The European Union's General Data Protection Regulation (GDPR) is considered one of the most comprehensive privacy laws drafted in the last two decades, and its extraterritorial reach beyond the EU has made it one of the most discussed regulations around the world. Like most global organisations offering goods and services to EU-based customers, Sri Lankan organisations offering similar services need to prepare for GDPR if they access or process personal data of EU customers or data subjects.
Because GDPR is sector-neutral, quite a few organisations are using it as the benchmark for their privacy and data protection framework, even if they do not process personal data of EU-based customers and are not required to be GDPR ready.
The EU adopted GDPR in 2016 and gave organisations around the world just over two years to become GDPR ready. It has now been a month since GDPR became enforceable on 25 May 2018; let's look at the most prominent aspects of this post-enforcement regime:
For customers:
- Most customers experienced (and are probably still experiencing) a huge influx of emails from their goods and service providers. These emails were largely intended to inform customers about updated privacy notices and to refresh their consents. Consent is one of several lawful bases for processing personal data under GDPR; where an organisation relies on it, the consent must be a clear affirmative act that is specific, informed, unambiguous, freely given, genuine and purpose-limited, and it must be as easy to withdraw at any time as it was to give. Organisations that had relied on an earlier, implied or bundled form of consent therefore had to obtain it afresh.
However, the open question is how many customers are actually reading and understanding the updated notices and the reason for the re-consent requests.
For organisations:
- A majority of organisations updated their privacy notices to comply with the GDPR requirements. A privacy notice is a good channel for an organisation to tell customers, employees, vendors, suppliers and others what personal data is collected, how it is used, and with whom it is shared.
- Organisations that did not prepare are now prioritising their efforts to become GDPR ready, while those that designed a data protection framework in line with GDPR are working to operationalise it. We see GDPR not as a one-time effort or a tick in the box, but as something that requires long-term sustenance.
- As extended teams and vendors play an important part in the operating ecosystem, organisations are continuing to work on the terms of their service contracts; GDPR requires a written contract between a controller and any processor acting on its behalf, setting out the processor's obligations.
- A lot of discussion continues around data minimisation, i.e. re-examining the entire data lifecycle to assess whether any components of personal data (of customers, employees, vendors or business partners) are being collected and/or processed without a lawful basis and can be dropped from further collection and/or processing.
- Requirements such as 72-hour breach notification, handling data subject rights requests, and cross-border data transfer (outside the EU) continue to be complex and challenging to operationalise.
- Breach notification: Organisations must notify the supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be notified without undue delay.
- Data subject rights: Organisations must act on a wide range of rights once data subjects exercise them, in general without undue delay and within one month of the request. These rights are the right to be informed, the right to withdraw consent, the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restriction of processing, the right to data portability, the right to object, and rights in relation to automated decision-making, including profiling.
- Cross-border data transfer: Transfers of personal data outside the EU are permitted on two main conditions:
- Data may be transferred to countries that the European Commission has found, by an adequacy decision, to provide an adequate level of protection.
- In the absence of an adequacy decision, the controller or processor is responsible for putting appropriate safeguards in place, such as standard contractual clauses or binding corporate rules, and for ensuring that data subjects retain enforceable rights and remedies.
- Another critical aspect is a culture of privacy, especially for organisations operating in regions where local privacy laws do not exist or are weak. To build that culture, organisations are mandating regular privacy training.
To summarise, the efforts made before 25 May continue after 25 May as well, since most organisations have yet to conclude their GDPR readiness journey. Customers may continue to receive notification emails and requests for re-consent. As for administrative fines, concrete cases of sanctions and penalties are yet to be seen.