What is EUGDPR?
EUGDPR is all about the privacy of personal information of EU citizens, including England (even though England is going through Brexit). Any company inside or outside the EU that deals with EU citizens' data, or whose processes involve EU citizens' personal information, is covered under this law.
Is there any certification of EUGDPR?
EUGDPR is not a best practice but a compliance requirement (a law), and as one can imagine there cannot be any certificate for a law.
Is my ISO certification enough for GDPR?
It's a misconception. ISO certification is about data security, and most of it is inclined towards IT controls, so ISO covers only 5% of total GDPR compliance. GDPR is about organisational and IT controls and should be a business practice rather than a compliance activity.
What can happen if my company is not GDPR compliant?
You may lose business coming from your EU clients, as they cannot ascertain GDPR compliance on your behalf and they would not like to be party to the hefty penalties GDPR can impose (penalties are up to 20 million Euro or 4% of global turnover).
Is this an opportunity for business?
Yes, if you look at the positive side of it. A lot of businesses will cease due to non-compliance, hence companies that are compliant can go for the gap generated during this cycle.
What should I do to understand my compliance requirement?
An organisation must go for a GDPR readiness test to understand the gap.
A lot of businesses think this is the only step, but unfortunately there is a lot to do before you can claim to be GDPR compliant.
I do have some policies, and hope they work with GDPR?
GDPR has its own policy framework; as a matter of fact nothing is left unambiguous in GDPR, hence it will be good to get your policies audited.
As a processor, what will be the first salvo I am going to get?
A very strict Data Protection Addendum from your client. This addendum is drafted by the EUGDPR panel, hence nothing can be changed, and people interested in doing business with the EU must sign and comply accordingly.
So the Data Protection Addendum is just another document we need to sign?
No. This alone ensures you have all policies and procedures in place and have “demonstrable evidence” to prove GDPR compliance. If you just sign and forget, you will get caught in the next steps, where your clients will ask for all evidence of compliance. Do note that it is the responsibility of your client (the Controller) to make sure you are compliant, else they will face the total penalty, and trust me, no one will knowingly do that.
What can clients ask for?
A lot of reporting: DPIAs of processes, your personal data protection policies with evidence of implementation, registers of processing activities, incident breach reports and many others.
Will this increase my cost of production?
Certainly yes, but it also enhances the opportunity window.
My controller/client is not asking for anything?
As per the law it is the responsibility of both parties to comply, so it will be good if you update your controller/client. Every party must have a “legal basis and lawful purpose” for processing EU information, so if your controller is not aware then you do not have any legal basis and lawful purpose to do your business.
I am not sure if I have any PI of EU citizens?
It depends from process to process; sometimes PI is part of the information, though not important, but cannot be extracted/removed. The law says if you can see PI, that means you possess PI.
What will happen after I complete GDPR compliance?
Compliance is an activity which needs to be reviewed periodically to make sure everything is in place and recorded, else it will become a heavy piece of documentation left somewhere with management. GDPR insists on “demonstrable evidence of compliance”, which can only happen if compliance is in practice and the results are being recorded.
What businesses are broadly covered under GDPR?
Any business dealing with EU PI information, mainly IT, ITES, BPO and KPO units dealing with EU companies.