FAQ'S

GDPR can be regarded as a legal framework which is useful in setting up guidelines for collection as well as processing of an individual?s personal information within EU. It is just not applicable to enterprises having location within EU but also to those organizations which are having location outside EU that is, only if they deal with having to offer goods & services to, or having to monitor behaviour of the EU data subjects. It is applicable to all kinds of enterprises who process as well as hold personal data of the data subjects that reside in EU, regardless of the location of enterprise.

GDPR should be categorized as compliance rather than a certification because it is all about demonstrating whether an organization?s processes, controls and any kind of documentation in relation to processing of personal data are proper or not so as to meet the intention set by this regulation.

Overall, implementation of GDPR project would take more than just 200 hours if an organization hasn?t started doing anything yet.

Previously, it was mandatory only for the data controllers to be abiding by the regulations. But now with changing times, needs and demands, it is also mandatory for the data processor to be compliant as well.

An organization can either adhere to a ?code of conduct? that is prepared by a business association and has been approved by DPA or adhere to a kind of ?certification mechanism? which is operated by any one of the certification bodies who have got accreditation from DPA or from a national accreditation body or both (whichever is decided in each of the Member State Law).

The organizations not following GDPR or breaching it would be fined for up to ?20 Million or 4 percent of the annual global turnover. This can be considered as the maximum range of fine that can be levied for the serious infringements such as; not holding enough consent from the customer in order for data processing or maybe not following the concept of Privacy by Design.

GDPR takes in tiered approach when fines are considered that is, an organization can be put to fine of up to 2% for not keeping their own records in proper order, not having notified supervisory authority as well as data subject about any breach or not having conducted impact assessment. It is to be kept in mind that such rules would be applicable to data controllers and a processor both, which means ?clouds? wouldn?t be exempt from the enforcement of GDPR.

Any sort of information which is in relation to any natural person or a ?data subject?, that can be made use either directly or indirectly so as to identify that particular person. Data can constitute things such as; name, photo, email address, medical information, IP address of computer, posts made on any social networking websites or bank details.

DPO(s) are a must who have to be appointed in cases such as; public authorities, enterprises that engage themselves in huge scale systematic monitoring or enterprises that engage themselves in huge scale sensitive personal data processing. If an organization does not come under any one of the mentioned categories, then there isn?t any need of appointing a DPO.

The proposed regulations that surround data breaches mainly are in relation to notification policies of organizations which have been breached. The data breaches that might pose some kind of risk to any individual should be notified to DPA within a period of 72 hours and to the individuals affected without delaying any further.

Any discussions that surround the principle of one-shop-stop are said to be debated a lot and still quite unclear as standing positions are still hugely varies. The Commission text is said to have a quite simple as well as concise ruling which would be in favour of this principle. The parliament too is said to promote a lead DPA and seen as adding much more involvement from any other DPA(s) concerned. The view of the Council waters down any of the ability of lead DPA much further.