDPR guidelines will have to face dire consequences such as being fined up to EUR 20 million, or 4% of the annual global turnover.

Under the GDPR, any company based outside the EU that controls or processes the data of EU residents must adhere to the regulation, which no longer permits the region-based accountability previously used to avoid sanction.

The GDPR also stipulates that a data breach must be notified to the authorities within 72 hours of being discovered, which maximises the transparency around such incidents.

Sehgal stressed the fact that GDPR does not prevent corporations from using personal data for the purpose it is meant for, but only prevents the unlawful use of data and invasion of privacy.

Speaking of what GDPR is not, Sehgal said: “GDPR is not just an IT issue, and it is also not just about breaches and fines. It is an entire transformation of safeguarding privacy and personal space that is not limited to just one transaction or event.” GDPR gives regulators greater power to penalise companies that mishandle personal data and are not open about how their businesses use it. It gives consumers greater leverage over their personal information, as it requires firms to obtain clear consent from users before processing their data, grants users the right to easily access the data collected from them, and requires transparency about how that data is being used.

GDPR was adopted on 27 April 2017. After it is enforced, it will replace the 1995 EU Data Protection Directive, and supersede the 1998 UK Data Protection Act.

Data handlers are required to implement more informed consent processes when obtaining user data, so that users are fully aware of what they are opting into when an organisation is entrusted with their personally identifiable information (PII).

EU citizens also have the full right to request any personal information held about them through a subject access request (SAR), which sets out what data is held about them and why it is being used.

Pix by Indraratne Balasuriya
