General data protection regulation


If your organization processes and archives personal information relating to EU citizens within EU states, even if you do not have a business presence within the EU, then prepare to comply with GDPR. At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so that both citizens and businesses in the European Union can fully benefit from the digital economy.

The following categories of companies are required to adhere to GDPR provisions and must appoint a data protection officer:

  • A presence in an EU country;
  • No presence in the EU, however, the Company processes personal data of European citizens;
  • More than 250 employees; &
  • Fewer than 250 employees, however, the Company’s data-processing impacts the rights of individuals (data subjects), is not occasional or includes certain types of sensitive personal data.

Overview of key components

  • Data privacy by design;
  • Data portability;
  • Rights of data subjects:
    • Right to access;
    • Right to be forgotten;
    • Right to restriction of processing; &
    • Right to rectification.
  • Data breach notification; &
  • Consent.

GDPR principles

  • Lawful, fair and transparent processing;
  • Purpose limitation;
  • Data minimization;
  • Accurate and up-to-date processing;
  • Limitation of storage in the form that permits identification;
  • Confidential and secure; &
  • Accountability and liability.


Penal consequences
GDPR allows for steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher, for non-compliance. Failure to adequately conduct a data protection impact assessment wherever appropriate is a breach of GDPR and could lead to fines of up to 2% of an organisation's annual global turnover or €10 million, whichever is greater.

Way forward
MGC Global Risk Advisory LLP (‘MGC Global’ or ‘the Firm’) has been assisting its clients in complying with GDPR through the following services:

  • GDPR readiness assessment;
  • GDPR transformation program;
  • Data processing inventory; &
  • Third-party procedures.

Mapping IT security, governance and GDPR
GDPR introduces several privacy arrangements and control mechanisms that are intended to safeguard personally identifiable information. Most of these controls are also recommended by ISO/IEC 27001:2013, ISO/IEC 27002:2013 and other ISO27k standards, as well as COBIT 5.